From 46b03739acbb8595a579780956fccf8614a6cccc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 1 Dec 2009 10:31:28 -0500
Subject: [PATCH] Seunshare patch from Dan Walsh.
---
 policy/modules/apps/seunshare.if | 8 ++++++++
 policy/modules/apps/seunshare.te | 14 ++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index dbdf4485b..7f47897b8 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -41,6 +41,14 @@ interface(`seunshare_run',`
 seunshare_domtrans($1)
 role $2 types seunshare_t;
+
+ allow $1 seunshare_t:process signal_perms;
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+ dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+ dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+ ')
 ')
 ########################################
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index dcec4bf14..5e810f266 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -1,5 +1,5 @@
-policy_module(seunshare, 1.0.0)
+policy_module(seunshare, 1.0.1)
 ########################################
 #
@@ -16,7 +16,7 @@ role system_r types seunshare_t;
 # seunshare local policy
 #
-allow seunshare_t self:capability setpcap;
+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 allow seunshare_t self:process { setexec signal getcap setcap };
 allow seunshare_t self:fifo_file rw_file_perms;
@@ -30,6 +30,16 @@ files_mounton_all_poly_members(seunshare_t)
 auth_use_nsswitch(seunshare_t)
+logging_send_syslog_msg(seunshare_t)
+
 miscfiles_read_localization(seunshare_t)
 userdom_use_user_terminals(seunshare_t)
+
+ifdef(`hide_broken_symptoms', `
+ fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+
+ optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(seunshare_t)
+ ')
+')
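Review bot: The three `dontaudit seunshare_t $1:*_socket rw_socket_perms` rules added to `seunshare_run` in seunshare.if carry no comment saying which denials they hide, and with `hide_broken_symptoms` defined those denials never reach the audit log. They look like descriptors inherited from the calling domain leaking into seunshare_t (inferred from the rule shape, not stated in the patch), and that should be recorded so a later reader does not take a quiet log for an absence of access attempts; the same applies to `fs_dontaudit_rw_anon_inodefs_files` and `mozilla_dontaudit_manage_user_home_files` in the last seunshare.te hunk. I would add above the ifdef `# Sockets inherited from the caller (leaked fds); access stays denied, only the AVC message is suppressed.` When investigating this domain, rebuild with dontaudit rules disabled (`semodule -DB`) so the suppressed denials become visible. The interface body starts above the hunk, so its `## <summary>` block may also need to mention the new `signal_perms` grant to the caller.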
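Review bot: The capability line in the second seunshare.te hunk widens seunshare_t from `setpcap` to `{ setuid dac_override setpcap sys_admin }` without a comment justifying any of the three additions, and `dac_override` and `sys_admin` are among the broadest capabilities a domain entered from user roles through `seunshare_run` can hold. `sys_admin` and `setuid` are plausibly needed for the namespace/mount work and for returning to the caller's uid (an inference; the patch does not say), but `dac_override` usually means a root process is touching files it does not own and is often better fixed in the program than granted in policy. I would document each one in place, e.g. `# sys_admin: unshare/mount; setuid: switch back to caller uid; dac_override: TODO confirm which access needs it`, and drop `dac_override` if no denial reproduces without it.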