Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.
This patch requires the following recently posted patch for the
games module:
[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).
Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.
Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.
The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.
This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).
This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.
THIS IS THE BASE POLICY PART.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>From the package description: "IP Tables State displays states being kept
by iptables in a top-like format". The netutils_t permission set fits it
snugly.
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains. Allowing access
by other domains to the new socket security classes is left to future
commits.
The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The kernel_read_unix_sysctls() and kernel_rw_unix_sysctls() currenly
don't allow listing the /proc/sys/net/unix directory, contrary to the
other sysctl interfaces.
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of this patch removes obsolete executable
permission from the unconfined module.
The seventh, eighth and nineth versions brings no changes in the base
part of the patch.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This permission is currently granted in an ifdef(systemd) block, but
it's also required on non-systemd systems if signed kernel modules are
being used.
Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
When reading or managing noxattr fs files or symbolic links, also
let the user list noxattr fs directories.
This patch should be applied after the following one:
http://oss.tresys.com/pipermail/refpolicy/2016-October/008539.html
"Let users read/manage symlinks on fs that do not support xattr"
posted on Sat, 29 Oct 2016 15:39:46 UTC.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Let unprivileged users list filesystems mounted on mount points such
as /mnt (cdrom, FAT, NTFS and so on).
This makes a great difference to the usability and effectiveness of
graphical filesystem browsers such as Gnome Nautilus and currently
comes at no security penalty because mounted filesystems can be
listed with programs such as the "df" program from GNU coreutils or
by simply reading /proc/mounts.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
