authorGuido Trentalancia <guido@trentalancia.net>2016-12-06 21:41:39 +0100
committerJason Zaman <jason@perfinion.com>2016-12-08 12:44:05 +0800
commit26cfb137599281b3669132f1828bd8dcab5b9848 (patch)
tree1b9950794f5a74106364fc280d34d2fcc42f9c49
parentmodutils: Move lines. (diff)
Apache OpenOffice module (base policy part)
This is a patch that I have created and tested to support Apache OpenOffice with its own module (base policy part, 1/2). The file contexts (and initial tests) are based on the default installation path for version 4 of the office suite. Since the second version it includes revisions from Dominick Grift. Since the third version it should correctly manage files in home directories and allow some other major functionality. The fourth version of the patch introduces a boolean to enable or disable software updates from the network (application and/or extensions). The fifth version of the patch adds the ability to connect to the X display manager (XDM) using Unix domain sockets (interface xserver_stream_connect_xdm()). Also the fifth version splits the whole patch into separate base policy / contrib policy patches as required. The sixth version of this patch removes obsolete executable permission from the unconfined module. The seventh, eighth and ninth versions bring no changes in the base part of the patch. All released versions are safe to apply, each new version just brings improved application functionality and better integration with other desktop applications. Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
-rw-r--r--policy/modules/roles/staff.te4
-rw-r--r--policy/modules/roles/sysadm.te4
-rw-r--r--policy/modules/roles/unprivuser.te4
-rw-r--r--policy/modules/services/xserver.if19
-rw-r--r--policy/modules/system/libraries.fc2
-rw-r--r--policy/modules/system/unconfined.fc1
6 files changed, 33 insertions, 1 deletions
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2f122502..67ca253d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
+ ooffice_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')
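Review bot: `ooffice_role()` is called here and in the sysadm.te and unprivuser.te hunks, but no interface of that name is defined by this base-policy patch; per the description it lives in the separate contrib half (2/2). Each call sits inside `optional_policy(`, which is intended to tolerate the module being absent, so a tree carrying only this base part is expected to build but silently leave staff_t, sysadm_t and user_t without the office-suite role wiring rather than fail. The description would benefit from one sentence stating that the contrib patch must be applied together with this one for the role calls to take effect. The enclosing `ifndef(`distro_redhat',` block in staff.te and unprivuser.te starts and ends outside the hunks.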
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 76315512..2071dbc4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -721,6 +721,10 @@ optional_policy(`
')
optional_policy(`
+ ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6c2cd550..768dc1a9 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
+ ooffice_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f6dc6165..3b55a08a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -621,6 +621,25 @@ interface(`xserver_read_user_dmrc',`
########################################
## <summary>
+## Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ allow $1 iceauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
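Review bot: The XML summary of the new `xserver_read_user_iceauth` interface understates what it grants: besides `read_file_perms` on `iceauth_home_t` files, the `userdom_search_user_home_dirs($1)` call gives the caller search access to every user's home directory, and the .ICEauthority content it exposes is typically the cookie an ICE client presents to authenticate to a user's session services. Callers choosing between this and a narrower interface need that in the summary, e.g. `## Read all users .ICEauthority (ICE session cookie). Also allows searching user home directories.` The interface requires `iceauth_home_t` but this commit does not declare it, so it is presumably an existing type in xserver.te; worth confirming before the contrib caller depends on it. The interface is complete within the hunk, so no further lines are hidden.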
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 2e92f7ee..f6d1e7c2 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
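Review bot: The new `/opt/openoffice4/program/.+\.so(\.[^/]*)*` entry is inserted between the jre and RealPlayer lines, whose hunk context reads `ifdef(`distro_redhat',`; if that conditional is still open at line 52 (its opening and closing lines are outside the hunk), the label is only applied on distro_redhat builds even though the path is the suite's default install location on any distribution, and on other builds the libraries would keep whatever generic label `/opt` gets. If so, the line belongs with the unconditional `/opt` entries instead. Separately, the path is pinned to the `openoffice4` directory, so a later major release installs without this label unless another entry is added; a pattern such as `/opt/openoffice[0-9]*/program/.+\.so(\.[^/]*)*` would cover future versions if that breadth is acceptable for lib_t.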
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 0abaf843..519f2bf1 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -6,7 +6,6 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)