commit: f4583e39915721de06d103dad1e172aaa9c760cb Author: Luis Ressel <aranea <AT> aixah <DOT> de> AuthorDate: Tue Nov 14 02:03:36 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Wed Nov 15 01:12:48 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f4583e39
Allow gtk apps to map usr_t files
This is required to access gtk's icon cache. IIRC, past discussion on the ML came to the conclusion that adding a new domain for this would be overkill.
 policy/modules/contrib/blueman.te | 1 +
 policy/modules/contrib/evolution.te | 1 +
 policy/modules/contrib/gpg.te | 1 +
 policy/modules/contrib/mozilla.te | 1 +
 policy/modules/contrib/openoffice.te | 1 +
 policy/modules/contrib/thunderbird.te | 1 +
 policy/modules/contrib/wireshark.te | 1 +
 policy/modules/contrib/wm.te | 1 +
 8 files changed, 8 insertions(+)
diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
index 3a5032e0..c00e3ccc 100644
--- a/policy/modules/contrib/blueman.te
+++ b/policy/modules/contrib/blueman.te
@@ -45,6 +45,7 @@ dev_rw_wireless(blueman_t)
 domain_use_interactive_fds(blueman_t)
 files_list_tmp(blueman_t)
+files_map_usr_files(blueman_t)
 files_read_usr_files(blueman_t)
 auth_use_nsswitch(blueman_t)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index ed56f433..a9ffea32 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -182,6 +182,7 @@ dev_read_urand(evolution_t)
 domain_dontaudit_read_all_domains_state(evolution_t)
+files_map_usr_files(evolution_t)
 files_read_usr_files(evolution_t)
 fs_dontaudit_getattr_xattr_fs(evolution_t)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 03bbd9c3..262d8cc6 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -338,6 +338,7 @@ dev_read_rand(gpg_pinentry_t)
 domain_use_interactive_fds(gpg_pinentry_t)
+files_map_usr_files(gpg_pinentry_t)
 files_read_usr_files(gpg_pinentry_t)
 fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ddccbc79..ed6f3592 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
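Review bot: The added `files_map_usr_files(blueman_t)` in blueman.te carries no comment saying why the domain needs to mmap usr_t files, and the same holds for the identical additions in evolution.te, gpg.te, mozilla.te, openoffice.te, thunderbird.te, wireshark.te and wm.te. The rationale (gtk's icon cache) lives only in the commit message, so someone auditing a .te file later cannot tell this grant apart from an accidental one. I would put `# gtk mmap()s its icon cache, which is labelled usr_t` directly above each call. Since the interface covers every usr_t file rather than only the cache, that comment also marks the line to tighten if the cache ever gets its own type.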
@@ -173,6 +173,7 @@ dev_write_sound(mozilla_t)
 domain_dontaudit_read_all_domains_state(mozilla_t)
 files_read_etc_runtime_files(mozilla_t)
+files_map_usr_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_var_files(mozilla_t)
 files_read_var_lib_files(mozilla_t)
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 3c42014d..eb10349d 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -80,6 +80,7 @@ files_getattr_all_dirs(ooffice_t)
 files_getattr_all_files(ooffice_t)
 files_getattr_all_symlinks(ooffice_t)
 files_read_etc_files(ooffice_t)
+files_map_usr_files(ooffice_t)
 files_read_usr_files(ooffice_t)
 fs_getattr_xattr_fs(ooffice_t)
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index eb9ab43e..c1387eac 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -86,6 +86,7 @@ dev_read_urand(thunderbird_t)
 dev_dontaudit_search_sysfs(thunderbird_t)
 files_list_tmp(thunderbird_t)
+files_map_usr_files(thunderbird_t)
 files_read_usr_files(thunderbird_t)
 files_read_etc_runtime_files(thunderbird_t)
 files_read_var_files(thunderbird_t)
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index a398fd7d..ca4289f4 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -86,6 +86,7 @@ dev_read_rand(wireshark_t)
 dev_read_sysfs(wireshark_t)
 dev_read_urand(wireshark_t)
+files_map_usr_files(wireshark_t)
 files_read_usr_files(wireshark_t)
 fs_getattr_all_fs(wireshark_t)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index b9c04988..e54f2830 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -56,6 +56,7 @@ dev_rw_wireless(wm_domain)
 dev_write_sound(wm_domain)
 files_read_etc_runtime_files(wm_domain)
+files_map_usr_files(wm_domain)
 files_read_usr_files(wm_domain)
 fs_getattr_all_fs(wm_domain)
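Review bot: In wm.te the new `files_map_usr_files(wm_domain)` is granted to `wm_domain`, which from its name and its use across this hunk looks like an attribute shared by all window manager domains rather than a single GTK application type. If so, the map permission on usr_t also reaches window managers that never load the gtk icon cache, which is wider than the "gtk apps" in the commit title. Either grant it on the specific window manager types that need it, or record that the attribute-wide scope is deliberate with a comment such as `# attribute-wide on purpose: gtk icon cache is mmap()ed`. The surrounding policy block starts and ends outside the hunk, so the attribute's declaration is not visible here.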