rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Make Chrome work with staff user

This commit is contained in:
Daniel J Walsh 2010-02-10 22:26:52 +00:00
parent 2ffff7cb72
commit 43c7f5f787
2 changed files with 115 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

220
policy-F13.patch
View File

@ -35304,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 15:44:32.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 17:23:48.000000000 -0500
@@ -30,8 +30,9 @@
')
@ -36727,12 +36727,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
@@ -2196,6 +2402,25 @@
@@ -2080,6 +2286,25 @@
########################################
## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## Do not audit attempts to search user
+## temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
@ -36740,124 +36740,126 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+interface(`userdom_dontaudit_search_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+ dontaudit $1 user_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to manage users
## Do not audit attempts to list user
## temporary directories.
## </summary>
@@ -2196,7 +2421,7 @@
########################################
## <summary>
-## Do not audit attempts to manage users
+## Do not audit attempts to write users
## temporary files.
## </summary>
@@ -2276,7 +2501,7 @@
## <param name="domain">
@@ -2205,25 +2430,44 @@
## </summary>
## </param>
#
-interface(`userdom_dontaudit_manage_user_tmp_files',`
+interface(`userdom_dontaudit_write_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
- dontaudit $1 user_tmp_t:file manage_file_perms;
+ dontaudit $1 user_tmp_t:file write;
')
########################################
## <summary>
-## Read user temporary symbolic links.
+## Do not audit attempts to manage users
+## temporary files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`userdom_read_user_tmp_symlinks',`
+interface(`userdom_dontaudit_manage_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read user temporary symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_tmp_symlinks',`
gen_require(`
type user_tmp_t;
')
@@ -2276,6 +2520,46 @@
########################################
## <summary>
## Create, read, write, and delete user
-## temporary symbolic links.
+## temporary chr files.
## </summary>
## <param name="domain">
## <summary>
@@ -2284,19 +2509,19 @@
## </summary>
## </param>
#
-interface(`userdom_manage_user_tmp_symlinks',`
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_chr_files',`
gen_require(`
type user_tmp_t;
')
- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
## <summary>
## Create, read, write, and delete user
-## temporary named pipes.
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary blk files.
## </summary>
## <param name="domain">
## <summary>
@@ -2304,19 +2529,19 @@
## </summary>
## </param>
#
-interface(`userdom_manage_user_tmp_pipes',`
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_blk_files',`
gen_require(`
type user_tmp_t;
')
- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
## <summary>
## Create, read, write, and delete user
-## temporary named sockets.
+## temporary symbolic links.
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
## temporary symbolic links.
## </summary>
## <param name="domain">
## <summary>
@@ -2324,7 +2549,47 @@
## </summary>
## </param>
#
-interface(`userdom_manage_user_tmp_sockets',`
+interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_sockets',`
gen_require(`
type user_tmp_t;
')
@@ -2391,7 +2656,7 @@
@@ -2391,7 +2675,7 @@
########################################
## <summary>
@ -36866,7 +36868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
@@ -2399,19 +2664,21 @@
@@ -2399,19 +2683,21 @@
## </summary>
## </param>
#
@ -36892,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
@@ -2419,15 +2686,14 @@
@@ -2419,15 +2705,14 @@
## </summary>
## </param>
#
@ -36912,7 +36914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2749,7 +3015,7 @@
@@ -2749,7 +3034,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -36921,7 +36923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
@@ -2765,11 +3031,33 @@
@@ -2765,11 +3050,33 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -36957,7 +36959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2884,6 +3172,25 @@
@@ -2884,6 +3191,25 @@
########################################
## <summary>
@ -36983,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Write all users files in /tmp
## </summary>
## <param name="domain">
@@ -2897,7 +3204,43 @@
@@ -2897,7 +3223,43 @@
type user_tmp_t;
')
@ -37028,7 +37030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2934,6 +3277,7 @@
@@ -2934,6 +3296,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@ -37036,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
@@ -3064,3 +3408,674 @@
@@ -3064,3 +3427,674 @@
allow $1 userdomain:dbus send_msg;
')

5
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.8
Release: 8%{?dist}
Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -466,6 +466,9 @@ exit 0
%endif
%changelog
* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
- Make Chrome work with staff user
* Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8
- Add icecast policy
- Cleanup spec file