- Make Chrome work with staff user
This commit is contained in:
parent
2ffff7cb72
commit
43c7f5f787
220
policy-F13.patch
220
policy-F13.patch
@ -35304,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
|
||||||
+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 15:44:32.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 17:23:48.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -36727,12 +36727,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
manage_files_pattern($1, user_home_t, user_home_t)
|
manage_files_pattern($1, user_home_t, user_home_t)
|
||||||
@@ -2196,6 +2402,25 @@
|
@@ -2080,6 +2286,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
+## Do not audit attempts to write users
|
+## Do not audit attempts to search user
|
||||||
+## temporary files.
|
+## temporary directories.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -36740,124 +36740,126 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
+interface(`userdom_dontaudit_write_user_tmp_files',`
|
+interface(`userdom_dontaudit_search_user_tmp',`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type user_tmp_t;
|
+ type user_tmp_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ dontaudit $1 user_tmp_t:file write;
|
+ dontaudit $1 user_tmp_t:dir search_dir_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
## Do not audit attempts to manage users
|
## Do not audit attempts to list user
|
||||||
|
## temporary directories.
|
||||||
|
## </summary>
|
||||||
|
@@ -2196,7 +2421,7 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Do not audit attempts to manage users
|
||||||
|
+## Do not audit attempts to write users
|
||||||
## temporary files.
|
## temporary files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2276,7 +2501,7 @@
|
## <param name="domain">
|
||||||
|
@@ -2205,25 +2430,44 @@
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`userdom_dontaudit_manage_user_tmp_files',`
|
||||||
|
+interface(`userdom_dontaudit_write_user_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type user_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- dontaudit $1 user_tmp_t:file manage_file_perms;
|
||||||
|
+ dontaudit $1 user_tmp_t:file write;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Read user temporary symbolic links.
|
||||||
|
+## Do not audit attempts to manage users
|
||||||
|
+## temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
-## Domain allowed access.
|
||||||
|
+## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-interface(`userdom_read_user_tmp_symlinks',`
|
||||||
|
+interface(`userdom_dontaudit_manage_user_tmp_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type user_tmp_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ dontaudit $1 user_tmp_t:file manage_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read user temporary symbolic links.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_read_user_tmp_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type user_tmp_t;
|
||||||
|
')
|
||||||
|
@@ -2276,6 +2520,46 @@
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete user
|
## Create, read, write, and delete user
|
||||||
-## temporary symbolic links.
|
|
||||||
+## temporary chr files.
|
+## temporary chr files.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
+## <summary>
|
||||||
@@ -2284,19 +2509,19 @@
|
+## Domain allowed access.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
#
|
+#
|
||||||
-interface(`userdom_manage_user_tmp_symlinks',`
|
|
||||||
+interface(`userdom_manage_user_tmp_chr_files',`
|
+interface(`userdom_manage_user_tmp_chr_files',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
type user_tmp_t;
|
+ type user_tmp_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
|
|
||||||
+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
|
+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||||
files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
## Create, read, write, and delete user
|
+## Create, read, write, and delete user
|
||||||
-## temporary named pipes.
|
|
||||||
+## temporary blk files.
|
+## temporary blk files.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## <param name="domain">
|
+## <param name="domain">
|
||||||
## <summary>
|
+## <summary>
|
||||||
@@ -2304,19 +2529,19 @@
|
+## Domain allowed access.
|
||||||
## </summary>
|
+## </summary>
|
||||||
## </param>
|
+## </param>
|
||||||
#
|
+#
|
||||||
-interface(`userdom_manage_user_tmp_pipes',`
|
|
||||||
+interface(`userdom_manage_user_tmp_blk_files',`
|
+interface(`userdom_manage_user_tmp_blk_files',`
|
||||||
gen_require(`
|
+ gen_require(`
|
||||||
type user_tmp_t;
|
+ type user_tmp_t;
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
|
|
||||||
+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
|
+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||||
files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
## <summary>
|
+## <summary>
|
||||||
## Create, read, write, and delete user
|
+## Create, read, write, and delete user
|
||||||
-## temporary named sockets.
|
## temporary symbolic links.
|
||||||
+## temporary symbolic links.
|
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
@@ -2391,7 +2675,7 @@
|
||||||
@@ -2324,7 +2549,47 @@
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
-interface(`userdom_manage_user_tmp_sockets',`
|
|
||||||
+interface(`userdom_manage_user_tmp_symlinks',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type user_tmp_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
|
|
||||||
+ files_search_tmp($1)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Create, read, write, and delete user
|
|
||||||
+## temporary named pipes.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`userdom_manage_user_tmp_pipes',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type user_tmp_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
|
|
||||||
+ files_search_tmp($1)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Create, read, write, and delete user
|
|
||||||
+## temporary named sockets.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`userdom_manage_user_tmp_sockets',`
|
|
||||||
gen_require(`
|
|
||||||
type user_tmp_t;
|
|
||||||
')
|
|
||||||
@@ -2391,7 +2656,7 @@
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -36866,7 +36868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2399,19 +2664,21 @@
|
@@ -2399,19 +2683,21 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -36892,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2419,15 +2686,14 @@
|
@@ -2419,15 +2705,14 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -36912,7 +36914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2749,7 +3015,7 @@
|
@@ -2749,7 +3034,7 @@
|
||||||
|
|
||||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||||
allow unpriv_userdomain $1:fd use;
|
allow unpriv_userdomain $1:fd use;
|
||||||
@ -36921,7 +36923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
allow unpriv_userdomain $1:process sigchld;
|
allow unpriv_userdomain $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -2765,11 +3031,33 @@
|
@@ -2765,11 +3050,33 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_user_home_content',`
|
interface(`userdom_search_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -36957,7 +36959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2884,6 +3172,25 @@
|
@@ -2884,6 +3191,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -36983,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Write all users files in /tmp
|
## Write all users files in /tmp
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2897,7 +3204,43 @@
|
@@ -2897,7 +3223,43 @@
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -37028,7 +37030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2934,6 +3277,7 @@
|
@@ -2934,6 +3296,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, userdomain, userdomain)
|
read_files_pattern($1, userdomain, userdomain)
|
||||||
@ -37036,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3064,3 +3408,674 @@
|
@@ -3064,3 +3427,674 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
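Review bot: The new `userdom_manage_user_tmp_chr_files` and `userdom_manage_user_tmp_blk_files` interfaces (the `@@ -2276,6 +2520,46 @@` hunk) hand a caller create/read/write/delete on character and block device nodes labelled user_tmp_t, which is a much larger grant than the neighbouring symlink, pipe and socket interfaces, yet their `<summary>` blocks say nothing about which consumer needs it. Going by the commit title this is presumably for a sandboxed Chrome populating a private chroot, but the calling domain is not in this section, so the intent should live in the interface documentation rather than only in the changelog. I would extend each summary with `## Intended for sandbox domains that must populate device nodes in a private chroot; domains that only handle regular files should use userdom_manage_user_tmp_files.` so a future policy writer does not reach for the device-node variant by default. The new `userdom_dontaudit_search_user_tmp` body (`dontaudit $1 user_tmp_t:dir search_dir_perms;`) and the reordered symlink/pipe/socket interfaces keep their `files_search_tmp($1)` calls and look consistent with their siblings, so nothing further to raise there.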
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.7.8
|
Version: 3.7.8
|
||||||
Release: 8%{?dist}
|
Release: 10%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -466,6 +466,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
|
||||||
|
- Make Chrome work with staff user
|
||||||
|
|
||||||
* Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8
|
* Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8
|
||||||
- Add icecast policy
|
- Add icecast policy
|
||||||
- Cleanup spec file
|
- Cleanup spec file
|
||||||
|
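Review bot: `Release: 10%{?dist}` in the `@ -20,7 +20,7 @@` hunk does not match the changelog entry added in the `@ -466,6 +466,9 @@` hunk, which is stamped `3.7.8-9`, and no `3.7.8-10` entry is added, so the changelog lags the release tag (rpmlint reports this as incoherent-version-in-changelog). Either the new header should read `* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-10` or the Release should stay at 9, whichever matches the build actually pushed; I cannot tell from this page which is intended.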