- Make Chrome work with staff user

2010-02-10 22:26:52 +00:00 · 2010-02-10 22:26:52 +00:00 · 43c7f5f787
commit 43c7f5f787
parent 2ffff7cb72
2 changed files with 115 additions and 110 deletions
--- a/policy-F13.patch
+++ b/policy-F13.patch
@ -35304,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-10 15:44:32.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-10 17:23:48.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
@ -36727,12 +36727,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2196,6 +2402,25 @@
+@@ -2080,6 +2286,25 @@
 
 ########################################
 ## <summary>
-+##	Do not audit attempts to write users
-+##	temporary files.
+##	Do not audit attempts to search user
+##	temporary directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -36740,124 +36740,126 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_write_user_tmp_files',`
+interface(`userdom_dontaudit_search_user_tmp',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:file write;
+	dontaudit $1 user_tmp_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to manage users
+ ##	Do not audit attempts to list user
+ ##	temporary directories.
+ ## </summary>
+@@ -2196,7 +2421,7 @@
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to manage users
+##	Do not audit attempts to write users
 ##	temporary files.
 ## </summary>
-@@ -2276,7 +2501,7 @@
+ ## <param name="domain">
+@@ -2205,25 +2430,44 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_manage_user_tmp_files',`
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ 	gen_require(`
+ 		type user_tmp_t;
+ 	')
+ 
+-	dontaudit $1 user_tmp_t:file manage_file_perms;
+	dontaudit $1 user_tmp_t:file write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read user temporary symbolic links.
+##	Do not audit attempts to manage users
+##	temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_read_user_tmp_symlinks',`
+interface(`userdom_dontaudit_manage_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read user temporary symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_user_tmp_symlinks',`
+ 	gen_require(`
+ 		type user_tmp_t;
+ 	')
+@@ -2276,6 +2520,46 @@
 ########################################
 ## <summary>
 ##	Create, read, write, and delete user
-##	temporary symbolic links.
 +##	temporary chr files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2284,19 +2509,19 @@
- ##	</summary>
- ## </param>
- #
-interface(`userdom_manage_user_tmp_symlinks',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`userdom_manage_user_tmp_chr_files',`
- 	gen_require(`
- 		type user_tmp_t;
- 	')
- 
-	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+	gen_require(`
+		type user_tmp_t;
+	')
+
 +	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
- 	files_search_tmp($1)
- ')
- 
- ########################################
- ## <summary>
- ##	Create, read, write, and delete user
-##	temporary named pipes.
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
 +##	temporary blk files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2304,19 +2529,19 @@
- ##	</summary>
- ## </param>
- #
-interface(`userdom_manage_user_tmp_pipes',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`userdom_manage_user_tmp_blk_files',`
- 	gen_require(`
- 		type user_tmp_t;
- 	')
- 
-	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+	gen_require(`
+		type user_tmp_t;
+	')
+
 +	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
- 	files_search_tmp($1)
- ')
- 
- ########################################
- ## <summary>
- ##	Create, read, write, and delete user
-##	temporary named sockets.
-+##	temporary symbolic links.
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+ ##	temporary symbolic links.
 ## </summary>
 ## <param name="domain">
- ##	<summary>
-@@ -2324,7 +2549,47 @@
- ##	</summary>
- ## </param>
- #
-interface(`userdom_manage_user_tmp_sockets',`
-+interface(`userdom_manage_user_tmp_symlinks',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete user
-+##	temporary named pipes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_user_tmp_pipes',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete user
-+##	temporary named sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_user_tmp_sockets',`
- 	gen_require(`
- 		type user_tmp_t;
- 	')
-@@ -2391,7 +2656,7 @@
+@@ -2391,7 +2675,7 @@
 
 ########################################
 ## <summary>
@ -36866,7 +36868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2399,19 +2664,21 @@
+@@ -2399,19 +2683,21 @@
 ##	</summary>
 ## </param>
 #
@ -36892,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2419,15 +2686,14 @@
+@@ -2419,15 +2705,14 @@
 ##	</summary>
 ## </param>
 #
@ -36912,7 +36914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2749,7 +3015,7 @@
+@@ -2749,7 +3034,7 @@
 
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -36921,7 +36923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
-@@ -2765,11 +3031,33 @@
+@@ -2765,11 +3050,33 @@
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -36957,7 +36959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2884,6 +3172,25 @@
+@@ -2884,6 +3191,25 @@
 
 ########################################
 ## <summary>
@ -36983,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Write all users files in /tmp
 ## </summary>
 ## <param name="domain">
-@@ -2897,7 +3204,43 @@
+@@ -2897,7 +3223,43 @@
 		type user_tmp_t;
 	')
 
@ -37028,7 +37030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2934,6 +3277,7 @@
+@@ -2934,6 +3296,7 @@
 	')
 
 	read_files_pattern($1, userdomain, userdomain)
@ -37036,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_search_proc($1)
 ')
 
-@@ -3064,3 +3408,674 @@
+@@ -3064,3 +3427,674 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.8
-Release: 8%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -466,6 +466,9 @@ exit 0
 %endif

 %changelog
+* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
+- Make Chrome work with staff user
+
 * Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8
 - Add icecast policy
 - Cleanup  spec file