rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Check in fixed for Chrome nacl support

Browse Source
This commit is contained in:
Dan Walsh 2011-10-27 14:33:47 -04:00
parent 38087df72c
commit bc6fbd3a31
2 changed files with 32 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
policy-F16.patch
View File

@ -4801,10 +4801,10 @@ index 0000000..7cbe3a7
+') +')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644 new file mode 100644
index 0000000..26aba30 index 0000000..0eb3c23
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/chrome.te +++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,171 @@ @@ -0,0 +1,173 @@
+policy_module(chrome,1.0.0) +policy_module(chrome,1.0.0)
+ +
+######################################## +########################################
@ -4883,6 +4883,7 @@ index 0000000..26aba30
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t) +fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+ +
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+ +
+userdom_use_user_ptys(chrome_sandbox_t) +userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
@ -4948,7 +4949,7 @@ index 0000000..26aba30
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms; +allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms; +allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+ +
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
@ -4976,6 +4977,7 @@ index 0000000..26aba30
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
index 37475dd..7db4a01 100644 index 37475dd..7db4a01 100644
--- a/policy/modules/apps/cpufreqselector.te --- a/policy/modules/apps/cpufreqselector.te
@ -68497,7 +68499,7 @@ index ddbd8be..ac8e814 100644
domain_use_interactive_fds(iscsid_t) domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 560dc48..5447ff6 100644 index 560dc48..4986f1b 100644
--- a/policy/modules/system/libraries.fc --- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc
@@ -37,17 +37,12 @@ ifdef(`distro_redhat',` @@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
@ -68788,7 +68790,7 @@ index 560dc48..5447ff6 100644
') dnl end distro_redhat ') dnl end distro_redhat
# #
@@ -312,17 +303,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te @@ -312,17 +303,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# #
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -68838,6 +68840,7 @@ index 560dc48..5447ff6 100644
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/chrome/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ +
+/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+ +
@ -75059,7 +75062,7 @@ index db75976..494ec08 100644
+ +
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 4b2878a..c595fd2 100644 index 4b2878a..af43357 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -77442,7 +77445,7 @@ index 4b2878a..c595fd2 100644
## Create keys for all user domains. ## Create keys for all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3194,3 +3922,1076 @@ interface(`userdom_dbus_send_all_users',` @@ -3194,3 +3922,1094 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')
@ -78301,6 +78304,24 @@ index 4b2878a..c595fd2 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Read all inherited users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_inherited_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Write all inherited users files in /tmp +## Write all inherited users files in /tmp
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">

5
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.10.0 Version: 3.10.0
Release: 51%{?dist} Release: 52%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -483,6 +483,9 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-52
- Check in fixed for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-51 * Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-51
- Begin removing qemu_t domain, we really no longer need this domain. - Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_overide to communicate with users TTY's - systemd_passwd needs dac_overide to communicate with users TTY's