From bc6fbd3a3105c050c754c4dbe2f3fc6565db0bb6 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 27 2011 18:33:47 +0000 Subject: Check in fixed for Chrome nacl support --- diff --git a/policy-F16.patch b/policy-F16.patch index 5356641..9083cd5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4801,10 +4801,10 @@ index 0000000..7cbe3a7 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..26aba30 +index 0000000..0eb3c23 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,171 @@ +@@ -0,0 +1,173 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4883,6 +4883,7 @@ index 0000000..26aba30 +fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) ++userdom_execute_user_tmpfs_files(chrome_sandbox_t) + +userdom_use_user_ptys(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) @@ -4948,7 +4949,7 @@ index 0000000..26aba30 +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_nacl_t self:shm create_shm_perms; -+allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms; ++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto }; + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; @@ -4976,6 +4977,7 @@ index 0000000..26aba30 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) ++userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t) diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index 37475dd..7db4a01 100644 --- a/policy/modules/apps/cpufreqselector.te @@ -68497,7 +68499,7 @@ index ddbd8be..ac8e814 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..5447ff6 100644 +index 560dc48..4986f1b 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -37,17 +37,12 @@ ifdef(`distro_redhat',` @@ -68788,7 +68790,7 @@ index 560dc48..5447ff6 100644 ') dnl end distro_redhat # -@@ -312,17 +303,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +303,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -68838,6 +68840,7 @@ index 560dc48..5447ff6 100644 +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/chrome/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + @@ -75059,7 +75062,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..c595fd2 100644 +index 4b2878a..af43357 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -77442,7 +77445,7 @@ index 4b2878a..c595fd2 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3922,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3922,1094 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -78301,6 +78304,24 @@ index 4b2878a..c595fd2 100644 + +######################################## +## ++## Read all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## +## Write all inherited users files in /tmp +## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index 616ea31..4033277 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -483,6 +483,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 27 2011 Miroslav Grepl 3.10.0-52 +- Check in fixed for Chrome nacl support + * Thu Oct 27 2011 Miroslav Grepl 3.10.0-51 - Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's