diff --git a/policy-F13.patch b/policy-F13.patch index 6f7e206..ba9488d 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -35304,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 15:44:32.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 17:23:48.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -36727,12 +36727,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2196,6 +2402,25 @@ +@@ -2080,6 +2286,25 @@ ######################################## ## -+## Do not audit attempts to write users -+## temporary files. ++## Do not audit attempts to search user ++## temporary directories. +## +## +## @@ -36740,92 +36740,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_write_user_tmp_files',` ++interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:file write; ++ dontaudit $1 user_tmp_t:dir search_dir_perms; +') + +######################################## +## - ## Do not audit attempts to manage users - ## temporary files. + ## Do not audit attempts to list user + ## temporary directories. ## -@@ -2276,7 +2501,7 @@ - ######################################## - ## - ## Create, read, write, and delete user --## temporary symbolic links. -+## temporary chr files. - ## - ## - ## -@@ -2284,19 +2509,19 @@ - ## - ## - # --interface(`userdom_manage_user_tmp_symlinks',` -+interface(`userdom_manage_user_tmp_chr_files',` - gen_require(` - type user_tmp_t; - ') - -- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') +@@ -2196,7 +2421,7 @@ ######################################## ## - ## Create, read, write, and delete user --## temporary named pipes. -+## temporary blk files. +-## Do not audit attempts to manage users ++## Do not audit attempts to write users + ## temporary files. ## ## - ## -@@ -2304,19 +2529,19 @@ +@@ -2205,25 +2430,44 @@ ## ## # --interface(`userdom_manage_user_tmp_pipes',` -+interface(`userdom_manage_user_tmp_blk_files',` +-interface(`userdom_dontaudit_manage_user_tmp_files',` ++interface(`userdom_dontaudit_write_user_tmp_files',` gen_require(` type user_tmp_t; ') -- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) +- dontaudit $1 user_tmp_t:file manage_file_perms; ++ dontaudit $1 user_tmp_t:file write; ') ######################################## ## - ## Create, read, write, and delete user --## temporary named sockets. -+## temporary symbolic links. +-## Read user temporary symbolic links. ++## Do not audit attempts to manage users ++## temporary files. ## ## ## -@@ -2324,7 +2549,47 @@ +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`userdom_manage_user_tmp_sockets',` -+interface(`userdom_manage_user_tmp_symlinks',` +-interface(`userdom_read_user_tmp_symlinks',` ++interface(`userdom_dontaudit_manage_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) ++ dontaudit $1 user_tmp_t:file manage_file_perms; +') + +######################################## +## -+## Create, read, write, and delete user -+## temporary named pipes. ++## Read user temporary symbolic links. +## +## +## @@ -36833,19 +36808,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_manage_user_tmp_pipes',` ++interface(`userdom_read_user_tmp_symlinks',` + gen_require(` + type user_tmp_t; + ') +@@ -2276,6 +2520,46 @@ + ######################################## + ## + ## Create, read, write, and delete user ++## temporary chr files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_chr_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) ++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user -+## temporary named sockets. ++## temporary blk files. +## +## +## @@ -36853,11 +36844,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_manage_user_tmp_sockets',` - gen_require(` - type user_tmp_t; - ') -@@ -2391,7 +2656,7 @@ ++interface(`userdom_manage_user_tmp_blk_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary symbolic links. + ## + ## +@@ -2391,7 +2675,7 @@ ######################################## ## @@ -36866,7 +36868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2399,19 +2664,21 @@ +@@ -2399,19 +2683,21 @@ ## ## # @@ -36892,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2419,15 +2686,14 @@ +@@ -2419,15 +2705,14 @@ ## ## # @@ -36912,7 +36914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2749,7 +3015,7 @@ +@@ -2749,7 +3034,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -36921,7 +36923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3031,33 @@ +@@ -2765,11 +3050,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -36957,7 +36959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2884,6 +3172,25 @@ +@@ -2884,6 +3191,25 @@ ######################################## ## @@ -36983,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all users files in /tmp ## ## -@@ -2897,7 +3204,43 @@ +@@ -2897,7 +3223,43 @@ type user_tmp_t; ') @@ -37028,7 +37030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2934,6 +3277,7 @@ +@@ -2934,6 +3296,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -37036,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3064,3 +3408,674 @@ +@@ -3064,3 +3427,674 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 3e480c6..075329c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 8%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ exit 0 %endif %changelog +* Tue Feb 9 2010 Dan Walsh 3.7.8-9 +- Make Chrome work with staff user + * Thu Feb 4 2010 Dan Walsh 3.7.8-8 - Add icecast policy - Cleanup spec file