[selinux-policy/f13/master] - Fixes for sandbox policy - Allow chromium-browser to read gnome homedir content

Miroslav Grepl mgrepl at fedoraproject.org
Mon Oct 18 14:28:27 UTC 2010


commit 4481e3025765e4bdebe0b8ee9a417650c6701177
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Oct 18 16:28:14 2010 +0200

    - Fixes for sandbox policy
    - Allow chromium-browser to read gnome homedir content

 policy-F13.patch    |  150 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |    6 ++-
 2 files changed, 120 insertions(+), 36 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index e040fd7..ec17a8c 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -3097,8 +3097,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te
 --- nsaserefpolicy/policy/modules/apps/chrome.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te	2010-09-16 16:57:25.804637037 +0200
-@@ -0,0 +1,89 @@
++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te	2010-10-18 14:45:28.963650461 +0200
+@@ -0,0 +1,90 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3170,6 +3170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +optional_policy(`
 +	gnome_rw_inherited_config(chrome_sandbox_t)
 +	gnome_list_home_config(chrome_sandbox_t)
++	gnome_read_home_config(chrome_sandbox_t)
 +')
 +
 +optional_policy(`
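Review bot: `gnome_read_home_config(chrome_sandbox_t)` gives the sandbox helper domain read access to every file and symlink labelled `config_home_t`, not only Chromium's own settings, which is a broad grant for a domain whose purpose is confinement. If other applications' data under ~/.config carries the same label (not visible in this hunk), a compromised process in this domain could read it. Consider a dedicated type for the content Chromium actually needs, or at least record the denial being fixed in a comment above the call, e.g. `# chromium reads <path> under ~/.config (placeholder: bug/AVC reference)`.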
@@ -3570,7 +3571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.19/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gnome.if	2010-09-23 13:21:33.431386911 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gnome.if	2010-10-18 14:45:15.884901735 +0200
 @@ -74,6 +74,24 @@
  
  ########################################
@@ -3596,7 +3597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
  ##	manage gnome homedir content (.config)
  ## </summary>
  ## <param name="user_domain">
-@@ -84,10 +102,426 @@
+@@ -84,10 +102,445 @@
  #
  interface(`gnome_manage_config',`
  	gen_require(`
@@ -4005,6 +4006,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +	allow $1 gnome_home_type:file rw_inherited_file_perms;
 +')
 +
++#######################################
++## <summary>
++##      read gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gnome_read_home_config',`
++        gen_require(`
++                type config_home_t;
++        ')
++
++        read_files_pattern($1, config_home_t, config_home_t)
++		read_lnk_files_pattern($1, config_home_t, config_home_t)
++')
++
 +########################################
 +## <summary>
 +##	Send and receive messages from
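Review bot: The new `gnome_read_home_config` interface mixes indentation styles: its body and doc comment use runs of spaces, the `read_lnk_files_pattern` line uses two tabs, and the neighbouring interfaces in this file use a single tab. Re-indenting the block with one tab per level would match the interface that follows it. The summary says "read gnome homedir content (.config)", but the body covers only `config_home_t`, whereas the interface just above works on the `gnome_home_type` attribute. A more accurate summary would be `##	Read files and symlinks labelled config_home_t.`, so callers do not assume it covers all gnome home types.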
@@ -7270,8 +7290,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-10-05 16:12:11.355651521 +0200
-@@ -0,0 +1,403 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-10-18 15:03:16.043900000 +0200
+@@ -0,0 +1,421 @@
 +policy_module(sandbox,1.0.0)
 +
 +dbus_stub()
@@ -7411,6 +7431,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +userdom_dontaudit_use_user_terminals(sandbox_domain)
 +
++mta_dontaudit_read_spool_symlinks(sandbox_domain)
++
 +########################################
 +#
 +# sandbox_x_domain local policy
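Review bot: `mta_dontaudit_read_spool_symlinks(sandbox_domain)` is called unconditionally, which makes the sandbox module depend on the mta module being present. The `nsplugin_read_rw_files` call added later in this same commit is wrapped in `optional_policy`, and the same wrapping here would keep sandbox loadable on a policy built without mta. A one-line comment naming what inside the sandbox follows the mail spool symlink would also help, since a dontaudit hides the denial from anyone investigating later.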
@@ -7425,6 +7447,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
 +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
++dontaudit sandbox_x_domain self:process signal;
++
 +allow sandbox_x_domain self:shm create_shm_perms;
 +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
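Review bot: The added `dontaudit sandbox_x_domain self:process signal;` comes directly after an `allow` with the same source, target and class that already lists `signal_perms`. In refpolicy that set includes `signal`, so the dontaudit can never match a denial. If the intent was to silence signals sent to some other domain, the target needs to be that domain rather than `self`; otherwise the line can be dropped. Either way, a short comment stating which denial it addresses would make the intent checkable.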
@@ -7476,6 +7500,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +miscfiles_read_fonts(sandbox_x_domain)
 +
++tunable_policy(`use_nfs_home_dirs',`
++	fs_search_nfs(sandbox_x_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_search_cifs(sandbox_x_domain)
++')
++
 +optional_policy(`
 +	cups_stream_connect(sandbox_x_domain)
 +	cups_read_rw_config(sandbox_x_domain)
@@ -7536,6 +7568,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	hal_dbus_chat(sandbox_x_client_t)
 +')
 +
++allow sandbox_web_t self:process setsched;
++
++optional_policy(`
++        nsplugin_read_rw_files(sandbox_web_t)
++')
++
 +########################################
 +#
 +# sandbox_web_client_t local policy
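Review bot: The two additions for `sandbox_web_t` sit between the hal block for `sandbox_x_client_t` and the `sandbox_web_client_t local policy` banner, so they read as the tail of an unrelated section. If `sandbox_web_t` has its own section elsewhere in sandbox.te (not visible in this hunk), they belong there. The `nsplugin_read_rw_files(sandbox_web_t)` line is indented with spaces where the surrounding `optional_policy` blocks use a tab. `setsched` on `self` and read access to nsplugin's rw files both widen what sandboxed web content can do, so a comment such as `# needed by <plugin/feature> (placeholder)` above each would record why the grant exists.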
@@ -7890,8 +7928,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +#/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.7.19/policy/modules/apps/telepathy.if
 --- nsaserefpolicy/policy/modules/apps/telepathy.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/telepathy.if	2010-07-13 15:32:42.433752902 +0200
-@@ -0,0 +1,204 @@
++++ serefpolicy-3.7.19/policy/modules/apps/telepathy.if	2010-10-18 15:46:49.026650859 +0200
+@@ -0,0 +1,184 @@
 +
 +## <summary>Telepathy framework.</summary>
 +
@@ -8021,26 +8059,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +
 +########################################
 +## <summary>
-+##	Read and write Telepathy Butterfly
-+##	temporary files.
-+## </summary>
-+## <param name="domain">
-+## 	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`telepathy_butterfly_rw_tmp_files', `
-+	gen_require(`
-+		type telepathy_butterfly_tmp_t;
-+	')
-+
-+	allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
 +##	Stream connect to Telepathy Gabble
 +## </summary>
 +## <param name="domain">
@@ -9221,7 +9239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if	2010-07-13 08:28:56.068502788 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if	2010-10-18 15:39:59.101902148 +0200
 @@ -407,7 +407,7 @@
  
  ########################################
@@ -9442,7 +9460,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  	dontaudit $1 mtrr_device_t:chr_file write;
  ')
  
-@@ -3440,6 +3594,24 @@
+@@ -2875,24 +3029,6 @@
+ 
+ ########################################
+ ## <summary>
+-##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`dev_read_printk',`
+-	gen_require(`
+-		type device_t, printk_device_t;
+-	')
+-
+-	read_chr_files_pattern($1, device_t, printk_device_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Get the attributes of the QEMU
+ ##	microcode and id interfaces.
+ ## </summary>
+@@ -3440,6 +3576,24 @@
  
  ########################################
  ## <summary>
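Review bot: This inner hunk makes the patch delete the `dev_read_printk` interface from devices.if, yet neither the commit message nor the %changelog entry mentions it; the same is true of the `telepathy_butterfly_rw_tmp_files` removal earlier in the patch. Any module that still calls either interface will fail to build, so it is worth confirming that no callers remain and stating the reason for the removal (presumably a duplicate or unused definition) in the changelog. The following `@@` offsets were adjusted to match, which looks consistent, but those hunks continue outside what is shown here.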
@@ -9467,7 +9510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3733,6 +3905,42 @@
+@@ -3733,6 +3887,42 @@
  
  ########################################
  ## <summary>
@@ -9510,7 +9553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3905,6 +4113,24 @@
+@@ -3905,6 +4095,24 @@
  
  ########################################
  ## <summary>
@@ -18270,6 +18313,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.7.19/policy/modules/services/clamav.if
+--- nsaserefpolicy/policy/modules/services/clamav.if	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.if	2010-10-18 15:38:09.251650866 +0200
+@@ -49,12 +49,12 @@
+ #
+ interface(`clamav_append_log',`
+ 	gen_require(`
+-		type clamav_log_t;
++		type clamav_var_log_t;
+ 	')
+ 
+ 	logging_search_logs($1)
+-	allow $1 clamav_log_t:dir list_dir_perms;
+-	append_files_pattern($1, clamav_log_t, clamav_log_t)
++	allow $1 clamav_var_log_t:dir list_dir_perms;
++	append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/clamav.te	2010-10-01 15:28:43.904599247 +0200
@@ -21149,8 +21211,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.19/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dhcp.te	2010-06-16 21:55:51.478859909 +0200
-@@ -112,6 +112,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/dhcp.te	2010-10-18 16:03:31.352650791 +0200
+@@ -74,6 +74,8 @@
+ corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+ corenet_sendrecv_pxe_server_packets(dhcpd_t)
+ corenet_sendrecv_all_client_packets(dhcpd_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
++corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+ 
+ dev_read_sysfs(dhcpd_t)
+ dev_read_rand(dhcpd_t)
+@@ -112,6 +114,10 @@
  ')
  
  optional_policy(`
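Review bot: `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` lets dhcpd bind any unreserved UDP port, and the paired `corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)` silences denials for reserved ones, so unexpected bind attempts by dhcpd on low ports would leave no AVC record. Neither the commit message nor the %changelog entry mentions dhcpd, so the reason for the grant is not recorded anywhere. A comment above the two lines, e.g. `# dhcpd binds a random UDP source port for <feature> (placeholder)`, would let a later reviewer judge whether a narrower port type would do. The clamav.if and psad.if changes carried in this commit are similarly missing from the changelog.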
@@ -30079,7 +30150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.7.19/policy/modules/services/psad.if
 --- nsaserefpolicy/policy/modules/services/psad.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/psad.if	2010-06-25 15:09:49.810137902 +0200
++++ serefpolicy-3.7.19/policy/modules/services/psad.if	2010-10-18 15:26:34.337901390 +0200
 @@ -174,6 +174,26 @@
  	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
  ')
@@ -30107,6 +30178,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
  ########################################
  ## <summary>
  ##	Read and write psad fifo files.
+@@ -186,7 +206,7 @@
+ #
+ interface(`psad_rw_fifo_file',`
+ 	gen_require(`
+-		type psad_t;
++		type psad_t, psad_var_lib_t;
+ 	')
+ 
+ 	files_search_var_lib($1)
 @@ -232,9 +252,9 @@
  #
  interface(`psad_admin',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7ab531e..f70331c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 66%{?dist}
+Release: 67%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Oct 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-67
+- Fixes for sandbox policy
+- Allow chromium-browser to read gnome homedir content
+
 * Wed Oct 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-66
 - Allow system_mail_t to append ~/dead.letter
 - Allow mount to communicate with gfs_controld

