[selinux-policy/f13/master] - Fixes for sandbox policy - Allow chromium-browser to read gnome homedir content
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Oct 18 14:28:27 UTC 2010
commit 4481e3025765e4bdebe0b8ee9a417650c6701177
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Oct 18 16:28:14 2010 +0200
- Fixes for sandbox policy
- Allow chromium-browser to read gnome homedir content
policy-F13.patch | 150 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 6 ++-
2 files changed, 120 insertions(+), 36 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index e040fd7..ec17a8c 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -3097,8 +3097,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-16 16:57:25.804637037 +0200
-@@ -0,0 +1,89 @@
++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-10-18 14:45:28.963650461 +0200
+@@ -0,0 +1,90 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3170,6 +3170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+optional_policy(`
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_list_home_config(chrome_sandbox_t)
++ gnome_read_home_config(chrome_sandbox_t)
+')
+
+optional_policy(`
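Review bot: `gnome_read_home_config(chrome_sandbox_t)` lets the Chromium sandbox domain read every file and symlink labelled `config_home_t`, not just the browser's own settings. The interface added in the gnome.if hunk further down is `read_files_pattern($1, config_home_t, config_home_t)`, so the grant reaches as far as that label does under the user's home directory. If the denial being fixed involves only Chromium's own configuration, a dedicated type and a narrower interface would keep the sandbox away from other applications' per-user configuration. At minimum, a comment above the call naming the access that motivated it, such as `# chrome-sandbox needs to read <path from the AVC> under ~/.config`, would let a later reviewer judge whether the rule is still needed. The enclosing `optional_policy` block starts inside the hunk but the surrounding chrome.te body continues outside it.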
@@ -3570,7 +3571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.19/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-09-23 13:21:33.431386911 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-10-18 14:45:15.884901735 +0200
@@ -74,6 +74,24 @@
########################################
@@ -3596,7 +3597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
## manage gnome homedir content (.config)
## </summary>
## <param name="user_domain">
-@@ -84,10 +102,426 @@
+@@ -84,10 +102,445 @@
#
interface(`gnome_manage_config',`
gen_require(`
@@ -4005,6 +4006,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
++#######################################
++## <summary>
++## read gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
++')
++
+########################################
+## <summary>
+## Send and receive messages from
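Review bot: The summary of `gnome_read_home_config` reads "read gnome homedir content (.config)", which does not tell a caller how narrow the body is. It covers regular files and symlinks of type `config_home_t` only, whereas the rule just above it in this hunk uses the wider `gnome_home_type` attribute. Going by the pattern macros used, directory listing is presumably not included, which would explain why the chrome.te caller keeps `gnome_list_home_config` alongside it. I would make the summary say so, for example `## Read files and symbolic links labelled config_home_t (~/.config); directory listing is not granted.`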
@@ -7270,8 +7290,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-05 16:12:11.355651521 +0200
-@@ -0,0 +1,403 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-18 15:03:16.043900000 +0200
+@@ -0,0 +1,421 @@
+policy_module(sandbox,1.0.0)
+
+dbus_stub()
@@ -7411,6 +7431,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+userdom_dontaudit_use_user_terminals(sandbox_domain)
+
++mta_dontaudit_read_spool_symlinks(sandbox_domain)
++
+########################################
+#
+# sandbox_x_domain local policy
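Review bot: `mta_dontaudit_read_spool_symlinks(sandbox_domain)` is called unconditionally, while the other cross-module calls visible in this file's hunks (the `cups_*`, `hal_dbus_chat` and `nsplugin_read_rw_files` calls) sit inside `optional_policy` blocks. Unless the mta module is guaranteed to be present wherever sandbox is built, the bare call makes sandbox.te depend on it. Wrapping `mta_dontaudit_read_spool_symlinks(sandbox_domain)` in its own `optional_policy` block would match the rest of the file. A short comment saying which sandboxed program touches the mail spool symlink would also help, since a dontaudit rule hides the denial from anyone debugging later.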
@@ -7425,6 +7447,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
++dontaudit sandbox_x_domain self:process signal;
++
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
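Review bot: The added `dontaudit sandbox_x_domain self:process signal;` has the same source, target and class as the `allow` line directly above it, which already lists `signal_perms`. If `signal_perms` includes `signal`, as it does in the reference policy's permission sets, the permission is granted and the dontaudit rule can never match. Either the rule is redundant and can be dropped, or the denial being silenced is for a different target or permission and the rule should name that instead. A one-line comment recording the AVC it is meant to hide would settle which.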
@@ -7476,6 +7500,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+miscfiles_read_fonts(sandbox_x_domain)
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs(sandbox_x_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(sandbox_x_domain)
++')
++
+optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
@@ -7536,6 +7568,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
++allow sandbox_web_t self:process setsched;
++
++optional_policy(`
++ nsplugin_read_rw_files(sandbox_web_t)
++')
++
+########################################
+#
+# sandbox_web_client_t local policy
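Review bot: The two `sandbox_web_t` additions, `allow sandbox_web_t self:process setsched;` and the `nsplugin_read_rw_files(sandbox_web_t)` block, are placed directly after a `sandbox_x_client_t` rule and above the `sandbox_web_client_t local policy` banner. That leaves them in a section named for a different domain, where they are easy to miss when auditing what the web sandbox may do. I would move them below the banner, or give them their own banner if `sandbox_web_t` and `sandbox_web_client_t` are distinct types, which these lines do not show. A comment on the `setsched` rule saying which program needs to change its scheduling policy would also be useful.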
@@ -7890,8 +7928,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+#/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.7.19/policy/modules/apps/telepathy.if
--- nsaserefpolicy/policy/modules/apps/telepathy.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/telepathy.if 2010-07-13 15:32:42.433752902 +0200
-@@ -0,0 +1,204 @@
++++ serefpolicy-3.7.19/policy/modules/apps/telepathy.if 2010-10-18 15:46:49.026650859 +0200
+@@ -0,0 +1,184 @@
+
+## <summary>Telepathy framework.</summary>
+
@@ -8021,26 +8059,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+
+########################################
+## <summary>
-+## Read and write Telepathy Butterfly
-+## temporary files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`telepathy_butterfly_rw_tmp_files', `
-+ gen_require(`
-+ type telepathy_butterfly_tmp_t;
-+ ')
-+
-+ allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
+## Stream connect to Telepathy Gabble
+## </summary>
+## <param name="domain">
@@ -9221,7 +9239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-07-13 08:28:56.068502788 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-10-18 15:39:59.101902148 +0200
@@ -407,7 +407,7 @@
########################################
@@ -9442,7 +9460,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
dontaudit $1 mtrr_device_t:chr_file write;
')
-@@ -3440,6 +3594,24 @@
+@@ -2875,24 +3029,6 @@
+
+ ########################################
+ ## <summary>
+-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dev_read_printk',`
+- gen_require(`
+- type device_t, printk_device_t;
+- ')
+-
+- read_chr_files_pattern($1, device_t, printk_device_t)
+-')
+-
+-########################################
+-## <summary>
+ ## Get the attributes of the QEMU
+ ## microcode and id interfaces.
+ ## </summary>
+@@ -3440,6 +3576,24 @@
########################################
## <summary>
@@ -9467,7 +9510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3733,6 +3905,42 @@
+@@ -3733,6 +3887,42 @@
########################################
## <summary>
@@ -9510,7 +9553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3905,6 +4113,24 @@
+@@ -3905,6 +4095,24 @@
########################################
## <summary>
@@ -18270,6 +18313,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.7.19/policy/modules/services/clamav.if
+--- nsaserefpolicy/policy/modules/services/clamav.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.if 2010-10-18 15:38:09.251650866 +0200
+@@ -49,12 +49,12 @@
+ #
+ interface(`clamav_append_log',`
+ gen_require(`
+- type clamav_log_t;
++ type clamav_var_log_t;
+ ')
+
+ logging_search_logs($1)
+- allow $1 clamav_log_t:dir list_dir_perms;
+- append_files_pattern($1, clamav_log_t, clamav_log_t)
++ allow $1 clamav_var_log_t:dir list_dir_perms;
++ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-10-01 15:28:43.904599247 +0200
@@ -21149,8 +21211,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.19/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-06-16 21:55:51.478859909 +0200
-@@ -112,6 +112,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-10-18 16:03:31.352650791 +0200
+@@ -74,6 +74,8 @@
+ corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+ corenet_sendrecv_pxe_server_packets(dhcpd_t)
+ corenet_sendrecv_all_client_packets(dhcpd_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
++corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+
+ dev_read_sysfs(dhcpd_t)
+ dev_read_rand(dhcpd_t)
+@@ -112,6 +114,10 @@
')
optional_policy(`
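Review bot: `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` allows dhcpd to bind any unreserved UDP port, and neither the hunk nor the commit description, which mentions only sandbox and chromium changes, says why the daemon needs that. The accompanying `corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)` also silences denials that would otherwise show a bind attempt on a reserved port. I would add a comment above the pair stating the behaviour that requires it, for example `# dhcpd binds a random high UDP port (presumably for dynamic DNS updates) - confirm against the AVC`. The changelog entry should mention the change too, so the widened network access is traceable.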
@@ -30079,7 +30150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.7.19/policy/modules/services/psad.if
--- nsaserefpolicy/policy/modules/services/psad.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-06-25 15:09:49.810137902 +0200
++++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-10-18 15:26:34.337901390 +0200
@@ -174,6 +174,26 @@
append_files_pattern($1, psad_var_log_t, psad_var_log_t)
')
@@ -30107,6 +30178,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
########################################
## <summary>
## Read and write psad fifo files.
+@@ -186,7 +206,7 @@
+ #
+ interface(`psad_rw_fifo_file',`
+ gen_require(`
+- type psad_t;
++ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
@@ -232,9 +252,9 @@
#
interface(`psad_admin',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7ab531e..f70331c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 66%{?dist}
+Release: 67%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Mon Oct 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-67
+- Fixes for sandbox policy
+- Allow chromium-browser to read gnome homedir content
+
* Wed Oct 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-66
- Allow system_mail_t to append ~/dead.letter
- Allow mount to communicate with gfs_controld