[selinux-policy/f15] - Backport chrome fixes - Backport cloudform policy

Miroslav Grepl mgrepl at fedoraproject.org
Wed Oct 26 11:54:01 UTC 2011


commit 79e32edc39d34523ae01c3f22a867b22113c14a3
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Oct 26 13:53:42 2011 +0200

    - Backport chrome fixes
    - Backport cloudform policy

 modules-targeted.conf |    7 +
 policy-F15.patch      |  444 +++++++++++++++++++++++++++++++++++++++++++++----
 selinux-policy.spec   |    6 +-
 3 files changed, 424 insertions(+), 33 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index aceefbb..e08d153 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2375,3 +2375,10 @@ l2tpd = module
 # policy for collectd
 #
 collectd = module
+
+# Layer: services
+# Module: cloudform
+#
+# policy for cloudform
+#
+cloudform = module
diff --git a/policy-F15.patch b/policy-F15.patch
index 2190813..f3736aa 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2970,19 +2970,23 @@ index 1403835..2e9a72c 100644
  
 diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
 new file mode 100644
-index 0000000..432fb25
+index 0000000..6073016
 --- /dev/null
 +++ b/policy/modules/apps/chrome.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,7 @@
 + /opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
 +/usr/lib(64)?/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..e921f24
+index 0000000..3de35ef
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,111 @@
 +
 +## <summary>policy for chrome</summary>
 +
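Review bot: The added `/usr/lib/chromium-browser/chrome-sandbox` entry is already matched by the existing `/usr/lib(64)?/chromium-browser/chrome-sandbox` line directly above it, so it is redundant, while the new `/usr/lib/chromium-browser/nacl_helper_bootstrap` entry lacks the `(64)?` alternative the sandbox entry has, so a 64-bit install of the same package would leave the NaCl bootstrap unlabeled and the domtrans in chrome.te would never fire. Suggest dropping the duplicate and writing `/usr/lib(64)?/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)`. The context line ` /opt/google/chrome/chrome-sandbox` carries a space before the path; that may be an artifact of the mail rendering, but if it is in the file the regex will not match the real path, which is worth checking while the file is open.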
@@ -3029,10 +3033,12 @@ index 0000000..e921f24
 +interface(`chrome_run_sandbox',`
 +	gen_require(`
 +		type chrome_sandbox_t;
++		type chrome_sandbox_nacl_t;
 +	')
 +
 +	chrome_domtrans_sandbox($1)
 +	role $2 types chrome_sandbox_t;
++	role $2 types chrome_sandbox_nacl_t;
 +')
 +
 +########################################
@@ -3052,11 +3058,13 @@ index 0000000..e921f24
 +#
 +interface(`chrome_role',`
 +	gen_require(`
-+              type chrome_sandbox_t;
-+              type chrome_sandbox_tmpfs_t;
++		type chrome_sandbox_t;
++		type chrome_sandbox_tmpfs_t;
++		type chrome_sandbox_nacl_t;
 +	')
 +
 +	role $1 types chrome_sandbox_t;
++	role $1 types chrome_sandbox_nacl_t;
 +
 +	chrome_domtrans_sandbox($2)
 +
@@ -3092,10 +3100,10 @@ index 0000000..e921f24
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..701cd5d
+index 0000000..c010edb
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,173 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3115,6 +3123,13 @@ index 0000000..701cd5d
 +files_tmpfs_file(chrome_sandbox_tmpfs_t)
 +ubac_constrained(chrome_sandbox_tmpfs_t)
 +
++type chrome_sandbox_nacl_t;
++type chrome_sandbox_nacl_exec_t;
++application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
++role system_r types chrome_sandbox_nacl_t;
++
++permissive chrome_sandbox_nacl_t;
++
 +########################################
 +#
 +# chrome_sandbox local policy
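Review bot: `permissive chrome_sandbox_nacl_t;` ships the new domain in permissive mode with no comment saying why or when it is expected to be switched to enforcing; the cloudform hunk later in this patch does the same for deltacloudd_t, iwhd_t, mongod_t and thin_t. A permissive domain only logs, so none of the allow rules written for it are actually exercised as restrictions, and such lines tend to become permanent unless tracked. A `# TODO: drop once <TRACKING-BUG placeholder> confirms the rule set is complete` comment on each permissive line would make the intent explicit.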
@@ -3127,6 +3142,7 @@ index 0000000..701cd5d
 +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow chrome_sandbox_t self:shm create_shm_perms;
 +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
++dontaudit chrome_sandbox_t self:memprotect mmap_zero;
 +
 +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
 +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
@@ -3168,7 +3184,7 @@ index 0000000..701cd5d
 +
 +fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
 +
-+userdom_rw_user_tmpfs_files(chrome_sandbox_t)
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
 +userdom_use_user_ptys(chrome_sandbox_t)
 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
 +userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
@@ -3222,6 +3238,45 @@ index 0000000..701cd5d
 +optional_policy(`
 +	sandbox_use_ptys(chrome_sandbox_t)
 +')
++
++
++########################################
++#
++# chrome_sandbox_nacl local policy
++#
++
++allow chrome_sandbox_nacl_t self:process execmem;
++allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_nacl_t self:shm create_shm_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms;
++
++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
++
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
++
++domain_use_interactive_fds(chrome_sandbox_nacl_t)
++
++dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
++
++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++
++kernel_read_system_state(chrome_sandbox_nacl_t)
++
++dev_read_urand(chrome_sandbox_nacl_t)
++
++files_read_etc_files(chrome_sandbox_nacl_t)
++
++miscfiles_read_localization(chrome_sandbox_nacl_t)
++
++corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
++
++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
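Review bot: `corecmd_sbin_entry_type(chrome_sandbox_nacl_t)` at the end of the new block, as I read that interface, makes every sbin_t binary a valid entry point for chrome_sandbox_nacl_t, while chrome.fc labels the two nacl_helper_bootstrap paths as chrome_sandbox_nacl_exec_t and the `domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)` line already provides the entry type; if the sbin entry is needed for a specific unlabeled binary, a comment naming it would help, otherwise it looks removable. The domain also combines `self:process execmem` with `userdom_execute_user_tmpfs_files`, i.e. it may execute content in user-writable tmpfs from an executable-memory domain; that is presumably what the NaCl loader requires, but nothing on the page says so, and a `# nacl_helper_bootstrap executes code staged in user tmpfs — confirm against the loader` comment above the execmem rule would document the deliberate relaxation. The `allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;` rule likewise deserves a one-line why-comment.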
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
 index e51e7f5..8e0405f 100644
 --- a/policy/modules/apps/cpufreqselector.te
@@ -9037,7 +9092,7 @@ index 1f2cde4..b73334e 100644
  /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..90537ed 100644
+index 320df26..0771c17 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
 @@ -50,7 +50,7 @@ template(`screen_role_template',`
@@ -9087,13 +9142,14 @@ index 320df26..90537ed 100644
  	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
  
  	kernel_read_system_state($1_screen_t)
-@@ -112,7 +118,9 @@ template(`screen_role_template',`
+@@ -112,7 +118,10 @@ template(`screen_role_template',`
  	# for SSP
  	dev_read_urand($1_screen_t)
  
 +	domain_sigchld_interactive_fds($1_screen_t)
  	domain_use_interactive_fds($1_screen_t)
 +	domain_read_all_domains_state($1_screen_t)
++	domain_dontaudit_read_all_domains_state($1_screen_t)
  
  	files_search_tmp($1_screen_t)
  	files_search_home($1_screen_t)
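Review bot: `domain_dontaudit_read_all_domains_state($1_screen_t)` is added directly after `domain_read_all_domains_state($1_screen_t)`; if the two interfaces cover the same permissions the dontaudit is a no-op, because an allowed access is never denied, and if it is here to silence a check the allow does not grant (a ptrace check on /proc state, for instance) a comment such as `# silence the extra state checks that read_all_domains_state does not grant` would tell the next reader why both lines are present. The enclosing template continues outside the hunk.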
@@ -11482,7 +11538,7 @@ index 5a07a43..096bc60 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..f5b78de 100644
+index 0757523..794a39b 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11689,7 +11745,7 @@ index 0757523..f5b78de 100644
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -205,20 +252,22 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,20 +252,23 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -11700,6 +11756,7 @@ index 0757523..f5b78de 100644
 -network_port(vnc, tcp,5900,s0)
 +network_port(vnc, tcp,5900-5999,s0)
  network_port(wccp, udp,2048,s0)
++network_port(websm, tcp,9090,s0, udp,9090,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
@@ -11715,7 +11772,7 @@ index 0757523..f5b78de 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -272,9 +321,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -272,9 +322,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -17988,7 +18045,7 @@ index 1bd5812..b3631d6 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..7382308 100644
+index 0b827c5..ab5db6f 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
 @@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -18057,7 +18114,15 @@ index 0b827c5..7382308 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',`
+@@ -175,6 +216,7 @@ interface(`abrt_cache_manage',`
+ 	')
+ 
+ 	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ ')
+ 
+ ####################################
+@@ -253,6 +295,24 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -18082,7 +18147,7 @@ index 0b827c5..7382308 100644
  #####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -286,18 +345,98 @@ interface(`abrt_admin',`
+@@ -286,18 +346,98 @@ interface(`abrt_admin',`
  	role_transition $2 abrt_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -23216,6 +23281,269 @@ index 6077339..d10acd2 100644
  
  dev_read_lvm_control(clogd_t)
  dev_manage_generic_blk_files(clogd_t)
+diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
+new file mode 100644
+index 0000000..2c745ea
+--- /dev/null
++++ b/policy/modules/services/cloudform.fc
+@@ -0,0 +1,16 @@
++/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++
++/usr/bin/deltacloudd		--	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
++/usr/bin/mongod		--	gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
++
++/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
++/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
++/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
++
++/var/lib/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_lib_t,s0)
++/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
++/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
++
+diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
+new file mode 100644
+index 0000000..917f8d4
+--- /dev/null
++++ b/policy/modules/services/cloudform.if
+@@ -0,0 +1,23 @@
++## <summary>cloudform policy</summary>
++
++#######################################
++## <summary>
++##  Creates types and rules for a basic
++##  cloudform daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`cloudform_domain_template',`
++    gen_require(`
++        attribute cloudform_domain;
++    ')
++
++    type $1_t, cloudform_domain;
++    type $1_exec_t;
++    init_daemon_domain($1_t, $1_exec_t)
++
++')
+diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
+new file mode 100644
+index 0000000..4072045
+--- /dev/null
++++ b/policy/modules/services/cloudform.te
+@@ -0,0 +1,206 @@
++policy_module(cloudform, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute cloudform_domain;
++
++cloudform_domain_template(deltacloudd)
++cloudform_domain_template(iwhd)
++cloudform_domain_template(mongod)
++cloudform_domain_template(thin)
++
++permissive deltacloudd_t;
++permissive iwhd_t;
++permissive mongod_t;
++permissive thin_t;
++
++type deltacloudd_tmp_t;
++files_tmp_file(deltacloudd_tmp_t)
++
++type iwhd_initrc_exec_t;
++init_script_file(iwhd_initrc_exec_t)
++
++type iwhd_var_lib_t;
++files_type(iwhd_var_lib_t)
++
++type iwhd_var_run_t;
++files_pid_file(iwhd_var_run_t)
++
++type mongod_initrc_exec_t;
++init_script_file(mongod_initrc_exec_t)
++
++type mongod_log_t;
++logging_log_file(mongod_log_t)
++
++type mongod_var_lib_t;
++files_type(mongod_var_lib_t)
++
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
++type mongod_var_run_t;
++files_pid_file(mongod_var_run_t)
++
++type thin_var_run_t;
++files_pid_file(thin_var_run_t)
++
++type iwhd_log_t;
++logging_log_file(iwhd_log_t)
++
++########################################
++#
++# cloudform_domain local policy
++#
++
++allow cloudform_domain self:fifo_file rw_fifo_file_perms;
++allow cloudform_domain self:tcp_socket create_stream_socket_perms;
++
++dev_read_urand(cloudform_domain)
++
++files_read_etc_files(cloudform_domain)
++
++miscfiles_read_certs(cloudform_domain)
++miscfiles_read_localization(cloudform_domain)
++
++########################################
++#
++# deltacloudd local policy
++#
++
++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
++allow deltacloudd_t self:udp_socket create_socket_perms;
++
++allow deltacloudd_t self:process signal;
++
++allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
++allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
++
++corecmd_exec_bin(deltacloudd_t)
++
++corenet_tcp_bind_generic_node(deltacloudd_t)
++corenet_tcp_bind_generic_port(deltacloudd_t)
++
++files_read_usr_files(deltacloudd_t)
++
++logging_send_syslog_msg(deltacloudd_t)
++
++optional_policy(`
++	sysnet_read_config(deltacloudd_t)
++')
++
++########################################
++#
++# iwhd local policy
++#
++
++allow iwhd_t self:capability { chown kill };
++allow iwhd_t self:process { fork };
++
++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
++allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++
++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
++logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
++
++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
++
++kernel_read_system_state(iwhd_t)
++
++corenet_tcp_bind_generic_node(iwhd_t)
++corenet_tcp_bind_websm_port(iwhd_t)
++corenet_tcp_connect_all_ports(iwhd_t)
++
++dev_read_rand(iwhd_t)
++dev_read_urand(iwhd_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++    fs_list_auto_mountpoints(iwhd_t)
++    fs_manage_nfs_dirs(iwhd_t)
++    fs_manage_nfs_files(iwhd_t)
++    fs_manage_nfs_symlinks(iwhd_t)
++')
++
++########################################
++#
++# mongod local policy
++#
++
++#WHY?
++allow mongod_t self:process execmem;
++
++allow mongod_t self:process setsched;
++
++allow mongod_t self:process { fork signal };
++
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++
++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++
++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
++
++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++
++corenet_tcp_bind_generic_node(mongod_t)
++#temporary
++corenet_tcp_bind_generic_port(mongod_t)
++
++domain_use_interactive_fds(mongod_t)
++
++optional_policy(`
++	sysnet_dns_name_resolve(mongod_t)
++')
++
++########################################
++#
++# thin local policy
++#
++
++allow thin_t self:capability { setuid kill setgid dac_override };
++
++allow thin_t self:netlink_route_socket r_netlink_socket_perms;
++allow thin_t self:udp_socket create_socket_perms;
++allow thin_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++files_pid_filetrans(thin_t, thin_var_run_t, { file })
++
++corecmd_exec_bin(thin_t)
++
++corenet_tcp_bind_generic_node(thin_t)
++corenet_tcp_bind_ntop_port(thin_t)
++corenet_tcp_connect_postgresql_port(thin_t)
++corenet_tcp_connect_all_ports(iwhd_t)
++
++files_read_usr_files(thin_t)
++
++fs_search_auto_mountpoints(thin_t)
++
++init_read_utmp(thin_t)
++
++kernel_read_kernel_sysctls(thin_t)
++
++optional_policy(`
++	sysnet_read_config(thin_t)
++')
++
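Review bot: `corenet_tcp_connect_all_ports(iwhd_t)` appears inside the thin local policy section, between `corenet_tcp_connect_postgresql_port(thin_t)` and `files_read_usr_files(thin_t)`, while iwhd_t already has the identical line in its own section, so this looks like a copy-paste that either meant `thin_t` or should be dropped; either way connect-to-all-ports is the broadest network rule in the module and deserves a comment on why a named port is not enough. The `#WHY?` above `allow mongod_t self:process execmem;` and `#temporary` above `corenet_tcp_bind_generic_port(mongod_t)` are open questions being shipped into the policy; replace them with the actual reason or a `# TODO(<TRACKING-BUG placeholder>)` reference before the backport lands. `allow thin_t self:capability { setuid kill setgid dac_override };` also has no comment on which of these thin actually exercises; dac_override in particular is usually a symptom of mislabeled files rather than a requirement, so it is worth confirming with an audit run. The cloudform.fc entries mix spaces and tabs between the path, `--` and context columns (compare the iwhd and mongod lines), which is harmless to the build but worth normalizing to tabs like the rest of the tree.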
 diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
 new file mode 100644
 index 0000000..e500fa5
@@ -47023,7 +47351,7 @@ index d4349e9..4d112ba 100644
 +	postfix_rw_master_pipes(uux_t)
 +')
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index f9310f3..064171e 100644
+index f9310f3..7a350f1 100644
 --- a/policy/modules/services/varnishd.te
 +++ b/policy/modules/services/varnishd.te
 @@ -6,10 +6,10 @@ policy_module(varnishd, 1.2.0)
@@ -47050,6 +47378,15 @@ index f9310f3..064171e 100644
  
  type varnishd_tmp_t;
  files_tmp_file(varnishd_tmp_t)
+@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+ files_pid_file(varnishlog_var_run_t)
+ 
+ type varnishlog_log_t;
+-files_type(varnishlog_log_t)
++logging_log_file(varnishlog_log_t)
+ 
+ ########################################
+ #
 diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
 new file mode 100644
 index 0000000..71d9784
@@ -60438,7 +60775,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..36b1c3d 100644
+index 28b88de..a83c68a 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -62059,7 +62396,50 @@ index 28b88de..36b1c3d 100644
  ')
  
  ########################################
-@@ -2435,13 +2877,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2224,6 +2666,42 @@ interface(`userdom_rw_user_tmp_files',`
+ 	files_search_tmp($1)
+ ')
+ 
++######################################
++## <summary>
++##     Read/Write inherited user tmpfs files.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`userdom_rw_inherited_user_tmpfs_files',`
++       gen_require(`
++               type user_tmpfs_t;
++       ')
++
++       allow $1 user_tmpfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##     Execute user tmpfs files.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`userdom_execute_user_tmpfs_files',`
++       gen_require(`
++               type user_tmpfs_t;
++       ')
++
++       allow $1 user_tmpfs_t:file execute;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to manage users
+@@ -2435,13 +2913,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
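Review bot: The two new interfaces are indented with spaces (7 and 15) while the surrounding interfaces in userdomain.if use tabs (compare `	files_search_tmp($1)` at the top of the hunk), and their `## <summary>` text is space-padded where the rest of the file uses a tab after `##`; reindent to match the file. `userdom_execute_user_tmpfs_files` grants `execute` on user_tmpfs_t files, which the user domains themselves can write, so the summary should say more than "Execute user tmpfs files" — e.g. `## Execute user tmpfs files. user_tmpfs_t is user-writable, so the caller may run code a user staged there; intended for loaders such as the chrome NaCl helper.` The enclosing file continues outside the hunk.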
@@ -62075,7 +62455,7 @@ index 28b88de..36b1c3d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2905,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2941,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -62102,7 +62482,7 @@ index 28b88de..36b1c3d 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2570,6 +2993,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2570,6 +3029,24 @@ interface(`userdom_use_user_ttys',`
  	allow $1 user_tty_device_t:chr_file rw_term_perms;
  ')
  
@@ -62127,7 +62507,7 @@ index 28b88de..36b1c3d 100644
  ########################################
  ## <summary>
  ##	Read and write a user domain pty.
-@@ -2588,6 +3029,24 @@ interface(`userdom_use_user_ptys',`
+@@ -2588,6 +3065,24 @@ interface(`userdom_use_user_ptys',`
  	allow $1 user_devpts_t:chr_file rw_term_perms;
  ')
  
@@ -62152,7 +62532,7 @@ index 28b88de..36b1c3d 100644
  ########################################
  ## <summary>
  ##	Read and write a user TTYs and PTYs.
-@@ -2646,6 +3105,24 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2646,6 +3141,24 @@ interface(`userdom_dontaudit_use_user_terminals',`
  
  ########################################
  ## <summary>
@@ -62177,7 +62557,7 @@ index 28b88de..36b1c3d 100644
  ##	Execute a shell in all user domains.  This
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
-@@ -2713,6 +3190,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3226,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -62202,7 +62582,7 @@ index 28b88de..36b1c3d 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2815,7 +3310,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3346,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -62211,7 +62591,7 @@ index 28b88de..36b1c3d 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3326,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3362,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -62227,7 +62607,7 @@ index 28b88de..36b1c3d 100644
  ')
  
  ########################################
-@@ -2917,7 +3414,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3450,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -62236,7 +62616,7 @@ index 28b88de..36b1c3d 100644
  ')
  
  ########################################
-@@ -2972,7 +3469,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3505,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -62283,7 +62663,7 @@ index 28b88de..36b1c3d 100644
  ')
  
  ########################################
-@@ -3009,6 +3544,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3580,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -62291,7 +62671,7 @@ index 28b88de..36b1c3d 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3623,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3659,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -62316,7 +62696,7 @@ index 28b88de..36b1c3d 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3693,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3729,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 622da55..33e46b6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 44%{?dist}
+Release: 45%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
 %endif
 
 %changelog
+* Wed Oct 26 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-45
+- Backport chrome fixes
+- Backport cloudform policy
+
 * Fri Oct 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-44
 - Fixes for systemd
 - Add FIPS suppport for dirsrv 

