[selinux-policy/f16] - Check in fixed for Chrome nacl support

Miroslav Grepl mgrepl at fedoraproject.org
Thu Oct 27 18:17:47 UTC 2011


commit ac98bc6e15c65e8f99cef6c888f5bacda84e66d2
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Oct 27 20:17:35 2011 +0200

    - Check in fixes for Chrome nacl support

 policy-F16.patch    |   35 ++++++++++++++++++++++++++++-------
 selinux-policy.spec |    5 ++++-
 2 files changed, 32 insertions(+), 8 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 5356641..9083cd5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4801,10 +4801,10 @@ index 0000000..7cbe3a7
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..26aba30
+index 0000000..0eb3c23
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,173 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -4883,6 +4883,7 @@ index 0000000..26aba30
 +fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
 +
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_t)
 +
 +userdom_use_user_ptys(chrome_sandbox_t)
 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
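Review bot: The added `userdom_execute_user_tmpfs_files(chrome_sandbox_t)` sits directly under `userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)`, so chrome_sandbox_t can now both write and execute the same user_tmpfs_t files, which is a writable-plus-executable path through file-backed shared memory for the whole sandbox domain rather than only the nacl domain (which already gets the same rule later in this file). That is presumably what NaCl's code loading needs, but the reason should be recorded next to the rule so the W+X allowance is not later mistaken for a leftover, e.g. `# NaCl loads code from shared tmpfs segments; together with the rw rule above this permits W+X mappings of user_tmpfs_t`. If only the nacl helper needs to execute those segments, consider keeping this rule in the chrome_sandbox_nacl_t section instead. The chrome_sandbox_t policy section continues outside this hunk.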
@@ -4948,7 +4949,7 @@ index 0000000..26aba30
 +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-+allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
 +
 +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
 +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
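Review bot: The rule grows to `{ create_socket_perms sendto }` but adds no `recvfrom`, so a self unix_dgram_socket that is sent to can presumably not be read from under this rule alone, and the next AVC denial is likely to be the receive side of the same socket pair. If the change was driven by a single denial, check whether the matching `recvfrom` was simply not exercised yet, and if it is needed make the pair explicit: `allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto recvfrom };`. The surrounding chrome_sandbox_nacl_t self rules continue outside this hunk.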
@@ -4976,6 +4977,7 @@ index 0000000..26aba30
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
 index 37475dd..7db4a01 100644
 --- a/policy/modules/apps/cpufreqselector.te
@@ -68497,7 +68499,7 @@ index ddbd8be..ac8e814 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..5447ff6 100644
+index 560dc48..4986f1b 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
@@ -68788,7 +68790,7 @@ index 560dc48..5447ff6 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +303,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +303,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -68838,6 +68840,7 @@ index 560dc48..5447ff6 100644
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/chrome/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/nspluginwrapper/np.*\.so	-- gen_context(system_u:object_r:lib_t,s0)
 +
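Review bot: The new `/opt/google/chrome/.*\.so.*` entry is already matched by the `/opt/google/.*\.so.*` line directly above it and assigns the same textrel_shlib_t type, so as written it changes nothing and only adds a second pattern to maintain. If the intent is to label Chrome's libraries as textrel_shlib_t the line can be dropped; if the intent was instead to narrow the broad `/opt/google/.*` match (textrel_shlib_t permits execmod, which is a deliberate weakening), the specific entry needs a different type, e.g. `lib_t`, to have any effect.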
@@ -75059,7 +75062,7 @@ index db75976..494ec08 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..c595fd2 100644
+index 4b2878a..af43357 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -77442,7 +77445,7 @@ index 4b2878a..c595fd2 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3922,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3922,1094 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -78301,6 +78304,24 @@ index 4b2878a..c595fd2 100644
 +
 +########################################
 +## <summary>
++##	Read all inherited users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_read_inherited_user_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Write all inherited users files in /tmp
 +## </summary>
 +## <param name="domain">
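Review bot: The new `userdom_read_inherited_user_tmp_files` interface is documented as "Read all inherited users files in /tmp", which reads awkwardly and omits the point that matters for a policy reviewer: `read_inherited_file_perms` (if it is the usual `{ getattr read ioctl lock }` set) grants no `open`, so the caller can only read user_tmp_t descriptors it was handed, not open files in /tmp itself. Suggest the summary `##	Read inherited (already-open) user temporary files; does not grant open on user_tmp_t.` so the interface is not mistaken for a general read grant.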
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ecbc3d7..ef7ca17 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-52
+- Check in fixed for Chrome nacl support
+
 * Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-51
 -  Begin removing qemu_t domain, we really no longer need this domain.  
 - systemd_passwd needs dac_overide to communicate with users TTY's

