[selinux-policy/f20] * Thu Jun 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-168 - Google chrome has a new directory i
Lukas Vrabec
lvrabec at fedoraproject.org
Thu Jun 12 14:21:24 UTC 2014
commit 39becdf18da24d7d2665ce4837d0a1dfd67686bd
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Thu Jun 12 16:20:53 2014 +0200
* Thu Jun 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-168
- Google chrome has a new directory in homedir
- Allow nova domains to read passwd/utmp files
- Added policy for geoclue
permissivedomains.pp | Bin 105569 -> 107399 bytes
permissivedomains.te | 7 ++
policy-f20-contrib.patch | 254 ++++++++++++++++++++++++++++++++++++++++++++--
selinux-policy.spec | 7 +-
4 files changed, 260 insertions(+), 8 deletions(-)
---
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 532ac37..3f674fe 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 0952837..a7286b7 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -192,3 +192,10 @@ optional_policy(`
')
permissive gear_t;
')
+
+optional_policy(`
+ gen_require(`
+ type geoclue_t;
+ ')
+ permissive geoclue_t;
+')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index f6fedab..a02ab88 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -11360,10 +11360,10 @@ index fdee107..a4c2efb 100644
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
-index 0000000..57866f6
+index 0000000..d020d89
--- /dev/null
+++ b/chrome.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,10 @@
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
@@ -11372,6 +11372,7 @@ index 0000000..57866f6
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
++HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
@@ -11518,10 +11519,10 @@ index 0000000..23407b8
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..fb60ffc
+index 0000000..b4f29e9
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,249 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -11656,7 +11657,8 @@ index 0000000..fb60ffc
+ gnome_read_home_config(chrome_sandbox_t)
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
-+
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
+')
+
+optional_policy(`
@@ -28357,6 +28359,240 @@ index 0000000..cb68ca9
+ openshift_manage_lib_files(gear_t)
+ openshift_relabelfrom_lib(gear_t)
+')
+diff --git a/geoclue.fc b/geoclue.fc
+new file mode 100644
+index 0000000..a97f14f
+--- /dev/null
++++ b/geoclue.fc
+@@ -0,0 +1,4 @@
++
++/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
++
++/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
+diff --git a/geoclue.if b/geoclue.if
+new file mode 100644
+index 0000000..9e17d3e
+--- /dev/null
++++ b/geoclue.if
+@@ -0,0 +1,158 @@
++
++## <summary>Geoclue is a D-Bus service that provides location information</summary>
++
++########################################
++## <summary>
++## Execute geoclue in the geoclue domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`geoclue_domtrans',`
++ gen_require(`
++ type geoclue_t, geoclue_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, geoclue_exec_t, geoclue_t)
++')
++
++########################################
++## <summary>
++## Search geoclue lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`geoclue_search_lib',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ allow $1 geoclue_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read geoclue lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`geoclue_read_lib_files',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage geoclue lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`geoclue_manage_lib_files',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage geoclue lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`geoclue_manage_lib_dirs',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## geoclue over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`geoclue_dbus_chat',`
++ gen_require(`
++ type geoclue_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 geoclue_t:dbus send_msg;
++ allow geoclue_t $1:dbus send_msg;
++ ps_process_pattern(geoclue_t, $1)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an geoclue environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`geoclue_admin',`
++ gen_require(`
++ type geoclue_t;
++ type geoclue_var_lib_t;
++ ')
++
++ allow $1 geoclue_t:process { signal_perms };
++ ps_process_pattern($1, geoclue_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 geoclue_t:process ptrace;
++ ')
++
++ files_search_var_lib($1)
++ admin_pattern($1, geoclue_var_lib_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/geoclue.te b/geoclue.te
+new file mode 100644
+index 0000000..d809c15
+--- /dev/null
++++ b/geoclue.te
+@@ -0,0 +1,54 @@
++policy_module(geoclue, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type geoclue_t;
++type geoclue_exec_t;
++application_domain(geoclue_t, geoclue_exec_t)
++role system_r types geoclue_t;
++
++type geoclue_var_lib_t;
++files_type(geoclue_var_lib_t)
++
++type geoclue_tmp_t;
++files_tmp_file(geoclue_tmp_t)
++
++########################################
++#
++# geoclue local policy
++#
++allow geoclue_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
++
++manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
++manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
++files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
++
++kernel_read_network_state(geoclue_t)
++
++auth_read_passwd(geoclue_t)
++
++corenet_tcp_connect_http_port(geoclue_t)
++
++corecmd_exec_bin(geoclue_t)
++
++dev_read_urand(geoclue_t)
++
++miscfiles_read_generic_certs(geoclue_t)
++
++sysnet_dns_name_resolve(geoclue_t)
++
++optional_policy(`
++ dbus_system_domain(geoclue_t, geoclue_exec_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(geoclue_t)
++ ')
++')
diff --git a/gift.te b/gift.te
index 395238e..af76abb 100644
--- a/gift.te
@@ -52936,10 +53172,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..e571f9a
+index 0000000..4d6335e
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,328 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -53011,11 +53247,15 @@ index 0000000..e571f9a
+corecmd_exec_shell(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+
++auth_read_passwd(nova_domain)
++
+dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+
+fs_getattr_xattr_fs(nova_domain)
+
++init_read_utmp(nova_domain)
++
+libs_exec_ldconfig(nova_domain)
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8b33711..f199f12 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 167%{?dist}
+Release: 168%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jun 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-168
+- Google chrome has a new directory in homedir
+- Allow nova domains to read passwd/utmp files
+- Added policy for geoclue
+
* Mon Jun 09 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-167
- Allow keystone to connect to additional ports to make OpenStack working
- Allow thumb_t to connect to the xserver port when you are runnin it via an ssh tunnel
More information about the scm-commits
mailing list