From 43c7f5f787f4d4835182aa74f96fcb77ca9f147a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Feb 10 2010 22:26:52 +0000
Subject: - Make Chrome work with staff user
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 6f7e206..ba9488d 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -35304,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)? <>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 15:44:32.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 17:23:48.000000000 -0500
 @@ -30,8 +30,9 @@
 ')
@@ -36727,12 +36727,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2196,6 +2402,25 @@
+@@ -2080,6 +2286,25 @@
 ########################################
 ##
-+## Do not audit attempts to write users
-+## temporary files.
++## Do not audit attempts to search user
++## temporary directories.
 +##
 +##
 +##
@@ -36740,92 +36740,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_write_user_tmp_files',` ++interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:file write; ++ dontaudit $1 user_tmp_t:dir search_dir_perms; +') + +######################################## +## - ## Do not audit attempts to manage users - ## temporary files. + ## Do not audit attempts to list user + ## temporary directories. ## -@@ -2276,7 +2501,7 @@ - ######################################## - ## - ## Create, read, write, and delete user --## temporary symbolic links. -+## temporary chr files. - ## - ## - ## -@@ -2284,19 +2509,19 @@ - ## - ## - # --interface(`userdom_manage_user_tmp_symlinks',` -+interface(`userdom_manage_user_tmp_chr_files',` - gen_require(` - type user_tmp_t; - ') - -- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') +@@ -2196,7 +2421,7 @@ ######################################## ## - ## Create, read, write, and delete user --## temporary named pipes. -+## temporary blk files. +-## Do not audit attempts to manage users ++## Do not audit attempts to write users + ## temporary files. ## ## - ## -@@ -2304,19 +2529,19 @@ +@@ -2205,25 +2430,44 @@ ## ## # --interface(`userdom_manage_user_tmp_pipes',` -+interface(`userdom_manage_user_tmp_blk_files',` +-interface(`userdom_dontaudit_manage_user_tmp_files',` ++interface(`userdom_dontaudit_write_user_tmp_files',` gen_require(` type user_tmp_t; ') -- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) +- dontaudit $1 user_tmp_t:file manage_file_perms; ++ dontaudit $1 user_tmp_t:file write; ') ######################################## ## - ## Create, read, write, and delete user --## temporary named sockets. 
-+## temporary symbolic links. +-## Read user temporary symbolic links. ++## Do not audit attempts to manage users ++## temporary files. ## ## ## -@@ -2324,7 +2549,47 @@ +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`userdom_manage_user_tmp_sockets',` -+interface(`userdom_manage_user_tmp_symlinks',` +-interface(`userdom_read_user_tmp_symlinks',` ++interface(`userdom_dontaudit_manage_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) ++ dontaudit $1 user_tmp_t:file manage_file_perms; +') + +######################################## +## -+## Create, read, write, and delete user -+## temporary named pipes. ++## Read user temporary symbolic links. +## +## +## @@ -36833,19 +36808,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_manage_user_tmp_pipes',` ++interface(`userdom_read_user_tmp_symlinks',` + gen_require(` + type user_tmp_t; + ') +@@ -2276,6 +2520,46 @@ + ######################################## + ## + ## Create, read, write, and delete user ++## temporary chr files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_chr_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) ++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user -+## temporary named sockets. ++## temporary blk files. +## +## +## 
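Review bot: The re-added `userdom_manage_user_tmp_chr_files` interface grants `manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)`, which includes creating and unlinking `chr_file` objects, so a caller that also holds the mknod capability can create device nodes inside user temporary directories; the same holds for `userdom_manage_user_tmp_blk_files` in the next hunk (`@@ -36853,11 +36844,22 @@`). The summary block says only "Create, read, write, and delete user temporary chr files", which does not convey that exposure to whoever later picks an interface for an application domain. Consider adding to each summary a line such as `##	Lets the caller create device nodes under user tmp; restrict to domains that need it.` Both interfaces appear to be relocated from earlier in policy-F13.patch rather than newly introduced, so the wording gap predates this commit.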
@@ -36853,11 +36844,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_manage_user_tmp_sockets',` - gen_require(` - type user_tmp_t; - ') -@@ -2391,7 +2656,7 @@ ++interface(`userdom_manage_user_tmp_blk_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary symbolic links. + ## + ## +@@ -2391,7 +2675,7 @@ ######################################## ## @@ -36866,7 +36868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2399,19 +2664,21 @@ +@@ -2399,19 +2683,21 @@ ## ## # @@ -36892,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2419,15 +2686,14 @@ +@@ -2419,15 +2705,14 @@ ## ## # @@ -36912,7 +36914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2749,7 +3015,7 @@ +@@ -2749,7 +3034,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -36921,7 +36923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3031,33 @@ +@@ -2765,11 +3050,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -36957,7 +36959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2884,6 +3172,25 @@ +@@ -2884,6 +3191,25 @@ ######################################## ## @@ -36983,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all users files in /tmp ## ## -@@ -2897,7 +3204,43 @@ +@@ -2897,7 +3223,43 @@ type user_tmp_t; ') 
@@ -37028,7 +37030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2934,6 +3277,7 @@
+@@ -2934,6 +3296,7 @@
 ')
 read_files_pattern($1, userdomain, userdomain)
@@ -37036,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_search_proc($1)
 ')
-@@ -3064,3 +3408,674 @@
+@@ -3064,3 +3427,674 @@
 allow $1 userdomain:dbus send_msg;
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3e480c6..075329c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.8
-Release: 8%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ exit 0
 %endif
 %changelog
+* Tue Feb 9 2010 Dan Walsh 3.7.8-9
+- Make Chrome work with staff user
+
 * Thu Feb 4 2010 Dan Walsh 3.7.8-8
 - Add icecast policy
 - Cleanup spec file