RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,893 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

5 Commits

Author SHA1 Message Date
Christian Göttsche 57d570f01c chromium/libraries: move lib_t filecontext to defining module 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-05-12 20:09:44 +02:00
Nicolas Iooss 0e045ef5fe
chromium: remove distro-specific ifdef 
Arch Linux installs Chromium in /usr/lib/chromium/ like Debian. Instead
of adding a new ifdef(`distro_arch') block, remove the restriction in
chromium.fc.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-09-08 23:12:04 +02:00
Nicolas Iooss f0cade07b2
Remove unescaped single dot from the policy 
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.

Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-27 23:38:09 +02:00
Russell Coker 1574ac4a5d chromium 
There are several nacl binaries that need labels.

Put an ifdef debian for some chromium paths.

Git policy misses chromium_role() lines, were they in another patch that was
submitted at the same time?

I don't know what this is for but doesn't seem harmful to allow it:
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { associate } for  pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { create } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { add_name } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir

Allow domain_use_interactive_fds() for running via ssh -X.

Allow managing xdg data, cache, and config.

Allow reading public data from apt and dpkg, probably from lsb_release or some
other shell script.

How does the whold naclhelper thing work anyway?  I'm nervous about process
share access involving chromium_sandbox_t, is that really what we want?

Added lots of other stuff like searching cgroup dirs etc.
 2019-01-29 18:59:33 -05:00
Jason Zaman 6d164216d9 Add chromium policy upstreamed from Gentoo 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00