diff options
| author |   Russell Coker <russell@coker.com.au> | 2019-01-28 19:46:49 +1100 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2019-02-10 12:11:25 +0800 |
| commit | 60e0d1b33e0be37edd4e8971e3b2cd67966574ab (patch) | |
| tree | d1d8b906ae52a671cf95ad75ae897478e08438d6 /policy/modules/roles/sysadm.te | |
| parent | yet another little patch (diff) | |
| download | hardened-refpolicy-60e0d1b33e0be37edd4e8971e3b2cd67966574ab.tar.gz hardened-refpolicy-60e0d1b33e0be37edd4e8971e3b2cd67966574ab.tar.bz2 hardened-refpolicy-60e0d1b33e0be37edd4e8971e3b2cd67966574ab.zip | |
chromium
There are several nacl binaries that need labels.
Put an ifdef debian for some chromium paths.
Git policy misses chromium_role() lines, were they in another patch that was
submitted at the same time?
I don't know what this is for but doesn't seem harmful to allow it:
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { associate } for pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { create } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { add_name } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir
Allow domain_use_interactive_fds() for running via ssh -X.
Allow managing xdg data, cache, and config.
Allow reading public data from apt and dpkg, probably from lsb_release or some
other shell script.
How does the whold naclhelper thing work anyway? I'm nervous about process
share access involving chromium_sandbox_t, is that really what we want?
Added lots of other stuff like searching cgroup dirs etc.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Diffstat (limited to 'policy/modules/roles/sysadm.te')
| -rw-r--r-- | policy/modules/roles/sysadm.te | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 6960fc316..060c43962 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1272,6 +1272,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + chromium_role(sysadm_r, sysadm_t) + ') + + optional_policy(` cron_admin_role(sysadm_r, sysadm_t) ') |