diff --git a/modules-minimum.conf b/modules-minimum.conf
index f691dbb..685bcbb 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -39,6 +39,13 @@ ada = module
#
cpufreqselector = module
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+#
+chrome = module
+
# Layer: modules
# Module: awstats
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f691dbb..685bcbb 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -39,6 +39,13 @@ ada = module
#
cpufreqselector = module
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+#
+chrome = module
+
# Layer: modules
# Module: awstats
#
diff --git a/policy-F12.patch b/policy-F12.patch
index c461fa0..303bbb3 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -937,7 +937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-10-01 17:14:31.000000000 -0400
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
@@ -1010,22 +1010,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_all_executables(rpm_t)
-@@ -108,12 +130,14 @@
+@@ -108,12 +130,15 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
#devices_manage_all_device_types(rpm_t)
++fs_getattr_all_fs(rpm_t)
++fs_getattr_all_dirs(rpm_t)
++fs_list_inotifyfs(rpm_t)
fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
- fs_getattr_all_fs(rpm_t)
-+fs_getattr_all_dirs(rpm_t)
+-fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
-@@ -132,6 +156,8 @@
+@@ -132,6 +157,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -1034,7 +1036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +181,7 @@
+@@ -155,6 +182,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -1042,7 +1044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,17 +201,28 @@
+@@ -174,44 +202,37 @@
')
optional_policy(`
@@ -1051,28 +1053,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+- prelink_domtrans(rpm_t)
+ networkmanager_dbus_chat(rpm_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- unconfined_domain(rpm_t)
+- # yum-updatesd requires this
+- unconfined_dbus_chat(rpm_t)
+ dbus_system_domain(rpm_t, rpm_exec_t)
+ ')
-+')
-+
-+optional_policy(`
- prelink_domtrans(rpm_t)
')
+-ifdef(`TODO',`
+-# read/write/create any files in the system
+-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+-allow rpm_t ttyfile:chr_file unlink;
+-
+-# needs rw permission to the directory for an rpm package that includes a mount
+-# point
+-allow rpm_t fs_type:dir { setattr rw_dir_perms };
+-
+-allow rpm_t mount_t:tcp_socket write;
+-
+-allow rpm_t rpc_pipefs_t:dir search;
++optional_policy(`
++ prelink_domtrans(rpm_t)
++')
+
optional_policy(`
-- unconfined_domain(rpm_t)
+-allow rpm_t sysadm_gph_t:fd use;
+ unconfined_domain_noaudit(rpm_t)
- # yum-updatesd requires this
- unconfined_dbus_chat(rpm_t)
++ # yum-updatesd requires this
++ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
')
+-') dnl endif TODO
- ifdef(`TODO',`
-@@ -210,8 +248,8 @@
+ ########################################
+ #
# rpm-script Local policy
#
@@ -1083,7 +1102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +260,15 @@
+@@ -222,12 +243,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -1099,7 +1118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +280,9 @@
+@@ -239,6 +263,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -1109,7 +1128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(rpm_script_t)
-@@ -255,6 +299,7 @@
+@@ -255,6 +282,7 @@
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
@@ -1117,7 +1136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +317,19 @@
+@@ -272,14 +300,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -1137,15 +1156,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +341,7 @@
+@@ -291,8 +324,10 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
++init_chat(rpm_script_t)
-@@ -308,12 +359,15 @@
+ libs_exec_ld_so(rpm_script_t)
+ libs_exec_lib_files(rpm_script_t)
+@@ -308,12 +343,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1161,7 +1183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -326,13 +380,22 @@
+@@ -326,13 +364,22 @@
')
optional_policy(`
@@ -1592,6 +1614,157 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nis_use_ypbind(calamaris_t)
-')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.6.32/policy/modules/apps/chrome.fc
+--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.fc 2009-10-02 08:22:43.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/lib64/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if
+--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2009-10-02 08:37:09.000000000 -0400
+@@ -0,0 +1,85 @@
++
++## policy for chrome
++
++########################################
++##
++## Execute a domain transition to run chrome_sandbox.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chrome_domtrans_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t, chrome_sandbox_exec_t;
++ ')
++
++ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
++')
++
++
++########################################
++##
++## Execute chrome_sandbox in the chrome_sandbox domain, and
++## allow the specified role the chrome_sandbox domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the chrome_sandbox domain.
++##
++##
++#
++interface(`chrome_run_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t;
++ ')
++
++ chrome_domtrans_sandbox($1)
++ role $2 types chrome_sandbox_t;
++')
++
++########################################
++##
++## Role access for chrome sandbox
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`chrome_role',`
++ gen_require(`
++ type chrome_sandbox_t;
++ type chrome_sandbox_tmpfs_t;
++ ')
++
++ role $1 types chrome_sandbox_t;
++
++ chrome_domtrans_sandbox($2)
++
++ ps_process_pattern($2, chrome_sandbox_t)
++ allow $2 chrome_sandbox_t:process signal;
++
++ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
++ allow chrome_sandbox_t $2:unix_stream_socket { read write };
++ allow $2 chrome_sandbox_t:unix_stream_socket { read write };
++
++ allow $2 chrome_sandbox_t:shm rw_shm_perms;
++
++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te
+--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-02 08:23:19.000000000 -0400
+@@ -0,0 +1,52 @@
++policy_module(chrome,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type chrome_sandbox_t;
++type chrome_sandbox_exec_t;
++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
++role system_r types chrome_sandbox_t;
++
++type chrome_sandbox_tmp_t;
++files_tmp_file(chrome_sandbox_tmp_t)
++
++type chrome_sandbox_tmpfs_t;
++files_tmpfs_file(chrome_sandbox_tmpfs_t)
++ubac_constrained(chrome_sandbox_tmpfs_t)
++
++permissive chrome_sandbox_t;
++
++########################################
++#
++# chrome_sandbox local policy
++#
++allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };
++allow chrome_sandbox_t self:process { setrlimit execmem };
++allow chrome_sandbox_t self:fifo_file manage_file_perms;
++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_t self:shm create_shm_perms;
++
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
++
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
++
++kernel_read_kernel_sysctls(chrome_sandbox_t)
++
++corecmd_exec_bin(chrome_sandbox_t)
++
++dev_read_urand(chrome_sandbox_t)
++
++files_read_etc_files(chrome_sandbox_t)
++
++userdom_rw_user_tmpfs_files(chrome_sandbox_t)
++userdom_use_user_ptys(chrome_sandbox_t)
++
++miscfiles_read_localization(chrome_sandbox_t)
++miscfiles_read_fonts(chrome_sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-09-09 09:23:16.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te 2009-09-30 16:12:48.000000000 -0400
@@ -2118,7 +2291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.32/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-10-02 08:53:58.000000000 -0400
@@ -2,15 +2,16 @@
# /opt
#
@@ -2139,7 +2312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,12 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -2153,6 +2326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-09-30 16:12:48.000000000 -0400
@@ -2738,7 +2912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-10-02 08:15:50.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -4847,7 +5021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-02 08:03:28.000000000 -0400
@@ -1,4 +1,4 @@
-
+c
@@ -4897,7 +5071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -315,3 +323,21 @@
+@@ -315,3 +323,23 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -4919,6 +5093,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.32/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.if 2009-09-30 16:12:48.000000000 -0400
@@ -6188,7 +6364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-10-01 17:13:44.000000000 -0400
@@ -1149,6 +1149,44 @@
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -7332,8 +7508,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,36 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2009-10-02 08:54:17.000000000 -0400
+@@ -0,0 +1,34 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -7358,8 +7534,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -8014,8 +8188,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,402 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-02 08:30:26.000000000 -0400
+@@ -0,0 +1,406 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -8180,6 +8354,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
++ chrome_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
+ init_dbus_chat_script(unconfined_t)
+
+ dbus_stub(unconfined_t)
@@ -13527,7 +13705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2009-10-02 08:40:53.000000000 -0400
@@ -118,6 +118,24 @@
########################################
@@ -13553,13 +13731,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read NetworkManager PID files.
##
##
-@@ -134,3 +152,30 @@
+@@ -134,3 +152,49 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+##
++## Read NetworkManager PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_read_var_lib_files',`
++ gen_require(`
++ type NetworkManager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++')
++
++########################################
++##
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+##
@@ -20273,7 +20470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-10-02 07:35:59.000000000 -0400
@@ -3,12 +3,17 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -20314,7 +20511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,16 +91,28 @@
+@@ -89,16 +91,29 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -20334,6 +20531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -22266,7 +22464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# /var
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-10-01 17:11:27.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -26969,7 +27167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-02 08:25:19.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -27416,7 +27614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -508,182 +515,209 @@
+@@ -508,182 +515,214 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -27551,6 +27749,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ optional_policy(`
++ chrome_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -27568,35 +27770,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- dbus_system_bus_client($1_t)
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
-+ ')
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ hal_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_var_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpnc_dbus_chat($1_usertype)
++ vpnc_dbus_chat($1_usertype)
')
')
@@ -27625,21 +27828,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
++ ')
++
++ optional_policy(`
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
++ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
-+ nsplugin_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_usertype)
')
@@ -27699,21 +27902,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -711,13 +745,26 @@
+@@ -711,13 +750,26 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
++
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -27721,9 +27926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -27731,7 +27934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1)
-@@ -735,70 +782,72 @@
+@@ -735,70 +787,72 @@
allow $1_t self:context contains;
@@ -27837,7 +28040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -835,6 +884,32 @@
+@@ -835,6 +889,32 @@
# Local policy
#
@@ -27870,7 +28073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +940,81 @@
+@@ -865,51 +945,81 @@
userdom_restricted_user_template($1)
@@ -27887,12 +28090,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
++
++ xserver_role($1_r, $1_t)
++ xserver_communicate($1_usertype, $1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
-+ xserver_role($1_r, $1_t)
-+ xserver_communicate($1_usertype, $1_usertype)
-+
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -27965,7 +28168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -943,8 +1048,8 @@
+@@ -943,8 +1053,8 @@
# Declarations
#
@@ -27975,7 +28178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -953,11 +1058,12 @@
+@@ -953,11 +1063,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -27990,7 +28193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -975,36 +1081,53 @@
+@@ -975,36 +1086,53 @@
')
')
@@ -28058,7 +28261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1040,7 +1163,7 @@
+@@ -1040,7 +1168,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -28067,7 +28270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1049,8 +1172,7 @@
+@@ -1049,8 +1177,7 @@
#
# Inherit rules for ordinary users.
@@ -28077,7 +28280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1197,9 @@
+@@ -1075,6 +1202,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -28087,7 +28290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1214,7 @@
+@@ -1089,6 +1219,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -28095,7 +28298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1222,6 @@
+@@ -1096,8 +1227,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -28104,7 +28307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1248,8 @@
+@@ -1124,6 +1253,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -28113,7 +28316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1278,6 @@
+@@ -1152,20 +1283,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -28134,7 +28337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1323,7 @@
+@@ -1211,6 +1328,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -28142,7 +28345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1389,15 @@
+@@ -1276,11 +1394,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -28158,7 +28361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1391,12 +1508,13 @@
+@@ -1391,12 +1513,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -28173,7 +28376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1429,6 +1547,14 @@
+@@ -1429,6 +1552,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -28188,7 +28391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1444,9 +1570,11 @@
+@@ -1444,9 +1575,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -28200,7 +28403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1503,6 +1631,25 @@
+@@ -1503,6 +1636,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -28226,7 +28429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1577,6 +1724,8 @@
+@@ -1577,6 +1729,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -28235,7 +28438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1670,6 +1819,7 @@
+@@ -1670,6 +1824,7 @@
type user_home_dir_t, user_home_t;
')
@@ -28243,7 +28446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1947,32 @@
+@@ -1797,19 +1952,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -28283,7 +28486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1844,6 +2007,7 @@
+@@ -1844,6 +2012,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -28291,7 +28494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2555,7 @@
+@@ -2391,27 +2560,7 @@
########################################
##
@@ -28320,7 +28523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2765,11 +2909,32 @@
+@@ -2765,11 +2914,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -28355,7 +28558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,7 +3062,25 @@
+@@ -2897,7 +3067,25 @@
type user_tmp_t;
')
@@ -28382,7 +28585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2934,6 +3117,7 @@
+@@ -2934,6 +3122,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -28390,7 +28593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3248,559 @@
+@@ -3064,3 +3253,559 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 29dd93d..f889113 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 18%{?dist}
+Release: 19%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Fri Oct 2 2009 Dan Walsh 3.6.32-19
+- Add labeling for /var/run/kdm
+
* Thu Oct 1 2009 Dan Walsh 3.6.32-18
- Allow svirt to list sysfs_t directory