
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/apps/
Date: Sun, 10 Feb 2019 04:14:55
Message-Id: 1549771885.60e0d1b33e0be37edd4e8971e3b2cd67966574ab.perfinion@gentoo
1 commit: 60e0d1b33e0be37edd4e8971e3b2cd67966574ab
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Mon Jan 28 08:46:49 2019 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 10 04:11:25 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=60e0d1b3
7
8 chromium
9
10 There are several nacl binaries that need labels.
11
12 Put an ifdef debian for some chromium paths.
13
14 Git policy misses chromium_role() lines, were they in another patch that was
15 submitted at the same time?
16
17 I don't know what this is for but doesn't seem harmful to allow it:
18 type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
19 type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
20 type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { associate } for pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
21 type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { create } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
22 type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { add_name } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir
23
24 Allow domain_use_interactive_fds() for running via ssh -X.
25
26 Allow managing xdg data, cache, and config.
27
28 Allow reading public data from apt and dpkg, probably from lsb_release or some
29 other shell script.
30
31 How does the whole naclhelper thing work anyway? I'm nervous about process
32 share access involving chromium_sandbox_t, is that really what we want?
33
34 Added lots of other stuff like searching cgroup dirs etc.
35
36 Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
37
38 policy/modules/apps/chromium.fc | 7 ++++++-
39 policy/modules/apps/chromium.te | 32 +++++++++++++++++++++++++++-----
40 policy/modules/roles/staff.te | 4 ++++
41 policy/modules/roles/sysadm.te | 4 ++++
42 policy/modules/roles/unprivuser.te | 4 ++++
43 5 files changed, 45 insertions(+), 6 deletions(-)
44
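diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc
index 534235dc..58a6cb45 100644
--- a/policy/modules/apps/chromium.fc
+++ b/policy/modules/apps/chromium.fc
@@ -2,7 +2,7 @@
 /opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
 /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
 /opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome/nacl_.* -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
 /opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
 
 /opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
@@ -19,9 +19,14 @@
 /opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
 /opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
 
+ifdef(`distro_debian',`
+/usr/lib/chromium/chromium -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+', `
 /usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
 /usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
 /usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+')
 /usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0)
 /usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
 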
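Review bot: The new `nacl_.*` pattern replaces `nacl_helper_bootstrap` only for /opt/google/chrome; the chrome-unstable entry at the top of the second hunk (and, by the same layout, the chrome-beta and /usr/lib/chromium-browser entries) keep the narrower `nacl_helper_bootstrap` label, so the other nacl binaries the commit message mentions stay unlabeled there. Align them with the new pattern, e.g. `/opt/google/chrome-unstable/nacl_.* -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)`. The Debian branch of the new `ifdef(`distro_debian',`` labels only chromium and chrome-sandbox under /usr/lib/chromium/, while the launcher and nacl helper entries remain on the /usr/lib/chromium-browser/ path outside the ifdef; if Debian ships those under /usr/lib/chromium/ too, they need matching entries in the Debian branch. Note also that `nacl_.*` is a regex, so any regular file in that directory whose name starts with nacl_ becomes an entrypoint for the chromium_naclhelper_t transition, which is broader than the single binary labelled before.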
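diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 59c75491..7a18d814 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -94,8 +94,8 @@ allow chromium_t chromium_renderer_t:shm rw_shm_perms;
 allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
 allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
 
-allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
-allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
+allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
 
 allow chromium_t chromium_naclhelper_t:process { share };
 
@@ -149,6 +149,7 @@ dev_rw_xserver_misc(chromium_t)
 dev_map_xserver_misc(chromium_t)
 
 domain_dontaudit_search_all_domains_state(chromium_t)
+domain_use_interactive_fds(chromium_t)
 
 files_list_home(chromium_t)
 files_search_home(chromium_t)
@@ -159,12 +160,17 @@ files_read_etc_files(chromium_t)
 files_dontaudit_getattr_all_dirs(chromium_t)
 
 fs_dontaudit_getattr_xattr_fs(chromium_t)
+fs_getattr_tmpfs(chromium_t)
+fs_search_cgroup_dirs(chromium_t)
 
 miscfiles_read_all_certs(chromium_t)
 miscfiles_read_localization(chromium_t)
 
 sysnet_dns_name_resolve(chromium_t)
 
+# for /run/udev/data/*
+udev_read_pid_files(chromium_t)
+
 userdom_user_content_access_template(chromium, chromium_t)
 userdom_dontaudit_list_user_home_dirs(chromium_t)
 # Debugging. Also on user_tty_device_t if X is started through "startx" for instance
@@ -195,6 +201,8 @@ tunable_policy(`chromium_rw_usb_dev',`
 tunable_policy(`chromium_read_system_info',`
 kernel_read_kernel_sysctls(chromium_t)
 # Memory optimizations & optimizations based on OS/version
+ kernel_read_crypto_sysctls(chromium_t)
+ kernel_read_kernel_sysctls(chromium_t)
 kernel_read_system_state(chromium_t)
 
 # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
@@ -237,6 +245,13 @@ optional_policy(`
 ')
 ')
 
+optional_policy(`
+ apt_read_cache(chromium_t)
+ apt_read_db(chromium_t)
+ dpkg_exec(chromium_t)
+ dpkg_read_db(chromium_t)
+')
+
 ifdef(`use_alsa',`
 optional_policy(`
 alsa_domain(chromium_t, chromium_tmpfs_t)
@@ -309,23 +324,27 @@ allow chromium_sandbox_t chromium_t:dir list_dir_perms;
 allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
 allow chromium_sandbox_t chromium_t:file rw_file_perms;
 
-allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
-allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
+allow chromium_sandbox_t chromium_t:unix_stream_socket { getattr read write };
+allow chromium_sandbox_t chromium_t:unix_dgram_socket { getattr read write };
 
 kernel_list_proc(chromium_sandbox_t)
 
 domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
+domain_use_interactive_fds(chromium_sandbox_t)
 
 userdom_use_user_ptys(chromium_sandbox_t)
 
 chromium_domtrans(chromium_sandbox_t)
+domtrans_pattern(chromium_sandbox_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+allow chromium_sandbox_t chromium_naclhelper_t:process share;
 
 ##########################################
 #
 # Chromium nacl helper local policy
 #
 
-allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
+allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write };
+allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr read write };
 
 domain_mmap_low_uncond(chromium_naclhelper_t)
 
@@ -338,3 +357,6 @@ tunable_policy(`chromium_read_system_info',`
 kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
 kernel_dontaudit_read_system_state(chromium_naclhelper_t)
 ')
+
+dev_read_sysfs(chromium_naclhelper_t)
+dev_read_urand(chromium_naclhelper_t)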
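Review bot: The added `kernel_read_kernel_sysctls(chromium_t)` inside the `chromium_read_system_info` tunable duplicates the identical call two lines above it in the same block; drop the new line and keep only `kernel_read_crypto_sysctls(chromium_t)`. The new `domtrans_pattern(chromium_sandbox_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)` and `allow chromium_sandbox_t chromium_naclhelper_t:process share;` widen what the sandbox domain may do, and the commit message itself records doubt about whether that is wanted, so the rationale should live in the policy rather than only in the log: a comment such as `# TODO(review): confirm chromium_sandbox_t must exec nacl helpers and share process state with them` above the two lines would do. `dev_read_sysfs(chromium_naclhelper_t)` is added unconditionally after the `chromium_read_system_info` tunable block, whereas the comment in the chromium_t tunable block ("device information (sys/bus and sys/devices)") suggests sysfs access for chromium_t is gated by that tunable; consider whether the naclhelper sysfs read belongs inside the tunable for consistency. The `tunable_policy` blocks in the fourth and last hunks start before their hunks, so the exact placement cannot be verified here.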
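diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 7b4a780a..2321ecf0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -81,6 +81,10 @@ ifndef(`distro_redhat',`
 cdrecord_role(staff_r, staff_t)
 ')
 
+ optional_policy(`
+ chromium_role(staff_r, staff_t)
+ ')
+
 optional_policy(`
 cron_role(staff_r, staff_t)
 ')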
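Review bot: The new `optional_policy(`` / `chromium_role(staff_r, staff_t)` block is inserted directly after the cdrecord_role block that the hunk header places inside `ifndef(`distro_redhat',``; if the insertion point is inside that ifndef (its start and end are outside the hunk, and the rendering has lost the indentation), chromium_role is never granted on Red Hat-derived builds, which looks unintended for a desktop browser role. If that placement is deliberate, a one-line comment saying so would help; otherwise move the block after the ifndef closes. The same applies to the identical hunks in policy/modules/roles/sysadm.te and policy/modules/roles/unprivuser.te.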
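diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6960fc31..060c4396 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1271,6 +1271,10 @@ ifndef(`distro_redhat',`
 cdrecord_role(sysadm_r, sysadm_t)
 ')
 
+ optional_policy(`
+ chromium_role(sysadm_r, sysadm_t)
+ ')
+
 optional_policy(`
 cron_admin_role(sysadm_r, sysadm_t)
 ')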
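diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 209c904b..02e3de3b 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -49,6 +49,10 @@ ifndef(`distro_redhat',`
 cdrecord_role(user_r, user_t)
 ')
 
+ optional_policy(`
+ chromium_role(user_r, user_t)
+ ')
+
 optional_policy(`
 cron_role(user_r, user_t)
 ')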