The X Display Manager (XDM) does not normally require execheap
and execmem permissions.
Modify the current xserver module so that execheap and/or
execmem are enabled only when the global booleans allow_execheap
and/or allow_execmem are enabled.
This applies only to systems other than RedHat.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.te | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/policy/modules/services/xserver.te 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.te 2016-12-17 17:23:59.955264997 +0100
@@ -584,7 +584,14 @@ optional_policy(`
unconfined_domtrans(xdm_t)
ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
+ tunable_policy(`allow_execheap',`
+ allow xdm_t self:process execheap;
+ ')
+
+ # gnome-shell in gdm mode requires execmem
+ tunable_policy(`allow_execmem',`
+ allow xdm_t self:process execmem;
+ ')
')
')
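Review bot: the two new tunable_policy blocks are still nested inside ifndef(`distro_redhat',`...`), so on Red Hat builds the allow_execheap and allow_execmem booleans have no effect on xdm_t at all; once the rules are gated on the global booleans the distro guard adds nothing, so the blocks should be hoisted out of the ifndef and the guard dropped. A second point is the asymmetry in documentation: the execmem block is justified by the comment "gnome-shell in gdm mode requires execmem", but the execheap block has no comment saying which component needs it, and the commit message states that XDM does not normally require execheap; either record the case that needs it or drop that block. Note also that this changes behaviour on non-Red Hat systems where both booleans are left at their default: xdm_t loses execheap and execmem it previously had unconditionally, which is the intended tightening but should be stated in the commit message.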
On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
> The X Display Manager (XDM) does not normally require execheap
> and execmem permissions.
>
> Modify the current xserver module so that execheap and/or
> execmem are enabled only when the global booleans allow_execheap
> and/or allow_execmem are enabled.
>
> This applies only to systems other than RedHat.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.te | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/services/xserver.te 2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.te 2016-12-17 17:23:59.955264997 +0100
> @@ -584,7 +584,14 @@ optional_policy(`
> unconfined_domtrans(xdm_t)
>
> ifndef(`distro_redhat',`
> - allow xdm_t self:process { execheap execmem };
> + tunable_policy(`allow_execheap',`
> + allow xdm_t self:process execheap;
> + ')
> +
> + # gnome-shell in gdm mode requires execmem
> + tunable_policy(`allow_execmem',`
> + allow xdm_t self:process execmem;
> + ')
> ')
> ')
It probably should just be removed from the ifndef, if the rules are
conditional.
A more important question is if xserver actually still needs these perms.
--
Chris PeBenito
Hello!
It only needs execmem when gnome-shell runs in gdm mode.
Regards,
Guido
On the 18th of December 2016 23:29:05 CET, Chris PeBenito <[email protected]> wrote:
>On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
>> The X Display Manager (XDM) does not normally require execheap
>> and execmem permissions.
>>
>> Modify the current xserver module so that execheap and/or
>> execmem are enabled only when the global booleans allow_execheap
>> and/or allow_execmem are enabled.
>>
>> This applies only to systems other than RedHat.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/services/xserver.te | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> --- a/policy/modules/services/xserver.te 2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.te 2016-12-17
>17:23:59.955264997 +0100
>> @@ -584,7 +584,14 @@ optional_policy(`
>> unconfined_domtrans(xdm_t)
>>
>> ifndef(`distro_redhat',`
>> - allow xdm_t self:process { execheap execmem };
>> + tunable_policy(`allow_execheap',`
>> + allow xdm_t self:process execheap;
>> + ')
>> +
>> + # gnome-shell in gdm mode requires execmem
>> + tunable_policy(`allow_execmem',`
>> + allow xdm_t self:process execmem;
>> + ')
>> ')
>> ')
>
>It probably should just be removed from the ifndef, if the rules are
>conditional.
>
>A more important question is if xserver actually still needs these
>perms.