2010-09-03 10:53:30

by domg472

Subject: [refpolicy] [Xserver 1/1] The xserver module is not in base.

The xserver module is not in base.
That must mean its use is optional.
Move all external xserver interface calls into optional policy blocks.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 5d3d45c... 521f16d... M policy/modules/apps/evolution.te
:100644 100644 cbf4bec... 7266190... M policy/modules/apps/mozilla.te
:100644 100644 815a467... e6dc43a... M policy/modules/apps/mplayer.te
:100644 100644 794c0be... c75a7ce... M policy/modules/apps/thunderbird.te
:100644 100644 1f803bb... 8524075... M policy/modules/apps/vmware.te
:100644 100644 1bdeb16... a4d2bc5... M policy/modules/apps/xscreensaver.te
:100644 100644 0f262a7... ca59bdb... M policy/modules/services/rhgb.te
:100644 100644 e226da4... 5216d19... M policy/modules/services/xserver.te
:100644 100644 8b4f6d8... cf5f157... M policy/modules/system/userdomain.if
policy/modules/apps/evolution.te | 26 +++++++++++++++++---------
policy/modules/apps/mozilla.te | 10 ++++++----
policy/modules/apps/mplayer.te | 6 ++++--
policy/modules/apps/thunderbird.te | 10 ++++++----
policy/modules/apps/vmware.te | 4 +++-
policy/modules/apps/xscreensaver.te | 5 ++++-
policy/modules/services/rhgb.te | 20 +++++++++++---------
policy/modules/services/xserver.te | 2 +-
policy/modules/system/userdomain.if | 30 ++++++++++++++++++------------
9 files changed, 70 insertions(+), 43 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 5d3d45c..521f16d 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)

mta_read_config(evolution_t)

-xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
-xserver_read_xdm_tmp_files(evolution_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_t)
fs_manage_nfs_files(evolution_t)
@@ -340,6 +337,11 @@ optional_policy(`
spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
')

+optional_policy(`
+ xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+ xserver_read_xdm_tmp_files(evolution_t)
+')
+
########################################
#
# Evolution alarm local policy
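Review bot: `xserver_user_x_domain_template` is declared as a template rather than a plain interface, and refpolicy templates of this kind commonly declare per-domain types; if this one does, moving the call inside `optional_policy` makes those declarations conditional on the xserver module, which should be confirmed against both the modular and the monolithic build before the same pattern is relied on in the mozilla.te, mplayer.te, thunderbird.te, vmware.te, xscreensaver.te and userdomain.if hunks of this series. Since the block is now the only place where evolution_t gains its X rules, a one-line comment above it such as `# X access is granted only when the xserver module is loaded` would document the new semantics for the next reader. The evolution_t local policy section starts before this hunk.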
@@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
# until properly implemented
userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)

-xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
-
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(evolution_alarm_t)
@@ -408,6 +408,10 @@ optional_policy(`
nscd_socket_use(evolution_alarm_t)
')

+optional_policy(`
+ xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+')
+
########################################
#
# Evolution exchange connector local policy
@@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
# until properly implemented
userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)

-xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
-
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(evolution_exchange_t)
@@ -488,6 +490,10 @@ optional_policy(`
nscd_socket_use(evolution_exchange_t)
')

+optional_policy(`
+ xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+')
+
########################################
#
# Evolution data server local policy
@@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
# until properly implemented
userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)

-xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
-
optional_policy(`
nscd_socket_use(evolution_webcal_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cbf4bec..7266190 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)

userdom_use_user_ptys(mozilla_t)

-xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
-xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-
tunable_policy(`allow_execmem',`
allow mozilla_t self:process { execmem execstack };
')
@@ -266,3 +262,9 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 815a467..e6dc43a 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
userdom_read_user_home_content_symlinks(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)

-xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
-
# Read songs
ifdef(`enable_mls',`',`
fs_search_removable(mplayer_t)
@@ -309,3 +307,7 @@ optional_policy(`
pulseaudio_exec(mplayer_t)
pulseaudio_stream_connect(mplayer_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 794c0be..c75a7ce 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
# .kde/....gtkrc
userdom_read_user_home_content_files(thunderbird_t)

-xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
-xserver_read_xdm_tmp_files(thunderbird_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-
# Access ~/.thunderbird
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(thunderbird_t)
@@ -208,3 +204,9 @@ optional_policy(`
mozilla_domtrans(thunderbird_t)
mozilla_dbus_chat(thunderbird_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+ xserver_read_xdm_tmp_files(thunderbird_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 1f803bb..8524075 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
sysnet_dns_name_resolve(vmware_t)
sysnet_read_config(vmware_t)

-xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+optional_policy(`
+ xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+')
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..a4d2bc5 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
#access to .icons and ~/.xscreensaver
userdom_read_user_home_content_files(xscreensaver_t)

-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+ xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
+
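Review bot: The hunk adds an empty line after the closing `')` of the new block, leaving the file ending in a blank line; drop that trailing `+` line so xscreensaver.te ends on `')` like the vmware.te hunk in this series does. The local policy section for xscreensaver_t starts before this hunk.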
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..ca59bdb 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
userdom_dontaudit_search_user_home_content(rhgb_t)

-xserver_read_tmp_files(rhgb_t)
-xserver_kill(rhgb_t)
-# for running setxkbmap
-xserver_read_xkb_libs(rhgb_t)
-xserver_domtrans(rhgb_t)
-xserver_signal(rhgb_t)
-xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect(rhgb_t)
-
optional_policy(`
consoletype_exec(rhgb_t)
')
@@ -135,6 +126,17 @@ optional_policy(`
udev_read_db(rhgb_t)
')

+optional_policy(`
+ xserver_read_tmp_files(rhgb_t)
+ xserver_kill(rhgb_t)
+ # for running setxkbmap
+ xserver_read_xkb_libs(rhgb_t)
+ xserver_domtrans(rhgb_t)
+ xserver_signal(rhgb_t)
+ xserver_read_xdm_tmp_files(rhgb_t)
+ xserver_stream_connect(rhgb_t)
+')
+
ifdef(`TODO',`
#this seems a bit much
allow domain rhgb_devpts_t:chr_file { read write };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e226da4..5216d19 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-# xserver_rw_session_template(xdm,userdomain)
+ # xserver_rw_session_template(xdm,userdomain)
',`
userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
# FIXME:
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8b4f6d8..cf5f157 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)

- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t)
- # certain apps want to read xdm.pid file
- xserver_read_xdm_pid($1_t)
- # gnome-session creates socket under /tmp/.ICE-unix/
- xserver_create_xdm_tmp_sockets($1_t)
- # Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
+ optional_policy(`
+ xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+ xserver_dontaudit_write_log($1_t)
+ xserver_stream_connect_xdm($1_t)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($1_t)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_sockets($1_t)
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($1_t)
+ ')
')

#######################################
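Review bot: `userdom_xwindows_client_template` now yields a client domain with no X rules at all when the xserver module is absent, and its interface documentation above this hunk (outside the hunk) presumably still describes it simply as an X windows client template, so that doc comment should state that the X rules are applied only when the xserver module is present. The commit message says all external xserver calls are moved, yet `xserver_xsession_spec_domtrans` in the later hunks for `userdom_xsession_spec_domtrans_all_users` and `userdom_xsession_spec_domtrans_unpriv_users` stays unconditional; that looks deliberate, as the only callers visible in this series are `userdom_xsession_spec_domtrans_all_users(xdm_t)` and `userdom_xsession_spec_domtrans_unpriv_users(xdm_t)` in the xserver.te hunk, and a one-line comment there such as `# only called from the xserver module, so no optional_policy wrapper is needed` would keep someone from "fixing" it later. The template's definition starts before this hunk.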
@@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t)

- xserver_restricted_role($1_r, $1_t)
-
optional_policy(`
alsa_read_rw_config($1_t)
')
@@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
')
+
+ optional_policy(`
+ xserver_restricted_role($1_r, $1_t)
+ ')
')

#######################################
@@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
')

xserver_xsession_spec_domtrans($1, userdomain)
+
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
@@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
')

xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
--
1.7.2.1



2010-09-03 14:59:19

by cpebenito

Subject: [refpolicy] [Xserver 1/1] The xserver module is not in base.

On 09/03/10 06:53, Dominick Grift wrote:
> The xserver module is not in base.
> That must mean its use is optional.
> Move all external xserver interface to optional policy blocks.

Not being required in base doesn't necessarily mean that it should be
optional in all policies that call it. For example, Evolution won't
work without it, thus it is mandatory for Evolution and not optional.

> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 5d3d45c... 521f16d... M policy/modules/apps/evolution.te
> :100644 100644 cbf4bec... 7266190... M policy/modules/apps/mozilla.te
> :100644 100644 815a467... e6dc43a... M policy/modules/apps/mplayer.te
> :100644 100644 794c0be... c75a7ce... M policy/modules/apps/thunderbird.te
> :100644 100644 1f803bb... 8524075... M policy/modules/apps/vmware.te
> :100644 100644 1bdeb16... a4d2bc5... M policy/modules/apps/xscreensaver.te
> :100644 100644 0f262a7... ca59bdb... M policy/modules/services/rhgb.te
> :100644 100644 e226da4... 5216d19... M policy/modules/services/xserver.te
> :100644 100644 8b4f6d8... cf5f157... M policy/modules/system/userdomain.if
> policy/modules/apps/evolution.te | 26 +++++++++++++++++---------
> policy/modules/apps/mozilla.te | 10 ++++++----
> policy/modules/apps/mplayer.te | 6 ++++--
> policy/modules/apps/thunderbird.te | 10 ++++++----
> policy/modules/apps/vmware.te | 4 +++-
> policy/modules/apps/xscreensaver.te | 5 ++++-
> policy/modules/services/rhgb.te | 20 +++++++++++---------
> policy/modules/services/xserver.te | 2 +-
> policy/modules/system/userdomain.if | 30 ++++++++++++++++++------------
> 9 files changed, 70 insertions(+), 43 deletions(-)
>
> diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
> index 5d3d45c..521f16d 100644
> --- a/policy/modules/apps/evolution.te
> +++ b/policy/modules/apps/evolution.te
> @@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)
>
> mta_read_config(evolution_t)
>
> -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
> -xserver_read_xdm_tmp_files(evolution_t)
> -
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(evolution_t)
> fs_manage_nfs_files(evolution_t)
> @@ -340,6 +337,11 @@ optional_policy(`
> spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
> ')
>
> +optional_policy(`
> + xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
> + xserver_read_xdm_tmp_files(evolution_t)
> +')
> +
> ########################################
> #
> # Evolution alarm local policy
> @@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
> # until properly implemented
> userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
>
> -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
> -
> # Access evolution home
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(evolution_alarm_t)
> @@ -408,6 +408,10 @@ optional_policy(`
> nscd_socket_use(evolution_alarm_t)
> ')
>
> +optional_policy(`
> + xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
> +')
> +
> ########################################
> #
> # Evolution exchange connector local policy
> @@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
> # until properly implemented
> userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
>
> -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
> -
> # Access evolution home
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(evolution_exchange_t)
> @@ -488,6 +490,10 @@ optional_policy(`
> nscd_socket_use(evolution_exchange_t)
> ')
>
> +optional_policy(`
> + xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
> +')
> +
> ########################################
> #
> # Evolution data server local policy
> @@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
> # until properly implemented
> userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
>
> -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
> -
> optional_policy(`
> nscd_socket_use(evolution_webcal_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index cbf4bec..7266190 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)
>
> userdom_use_user_ptys(mozilla_t)
>
> -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> -xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
> -
> tunable_policy(`allow_execmem',`
> allow mozilla_t self:process { execmem execstack };
> ')
> @@ -266,3 +262,9 @@ optional_policy(`
> optional_policy(`
> thunderbird_domtrans(mozilla_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> + xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> + xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
> +')
> diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
> index 815a467..e6dc43a 100644
> --- a/policy/modules/apps/mplayer.te
> +++ b/policy/modules/apps/mplayer.te
> @@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
> userdom_read_user_home_content_symlinks(mplayer_t)
> userdom_write_user_tmp_sockets(mplayer_t)
>
> -xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> -
> # Read songs
> ifdef(`enable_mls',`',`
> fs_search_removable(mplayer_t)
> @@ -309,3 +307,7 @@ optional_policy(`
> pulseaudio_exec(mplayer_t)
> pulseaudio_stream_connect(mplayer_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
> index 794c0be..c75a7ce 100644
> --- a/policy/modules/apps/thunderbird.te
> +++ b/policy/modules/apps/thunderbird.te
> @@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
> # .kde/....gtkrc
> userdom_read_user_home_content_files(thunderbird_t)
>
> -xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
> -xserver_read_xdm_tmp_files(thunderbird_t)
> -xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
> -
> # Access ~/.thunderbird
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(thunderbird_t)
> @@ -208,3 +204,9 @@ optional_policy(`
> mozilla_domtrans(thunderbird_t)
> mozilla_dbus_chat(thunderbird_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
> + xserver_read_xdm_tmp_files(thunderbird_t)
> + xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
> +')
> diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
> index 1f803bb..8524075 100644
> --- a/policy/modules/apps/vmware.te
> +++ b/policy/modules/apps/vmware.te
> @@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
> sysnet_dns_name_resolve(vmware_t)
> sysnet_read_config(vmware_t)
>
> -xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
> +optional_policy(`
> + xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
> index 1bdeb16..a4d2bc5 100644
> --- a/policy/modules/apps/xscreensaver.te
> +++ b/policy/modules/apps/xscreensaver.te
> @@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
> #access to .icons and ~/.xscreensaver
> userdom_read_user_home_content_files(xscreensaver_t)
>
> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +optional_policy(`
> + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +')
> +
> diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
> index 0f262a7..ca59bdb 100644
> --- a/policy/modules/services/rhgb.te
> +++ b/policy/modules/services/rhgb.te
> @@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
> userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
> userdom_dontaudit_search_user_home_content(rhgb_t)
>
> -xserver_read_tmp_files(rhgb_t)
> -xserver_kill(rhgb_t)
> -# for running setxkbmap
> -xserver_read_xkb_libs(rhgb_t)
> -xserver_domtrans(rhgb_t)
> -xserver_signal(rhgb_t)
> -xserver_read_xdm_tmp_files(rhgb_t)
> -xserver_stream_connect(rhgb_t)
> -
> optional_policy(`
> consoletype_exec(rhgb_t)
> ')
> @@ -135,6 +126,17 @@ optional_policy(`
> udev_read_db(rhgb_t)
> ')
>
> +optional_policy(`
> + xserver_read_tmp_files(rhgb_t)
> + xserver_kill(rhgb_t)
> + # for running setxkbmap
> + xserver_read_xkb_libs(rhgb_t)
> + xserver_domtrans(rhgb_t)
> + xserver_signal(rhgb_t)
> + xserver_read_xdm_tmp_files(rhgb_t)
> + xserver_stream_connect(rhgb_t)
> +')
> +
> ifdef(`TODO',`
> #this seems a bit much
> allow domain rhgb_devpts_t:chr_file { read write };
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index e226da4..5216d19 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
> tunable_policy(`xdm_sysadm_login',`
> userdom_xsession_spec_domtrans_all_users(xdm_t)
> # FIXME:
> -# xserver_rw_session_template(xdm,userdomain)
> + # xserver_rw_session_template(xdm,userdomain)
> ',`
> userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
> # FIXME:
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 8b4f6d8..cf5f157 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
> # GNOME checks for usb and other devices:
> dev_rw_usbfs($1_t)
>
> - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> - xserver_xsession_entry_type($1_t)
> - xserver_dontaudit_write_log($1_t)
> - xserver_stream_connect_xdm($1_t)
> - # certain apps want to read xdm.pid file
> - xserver_read_xdm_pid($1_t)
> - # gnome-session creates socket under /tmp/.ICE-unix/
> - xserver_create_xdm_tmp_sockets($1_t)
> - # Needed for escd, remove if we get escd policy
> - xserver_manage_xdm_tmp_files($1_t)
> + optional_policy(`
> + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> + xserver_xsession_entry_type($1_t)
> + xserver_dontaudit_write_log($1_t)
> + xserver_stream_connect_xdm($1_t)
> + # certain apps want to read xdm.pid file
> + xserver_read_xdm_pid($1_t)
> + # gnome-session creates socket under /tmp/.ICE-unix/
> + xserver_create_xdm_tmp_sockets($1_t)
> + # Needed for escd, remove if we get escd policy
> + xserver_manage_xdm_tmp_files($1_t)
> + ')
> ')
>
> #######################################
> @@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
> logging_send_audit_msgs($1_t)
> selinux_get_enforce_mode($1_t)
>
> - xserver_restricted_role($1_r, $1_t)
> -
> optional_policy(`
> alsa_read_rw_config($1_t)
> ')
> @@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
> optional_policy(`
> setroubleshoot_dontaudit_stream_connect($1_t)
> ')
> +
> + optional_policy(`
> + xserver_restricted_role($1_r, $1_t)
> + ')
> ')
>
> #######################################
> @@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
> ')
>
> xserver_xsession_spec_domtrans($1, userdomain)
> +
> allow userdomain $1:fd use;
> allow userdomain $1:fifo_file rw_file_perms;
> allow userdomain $1:process sigchld;
> @@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
> ')
>
> xserver_xsession_spec_domtrans($1, unpriv_userdomain)
> +
> allow unpriv_userdomain $1:fd use;
> allow unpriv_userdomain $1:fifo_file rw_file_perms;
> allow unpriv_userdomain $1:process sigchld;
>
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com