2017-09-12 02:11:15

by Mira Ressel

Subject: [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients

Note that dev_rw_dri_dev already grants the map permission; it was simply
forgotten when adding it to dev_manage_dri_dev, too.
---
policy/modules/kernel/devices.if | 1 +
policy/modules/services/xserver.if | 4 +++-
policy/modules/services/xserver.te | 2 ++
policy/modules/system/userdomain.if | 2 ++
4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 39069c177..b8f85c2ad 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
')

manage_chr_files_pattern($1, device_t, dri_device_t)
+ allow $1 dri_device_t:chr_file map;
')
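Review bot: The `## <summary>` header of `dev_manage_dri_dev` sits above this hunk and, as far as its name suggests, describes the interface in terms of managing DRI device nodes, so the new `map` grant on L25 is invisible to anyone choosing the interface by its summary. Add a line to that header such as `## Also allows mmap() of the DRI device nodes (needed by DRM clients).` so the extra permission is stated where the interface is selected. The commit message says `dev_rw_dri_dev` already carries `map`, which keeps the two interfaces consistent, but that interface is outside this hunk and its wording could not be checked here.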

########################################
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d14bf3c0d..13f800936 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
# Xserver read/write client shm
allow xserver_t $1:fd use;
allow xserver_t $1:shm rw_shm_perms;
- allow xserver_t $2:file rw_file_perms;
+ allow xserver_t $2:file { rw_file_perms map };

# Connect to xserver
allow $1 xserver_t:unix_stream_socket connectto;
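Review bot: The comment on L34, `# Xserver read/write client shm`, no longer describes what the rule on L38 grants: with `map` added to `rw_file_perms`, xserver_t can create shared writable mappings of every file of type `$2`, not merely read and write them through an fd. Change it to `# Xserver read/write and mmap client shm (tmpfs-backed segments)` so the wider grant is stated at the point it is made. `map` does not carry `execute`, so this does not let the server create executable mappings of client files; the header that documents the role of `$2` is outside this hunk and should mention map as well.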
@@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:fd use;
allow $1 xserver_t:shm r_shm_perms;
allow $1 xserver_tmpfs_t:file read_file_perms;
+
+ allow $1 $2:file map;
')
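Review bot: The new rule on L47 is the only line in `xserver_ro_session` that grants `$1` a permission on `$2`, and it carries no comment saying why a client domain needs to mmap its own tmpfs type. Add `# client mmap()s its own shm-backed tmpfs files` directly above it so the reason is recorded wherever the rule finally lives. The interface's header comment, above this hunk, should also state that `$1` now receives map on `$2`, since that summary is what callers read before using the interface.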

#######################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 0a9c8731e..e89e1535b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow xserver_t xserver_tmpfs_t:file map;
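Review bot: The raw `allow` on L59 is placed in a run of `*_pattern` macro calls and `fs_tmpfs_filetrans`, which are self-describing by name, while this line says nothing about why xserver_t must mmap its own tmpfs files. Add a trailing why-comment, `allow xserver_t xserver_tmpfs_t:file map; # mmap of tmpfs-backed shm`, or, if this tree already provides an mmap helper pattern for files, use it for consistency with the surrounding lines. The `# Run xkbcomp` block that follows is unrelated and continues outside the hunk.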

# Run xkbcomp
manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
+userdom_map_user_tmpfs_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
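Review bot: `userdom_map_user_tmpfs_files` on L67 is called but not defined anywhere in this series — the userdomain.if change in this patch only adds another call to it — so the build relies on that interface already existing in the tree, and a missing interface fails the whole policy build; worth confirming before merge. Also, this call gives xserver_t map on all user tmpfs files unconditionally, while the `xserver_ro_session` change in the same patch grants the same on the per-session type `$2`; if `$2` is the user tmpfs type for every caller the two grants overlap and one location should own the rule, but that cannot be verified from the visible hunks. The placement before `userdom_rw_user_tmpfs_files` matches the alphabetical ordering of the neighbouring calls.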

xserver_use_user_fonts(xserver_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 78e821eb2..849f9b6a7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)

+ userdom_map_user_tmpfs_files($1_t)
+
userdom_change_password_template($1)
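Review bot: The call on L79 gives every login user domain `map` on its tmpfs files without a comment on why an ordinary user domain needs to mmap them; presumably for the shm segments X clients share with the server, but the template body (which starts and ends outside this hunk) is read by people who never touch X. Add `# mmap of user tmpfs files, e.g. shm segments shared with the X server` above the call. `map` does not imply `execute`, so this does not permit executable mappings of user tmpfs content; no `execute` on tmpfs files is added by this patch.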

##############################
--
2.14.1


2017-09-12 02:11:16

by Mira Ressel

Subject: [refpolicy] [PATCH 2/2] kernel: Add map permission to the dev_{read, write}_sound* interfaces

The map permission was already added to dev_read_sound_mixer (by sds), but
the other sound device interfaces need it as well.
---
policy/modules/kernel/devices.if | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b8f85c2ad..4c47709ff 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3751,6 +3751,7 @@ interface(`dev_read_sound',`
')

read_chr_files_pattern($1, device_t, sound_device_t)
+ allow $1 sound_device_t:chr_file map;
')
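Review bot: The `map` grant on L109 is not reflected in the `## <summary>` of `dev_read_sound` (above this hunk), which is what callers use to pick between the read, write and mixer variants of the sound interfaces. Add `## Also allows mmap() of the sound devices, e.g. for mmap-mode PCM access.` to that header so the wider grant is visible at the point of choice. The same header update applies to the two other interfaces changed in this patch.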

########################################
@@ -3769,6 +3770,7 @@ interface(`dev_write_sound',`
')

write_chr_files_pattern($1, device_t, sound_device_t)
+ allow $1 sound_device_t:chr_file map;
')
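Review bot: `dev_write_sound` on L116-L117 now grants `map` from a write-only interface, but the kernel's mmap() path refuses any mapping of a file descriptor that was not opened for reading, so a domain that only calls this interface still cannot mmap the device: the `open(O_RDWR)` it needs is denied for lack of `read`, which `write_chr_files_pattern` alone does not grant. The permission is harmless on its own, but it will mislead the next person chasing an AVC denial, so either document it, e.g. `# map alone does not enable mmap'd playback; callers also need dev_read_sound for the O_RDWR open`, or keep `map` in a combined read/write interface. The same caveat applies to the `dev_write_sound_mixer` change later in this patch.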

########################################
@@ -3806,6 +3808,7 @@ interface(`dev_write_sound_mixer',`
')

write_chr_files_pattern($1, device_t, sound_device_t)
+ allow $1 sound_device_t:chr_file map;
')

########################################
--
2.14.1

2017-09-12 22:47:50

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients

On 09/11/2017 10:11 PM, Luis Ressel via refpolicy wrote:
> Note that dev_rw_dri already has the permission, it was just forgotten
> to add it to dev_manage_dri, too.
> ---
> policy/modules/kernel/devices.if | 1 +
> policy/modules/services/xserver.if | 4 +++-
> policy/modules/services/xserver.te | 2 ++
> policy/modules/system/userdomain.if | 2 ++
> 4 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 39069c177..b8f85c2ad 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
> ')
>
> manage_chr_files_pattern($1, device_t, dri_device_t)
> + allow $1 dri_device_t:chr_file map;
> ')
>
> ########################################
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index d14bf3c0d..13f800936 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
> # Xserver read/write client shm
> allow xserver_t $1:fd use;
> allow xserver_t $1:shm rw_shm_perms;
> - allow xserver_t $2:file rw_file_perms;
> + allow xserver_t $2:file { rw_file_perms map };
>
> # Connect to xserver
> allow $1 xserver_t:unix_stream_socket connectto;
> @@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
> allow $1 xserver_t:fd use;
> allow $1 xserver_t:shm r_shm_perms;
> allow $1 xserver_tmpfs_t:file read_file_perms;
> +
> + allow $1 $2:file map;

I think this should not go here, but in xserver_user_x_domain_template
instead.

> ')
>
> #######################################
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 0a9c8731e..e89e1535b 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +allow xserver_t xserver_tmpfs_t:file map;
>
> # Run xkbcomp
> manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> @@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
> userdom_use_user_ttys(xserver_t)
> userdom_setattr_user_ttys(xserver_t)
> userdom_read_user_tmp_files(xserver_t)
> +userdom_map_user_tmpfs_files(xserver_t)
> userdom_rw_user_tmpfs_files(xserver_t)
>
> xserver_use_user_fonts(xserver_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 78e821eb2..849f9b6a7 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
> userdom_exec_user_tmp_files($1_t)
> userdom_exec_user_home_content_files($1_t)
>
> + userdom_map_user_tmpfs_files($1_t)
> +
> userdom_change_password_template($1)
>
> ##############################
>


--
Chris PeBenito

2017-09-12 22:48:58

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] kernel: Add map permission to the dev_{read, write}_sound* interfaces

On 09/11/2017 10:11 PM, Luis Ressel via refpolicy wrote:
> sds already added it to dev_read_sound_mixer, but it's also needed in
> the other interfaces.
> ---
> policy/modules/kernel/devices.if | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index b8f85c2ad..4c47709ff 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3751,6 +3751,7 @@ interface(`dev_read_sound',`
> ')
>
> read_chr_files_pattern($1, device_t, sound_device_t)
> + allow $1 sound_device_t:chr_file map;
> ')
>
> ########################################
> @@ -3769,6 +3770,7 @@ interface(`dev_write_sound',`
> ')
>
> write_chr_files_pattern($1, device_t, sound_device_t)
> + allow $1 sound_device_t:chr_file map;
> ')
>
> ########################################
> @@ -3806,6 +3808,7 @@ interface(`dev_write_sound_mixer',`
> ')
>
> write_chr_files_pattern($1, device_t, sound_device_t)
> + allow $1 sound_device_t:chr_file map;

Merged.

--
Chris PeBenito

2017-09-13 03:14:13

by Mira Ressel

Subject: [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients

On Tue, 12 Sep 2017 18:47:50 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:

> On 09/11/2017 10:11 PM, Luis Ressel via refpolicy wrote:
> > Note that dev_rw_dri already has the permission, it was just
> > forgotten to add it to dev_manage_dri, too.
> > ---
> > policy/modules/kernel/devices.if | 1 +
> > policy/modules/services/xserver.if | 4 +++-
> > policy/modules/services/xserver.te | 2 ++
> > policy/modules/system/userdomain.if | 2 ++
> > 4 files changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if index 39069c177..b8f85c2ad 100644
> > --- a/policy/modules/kernel/devices.if
> > +++ b/policy/modules/kernel/devices.if
> > @@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
> > ')
> >
> > manage_chr_files_pattern($1, device_t, dri_device_t)
> > + allow $1 dri_device_t:chr_file map;
> > ')
> >
> > ########################################
> > diff --git a/policy/modules/services/xserver.if
> > b/policy/modules/services/xserver.if index d14bf3c0d..13f800936
> > 100644 --- a/policy/modules/services/xserver.if
> > +++ b/policy/modules/services/xserver.if
> > @@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
> > # Xserver read/write client shm
> > allow xserver_t $1:fd use;
> > allow xserver_t $1:shm rw_shm_perms;
> > - allow xserver_t $2:file rw_file_perms;
> > + allow xserver_t $2:file { rw_file_perms map };
> >
> > # Connect to xserver
> > allow $1 xserver_t:unix_stream_socket connectto;
> > @@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
> > allow $1 xserver_t:fd use;
> > allow $1 xserver_t:shm r_shm_perms;
> > allow $1 xserver_tmpfs_t:file read_file_perms;
> > +
> > + allow $1 $2:file map;
>
> I think this should not go here, but in
> xserver_user_x_domain_template instead.

I can change that, but I wouldn't be surprised if it breaks xdm_t
(which is the only other user of xserver_ro_session). Unfortunately, I
don't have any login manager around, so I can't test that right now.

2017-09-13 22:33:18

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients

On 09/11/2017 10:11 PM, Luis Ressel via refpolicy wrote:
> Note that dev_rw_dri already has the permission, it was just forgotten
> to add it to dev_manage_dri, too.
> ---
> policy/modules/kernel/devices.if | 1 +
> policy/modules/services/xserver.if | 4 +++-
> policy/modules/services/xserver.te | 2 ++
> policy/modules/system/userdomain.if | 2 ++
> 4 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 39069c177..b8f85c2ad 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
> ')
>
> manage_chr_files_pattern($1, device_t, dri_device_t)
> + allow $1 dri_device_t:chr_file map;
> ')
>
> ########################################
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index d14bf3c0d..13f800936 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
> # Xserver read/write client shm
> allow xserver_t $1:fd use;
> allow xserver_t $1:shm rw_shm_perms;
> - allow xserver_t $2:file rw_file_perms;
> + allow xserver_t $2:file { rw_file_perms map };
>
> # Connect to xserver
> allow $1 xserver_t:unix_stream_socket connectto;
> @@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
> allow $1 xserver_t:fd use;
> allow $1 xserver_t:shm r_shm_perms;
> allow $1 xserver_tmpfs_t:file read_file_perms;
> +
> + allow $1 $2:file map;
> ')
>
> #######################################
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 0a9c8731e..e89e1535b 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +allow xserver_t xserver_tmpfs_t:file map;
>
> # Run xkbcomp
> manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> @@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
> userdom_use_user_ttys(xserver_t)
> userdom_setattr_user_ttys(xserver_t)
> userdom_read_user_tmp_files(xserver_t)
> +userdom_map_user_tmpfs_files(xserver_t)
> userdom_rw_user_tmpfs_files(xserver_t)
>
> xserver_use_user_fonts(xserver_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 78e821eb2..849f9b6a7 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
> userdom_exec_user_tmp_files($1_t)
> userdom_exec_user_home_content_files($1_t)
>
> + userdom_map_user_tmpfs_files($1_t)
> +
> userdom_change_password_template($1)
>
> ##############################

Merged.

--
Chris PeBenito