From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 16 Mar 2011 08:48:52 -0400 Subject: [refpolicy] [PATCH]: xauth label and module request In-Reply-To: <1298921881.3123.22.camel@tesla.lan> References: <1298921881.3123.22.camel@tesla.lan> Message-ID: <4D80B1B4.8030708@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/28/11 14:38, Guido Trentalancia wrote: > When starting the X server from the console (using the startx script > that is being shipped with package xinit from X.Org), a few more > permissions are needed from the reference policy. > > The label is for a file created by the startx script (from X.Org) and > the module being requested is ipv6 (which can be disabled by other > means). Merged. > --- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.te 2011-02-20 06:35:17.092746837 +0100 > +++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.te 2011-02-28 20:34:42.602106786 +0100 > @@ -269,6 +269,8 @@ domain_use_interactive_fds(xauth_t) > files_read_etc_files(xauth_t) > files_search_pids(xauth_t) > > +kernel_request_load_module(xauth_t) > + > fs_getattr_xattr_fs(xauth_t) > fs_search_auto_mountpoints(xauth_t) > > --- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.fc 2011-01-08 19:07:21.343757306 +0100 > +++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.fc 2011-02-27 21:11:12.475768819 +0100 > @@ -8,6 +8,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex > HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) > +HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) > > # > # /dev > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
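Review bot: The new kernel_request_load_module(xauth_t) line in the xserver.te hunk has no comment recording which module xauth_t asks for or why. The description names ipv6 and says it can be disabled by other means, so a short comment above the call (for example "# xauth triggers an ipv6 module request when started via startx") would keep the reason next to the rule. Since the module is optional, it is also worth stating in the description why the request is allowed for xauth_t rather than just silenced.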
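Review bot: The added HOME_DIR/\.serverauth.* entry in the xserver.fc hunk only takes effect when the home directory is relabeled, and the description says the file is created at run time by the startx script. Please confirm which domain creates the file and that it already gets xauth_home_t at creation. If it does not, each new .serverauth file keeps the default home directory type until the next relabel. The pattern itself follows the neighbouring \.xauth.* and \.Xauthority.* entries, including the unescaped trailing ".*", so it matches any name beginning with .serverauth. If only the suffixed files that startx generates are intended, a tighter expression would avoid labeling unrelated files.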