From: dac.override@gmail.com (Dominick Grift) Date: Sat, 13 Aug 2016 15:31:03 +0200 Subject: [refpolicy] [PATCH] Update the policy and file contexts for the xserver module In-Reply-To: <1471094827.21480.13.camel@trentalancia.net> References: <1471094827.21480.13.camel@trentalancia.net> Message-ID: <33a71ee1-1b72-25ed-70df-13bfba27eb36@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/13/2016 03:27 PM, Guido Trentalancia wrote: > Update for the xserver module: > > - updated the file contexts for the Xsession script; > - created an interface for chatting over dbus with > xdm; > - added permission to chat over dbus with colord. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/services/xserver.fc | 1 + > policy/modules/services/xserver.if | 21 +++++++++++++++++++++ > policy/modules/services/xserver.te | 4 ++++ > 3 files changed, 26 insertions(+) > > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc 2016-08-06 21:26:43.295774282 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.fc 2016-08-13 01:46:34.809322974 +0200 > @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > /usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) > /usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) > /usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) > +/usr/lib(64)?/X11/xdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) Not sure but I do not think that the (64)? is needed anymore as per: https://github.com/TresysTechnology/refpolicy/blob/master/config/file_contexts.subs_dist#L18 > > /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) > > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-13 15:01:34.028150851 +0200 
> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## > +## Send and receive messages from > +## xdm over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdm_dbus_chat',` > + gen_require(` > + type xdm_t; > + class dbus send_msg; > + ') > + > + allow $1 xdm_t:dbus send_msg; > + allow xdm_t $1:dbus send_msg; > +') > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te 2016-08-06 21:26:43.296774294 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.te 2016-08-13 12:48:32.475827426 +0200 > @@ -507,6 +507,10 @@ optional_policy(` > ') > > optional_policy(` > + colord_dbus_chat(xdm_t) > +') > + > +optional_policy(` > consolekit_dbus_chat(xdm_t) > ') > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
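Review bot: in the xserver.fc hunk, the added `/usr/lib(64)?/X11/xdm/Xsession` entry is the only path in the visible context that carries `(64)?`; the neighbouring `/usr/lib/xorg/Xorg\.wrap` and `/usr/lib/xorg-server/Xorg` entries use plain `/usr/lib`. If lib64 is already covered by path substitution, as the reply suggests, write the entry as `/usr/lib/X11/xdm/Xsession` so it matches the surrounding lines and the file keeps a single convention for library paths.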
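Review bot: in the xserver.if hunk, the new interface is named `xdm_dbus_chat` although it is defined in xserver.if, where the interface visible in the hunk context carries the module prefix (`xserver_unconfined`). Rename it along the lines of `xserver_dbus_chat_xdm` so callers can tell which module provides it. Nothing else in this patch calls the interface, so the commit message should name the intended caller: the two `allow` rules grant `send_msg` in both directions between xdm_t and whatever domain is passed as $1.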
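Review bot: in the xserver.te hunk, `colord_dbus_chat(xdm_t)` is added with no reason given beyond "added permission to chat over dbus with colord" in the commit message. State which display manager or session step produces the D-Bus traffic, ideally with the denial that was observed, so the grant to xdm_t can be checked against what is actually needed.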