From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 4 Dec 2016 08:00:18 -0500
Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions
In-Reply-To: <1480686247.12925.1.camel@trentalancia.net>
References: <1480604438.3101.0.camel@trentalancia.net> <1480686247.12925.1.camel@trentalancia.net>
Message-ID: <41e1bc9e-c3ec-70fc-8c3f-6aef8f386715@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote:
> Remove unneeded permissions to read user content from the
> xserver module (xserver and xdm domains).
>
> Signed-off-by: Guido Trentalancia

[...]

> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.te refpolicy-git-25112016/policy/modules/services/xserver.te
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02 14:38:12.002579001 +0100
> @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
> type xserver_log_t;
> logging_log_file(xserver_log_t)
>
> +type dmrc_home_t;
> +userdom_user_home_content(dmrc_home_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
>
> userdom_dontaudit_use_unpriv_user_fds(xdm_t)
> userdom_create_all_users_keys(xdm_t)
> -# for .dmrc
> -userdom_read_user_home_content_files(xdm_t)
> # Search /proc for any user domain processes.
> userdom_read_all_users_state(xdm_t)
> userdom_signal_all_users(xdm_t)
>
> +# for .dmrc: this was used by the Gnome Display Manager (gdm)
> +# and it is now obsolete in Gnome3
> +xserver_read_user_dmrc(xdm_t)

Why not completely remove the rules if they're no longer needed?

-- 
Chris PeBenito
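Review bot: the new type dmrc_home_t declared in the @@ -211 hunk is only effective if the full patch also adds the xserver_read_user_dmrc() interface to xserver.if and a file context for ~/.dmrc to xserver.fc; neither is visible in this excerpt (the [...] elision), so please confirm both are present. Without the .fc entry and a relabel of existing home directories, ~/.dmrc keeps its generic user home content label, which xdm_t can no longer read once the second hunk drops userdom_read_user_home_content_files(xdm_t).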
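Review bot: the @@ -467 hunk narrows xdm_t's access from all user home content files to the dmrc_home_t type rather than removing it, so the commit message "remove unneeded permissions" overstates what this hunk does; say it restricts the read access to ~/.dmrc. The added comment also contradicts the rule beneath it: it states the access was for gdm and is obsolete in Gnome3, yet xserver_read_user_dmrc(xdm_t) keeps it; either drop the rule (and dmrc_home_t) or reword the comment to name the display manager that still needs it. If that display manager updates ~/.dmrc rather than only reading it, a read-only interface will produce a denial, so verify read is sufficient.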