From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 4 Dec 2016 08:00:18 -0500
Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content
 permissions
In-Reply-To: <1480686247.12925.1.camel@trentalancia.net>
References: <1480604438.3101.0.camel@trentalancia.net>
	<1480686247.12925.1.camel@trentalancia.net>
Message-ID: <41e1bc9e-c3ec-70fc-8c3f-6aef8f386715@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote:
> Remove unneeded permissions to read user content from the
> xserver module (xserver and xdm domains).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
[...]
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.te refpolicy-git-25112016/policy/modules/services/xserver.te
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.te	2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.te	2016-12-02 14:38:12.002579001 +0100
> @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
>  type xserver_log_t;
>  logging_log_file(xserver_log_t)
>
> +type dmrc_home_t;
> +userdom_user_home_content(dmrc_home_t)
> +
>  ifdef(`enable_mcs',`
>  	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
>  	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
>
>  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
>  userdom_create_all_users_keys(xdm_t)
> -# for .dmrc
> -userdom_read_user_home_content_files(xdm_t)
>  # Search /proc for any user domain processes.
>  userdom_read_all_users_state(xdm_t)
>  userdom_signal_all_users(xdm_t)
>
> +# for .dmrc: this was used by the Gnome Display Manager (gdm)
> +# and it is now obsolete in Gnome3
> +xserver_read_user_dmrc(xdm_t)

Why not completely remove the rules if they're no longer needed?


-- 
Chris PeBenito