From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 04 Dec 2016 14:03:41 +0100 Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions In-Reply-To: <41e1bc9e-c3ec-70fc-8c3f-6aef8f386715@ieee.org> References: <1480604438.3101.0.camel@trentalancia.net> <1480686247.12925.1.camel@trentalancia.net> <41e1bc9e-c3ec-70fc-8c3f-6aef8f386715@ieee.org> Message-ID: <2795712F-C05F-438C-9FDB-63EDA1B7B74B@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Christopher! I have not (yet) removed the rules completely in order to provide backward compatibility with Gnome2. Best regards, Guido On the 4th of December 2016 14:00:18 CET, Chris PeBenito wrote: >On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote: >> Remove unneeded permissions to read user content from the >> xserver module (xserver and xdm domains). >> >> Signed-off-by: Guido Trentalancia >[...] >> diff -pruN >refpolicy-git-25112016-orig/policy/modules/services/xserver.te >refpolicy-git-25112016/policy/modules/services/xserver.te >> --- >refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29 >16:29:13.454156211 +0200 >> +++ >refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02 >14:38:12.002579001 +0100 >> @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t) >> type xserver_log_t; >> logging_log_file(xserver_log_t) >> >> +type dmrc_home_t; >> +userdom_user_home_content(dmrc_home_t) >> + >> ifdef(`enable_mcs',` >> init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) >> init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) 
>> @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t) >> >> userdom_dontaudit_use_unpriv_user_fds(xdm_t) >> userdom_create_all_users_keys(xdm_t) >> -# for .dmrc >> -userdom_read_user_home_content_files(xdm_t) >> # Search /proc for any user domain processes. >> userdom_read_all_users_state(xdm_t) >> userdom_signal_all_users(xdm_t) >> >> +# for .dmrc: this was used by the Gnome Display Manager (gdm) >> +# and it is now obsolete in Gnome3 >> +xserver_read_user_dmrc(xdm_t) > >Why not completely remove the rules if they're no longer needed?
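Review bot: on the first hunk (`@@ -211,6 +211,9 @@`), the new `dmrc_home_t` type only takes effect if something actually labels `~/.dmrc` with it, and neither a file-context entry nor a filetrans rule is visible in the quoted portion of the patch; please confirm the matching `xserver.fc` entry (something of the form `HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)`) is part of the full submission, since without it the file keeps its generic home-content label and the narrowed `xdm_t` access would silently fail at login.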
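Review bot: on the second hunk (`@@ -467,12 +470,14 @@`), the replacement line `xserver_read_user_dmrc(xdm_t)` calls an interface from inside the xserver module's own .te; refpolicy convention is to write the allow rule directly there (interfaces exist for other modules to call), and the interface itself is not visible in the quoted hunks, so please check it is added to `xserver.if` in the same patch. The comment above that line also undercuts itself: it says the `.dmrc` access "is now obsolete in Gnome3" yet keeps the rule; since the reply explains it is retained for Gnome2 compatibility, say that in the comment (or guard the call with a tunable) so a later reader knows why it survives. Narrowing `userdom_read_user_home_content_files(xdm_t)` down to a single file type is the right direction.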