From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 17 Dec 2016 17:49:08 +0100
Subject: [refpolicy] [PATCH] xserver: curb on execheap and execmem
	permissions
Message-ID: <1481993348.5458.6.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The X Display Manager (XDM) does not normally require execheap
and execmem permissions.

Modify the current xserver module so that execheap and/or
execmem are enabled only when the global booleans allow_execheap
and/or allow_execmem are enabled.

This applies only to systems other than RedHat.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.te |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/policy/modules/services/xserver.te	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.te	2016-12-17 17:23:59.955264997 +0100
@@ -584,7 +584,14 @@ optional_policy(`
 	unconfined_domtrans(xdm_t)
 
 	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
+		tunable_policy(`allow_execheap',`
+			allow xdm_t self:process execheap;
+		')
+
+		# gnome-shell in gdm mode requires execmem
+		tunable_policy(`allow_execmem',`
+			allow xdm_t self:process execmem;
+		')
 	')
 ')