From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 17 Dec 2016 17:49:08 +0100 Subject: [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions Message-ID: <1481993348.5458.6.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The X Display Manager (XDM) does not normally require execheap and execmem permissions. Modify the current xserver module so that execheap and/or execmem are enabled only when the global booleans allow_execheap and/or allow_execmem are enabled. This applies only to systems other than RedHat. Signed-off-by: Guido Trentalancia --- policy/modules/services/xserver.te | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/policy/modules/services/xserver.te 2016-12-07 13:39:08.670449307 +0100 +++ b/policy/modules/services/xserver.te 2016-12-17 17:23:59.955264997 +0100 @@ -584,7 +584,14 @@ optional_policy(` unconfined_domtrans(xdm_t) ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; + tunable_policy(`allow_execheap',` + allow xdm_t self:process execheap; + ') + + # gnome-shell in gdm mode requires execmem + tunable_policy(`allow_execmem',` + allow xdm_t self:process execmem; + ') ') ')
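Review bot: the in-hunk comment "# gnome-shell in gdm mode requires execmem" contradicts the commit message's claim that XDM "does not normally require" execmem, and the net effect is a default-behaviour change that the message should state explicitly: before the patch non-Red Hat xdm_t got execheap and execmem unconditionally, after it both depend on global booleans that the message itself says are global, so a gdm/gnome-shell login screen works only once an administrator flips allow_execmem, which also loosens every other domain that keys off that boolean. Two suggestions for this hunk: (1) gate xdm_t on a module-specific tunable (for example an xdm-specific execmem boolean declared in xserver.te with the usual `## <desc>` block) rather than the global allow_execheap/allow_execmem, so enabling it for gnome-shell in gdm mode does not widen execmem policy-wide; (2) whatever boolean is used, confirm it is actually declared in the policy (tunable_policy over an undeclared boolean fails at build time) and mention the default-off consequence for gdm users in the commit message, since the diff gives no hint that the original `allow xdm_t self:process { execheap execmem };` line was load-bearing for a common display manager.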