From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 18 Dec 2016 17:29:05 -0500
Subject: [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
In-Reply-To: <1481993348.5458.6.camel@trentalancia.net>
References: <1481993348.5458.6.camel@trentalancia.net>
Message-ID: <449b0f9a-77a4-aa50-782a-17a1b3f26725@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
> The X Display Manager (XDM) does not normally require execheap
> and execmem permissions.
>
> Modify the current xserver module so that execheap and/or
> execmem are enabled only when the global booleans allow_execheap
> and/or allow_execmem are enabled.
>
> This applies only to systems other than RedHat.
>
> Signed-off-by: Guido Trentalancia
> ---
>  policy/modules/services/xserver.te | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/services/xserver.te	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-17 17:23:59.955264997 +0100
> @@ -584,7 +584,14 @@ optional_policy(`
>  	unconfined_domtrans(xdm_t)
>
>  	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> +		tunable_policy(`allow_execheap',`
> +			allow xdm_t self:process execheap;
> +		')
> +
> +		# gnome-shell in gdm mode requires execmem
> +		tunable_policy(`allow_execmem',`
> +			allow xdm_t self:process execmem;
> +		')
>  	')
> ')

It probably should just be removed from the ifndef, if the rules are conditional.

A more important question is if xserver actually still needs these perms.

--
Chris PeBenito
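Review bot: keeping the two tunable_policy blocks inside the ifndef(`distro_redhat',` guard means allow_execheap and allow_execmem change xdm_t's permissions on every build except Red Hat, so the same boolean setting produces different policy depending on the distro; if the rules are now gated by the booleans, drop the ifndef so the tunables apply uniformly, or say in the commit message why a Red Hat build must refuse xdm_t these permissions even with the booleans enabled. The comment `# gnome-shell in gdm mode requires execmem` justifies only the execmem block; the execheap block carries no justification, and since the commit message states that XDM does not normally require execheap, either name the display manager that needs it or leave that rule out. Finally, the commit message describes allow_execheap and allow_execmem as global booleans, so an administrator who enables one to make gnome-shell work under gdm also relaxes every other rule conditioned on that boolean; a tunable scoped to xdm_t would confine the relaxation to the domain that needs it.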