From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 31 Dec 2016 17:38:52 +0100
Subject: [refpolicy] [PATCH v5] xserver: restrict executable memory
 permissions
In-Reply-To: <63133c4e-ec11-517c-eae4-bd6a768a0a8b@ieee.org>
References: <1482945627.7302.8.camel@trentalancia.net>
	<1482954976.2738.9.camel@trentalancia.net>
	<1483058219.31174.0.camel@trentalancia.net>
	<f298ca3b-0866-48d8-ed16-75109c89369f@ieee.org>
	<2093778852.71948.1483135647164.JavaMail.open-xchange@popper10.register.it>
	<6af90cee-3558-05b2-aeed-d15f89debaa1@ieee.org>
	<1483200178.3041.3.camel@trentalancia.net>
	<63133c4e-ec11-517c-eae4-bd6a768a0a8b@ieee.org>
Message-ID: <1483202332.14835.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 31/12/2016 at 11.27 -0500, Chris PeBenito wrote:
> On 12/31/16 11:02, Guido Trentalancia via refpolicy wrote:
> > 
> > @@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
> > ?term_use_unallocated_ttys(xdm_t)
> > ?term_setattr_unallocated_ttys(xdm_t)
> > 
> > +# for xconsole
> > +term_use_ptmx(xdm_t)
> > +term_use_generic_ptys(xdm_t)
> > +term_relabel_all_ptys(xdm_t)
> > +
> > ?auth_domtrans_pam_console(xdm_t)
> > ?auth_manage_pam_pid(xdm_t)
> > ?auth_manage_pam_console_data(xdm_t)
> 
> I've asked a couple times.??What creates this pty???It should be?
> properly labeled.??Generic pty use should be avoided if possible.

Perhaps, I misunderstood your question, I am sorry about that !

I think it is a bug in the patch. It shouldn't need those term
interfaces.

I am now testing an improved patch, it should be ready shortly...

Regards,

Guido