From: aranea@aixah.de (Luis Ressel)
Date: Wed, 13 Sep 2017 05:14:13 +0200
Subject: [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients
In-Reply-To:
References: <20170912021116.14272-1-aranea@aixah.de>
Message-ID: <20170913051413.4cfa8ab0@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Sep 2017 18:47:50 -0400 Chris PeBenito via refpolicy wrote:

> On 09/11/2017 10:11 PM, Luis Ressel via refpolicy wrote: > > Note that dev_rw_dri already has the permission, it was just > > forgotten to add it to dev_manage_dri, too. > > --- > > policy/modules/kernel/devices.if | 1 + > > policy/modules/services/xserver.if | 4 +++- > > policy/modules/services/xserver.te | 2 ++ > > policy/modules/system/userdomain.if | 2 ++ > > 4 files changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/policy/modules/kernel/devices.if > > b/policy/modules/kernel/devices.if index 39069c177..b8f85c2ad 100644 > > --- a/policy/modules/kernel/devices.if > > +++ b/policy/modules/kernel/devices.if > > @@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',` > > ') > > > > manage_chr_files_pattern($1, device_t, dri_device_t) > > + allow $1 dri_device_t:chr_file map; > > ') > > > > ######################################## > > diff --git a/policy/modules/services/xserver.if > > b/policy/modules/services/xserver.if index d14bf3c0d..13f800936 > > 100644 --- a/policy/modules/services/xserver.if > > +++ b/policy/modules/services/xserver.if > > @@ -197,7 +197,7 @@ interface(`xserver_ro_session',` > > # Xserver read/write client shm > > allow xserver_t $1:fd use; > > allow xserver_t $1:shm rw_shm_perms; > > - allow xserver_t $2:file rw_file_perms; > > + allow xserver_t $2:file { rw_file_perms map }; > > > > # Connect to xserver > > allow $1 xserver_t:unix_stream_socket connectto; 
> > @@ -210,6 +210,8 @@ interface(`xserver_ro_session',` > > allow $1 xserver_t:fd use; > > allow $1 xserver_t:shm r_shm_perms; > > allow $1 xserver_tmpfs_t:file read_file_perms; > > + > > + allow $1 $2:file map;

> I think this should not go here, but in
> xserver_user_x_domain_template instead.

I can change that, but I wouldn't be surprised if it breaks xdm_t (which is the only other user of xserver_ro_session). Unfortunately, I don't have any login manager around, so I can't test that right now.
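Review bot: in the devices.if hunk, the raw `allow $1 dri_device_t:chr_file map;` appended after `manage_chr_files_pattern($1, device_t, dri_device_t)` breaks the pattern-macro style of dev_manage_dri_dev; the commit message says dev_rw_dri already carries this permission, so grant it here with the same construction that interface uses so the two stay in sync, and mention in the interface description that callers can now mmap the DRI device, since that is a new capability for every existing caller.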
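Review bot: in the first xserver.if hunk, the comment above the changed rule (`# Xserver read/write client shm`) no longer describes it once `map` is added to `allow xserver_t $2:file { rw_file_perms map };`; update the comment to say the server also maps the client's shm files, and note that `$2` is the caller's file type, so every caller of xserver_ro_session now grants xserver_t mmap of those files, not just read/write.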
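Review bot: in the second xserver.if hunk, the new `allow $1 $2:file map;` is added as a bare rule with no comment, unlike every other rule group in this interface (`# Xserver read/write client shm`, `# Connect to xserver`), and it grants the client `map` on its own type `$2`, which is not part of the relationship between xserver_t and the client that xserver_ro_session expresses; as the thread already says, it belongs in xserver_user_x_domain_template, and moving it there should be checked against xdm_t, named in the reply as the only other caller of xserver_ro_session.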