From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 13 Sep 2017 18:33:18 -0400 Subject: [refpolicy] [PATCH 1/2] Grant all permissions neccessary for Xorg and basic X clients In-Reply-To: <20170912021116.14272-1-aranea@aixah.de> References: <20170912021116.14272-1-aranea@aixah.de> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/11/2017 10:11 PM, Luis Ressel via refpolicy wrote:
> Note that dev_rw_dri already has the permission, it was just forgotten
> to add it to dev_manage_dri, too.
> ---
> policy/modules/kernel/devices.if | 1 +
> policy/modules/services/xserver.if | 4 +++-
> policy/modules/services/xserver.te | 2 ++
> policy/modules/system/userdomain.if | 2 ++
> 4 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 39069c177..b8f85c2ad 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
> ')
>
> manage_chr_files_pattern($1, device_t, dri_device_t)
> + allow $1 dri_device_t:chr_file map;
> ')
>
> ########################################
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index d14bf3c0d..13f800936 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
> # Xserver read/write client shm
> allow xserver_t $1:fd use;
> allow xserver_t $1:shm rw_shm_perms;
> - allow xserver_t $2:file rw_file_perms;
> + allow xserver_t $2:file { rw_file_perms map };
>
> # Connect to xserver
> allow $1 xserver_t:unix_stream_socket connectto;
> @@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
> allow $1 xserver_t:fd use;
> allow $1 xserver_t:shm r_shm_perms;
> allow $1 xserver_tmpfs_t:file read_file_perms;
> +
> + allow $1 $2:file map;
> ')
>
> #######################################
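Review bot: In `xserver_ro_session`, the added `allow $1 $2:file map;` in the second xserver.if hunk carries no comment, and the existing `# Xserver read/write client shm` above the first hunk's `{ rw_file_perms map }` no longer describes everything that rule grants. `map` is checked when the mapping is created, so an established mapping is not re-validated if the file is later relabelled or the policy is reloaded; that makes it worth stating in the policy why each side needs it. I would add `# Client mmap of its $2 files (shared memory with the X server)` above the new client rule and change the server comment to `# Xserver read/write/mmap client shm`. The visible lines give `$1` no read or write on `$2:file`, so the client rule presumably relies on access granted elsewhere; the interface begins outside both hunks.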
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 0a9c8731e..e89e1535b 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +allow xserver_t xserver_tmpfs_t:file map;
>
> # Run xkbcomp
> manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> @@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
> userdom_use_user_ttys(xserver_t)
> userdom_setattr_user_ttys(xserver_t)
> userdom_read_user_tmp_files(xserver_t)
> +userdom_map_user_tmpfs_files(xserver_t)
> userdom_rw_user_tmpfs_files(xserver_t)
>
> xserver_use_user_fonts(xserver_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 78e821eb2..849f9b6a7 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
> userdom_exec_user_tmp_files($1_t)
> userdom_exec_user_home_content_files($1_t)
>
> + userdom_map_user_tmpfs_files($1_t)
> +
> userdom_change_password_template($1)
>
> ##############################
Merged. -- Chris PeBenito
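Review bot: `userdom_map_user_tmpfs_files(xserver_t)` in the second xserver.te hunk calls an interface that this patch does not define: the diffstat lists only two added lines in userdomain.if, and both belong to the new call inside `userdom_login_user_template`. If the interface is not already in the tree, or only arrives with patch 2/2, the policy would not build at this commit, which makes bisecting harder. Either include the interface definition in this patch or name the prerequisite in the commit message. The same call is added in the userdomain.if hunk.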
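Review bot: The new `userdom_map_user_tmpfs_files($1_t)` in `userdom_login_user_template` applies to every login user domain built from this template, whether or not that role runs X clients, while the commit subject is about Xorg and basic X clients. If only X clients need to mmap user tmpfs files, the grant would be narrower next to the X-specific rules for a role; at minimum it should carry a comment such as `# mmap of user tmpfs files, needed by X clients for shared memory`. The template body starts and ends outside the hunk, so other rules in it may already justify this placement.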