2016-12-31 10:16:47

by Russell Coker

Subject: [refpolicy] boinc patch for inclusion

Below is my final boinc patch. It runs well on several systems.

diff -ru /home/rjc/src/pol-git/policy/modules/contrib/boinc.te ./policy/modules/contrib/boinc.te
--- /home/rjc/src/pol-git/policy/modules/contrib/boinc.te 2016-11-02 14:53:37.763215655 +1100
+++ ./policy/modules/contrib/boinc.te 2016-12-31 21:14:18.482560122 +1100
@@ -85,6 +85,7 @@

kernel_read_system_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
+kernel_read_crypto_sysctls(boinc_t)

corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
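Review bot: the new kernel_read_crypto_sysctls(boinc_t) line carries no justification, and read access to the /proc/sys/crypto sysctls is not something a BOINC client obviously needs. Please add a short comment above the call, or a note in the submission, naming the denial that motivated it (for example which library reads those sysctls at startup), so the access can be judged on its merits; if it only occurs under a particular configuration, it belongs inside the matching tunable_policy or optional_policy block rather than in the unconditional part of the domain.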
@@ -143,6 +144,10 @@
miscfiles_read_fonts(boinc_t)
miscfiles_read_localization(boinc_t)

+xserver_list_xdm_tmp(boinc_t)
+corenet_tcp_connect_xserver_port(boinc_t)
+xserver_non_drawing_client(boinc_t)
+
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
')
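Review bot: the three new X-related calls are unconditional, but BOINC can run headless (as the follow-up in this thread confirms) and xserver is a separately loadable module, so they belong in an optional_policy block rather than in the always-on part of boinc_t; refpolicy convention is to wrap every call into another module that the domain does not strictly need. Suggested form:

optional_policy(`
	xserver_list_xdm_tmp(boinc_t)
	xserver_non_drawing_client(boinc_t)
')

with corenet_tcp_connect_xserver_port(boinc_t) placed in the same block. It would also help to state which denial required a TCP connection to the X server port, since a local client normally reaches the server over a Unix socket; if the TCP path is only for remote displays, a tunable is the better fit than an unconditional allow.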
diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
--- /home/rjc/src/pol-git/policy/modules/services/xserver.if 2016-12-31 21:09:24.677504879 +1100
+++ ./policy/modules/services/xserver.if 2016-12-31 21:14:18.486560245 +1100
@@ -1236,6 +1236,24 @@

########################################
## <summary>
+## list xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`xserver_list_xdm_tmp',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Execute the X server in the X server domain.
## </summary>
## <param name="domain">
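Review bot: the summary for the new xserver_list_xdm_tmp interface ("list xdm_tmp_t directories") is lower case and unpunctuated, while the neighbouring interface documents itself as "Execute the X server in the X server domain."; change it to a full sentence in the same style, for example "List the xdm temporary directories.", so the generated interface documentation stays consistent. A one-line comment in boinc.te on why BOINC needs to list that directory (rather than merely search it) would also explain why a new interface was needed here instead of an existing one.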


2016-12-31 16:09:41

by Chris PeBenito

Subject: [refpolicy] boinc patch for inclusion

On 12/31/16 05:16, Russell Coker via refpolicy wrote:
> Below is my final boinc patch. It runs well on several systems.
>
> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/boinc.te ./policy/modules/contrib/boinc.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/boinc.te 2016-11-02 14:53:37.763215655 +1100
> +++ ./policy/modules/contrib/boinc.te 2016-12-31 21:14:18.482560122 +1100
> @@ -85,6 +85,7 @@
>
> kernel_read_system_state(boinc_t)
> kernel_search_vm_sysctl(boinc_t)
> +kernel_read_crypto_sysctls(boinc_t)
>
> corenet_all_recvfrom_unlabeled(boinc_t)
> corenet_all_recvfrom_netlabel(boinc_t)
> @@ -143,6 +144,10 @@
> miscfiles_read_fonts(boinc_t)
> miscfiles_read_localization(boinc_t)
>
> +xserver_list_xdm_tmp(boinc_t)
> +corenet_tcp_connect_xserver_port(boinc_t)
> +xserver_non_drawing_client(boinc_t)

It's been a long time since I used boinc. IIRC it can be headless? If
so then these should be optional.


> tunable_policy(`boinc_execmem',`
> allow boinc_t self:process { execstack execmem };
> ')
> diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
> --- /home/rjc/src/pol-git/policy/modules/services/xserver.if 2016-12-31 21:09:24.677504879 +1100
> +++ ./policy/modules/services/xserver.if 2016-12-31 21:14:18.486560245 +1100
> @@ -1236,6 +1236,24 @@
>
> ########################################
> ## <summary>
> +## list xdm_tmp_t directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to allow
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_list_xdm_tmp',`
> + gen_require(`
> + type xdm_tmp_t;
> + ')
> +
> + allow $1 xdm_tmp_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute the X server in the X server domain.
> ## </summary>
> ## <param name="domain">



--
Chris PeBenito

2017-01-02 18:08:36

by Chris PeBenito

Subject: [refpolicy] boinc patch for inclusion

On 12/31/16 11:48, Russell Coker wrote:
> On Saturday, 31 December 2016 11:09:41 AM AEDT Chris PeBenito wrote:
>>> miscfiles_read_localization(boinc_t)
>>>
>>> +xserver_list_xdm_tmp(boinc_t)
>>> +corenet_tcp_connect_xserver_port(boinc_t)
>>> +xserver_non_drawing_client(boinc_t)
>>
>> It's been a long time since I used boinc. IIRC it can be headless? If
>> so then these should be optional.
>
> Correct. Shall I submit a new patch or do you just want to change it while
> applying?

I've merged it and made the change.

--
Chris PeBenito

2017-01-03 01:27:06

by Russell Coker

Subject: [refpolicy] boinc patch for inclusion

On Monday, 2 January 2017 1:08:36 PM AEDT Chris PeBenito wrote:
> On 12/31/16 11:48, Russell Coker wrote:
> > On Saturday, 31 December 2016 11:09:41 AM AEDT Chris PeBenito wrote:
> >>> miscfiles_read_localization(boinc_t)
> >>>
> >>> +xserver_list_xdm_tmp(boinc_t)
> >>> +corenet_tcp_connect_xserver_port(boinc_t)
> >>> +xserver_non_drawing_client(boinc_t)
> >>
> >> It's been a long time since I used boinc. IIRC it can be headless? If
> >> so then these should be optional.
> >
> > Correct. Shall I submit a new patch or do you just want to change it
> > while
> > applying?
>
> I've merged it and made the change.

Great thanks!

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2016-12-31 16:48:53

by Russell Coker

Subject: [refpolicy] boinc patch for inclusion

On Saturday, 31 December 2016 11:09:41 AM AEDT Chris PeBenito wrote:
> > miscfiles_read_localization(boinc_t)
> >
> > +xserver_list_xdm_tmp(boinc_t)
> > +corenet_tcp_connect_xserver_port(boinc_t)
> > +xserver_non_drawing_client(boinc_t)
>
> It's been a long time since I used boinc. IIRC it can be headless? If
> so then these should be optional.

Correct. Shall I submit a new patch or do you just want to change it while
applying?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/