2017-01-25 17:48:57

by Jason Zaman

Subject: [refpolicy] [PATCH] xserver: allow X roles to read xkb libs to set keymaps

commit d76d9e13b188e9fd8df98e1e21d88aa45951860e
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
setting xkeymaps fails with the following errors:

$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)

type=AVC msg=audit(1485357942.135:4458): avc: denied { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
---
policy/modules/services/xserver.if | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index a054c9c..f0761c9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -166,6 +166,8 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+
+ xserver_read_xkb_libs($2)
')

#######################################
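Review bot: the commit message quotes three AVC records, but the added `xserver_read_xkb_libs($2)` call only answers the two where comm="setxkbmap" is denied search on `xkb_var_lib_t`. The first record is a different access: comm="X" in `xserver_t` is denied search on a `staff_t` directory in proc, and nothing in this hunk grants it. Say in the message whether that denial is unrelated and intentionally left in place, or drop it from the log excerpt so the policy change and its evidence match. The second and third records are also identical apart from the serial number, so one of them is enough.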
--
2.10.2


2017-01-29 17:55:24

by Chris PeBenito

Subject: [refpolicy] [PATCH] xserver: allow X roles to read xkb libs to set keymaps

On 01/25/17 12:48, Jason Zaman wrote:
> commit d76d9e13b188e9fd8df98e1e21d88aa45951860e
> xserver: restrict executable memory permissions
> changed XKB libs which made them no longer readable by users.
> setting xkeymaps fails with the following errors:
>
> $ setxkbmap -option "ctrl:nocaps"
> Couldn't find rules file (evdev)
>
> type=AVC msg=audit(1485357942.135:4458): avc: denied { search } for
> pid=5359 comm="X" name="20990" dev="proc" ino=103804
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
> type=AVC msg=audit(1485357942.136:4459): avc: denied { search } for
> pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1485357942.136:4460): avc: denied { search } for
> pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
> ---
> policy/modules/services/xserver.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index a054c9c..f0761c9 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -166,6 +166,8 @@ interface(`xserver_role',`
> manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> +
> + xserver_read_xkb_libs($2)
> ')
>
> #######################################
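Review bot: the new call at the end of `xserver_role` carries no comment, and it sits directly under the `user_fonts_config_t` patterns, so a later reader cannot tell why a role's user domain needs XKB access. Because it is applied to `$2`, the same argument used by the patterns above it, every domain passed through `xserver_role` gains the read access, which is worth stating. A one-line comment above `xserver_read_xkb_libs($2)` saying that user domains read the XKB rules files when setting keymaps (the `setxkbmap` failure in the message) would record the reason next to the rule.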

Merged.

--
Chris PeBenito