* [refpolicy] [Xserver 1/1] The xserver module is not in base.
@ 2010-09-03 10:53 Dominick Grift
2010-09-03 14:59 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2010-09-03 10:53 UTC (permalink / raw)
To: refpolicy
The xserver module is not in base.
That must mean its use is optional.
Move all external xserver interface to optional policy blocks.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 5d3d45c... 521f16d... M policy/modules/apps/evolution.te
:100644 100644 cbf4bec... 7266190... M policy/modules/apps/mozilla.te
:100644 100644 815a467... e6dc43a... M policy/modules/apps/mplayer.te
:100644 100644 794c0be... c75a7ce... M policy/modules/apps/thunderbird.te
:100644 100644 1f803bb... 8524075... M policy/modules/apps/vmware.te
:100644 100644 1bdeb16... a4d2bc5... M policy/modules/apps/xscreensaver.te
:100644 100644 0f262a7... ca59bdb... M policy/modules/services/rhgb.te
:100644 100644 e226da4... 5216d19... M policy/modules/services/xserver.te
:100644 100644 8b4f6d8... cf5f157... M policy/modules/system/userdomain.if
policy/modules/apps/evolution.te | 26 +++++++++++++++++---------
policy/modules/apps/mozilla.te | 10 ++++++----
policy/modules/apps/mplayer.te | 6 ++++--
policy/modules/apps/thunderbird.te | 10 ++++++----
policy/modules/apps/vmware.te | 4 +++-
policy/modules/apps/xscreensaver.te | 5 ++++-
policy/modules/services/rhgb.te | 20 +++++++++++---------
policy/modules/services/xserver.te | 2 +-
policy/modules/system/userdomain.if | 30 ++++++++++++++++++------------
9 files changed, 70 insertions(+), 43 deletions(-)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 5d3d45c..521f16d 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)
mta_read_config(evolution_t)
-xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
-xserver_read_xdm_tmp_files(evolution_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_t)
fs_manage_nfs_files(evolution_t)
@@ -340,6 +337,11 @@ optional_policy(`
spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
')
+optional_policy(`
+ xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+ xserver_read_xdm_tmp_files(evolution_t)
+')
+
########################################
#
# Evolution alarm local policy
@@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
# until properly implemented
userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
-xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
-
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(evolution_alarm_t)
@@ -408,6 +408,10 @@ optional_policy(`
nscd_socket_use(evolution_alarm_t)
')
+optional_policy(`
+ xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+')
+
########################################
#
# Evolution exchange connector local policy
@@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
# until properly implemented
userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
-xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
-
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(evolution_exchange_t)
@@ -488,6 +490,10 @@ optional_policy(`
nscd_socket_use(evolution_exchange_t)
')
+optional_policy(`
+ xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+')
+
########################################
#
# Evolution data server local policy
@@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
# until properly implemented
userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
-xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
-
optional_policy(`
nscd_socket_use(evolution_webcal_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cbf4bec..7266190 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)
userdom_use_user_ptys(mozilla_t)
-xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
-xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-
tunable_policy(`allow_execmem',`
allow mozilla_t self:process { execmem execstack };
')
@@ -266,3 +262,9 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 815a467..e6dc43a 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
userdom_read_user_home_content_symlinks(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
-xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
-
# Read songs
ifdef(`enable_mls',`',`
fs_search_removable(mplayer_t)
@@ -309,3 +307,7 @@ optional_policy(`
pulseaudio_exec(mplayer_t)
pulseaudio_stream_connect(mplayer_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 794c0be..c75a7ce 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
# .kde/....gtkrc
userdom_read_user_home_content_files(thunderbird_t)
-xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
-xserver_read_xdm_tmp_files(thunderbird_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-
# Access ~/.thunderbird
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(thunderbird_t)
@@ -208,3 +204,9 @@ optional_policy(`
mozilla_domtrans(thunderbird_t)
mozilla_dbus_chat(thunderbird_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+ xserver_read_xdm_tmp_files(thunderbird_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 1f803bb..8524075 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
sysnet_dns_name_resolve(vmware_t)
sysnet_read_config(vmware_t)
-xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+optional_policy(`
+ xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+')
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..a4d2bc5 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
#access to .icons and ~/.xscreensaver
userdom_read_user_home_content_files(xscreensaver_t)
-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+ xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
+
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..ca59bdb 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
userdom_dontaudit_search_user_home_content(rhgb_t)
-xserver_read_tmp_files(rhgb_t)
-xserver_kill(rhgb_t)
-# for running setxkbmap
-xserver_read_xkb_libs(rhgb_t)
-xserver_domtrans(rhgb_t)
-xserver_signal(rhgb_t)
-xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect(rhgb_t)
-
optional_policy(`
consoletype_exec(rhgb_t)
')
@@ -135,6 +126,17 @@ optional_policy(`
udev_read_db(rhgb_t)
')
+optional_policy(`
+ xserver_read_tmp_files(rhgb_t)
+ xserver_kill(rhgb_t)
+ # for running setxkbmap
+ xserver_read_xkb_libs(rhgb_t)
+ xserver_domtrans(rhgb_t)
+ xserver_signal(rhgb_t)
+ xserver_read_xdm_tmp_files(rhgb_t)
+ xserver_stream_connect(rhgb_t)
+')
+
ifdef(`TODO',`
#this seems a bit much
allow domain rhgb_devpts_t:chr_file { read write };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e226da4..5216d19 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-# xserver_rw_session_template(xdm,userdomain)
+ # xserver_rw_session_template(xdm,userdomain)
',`
userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
# FIXME:
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8b4f6d8..cf5f157 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t)
- # certain apps want to read xdm.pid file
- xserver_read_xdm_pid($1_t)
- # gnome-session creates socket under /tmp/.ICE-unix/
- xserver_create_xdm_tmp_sockets($1_t)
- # Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
+ optional_policy(`
+ xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+ xserver_dontaudit_write_log($1_t)
+ xserver_stream_connect_xdm($1_t)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($1_t)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_sockets($1_t)
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($1_t)
+ ')
')
#######################################
@@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t)
- xserver_restricted_role($1_r, $1_t)
-
optional_policy(`
alsa_read_rw_config($1_t)
')
@@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
')
+
+ optional_policy(`
+ xserver_restricted_role($1_r, $1_t)
+ ')
')
#######################################
@@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
')
xserver_xsession_spec_domtrans($1, userdomain)
+
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
@@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
')
xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/cfc0799d/attachment.bin
^ permalink raw reply related [flat|nested] 2+ messages in thread* [refpolicy] [Xserver 1/1] The xserver module is not in base.
2010-09-03 10:53 [refpolicy] [Xserver 1/1] The xserver module is not in base Dominick Grift
@ 2010-09-03 14:59 ` Christopher J. PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2010-09-03 14:59 UTC (permalink / raw)
To: refpolicy
On 09/03/10 06:53, Dominick Grift wrote:
> The xserver module is not in base.
> That must mean its use is optional.
> Move all external xserver interface to optional policy blocks.
Not being required in base doesn't necessarily mean that it should be
optional in all policies that call it. For example, Evolution won't
work without it, thus its mandatory for the Evolution and not optional.
> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 5d3d45c... 521f16d... M policy/modules/apps/evolution.te
> :100644 100644 cbf4bec... 7266190... M policy/modules/apps/mozilla.te
> :100644 100644 815a467... e6dc43a... M policy/modules/apps/mplayer.te
> :100644 100644 794c0be... c75a7ce... M policy/modules/apps/thunderbird.te
> :100644 100644 1f803bb... 8524075... M policy/modules/apps/vmware.te
> :100644 100644 1bdeb16... a4d2bc5... M policy/modules/apps/xscreensaver.te
> :100644 100644 0f262a7... ca59bdb... M policy/modules/services/rhgb.te
> :100644 100644 e226da4... 5216d19... M policy/modules/services/xserver.te
> :100644 100644 8b4f6d8... cf5f157... M policy/modules/system/userdomain.if
> policy/modules/apps/evolution.te | 26 +++++++++++++++++---------
> policy/modules/apps/mozilla.te | 10 ++++++----
> policy/modules/apps/mplayer.te | 6 ++++--
> policy/modules/apps/thunderbird.te | 10 ++++++----
> policy/modules/apps/vmware.te | 4 +++-
> policy/modules/apps/xscreensaver.te | 5 ++++-
> policy/modules/services/rhgb.te | 20 +++++++++++---------
> policy/modules/services/xserver.te | 2 +-
> policy/modules/system/userdomain.if | 30 ++++++++++++++++++------------
> 9 files changed, 70 insertions(+), 43 deletions(-)
>
> diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
> index 5d3d45c..521f16d 100644
> --- a/policy/modules/apps/evolution.te
> +++ b/policy/modules/apps/evolution.te
> @@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)
>
> mta_read_config(evolution_t)
>
> -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
> -xserver_read_xdm_tmp_files(evolution_t)
> -
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(evolution_t)
> fs_manage_nfs_files(evolution_t)
> @@ -340,6 +337,11 @@ optional_policy(`
> spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
> ')
>
> +optional_policy(`
> + xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
> + xserver_read_xdm_tmp_files(evolution_t)
> +')
> +
> ########################################
> #
> # Evolution alarm local policy
> @@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
> # until properly implemented
> userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
>
> -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
> -
> # Access evolution home
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(evolution_alarm_t)
> @@ -408,6 +408,10 @@ optional_policy(`
> nscd_socket_use(evolution_alarm_t)
> ')
>
> +optional_policy(`
> + xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
> +')
> +
> ########################################
> #
> # Evolution exchange connector local policy
> @@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
> # until properly implemented
> userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
>
> -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
> -
> # Access evolution home
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(evolution_exchange_t)
> @@ -488,6 +490,10 @@ optional_policy(`
> nscd_socket_use(evolution_exchange_t)
> ')
>
> +optional_policy(`
> + xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
> +')
> +
> ########################################
> #
> # Evolution data server local policy
> @@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
> # until properly implemented
> userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
>
> -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
> -
> optional_policy(`
> nscd_socket_use(evolution_webcal_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index cbf4bec..7266190 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)
>
> userdom_use_user_ptys(mozilla_t)
>
> -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> -xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
> -
> tunable_policy(`allow_execmem',`
> allow mozilla_t self:process { execmem execstack };
> ')
> @@ -266,3 +262,9 @@ optional_policy(`
> optional_policy(`
> thunderbird_domtrans(mozilla_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> + xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> + xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
> +')
> diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
> index 815a467..e6dc43a 100644
> --- a/policy/modules/apps/mplayer.te
> +++ b/policy/modules/apps/mplayer.te
> @@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
> userdom_read_user_home_content_symlinks(mplayer_t)
> userdom_write_user_tmp_sockets(mplayer_t)
>
> -xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> -
> # Read songs
> ifdef(`enable_mls',`',`
> fs_search_removable(mplayer_t)
> @@ -309,3 +307,7 @@ optional_policy(`
> pulseaudio_exec(mplayer_t)
> pulseaudio_stream_connect(mplayer_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
> index 794c0be..c75a7ce 100644
> --- a/policy/modules/apps/thunderbird.te
> +++ b/policy/modules/apps/thunderbird.te
> @@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
> # .kde/....gtkrc
> userdom_read_user_home_content_files(thunderbird_t)
>
> -xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
> -xserver_read_xdm_tmp_files(thunderbird_t)
> -xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
> -
> # Access ~/.thunderbird
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(thunderbird_t)
> @@ -208,3 +204,9 @@ optional_policy(`
> mozilla_domtrans(thunderbird_t)
> mozilla_dbus_chat(thunderbird_t)
> ')
> +
> +optional_policy(`
> + xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
> + xserver_read_xdm_tmp_files(thunderbird_t)
> + xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
> +')
> diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
> index 1f803bb..8524075 100644
> --- a/policy/modules/apps/vmware.te
> +++ b/policy/modules/apps/vmware.te
> @@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
> sysnet_dns_name_resolve(vmware_t)
> sysnet_read_config(vmware_t)
>
> -xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
> +optional_policy(`
> + xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
> index 1bdeb16..a4d2bc5 100644
> --- a/policy/modules/apps/xscreensaver.te
> +++ b/policy/modules/apps/xscreensaver.te
> @@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
> #access to .icons and ~/.xscreensaver
> userdom_read_user_home_content_files(xscreensaver_t)
>
> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +optional_policy(`
> + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +')
> +
> diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
> index 0f262a7..ca59bdb 100644
> --- a/policy/modules/services/rhgb.te
> +++ b/policy/modules/services/rhgb.te
> @@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
> userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
> userdom_dontaudit_search_user_home_content(rhgb_t)
>
> -xserver_read_tmp_files(rhgb_t)
> -xserver_kill(rhgb_t)
> -# for running setxkbmap
> -xserver_read_xkb_libs(rhgb_t)
> -xserver_domtrans(rhgb_t)
> -xserver_signal(rhgb_t)
> -xserver_read_xdm_tmp_files(rhgb_t)
> -xserver_stream_connect(rhgb_t)
> -
> optional_policy(`
> consoletype_exec(rhgb_t)
> ')
> @@ -135,6 +126,17 @@ optional_policy(`
> udev_read_db(rhgb_t)
> ')
>
> +optional_policy(`
> + xserver_read_tmp_files(rhgb_t)
> + xserver_kill(rhgb_t)
> + # for running setxkbmap
> + xserver_read_xkb_libs(rhgb_t)
> + xserver_domtrans(rhgb_t)
> + xserver_signal(rhgb_t)
> + xserver_read_xdm_tmp_files(rhgb_t)
> + xserver_stream_connect(rhgb_t)
> +')
> +
> ifdef(`TODO',`
> #this seems a bit much
> allow domain rhgb_devpts_t:chr_file { read write };
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index e226da4..5216d19 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
> tunable_policy(`xdm_sysadm_login',`
> userdom_xsession_spec_domtrans_all_users(xdm_t)
> # FIXME:
> -# xserver_rw_session_template(xdm,userdomain)
> + # xserver_rw_session_template(xdm,userdomain)
> ',`
> userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
> # FIXME:
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 8b4f6d8..cf5f157 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
> # GNOME checks for usb and other devices:
> dev_rw_usbfs($1_t)
>
> - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> - xserver_xsession_entry_type($1_t)
> - xserver_dontaudit_write_log($1_t)
> - xserver_stream_connect_xdm($1_t)
> - # certain apps want to read xdm.pid file
> - xserver_read_xdm_pid($1_t)
> - # gnome-session creates socket under /tmp/.ICE-unix/
> - xserver_create_xdm_tmp_sockets($1_t)
> - # Needed for escd, remove if we get escd policy
> - xserver_manage_xdm_tmp_files($1_t)
> + optional_policy(`
> + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> + xserver_xsession_entry_type($1_t)
> + xserver_dontaudit_write_log($1_t)
> + xserver_stream_connect_xdm($1_t)
> + # certain apps want to read xdm.pid file
> + xserver_read_xdm_pid($1_t)
> + # gnome-session creates socket under /tmp/.ICE-unix/
> + xserver_create_xdm_tmp_sockets($1_t)
> + # Needed for escd, remove if we get escd policy
> + xserver_manage_xdm_tmp_files($1_t)
> + ')
> ')
>
> #######################################
> @@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
> logging_send_audit_msgs($1_t)
> selinux_get_enforce_mode($1_t)
>
> - xserver_restricted_role($1_r, $1_t)
> -
> optional_policy(`
> alsa_read_rw_config($1_t)
> ')
> @@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
> optional_policy(`
> setroubleshoot_dontaudit_stream_connect($1_t)
> ')
> +
> + optional_policy(`
> + xserver_restricted_role($1_r, $1_t)
> + ')
> ')
>
> #######################################
> @@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
> ')
>
> xserver_xsession_spec_domtrans($1, userdomain)
> +
> allow userdomain $1:fd use;
> allow userdomain $1:fifo_file rw_file_perms;
> allow userdomain $1:process sigchld;
> @@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
> ')
>
> xserver_xsession_spec_domtrans($1, unpriv_userdomain)
> +
> allow unpriv_userdomain $1:fd use;
> allow unpriv_userdomain $1:fifo_file rw_file_perms;
> allow unpriv_userdomain $1:process sigchld;
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-09-03 14:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-03 10:53 [refpolicy] [Xserver 1/1] The xserver module is not in base Dominick Grift
2010-09-03 14:59 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.