* [refpolicy] [PATCH]: xauth label and module request
@ 2011-02-28 19:38 Guido Trentalancia
  2011-03-16 12:48 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Guido Trentalancia @ 2011-02-28 19:38 UTC (permalink / raw)
  To: refpolicy

When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.

The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).

--- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.te	2011-02-20 06:35:17.092746837 +0100
+++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.te	2011-02-28 20:34:42.602106786 +0100
@@ -269,6 +269,8 @@ domain_use_interactive_fds(xauth_t)
 files_read_etc_files(xauth_t)
 files_search_pids(xauth_t)
 
+kernel_request_load_module(xauth_t)
+
 fs_getattr_xattr_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
 
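Review bot: The added `kernel_request_load_module(xauth_t)` line has no comment saying why xauth needs to trigger module loading, and the grant is unconditional even though the description says the ipv6 request "can be disabled by other means". A one-line comment above the call naming the trigger (the ipv6 module request seen when startx runs xauth) would keep the reason with the rule. It is also worth stating in the description whether allowing the request is preferred here over silencing the denial, since xauth_t handles X authority files and does not otherwise need kernel module access in the visible context.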
--- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.fc	2011-01-08 19:07:21.343757306 +0100
+++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.fc	2011-02-27 21:11:12.475768819 +0100
@@ -8,6 +8,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
 # /dev
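Review bot: The new `HOME_DIR/\.serverauth.*` entry in xserver.fc only determines the label applied on relabel, while the description says the file is created at run time by the startx script, so a freshly created file gets xauth_home_t only if the creating domain already has a matching type transition, and this patch adds none. Please confirm which domain creates the file and that it comes out as xauth_home_t without a manual relabel. The trailing `.*` also matches any home-directory name that merely starts with `.serverauth`, which is consistent with the neighbouring `\.xauth.*` and `\.Xauthority.*` entries but broader than the single startx file the description mentions.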


* [refpolicy] [PATCH]: xauth label and module request
  2011-02-28 19:38 [refpolicy] [PATCH]: xauth label and module request Guido Trentalancia
@ 2011-03-16 12:48 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2011-03-16 12:48 UTC (permalink / raw)
  To: refpolicy

On 02/28/11 14:38, Guido Trentalancia wrote:
> When starting the X server from the console (using the startx script
> that is being shipped with package xinit from X.Org), a few more
> permissions are needed from the reference policy.
> 
> The label is for a file created by the startx script (from X.Org) and
> the module being requested is ipv6 (which can be disabled by other
> means).

Merged.

> --- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.te	2011-02-20 06:35:17.092746837 +0100
> +++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.te	2011-02-28 20:34:42.602106786 +0100
> @@ -269,6 +269,8 @@ domain_use_interactive_fds(xauth_t)
>  files_read_etc_files(xauth_t)
>  files_search_pids(xauth_t)
>  
> +kernel_request_load_module(xauth_t)
> +
>  fs_getattr_xattr_fs(xauth_t)
>  fs_search_auto_mountpoints(xauth_t)
>  
> --- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.fc	2011-01-08 19:07:21.343757306 +0100
> +++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.fc	2011-02-27 21:11:12.475768819 +0100
> @@ -8,6 +8,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  
>  #
>  # /dev
> 
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
