- Merge Upstream
This commit is contained in:
Daniel J Walsh
parent
accaa35926
commit
9ed55bda90
@ -26444,7 +26444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-05-19 10:26:37.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-05-19 10:26:37.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 16:11:13.428347000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 16:26:02.967410000 -0400
|
||||||
@@ -8,6 +8,14 @@
|
@@ -8,6 +8,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -26496,13 +26496,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
type xdm_tmp_t;
|
type xdm_tmp_t;
|
||||||
files_tmp_file(xdm_tmp_t)
|
files_tmp_file(xdm_tmp_t)
|
||||||
typealias xdm_tmp_t alias ice_tmp_t;
|
typealias xdm_tmp_t alias ice_tmp_t;
|
||||||
@@ -122,6 +143,24 @@
|
@@ -122,6 +143,27 @@
|
||||||
type xserver_log_t;
|
type xserver_log_t;
|
||||||
logging_log_file(xserver_log_t)
|
logging_log_file(xserver_log_t)
|
||||||
|
|
||||||
+type fonts_cache_home_t, fonts_cache_type;
|
+type fonts_cache_home_t, fonts_cache_type;
|
||||||
+userdom_user_home_content(user,fonts_cache_home_t)
|
+userdom_user_home_content(user,fonts_cache_home_t)
|
||||||
+
|
+
|
||||||
|
+type fonts_home_t, fonts_type;
|
||||||
|
+userdom_user_home_content(user,fonts_home_t)
|
||||||
|
+
|
||||||
+type fonts_config_home_t, fonts_config_type;
|
+type fonts_config_home_t, fonts_config_type;
|
||||||
+userdom_user_home_content(user,fonts_config_home_t)
|
+userdom_user_home_content(user,fonts_config_home_t)
|
||||||
+
|
+
|
||||||
@ -26521,7 +26524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
xserver_common_domain_template(xdm)
|
xserver_common_domain_template(xdm)
|
||||||
xserver_common_x_domain_template(xdm,xdm,xdm_t)
|
xserver_common_x_domain_template(xdm,xdm,xdm_t)
|
||||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||||
@@ -142,6 +181,7 @@
|
@@ -142,6 +184,7 @@
|
||||||
|
|
||||||
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
||||||
@ -26529,7 +26532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xdm_t self:shm create_shm_perms;
|
allow xdm_t self:shm create_shm_perms;
|
||||||
allow xdm_t self:sem create_sem_perms;
|
allow xdm_t self:sem create_sem_perms;
|
||||||
@@ -154,6 +194,8 @@
|
@@ -154,6 +197,8 @@
|
||||||
allow xdm_t self:key { search link write };
|
allow xdm_t self:key { search link write };
|
||||||
|
|
||||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||||
@ -26538,7 +26541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Allow gdm to run gdm-binary
|
# Allow gdm to run gdm-binary
|
||||||
can_exec(xdm_t, xdm_exec_t)
|
can_exec(xdm_t, xdm_exec_t)
|
||||||
@@ -169,6 +211,8 @@
|
@@ -169,6 +214,8 @@
|
||||||
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||||
@ -26547,7 +26550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
@@ -176,15 +220,24 @@
|
@@ -176,15 +223,24 @@
|
||||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
@ -26574,7 +26577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
allow xdm_t xdm_xserver_t:process signal;
|
allow xdm_t xdm_xserver_t:process signal;
|
||||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
@@ -198,6 +251,7 @@
|
@@ -198,6 +254,7 @@
|
||||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||||
|
|
||||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||||
@ -26582,7 +26585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
@@ -229,6 +283,7 @@
|
@@ -229,6 +286,7 @@
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_all_nodes(xdm_t)
|
corenet_tcp_bind_all_nodes(xdm_t)
|
||||||
corenet_udp_bind_all_nodes(xdm_t)
|
corenet_udp_bind_all_nodes(xdm_t)
|
||||||
@ -26590,7 +26593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
corenet_tcp_connect_all_ports(xdm_t)
|
corenet_tcp_connect_all_ports(xdm_t)
|
||||||
corenet_sendrecv_all_client_packets(xdm_t)
|
corenet_sendrecv_all_client_packets(xdm_t)
|
||||||
# xdm tries to bind to biff_port_t
|
# xdm tries to bind to biff_port_t
|
||||||
@@ -241,6 +296,7 @@
|
@@ -241,6 +299,7 @@
|
||||||
dev_getattr_mouse_dev(xdm_t)
|
dev_getattr_mouse_dev(xdm_t)
|
||||||
dev_setattr_mouse_dev(xdm_t)
|
dev_setattr_mouse_dev(xdm_t)
|
||||||
dev_rw_apm_bios(xdm_t)
|
dev_rw_apm_bios(xdm_t)
|
||||||
@ -26598,7 +26601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -253,14 +309,15 @@
|
@@ -253,14 +312,15 @@
|
||||||
dev_setattr_video_dev(xdm_t)
|
dev_setattr_video_dev(xdm_t)
|
||||||
dev_getattr_scanner_dev(xdm_t)
|
dev_getattr_scanner_dev(xdm_t)
|
||||||
dev_setattr_scanner_dev(xdm_t)
|
dev_setattr_scanner_dev(xdm_t)
|
||||||
@ -26616,7 +26619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -271,9 +328,13 @@
|
@@ -271,9 +331,13 @@
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -26630,7 +26633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -282,6 +343,7 @@
|
@@ -282,6 +346,7 @@
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -26638,7 +26641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
term_setattr_console(xdm_t)
|
term_setattr_console(xdm_t)
|
||||||
term_use_unallocated_ttys(xdm_t)
|
term_use_unallocated_ttys(xdm_t)
|
||||||
@@ -290,6 +352,7 @@
|
@@ -290,6 +355,7 @@
|
||||||
auth_domtrans_pam_console(xdm_t)
|
auth_domtrans_pam_console(xdm_t)
|
||||||
auth_manage_pam_pid(xdm_t)
|
auth_manage_pam_pid(xdm_t)
|
||||||
auth_manage_pam_console_data(xdm_t)
|
auth_manage_pam_console_data(xdm_t)
|
||||||
@ -26646,7 +26649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
auth_rw_faillog(xdm_t)
|
auth_rw_faillog(xdm_t)
|
||||||
auth_write_login_records(xdm_t)
|
auth_write_login_records(xdm_t)
|
||||||
|
|
||||||
@@ -301,21 +364,25 @@
|
@@ -301,21 +367,25 @@
|
||||||
libs_exec_lib_files(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
@ -26677,7 +26680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
||||||
xserver_unconfined(xdm_t)
|
xserver_unconfined(xdm_t)
|
||||||
@@ -348,10 +415,12 @@
|
@@ -348,10 +418,12 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
alsa_domtrans(xdm_t)
|
alsa_domtrans(xdm_t)
|
||||||
@ -26690,7 +26693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -359,6 +428,19 @@
|
@@ -359,6 +431,19 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26710,7 +26713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# Talk to the console mouse server.
|
# Talk to the console mouse server.
|
||||||
gpm_stream_connect(xdm_t)
|
gpm_stream_connect(xdm_t)
|
||||||
gpm_setattr_gpmctl(xdm_t)
|
gpm_setattr_gpmctl(xdm_t)
|
||||||
@@ -369,6 +451,10 @@
|
@@ -369,6 +454,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26721,7 +26724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
loadkeys_exec(xdm_t)
|
loadkeys_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -382,16 +468,25 @@
|
@@ -382,16 +471,25 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26748,7 +26751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -427,7 +522,7 @@
|
@@ -427,7 +525,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -26757,7 +26760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
@@ -439,6 +534,15 @@
|
@@ -439,6 +537,15 @@
|
||||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xdm_xserver_t)
|
files_search_var_lib(xdm_xserver_t)
|
||||||
|
|
||||||
@ -26773,7 +26776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -450,10 +554,19 @@
|
@@ -450,10 +557,19 @@
|
||||||
# xdm_xserver_t may no longer have any reason
|
# xdm_xserver_t may no longer have any reason
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
@ -26794,7 +26797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||||
fs_manage_nfs_files(xdm_xserver_t)
|
fs_manage_nfs_files(xdm_xserver_t)
|
||||||
@@ -467,6 +580,22 @@
|
@@ -467,6 +583,22 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26817,7 +26820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
resmgr_stream_connect(xdm_t)
|
resmgr_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -476,16 +605,32 @@
|
@@ -476,16 +608,32 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user