- Merge Upstream
This commit is contained in:
parent
8100ac0fba
commit
a4995d5c65
@ -1662,3 +1662,9 @@ guest = module
|
||||
#
|
||||
xguest = module
|
||||
|
||||
# Layer: services
|
||||
# Module: courier
|
||||
#
|
||||
# IMAP and POP3 email servers
|
||||
#
|
||||
courier = module
|
||||
|
@ -4439,8 +4439,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.1/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te 2008-05-30 14:08:10.632900000 -0400
|
||||
@@ -0,0 +1,204 @@
|
||||
+++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te 2008-05-30 16:08:40.343792000 -0400
|
||||
@@ -0,0 +1,207 @@
|
||||
+
|
||||
+policy_module(nsplugin,1.0.0)
|
||||
+
|
||||
@ -4541,7 +4541,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_t)
|
||||
+miscfiles_read_fonts(nsplugin_t)
|
||||
+miscfiles_manage_home_fonts(nsplugin_t)
|
||||
+
|
||||
+unprivuser_manage_tmp_dirs(nsplugin_t)
|
||||
+unprivuser_manage_tmp_files(nsplugin_t)
|
||||
@ -4588,6 +4587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+ xserver_read_xdm_pid(nsplugin_t)
|
||||
+ xserver_read_user_xauth(user, nsplugin_t)
|
||||
+ xserver_use_user_fonts(user, nsplugin_t)
|
||||
+ xserver_manage_home_fonts(nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -4628,7 +4628,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_config_t)
|
||||
+miscfiles_read_fonts(nsplugin_config_t)
|
||||
+miscfiles_read_home_fonts(nsplugin_config_t)
|
||||
+
|
||||
+userdom_search_all_users_home_content(nsplugin_config_t)
|
||||
+
|
||||
@ -4643,6 +4642,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+nsplugin_domtrans(nsplugin_config_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_read_home_fonts(nsplugin_config_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_read_user_home_files(user, nsplugin_config_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.1/policy/modules/apps/openoffice.fc
|
||||
@ -25721,8 +25724,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
|
||||
+miscfiles_read_certs(httpd_w3c_validator_script_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.4.1/policy/modules/services/xserver.fc
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-05-19 10:26:37.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc 2008-05-30 15:38:19.179414000 -0400
|
||||
@@ -1,13 +1,13 @@
|
||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc 2008-05-30 16:00:19.268636000 -0400
|
||||
@@ -1,13 +1,12 @@
|
||||
#
|
||||
# HOME_DIR
|
||||
#
|
||||
@ -25734,7 +25737,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
-HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||
-HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:fonts_config_home_t,s0)
|
||||
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0)
|
||||
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:fonts_cache_home_t,s0)
|
||||
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:fonts_cache_home_t,s0)
|
||||
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
|
||||
@ -25743,7 +25745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
#
|
||||
# /dev
|
||||
@@ -32,11 +32,6 @@
|
||||
@@ -32,11 +31,6 @@
|
||||
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||
|
||||
@ -25755,7 +25757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
#
|
||||
# /opt
|
||||
#
|
||||
@@ -58,7 +53,8 @@
|
||||
@@ -58,7 +52,8 @@
|
||||
#
|
||||
|
||||
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
@ -25765,7 +25767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
@@ -78,7 +74,7 @@
|
||||
@@ -78,7 +73,7 @@
|
||||
/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||
/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
@ -25774,7 +25776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
@@ -89,16 +85,23 @@
|
||||
@@ -89,17 +84,26 @@
|
||||
|
||||
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
@ -25800,9 +25802,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
')
|
||||
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0)
|
||||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:fonts_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 15:21:13.276047000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:01:24.987195000 -0400
|
||||
@@ -128,18 +128,24 @@
|
||||
dev_rw_agp($1_xserver_t)
|
||||
dev_rw_framebuffer($1_xserver_t)
|
||||
@ -25850,7 +25855,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
term_setattr_unallocated_ttys($1_xserver_t)
|
||||
term_use_unallocated_ttys($1_xserver_t)
|
||||
|
||||
@@ -280,35 +290,25 @@
|
||||
@@ -270,6 +280,9 @@
|
||||
gen_require(`
|
||||
type iceauth_exec_t, xauth_exec_t;
|
||||
attribute fonts_type, fonts_cache_type, fonts_config_type;
|
||||
+ type fonts_home_t;
|
||||
+ type fonts_cache_home_t;
|
||||
+ type fonts_config_home_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -280,35 +293,25 @@
|
||||
xserver_common_domain_template($1)
|
||||
role $3 types $1_xserver_t;
|
||||
|
||||
@ -25893,7 +25908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -317,24 +317,24 @@
|
||||
@@ -317,24 +320,24 @@
|
||||
|
||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
@ -25928,7 +25943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
|
||||
|
||||
@@ -375,12 +375,12 @@
|
||||
@@ -375,12 +378,12 @@
|
||||
allow $1_xauth_t self:process signal;
|
||||
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -25946,7 +25961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
@@ -389,11 +389,11 @@
|
||||
@@ -389,11 +392,11 @@
|
||||
# allow ps to show xauth
|
||||
ps_process_pattern($2,$1_xauth_t)
|
||||
|
||||
@ -25962,7 +25977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
domain_use_interactive_fds($1_xauth_t)
|
||||
|
||||
@@ -435,16 +435,16 @@
|
||||
@@ -435,16 +438,16 @@
|
||||
|
||||
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
||||
|
||||
@ -25984,7 +25999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
fs_search_auto_mountpoints($1_iceauth_t)
|
||||
|
||||
@@ -610,7 +610,7 @@
|
||||
@@ -610,7 +613,7 @@
|
||||
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
@ -25993,7 +26008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
allow $2 self:shm create_shm_perms;
|
||||
@@ -618,8 +618,8 @@
|
||||
@@ -618,8 +621,8 @@
|
||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# Read .Xauthority file
|
||||
@ -26004,7 +26019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -880,7 +880,7 @@
|
||||
@@ -880,7 +883,7 @@
|
||||
template(`xserver_user_x_domain_template',`
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
@ -26013,7 +26028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
allow $3 self:shm create_shm_perms;
|
||||
@@ -888,8 +888,8 @@
|
||||
@@ -888,8 +891,8 @@
|
||||
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# Read .Xauthority file
|
||||
@ -26024,19 +26039,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $3 xdm_t:fd use;
|
||||
@@ -952,26 +952,44 @@
|
||||
@@ -952,26 +955,43 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
|
||||
+ type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
|
||||
+ type fonts_cache_home_t, fonts_config_home_t;
|
||||
')
|
||||
|
||||
# Read per user fonts
|
||||
- allow $2 $1_fonts_t:dir list_dir_perms;
|
||||
- allow $2 $1_fonts_t:file read_file_perms;
|
||||
+ allow $2 fonts_home_t:dir list_dir_perms;
|
||||
+ allow $2 fonts_home_t:file read_file_perms;
|
||||
+ read_files_pattern($2, fonts_home_t, fonts_home_t)
|
||||
|
||||
# Manipulate the global font cache
|
||||
- manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
|
||||
@ -26076,7 +26090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1005,6 +1023,73 @@
|
||||
@@ -1005,6 +1025,73 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -26150,7 +26164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1030,10 +1115,10 @@
|
||||
@@ -1030,10 +1117,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -26163,7 +26177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1219,6 +1304,25 @@
|
||||
@@ -1219,6 +1306,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -26189,7 +26203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1273,6 +1377,7 @@
|
||||
@@ -1273,6 +1379,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
@ -26197,7 +26211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1291,7 +1396,7 @@
|
||||
@@ -1291,7 +1398,7 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
@ -26206,7 +26220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1314,6 +1419,24 @@
|
||||
@@ -1314,6 +1421,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -26231,7 +26245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1324,15 +1447,47 @@
|
||||
@@ -1324,15 +1449,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
@ -26280,7 +26294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1482,7 +1637,7 @@
|
||||
@@ -1482,7 +1639,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -26289,7 +26303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1674,6 +1829,65 @@
|
||||
@@ -1674,6 +1831,65 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -26355,7 +26369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain complete control over the
|
||||
## display.
|
||||
@@ -1691,3 +1905,41 @@
|
||||
@@ -1691,3 +1907,82 @@
|
||||
|
||||
typeattribute $1 xserver_unconfined_type;
|
||||
')
|
||||
@ -26397,9 +26411,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+ files_search_pids($1)
|
||||
+ write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user homedir fonts.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`xserver_manage_home_fonts',`
|
||||
+ gen_require(`
|
||||
+ type fonts_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
|
||||
+ manage_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||
+ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user homedir fonts.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`xserver_read_home_fonts',`
|
||||
+ gen_require(`
|
||||
+ type fonts_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,fonts_home_t,fonts_home_t)
|
||||
+ read_lnk_files_pattern($1,fonts_home_t,fonts_home_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-05-19 10:26:37.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 15:12:02.166012000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 16:11:13.428347000 -0400
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
@ -26451,13 +26506,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
type xdm_tmp_t;
|
||||
files_tmp_file(xdm_tmp_t)
|
||||
typealias xdm_tmp_t alias ice_tmp_t;
|
||||
@@ -122,6 +143,27 @@
|
||||
@@ -122,6 +143,24 @@
|
||||
type xserver_log_t;
|
||||
logging_log_file(xserver_log_t)
|
||||
|
||||
+type fonts_home_t, fonts_type;
|
||||
+userdom_user_home_content(user,fonts_home_t)
|
||||
+
|
||||
+type fonts_cache_home_t, fonts_cache_type;
|
||||
+userdom_user_home_content(user,fonts_cache_home_t)
|
||||
+
|
||||
@ -26479,7 +26531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
xserver_common_domain_template(xdm)
|
||||
xserver_common_x_domain_template(xdm,xdm,xdm_t)
|
||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||
@@ -142,6 +184,7 @@
|
||||
@@ -142,6 +181,7 @@
|
||||
|
||||
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
||||
@ -26487,7 +26539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xdm_t self:shm create_shm_perms;
|
||||
allow xdm_t self:sem create_sem_perms;
|
||||
@@ -154,6 +197,8 @@
|
||||
@@ -154,6 +194,8 @@
|
||||
allow xdm_t self:key { search link write };
|
||||
|
||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
@ -26496,7 +26548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -169,6 +214,8 @@
|
||||
@@ -169,6 +211,8 @@
|
||||
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||
@ -26505,7 +26557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
@@ -176,15 +223,22 @@
|
||||
@@ -176,15 +220,24 @@
|
||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
@ -26513,6 +26565,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+fs_getattr_all_fs(xdm_t)
|
||||
+fs_search_inotifyfs(xdm_t)
|
||||
+fs_list_all(xdm_t)
|
||||
+
|
||||
+manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)
|
||||
|
||||
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
|
||||
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
|
||||
@ -26530,7 +26584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
allow xdm_t xdm_xserver_t:process signal;
|
||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
@@ -198,6 +252,7 @@
|
||||
@@ -198,6 +251,7 @@
|
||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||
|
||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||
@ -26538,7 +26592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
@@ -229,6 +284,7 @@
|
||||
@@ -229,6 +283,7 @@
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_all_nodes(xdm_t)
|
||||
corenet_udp_bind_all_nodes(xdm_t)
|
||||
@ -26546,7 +26600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
corenet_tcp_connect_all_ports(xdm_t)
|
||||
corenet_sendrecv_all_client_packets(xdm_t)
|
||||
# xdm tries to bind to biff_port_t
|
||||
@@ -241,6 +297,7 @@
|
||||
@@ -241,6 +296,7 @@
|
||||
dev_getattr_mouse_dev(xdm_t)
|
||||
dev_setattr_mouse_dev(xdm_t)
|
||||
dev_rw_apm_bios(xdm_t)
|
||||
@ -26554,7 +26608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -253,14 +310,15 @@
|
||||
@@ -253,14 +309,15 @@
|
||||
dev_setattr_video_dev(xdm_t)
|
||||
dev_getattr_scanner_dev(xdm_t)
|
||||
dev_setattr_scanner_dev(xdm_t)
|
||||
@ -26572,7 +26626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -271,9 +329,13 @@
|
||||
@@ -271,9 +328,13 @@
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
@ -26586,7 +26640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -282,6 +344,7 @@
|
||||
@@ -282,6 +343,7 @@
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
@ -26594,7 +26648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
term_setattr_console(xdm_t)
|
||||
term_use_unallocated_ttys(xdm_t)
|
||||
@@ -290,6 +353,7 @@
|
||||
@@ -290,6 +352,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
@ -26602,18 +26656,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -301,21 +365,25 @@
|
||||
@@ -301,21 +364,25 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
+logging_send_audit_msgs(xdm_t)
|
||||
|
||||
miscfiles_read_localization(xdm_t)
|
||||
-miscfiles_read_fonts(xdm_t)
|
||||
miscfiles_read_fonts(xdm_t)
|
||||
-
|
||||
-sysnet_read_config(xdm_t)
|
||||
+miscfiles_manage_fonts(xdm_t)
|
||||
+miscfiles_dontaudit_write_locale(xdm_t)
|
||||
+miscfiles_manage_localization(xdm_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@ -26634,24 +26687,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
@@ -348,10 +416,15 @@
|
||||
@@ -348,10 +415,12 @@
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(xdm_t)
|
||||
+ alsa_read_rw_config(xdm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ bootloader_domtrans(xdm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- consolekit_dbus_chat(xdm_t)
|
||||
consolekit_dbus_chat(xdm_t)
|
||||
+ consolekit_read_log(xdm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -359,6 +432,23 @@
|
||||
@@ -359,6 +428,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26659,10 +26708,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+ dbus_system_bus_client_template(xdm, xdm_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ consolekit_dbus_chat(xdm_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ hal_dbus_chat(xdm_t)
|
||||
+ ')
|
||||
+
|
||||
@ -26675,7 +26720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
gpm_setattr_gpmctl(xdm_t)
|
||||
@@ -369,6 +459,10 @@
|
||||
@@ -369,6 +451,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26686,7 +26731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
loadkeys_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -382,16 +476,25 @@
|
||||
@@ -382,16 +468,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26713,7 +26758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -427,7 +530,7 @@
|
||||
@@ -427,7 +522,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -26722,7 +26767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||
@@ -439,6 +542,15 @@
|
||||
@@ -439,6 +534,15 @@
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
@ -26738,7 +26783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
@@ -450,10 +562,19 @@
|
||||
@@ -450,10 +554,19 @@
|
||||
# xdm_xserver_t may no longer have any reason
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
@ -26759,7 +26804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
@@ -467,6 +588,22 @@
|
||||
@@ -467,6 +580,22 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26782,7 +26827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
resmgr_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -476,16 +613,32 @@
|
||||
@@ -476,16 +605,32 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -29095,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.4.1/policy/modules/system/miscfiles.fc
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-05-19 10:26:42.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc 2008-05-30 14:08:12.108651000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc 2008-05-30 16:00:01.493565000 -0400
|
||||
@@ -11,6 +11,7 @@
|
||||
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
@ -29104,98 +29149,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
|
||||
|
||||
#
|
||||
# /opt
|
||||
@@ -80,3 +81,4 @@
|
||||
/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
')
|
||||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.4.1/policy/modules/system/miscfiles.if
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-05-19 10:26:42.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.if 2008-05-30 14:08:12.112653000 -0400
|
||||
@@ -490,3 +490,65 @@
|
||||
manage_lnk_files_pattern($1,locale_t,locale_t)
|
||||
')
|
||||
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user homedir fonts.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`miscfiles_read_home_fonts',`
|
||||
+ gen_require(`
|
||||
+ type user_fonts_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ read_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+ read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read user homedir fonts.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`miscfiles_manage_home_fonts',`
|
||||
+ gen_require(`
|
||||
+ type user_fonts_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+ manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+ manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## dontaudit_attempts to write locale files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`miscfiles_dontaudit_write_locale',`
|
||||
+ gen_require(`
|
||||
+ type locale_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 locale_t:dir write;
|
||||
+ dontaudit $1 locale_t:file write;
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.4.1/policy/modules/system/miscfiles.te
|
||||
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2008-05-19 10:26:42.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.te 2008-05-30 14:08:12.127651000 -0400
|
||||
@@ -20,6 +20,14 @@
|
||||
files_type(fonts_t)
|
||||
|
||||
#
|
||||
+# fonts_t is the type of various font
|
||||
+# files in /usr
|
||||
+#
|
||||
+type user_fonts_home_t;
|
||||
+userdom_user_home_type(user_fonts_home_t)
|
||||
+files_type(user_fonts_home_t)
|
||||
+
|
||||
+#
|
||||
# type for /usr/share/hwdata
|
||||
#
|
||||
type hwdata_t;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.4.1/policy/modules/system/modutils.if
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.if 2008-05-19 10:26:42.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/modutils.if 2008-05-30 14:08:12.131651000 -0400
|
||||
@ -30477,7 +30430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.1/policy/modules/system/selinuxutil.te
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te 2008-05-30 15:07:02.678597000 -0400
|
||||
+++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te 2008-05-30 15:45:01.953760000 -0400
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
-policy_module(selinuxutil, 1.9.2)
|
||||
@ -30678,14 +30631,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
',`
|
||||
# Handle pp files created in homedir and /tmp
|
||||
- sysadm_read_home_content_files(semanage_t)
|
||||
- sysadm_read_tmp_files(semanage_t)
|
||||
+ userdom_read_sysadm_home_content_files(semanage_t)
|
||||
sysadm_read_tmp_files(semanage_t)
|
||||
-
|
||||
- optional_policy(`
|
||||
- unconfined_read_home_content_files(semanage_t)
|
||||
- unconfined_read_tmp_files(semanage_t)
|
||||
- ')
|
||||
+ userdom_read_sysadm_home_content_files(semanage_t)
|
||||
+ userdom_read_sysadm_tmp_files(semanage_t)
|
||||
+ userdom_read_unpriv_users_home_content_files(semanage_t)
|
||||
+ userdom_read_unpriv_users_tmp_files(semanage_t)
|
||||
')
|
||||
|
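Review bot: The summary of the new `xserver_manage_home_fonts` interface (the `## Read user homedir fonts.` line above it in the `@ -26397,9 +26411,50` hunk) describes read-only access, but the body grants `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` on fonts_home_t; since callers choose interfaces from the generated documentation, the summary should state the real scope, e.g. `## Create, read, write, and delete user homedir fonts.`. In the xserver.te hunks the xdm_t domain also picks up `manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)`, `fs_list_all(xdm_t)`, `miscfiles_manage_fonts(xdm_t)` and `miscfiles_manage_localization(xdm_t)`; this page does not show which of those lines are new in this merge, but together they let an already privileged domain (it holds setuid and dac_override capabilities in this file) write every user's font files and the system font and locale trees, so each should be confirmed as required rather than replaced by a read or dontaudit rule. The `xserver_use_user_fonts` hunk also shows two adjacent `+ type ...` gen_require lines both naming fonts_cache_home_t and fonts_config_home_t; if both survive on the new side, the duplicate declaration should be dropped.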