- Merge Upstream
parent
8100ac0fba
commit
a4995d5c65
@ -1662,3 +1662,9 @@ guest = module
|
|||||||
#
|
#
|
||||||
xguest = module
|
xguest = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: courier
|
||||||
|
#
|
||||||
|
# IMAP and POP3 email servers
|
||||||
|
#
|
||||||
|
courier = module
|
||||||
|
@ -4439,8 +4439,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.1/policy/modules/apps/nsplugin.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.1/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te 2008-05-30 14:08:10.632900000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te 2008-05-30 16:08:40.343792000 -0400
|
||||||
@@ -0,0 +1,204 @@
|
@@ -0,0 +1,207 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin,1.0.0)
|
+policy_module(nsplugin,1.0.0)
|
||||||
+
|
+
|
||||||
@ -4541,7 +4541,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+
|
+
|
||||||
+miscfiles_read_localization(nsplugin_t)
|
+miscfiles_read_localization(nsplugin_t)
|
||||||
+miscfiles_read_fonts(nsplugin_t)
|
+miscfiles_read_fonts(nsplugin_t)
|
||||||
+miscfiles_manage_home_fonts(nsplugin_t)
|
|
||||||
+
|
+
|
||||||
+unprivuser_manage_tmp_dirs(nsplugin_t)
|
+unprivuser_manage_tmp_dirs(nsplugin_t)
|
||||||
+unprivuser_manage_tmp_files(nsplugin_t)
|
+unprivuser_manage_tmp_files(nsplugin_t)
|
||||||
@ -4588,6 +4587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+ xserver_read_xdm_pid(nsplugin_t)
|
+ xserver_read_xdm_pid(nsplugin_t)
|
||||||
+ xserver_read_user_xauth(user, nsplugin_t)
|
+ xserver_read_user_xauth(user, nsplugin_t)
|
||||||
+ xserver_use_user_fonts(user, nsplugin_t)
|
+ xserver_use_user_fonts(user, nsplugin_t)
|
||||||
|
+ xserver_manage_home_fonts(nsplugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
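Review bot: The added `xserver_manage_home_fonts(nsplugin_t)` gives the plugin domain create, write and delete access to fonts_home_t under HOME_DIR, while the same patch gives nsplugin_config_t only `xserver_read_home_fonts` (hunk @ -4643). If nsplugin_t only needs to render fonts, the read interface is the least-privilege choice: `xserver_read_home_fonts(nsplugin_t)`. If the plugin is genuinely expected to write into ~/.fonts, a one-line comment above the call naming the operation that needs it (the denial being fixed) would keep the grant from looking accidental. The enclosing optional_policy block opens outside this hunk.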
@ -4628,7 +4628,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+
|
+
|
||||||
+miscfiles_read_localization(nsplugin_config_t)
|
+miscfiles_read_localization(nsplugin_config_t)
|
||||||
+miscfiles_read_fonts(nsplugin_config_t)
|
+miscfiles_read_fonts(nsplugin_config_t)
|
||||||
+miscfiles_read_home_fonts(nsplugin_config_t)
|
|
||||||
+
|
+
|
||||||
+userdom_search_all_users_home_content(nsplugin_config_t)
|
+userdom_search_all_users_home_content(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
@ -4643,6 +4642,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+nsplugin_domtrans(nsplugin_config_t)
|
+nsplugin_domtrans(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ xserver_read_home_fonts(nsplugin_config_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ mozilla_read_user_home_files(user, nsplugin_config_t)
|
+ mozilla_read_user_home_files(user, nsplugin_config_t)
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.1/policy/modules/apps/openoffice.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.1/policy/modules/apps/openoffice.fc
|
||||||
@ -25721,8 +25724,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
|
|||||||
+miscfiles_read_certs(httpd_w3c_validator_script_t)
|
+miscfiles_read_certs(httpd_w3c_validator_script_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.4.1/policy/modules/services/xserver.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.4.1/policy/modules/services/xserver.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-05-19 10:26:37.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-05-19 10:26:37.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc 2008-05-30 15:38:19.179414000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc 2008-05-30 16:00:19.268636000 -0400
|
||||||
@@ -1,13 +1,13 @@
|
@@ -1,13 +1,12 @@
|
||||||
#
|
#
|
||||||
# HOME_DIR
|
# HOME_DIR
|
||||||
#
|
#
|
||||||
@ -25734,7 +25737,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
-HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
-HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||||
-HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
-HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||||
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:fonts_config_home_t,s0)
|
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:fonts_config_home_t,s0)
|
||||||
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0)
|
|
||||||
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:fonts_cache_home_t,s0)
|
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:fonts_cache_home_t,s0)
|
||||||
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:fonts_cache_home_t,s0)
|
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:fonts_cache_home_t,s0)
|
||||||
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
|
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
|
||||||
@ -25743,7 +25745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /dev
|
# /dev
|
||||||
@@ -32,11 +32,6 @@
|
@@ -32,11 +31,6 @@
|
||||||
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||||
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
|
||||||
|
|
||||||
@ -25755,7 +25757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
@@ -58,7 +53,8 @@
|
@@ -58,7 +52,8 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
@ -25765,7 +25767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||||
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
@@ -78,7 +74,7 @@
|
@@ -78,7 +73,7 @@
|
||||||
/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||||
/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
@ -25774,7 +25776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||||
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||||
@@ -89,16 +85,23 @@
|
@@ -89,17 +84,26 @@
|
||||||
|
|
||||||
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
|
||||||
@ -25800,9 +25802,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
|
')
|
||||||
|
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0)
|
||||||
|
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:fonts_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 15:21:13.276047000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:01:24.987195000 -0400
|
||||||
@@ -128,18 +128,24 @@
|
@@ -128,18 +128,24 @@
|
||||||
dev_rw_agp($1_xserver_t)
|
dev_rw_agp($1_xserver_t)
|
||||||
dev_rw_framebuffer($1_xserver_t)
|
dev_rw_framebuffer($1_xserver_t)
|
||||||
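Review bot: `HOME_DIR/\.fontconfig(/.*)?` is labeled fonts_home_t, while the other per-user fontconfig cache locations in this file, `HOME_DIR/\.fonts/auto(/.*)?` and `HOME_DIR/\.fonts\.cache-.*` (hunk @ -25734), are fonts_cache_home_t. If ~/.fontconfig is fontconfig's per-user cache directory, as its name suggests, `HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_home_t,s0)` keeps the cache type consistent and avoids extending font-file write access to whatever is allowed to write the cache. The two HOME_DIR entries are also appended after the distro_suse ifdef block at the end of the file, whereas hunk @ -25734 removes the `\.fonts(/.*)?` entry from the `# HOME_DIR` section at the top; keeping all HOME_DIR entries together in that section makes the home labeling easier to audit.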
@ -25850,7 +25855,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
term_setattr_unallocated_ttys($1_xserver_t)
|
term_setattr_unallocated_ttys($1_xserver_t)
|
||||||
term_use_unallocated_ttys($1_xserver_t)
|
term_use_unallocated_ttys($1_xserver_t)
|
||||||
|
|
||||||
@@ -280,35 +290,25 @@
|
@@ -270,6 +280,9 @@
|
||||||
|
gen_require(`
|
||||||
|
type iceauth_exec_t, xauth_exec_t;
|
||||||
|
attribute fonts_type, fonts_cache_type, fonts_config_type;
|
||||||
|
+ type fonts_home_t;
|
||||||
|
+ type fonts_cache_home_t;
|
||||||
|
+ type fonts_config_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
##############################
|
||||||
|
@@ -280,35 +293,25 @@
|
||||||
xserver_common_domain_template($1)
|
xserver_common_domain_template($1)
|
||||||
role $3 types $1_xserver_t;
|
role $3 types $1_xserver_t;
|
||||||
|
|
||||||
@ -25893,7 +25908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -317,24 +317,24 @@
|
@@ -317,24 +320,24 @@
|
||||||
|
|
||||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||||
|
|
||||||
@ -25928,7 +25943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
|
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
|
||||||
|
|
||||||
@@ -375,12 +375,12 @@
|
@@ -375,12 +378,12 @@
|
||||||
allow $1_xauth_t self:process signal;
|
allow $1_xauth_t self:process signal;
|
||||||
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@ -25946,7 +25961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||||
|
|
||||||
@@ -389,11 +389,11 @@
|
@@ -389,11 +392,11 @@
|
||||||
# allow ps to show xauth
|
# allow ps to show xauth
|
||||||
ps_process_pattern($2,$1_xauth_t)
|
ps_process_pattern($2,$1_xauth_t)
|
||||||
|
|
||||||
@ -25962,7 +25977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
domain_use_interactive_fds($1_xauth_t)
|
domain_use_interactive_fds($1_xauth_t)
|
||||||
|
|
||||||
@@ -435,16 +435,16 @@
|
@@ -435,16 +438,16 @@
|
||||||
|
|
||||||
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
||||||
|
|
||||||
@ -25984,7 +25999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
fs_search_auto_mountpoints($1_iceauth_t)
|
fs_search_auto_mountpoints($1_iceauth_t)
|
||||||
|
|
||||||
@@ -610,7 +610,7 @@
|
@@ -610,7 +613,7 @@
|
||||||
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
|
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xdm_t, xdm_tmp_t;
|
type xdm_t, xdm_tmp_t;
|
||||||
@ -25993,7 +26008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $2 self:shm create_shm_perms;
|
allow $2 self:shm create_shm_perms;
|
||||||
@@ -618,8 +618,8 @@
|
@@ -618,8 +621,8 @@
|
||||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
@ -26004,7 +26019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $2 xdm_t:fd use;
|
allow $2 xdm_t:fd use;
|
||||||
@@ -880,7 +880,7 @@
|
@@ -880,7 +883,7 @@
|
||||||
template(`xserver_user_x_domain_template',`
|
template(`xserver_user_x_domain_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xdm_t, xdm_tmp_t;
|
type xdm_t, xdm_tmp_t;
|
||||||
@ -26013,7 +26028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $3 self:shm create_shm_perms;
|
allow $3 self:shm create_shm_perms;
|
||||||
@@ -888,8 +888,8 @@
|
@@ -888,8 +891,8 @@
|
||||||
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
|
||||||
# Read .Xauthority file
|
# Read .Xauthority file
|
||||||
@ -26024,19 +26039,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# for when /tmp/.X11-unix is created by the system
|
# for when /tmp/.X11-unix is created by the system
|
||||||
allow $3 xdm_t:fd use;
|
allow $3 xdm_t:fd use;
|
||||||
@@ -952,26 +952,44 @@
|
@@ -952,26 +955,43 @@
|
||||||
#
|
#
|
||||||
template(`xserver_use_user_fonts',`
|
template(`xserver_use_user_fonts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
|
- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
|
||||||
+ type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
|
+ type fonts_cache_home_t, fonts_config_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
# Read per user fonts
|
# Read per user fonts
|
||||||
- allow $2 $1_fonts_t:dir list_dir_perms;
|
- allow $2 $1_fonts_t:dir list_dir_perms;
|
||||||
- allow $2 $1_fonts_t:file read_file_perms;
|
- allow $2 $1_fonts_t:file read_file_perms;
|
||||||
+ allow $2 fonts_home_t:dir list_dir_perms;
|
+ read_files_pattern($2, fonts_home_t, fonts_home_t)
|
||||||
+ allow $2 fonts_home_t:file read_file_perms;
|
|
||||||
|
|
||||||
# Manipulate the global font cache
|
# Manipulate the global font cache
|
||||||
- manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
|
- manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
|
||||||
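Review bot: In the new xserver_use_user_fonts body, `read_files_pattern($2, fonts_home_t, fonts_home_t)` uses fonts_home_t, but the gen_require above it was reduced to `type fonts_cache_home_t, fonts_config_home_t;`; in a modular build a caller that does not require fonts_home_t by other means will fail to compile, so the require should read `type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;`. The same change drops `allow $2 fonts_home_t:dir list_dir_perms;`, and read_files_pattern only grants search on the directory, so a font scan that enumerates ~/.fonts would be denied; keeping that allow line next to the read pattern restores it. The new xserver_read_home_fonts interface (hunk @ -26397) has the same search-only directory access. The template body continues past the end of this hunk.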
@ -26076,7 +26090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -1005,6 +1023,73 @@
|
@@ -1005,6 +1025,73 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26150,7 +26164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Transition to a user Xauthority domain.
|
## Transition to a user Xauthority domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
@@ -1030,10 +1115,10 @@
|
@@ -1030,10 +1117,10 @@
|
||||||
#
|
#
|
||||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -26163,7 +26177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1219,6 +1304,25 @@
|
@@ -1219,6 +1306,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26189,7 +26203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Read xdm-writable configuration files.
|
## Read xdm-writable configuration files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1273,6 +1377,7 @@
|
@@ -1273,6 +1379,7 @@
|
||||||
files_search_tmp($1)
|
files_search_tmp($1)
|
||||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||||
@ -26197,7 +26211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1291,7 +1396,7 @@
|
@@ -1291,7 +1398,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
@ -26206,7 +26220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1314,6 +1419,24 @@
|
@@ -1314,6 +1421,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26231,7 +26245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Execute the X server in the XDM X server domain.
|
## Execute the X server in the XDM X server domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1324,15 +1447,47 @@
|
@@ -1324,15 +1449,47 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_domtrans_xdm_xserver',`
|
interface(`xserver_domtrans_xdm_xserver',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -26280,7 +26294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1482,7 +1637,7 @@
|
@@ -1482,7 +1639,7 @@
|
||||||
type xdm_xserver_tmp_t;
|
type xdm_xserver_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26289,7 +26303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1674,6 +1829,65 @@
|
@@ -1674,6 +1831,65 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26355,7 +26369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
## an X client domain. Gives the domain complete control over the
|
## an X client domain. Gives the domain complete control over the
|
||||||
## display.
|
## display.
|
||||||
@@ -1691,3 +1905,41 @@
|
@@ -1691,3 +1907,82 @@
|
||||||
|
|
||||||
typeattribute $1 xserver_unconfined_type;
|
typeattribute $1 xserver_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -26397,9 +26411,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+ write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
|
+ write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read user homedir fonts.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_manage_home_fonts',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type fonts_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
|
||||||
|
+ manage_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||||
|
+ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read user homedir fonts.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_read_home_fonts',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type fonts_home_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ read_files_pattern($1,fonts_home_t,fonts_home_t)
|
||||||
|
+ read_lnk_files_pattern($1,fonts_home_t,fonts_home_t)
|
||||||
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-05-19 10:26:37.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-05-19 10:26:37.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 15:12:02.166012000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 16:11:13.428347000 -0400
|
||||||
@@ -8,6 +8,14 @@
|
@@ -8,6 +8,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
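Review bot: The summary of the new `xserver_manage_home_fonts` interface is a copy of the read interface's, `## Read user homedir fonts.`; since the body grants manage on dirs, files and symlinks, it should say `## Create, read, write, and delete user homedir fonts.` so callers see the write scope in the generated docs. Argument spacing also differs between the two new bodies (`$1, fonts_home_t, fonts_home_t` versus `$1,fonts_home_t,fonts_home_t`), while the existing rules in this hunk use the unspaced form, e.g. `write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)`. xserver_read_home_fonts grants only search on fonts_home_t directories through read_files_pattern; the note on hunk @ -26024 covers the missing list permission.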
@ -26451,13 +26506,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
type xdm_tmp_t;
|
type xdm_tmp_t;
|
||||||
files_tmp_file(xdm_tmp_t)
|
files_tmp_file(xdm_tmp_t)
|
||||||
typealias xdm_tmp_t alias ice_tmp_t;
|
typealias xdm_tmp_t alias ice_tmp_t;
|
||||||
@@ -122,6 +143,27 @@
|
@@ -122,6 +143,24 @@
|
||||||
type xserver_log_t;
|
type xserver_log_t;
|
||||||
logging_log_file(xserver_log_t)
|
logging_log_file(xserver_log_t)
|
||||||
|
|
||||||
+type fonts_home_t, fonts_type;
|
|
||||||
+userdom_user_home_content(user,fonts_home_t)
|
|
||||||
+
|
|
||||||
+type fonts_cache_home_t, fonts_cache_type;
|
+type fonts_cache_home_t, fonts_cache_type;
|
||||||
+userdom_user_home_content(user,fonts_cache_home_t)
|
+userdom_user_home_content(user,fonts_cache_home_t)
|
||||||
+
|
+
|
||||||
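Review bot: The new side removes `type fonts_home_t, fonts_type;` and `userdom_user_home_content(user,fonts_home_t)` from xserver.te, yet fonts_home_t is still referenced in this patch by both `HOME_DIR/\.fonts(/.*)?`-style entries in xserver.fc, by `manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)` in xserver.te (hunk @ -26513) and by the gen_require blocks of the new xserver.if interfaces. Unless the declaration was moved to another module in a part of the patch not shown here, fonts_home_t is no longer declared anywhere and the module will not build. If it was moved, the xserver.te use needs a gen_require for it, and the moved declaration should keep userdom_user_home_content so the generic user-home interfaces still cover the type.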
@ -26479,7 +26531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
xserver_common_domain_template(xdm)
|
xserver_common_domain_template(xdm)
|
||||||
xserver_common_x_domain_template(xdm,xdm,xdm_t)
|
xserver_common_x_domain_template(xdm,xdm,xdm_t)
|
||||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||||
@@ -142,6 +184,7 @@
|
@@ -142,6 +181,7 @@
|
||||||
|
|
||||||
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||||
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
||||||
@ -26487,7 +26539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xdm_t self:shm create_shm_perms;
|
allow xdm_t self:shm create_shm_perms;
|
||||||
allow xdm_t self:sem create_sem_perms;
|
allow xdm_t self:sem create_sem_perms;
|
||||||
@@ -154,6 +197,8 @@
|
@@ -154,6 +194,8 @@
|
||||||
allow xdm_t self:key { search link write };
|
allow xdm_t self:key { search link write };
|
||||||
|
|
||||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||||
@ -26496,7 +26548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Allow gdm to run gdm-binary
|
# Allow gdm to run gdm-binary
|
||||||
can_exec(xdm_t, xdm_exec_t)
|
can_exec(xdm_t, xdm_exec_t)
|
||||||
@@ -169,6 +214,8 @@
|
@@ -169,6 +211,8 @@
|
||||||
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||||
@ -26505,7 +26557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
@@ -176,15 +223,22 @@
|
@@ -176,15 +220,24 @@
|
||||||
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
|
||||||
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
@ -26513,6 +26565,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+fs_getattr_all_fs(xdm_t)
|
+fs_getattr_all_fs(xdm_t)
|
||||||
+fs_search_inotifyfs(xdm_t)
|
+fs_search_inotifyfs(xdm_t)
|
||||||
+fs_list_all(xdm_t)
|
+fs_list_all(xdm_t)
|
||||||
|
+
|
||||||
|
+manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)
|
||||||
|
|
||||||
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
|
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
|
||||||
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
|
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
|
||||||
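Review bot: `manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)` lets the display manager create, overwrite and delete font files in every user's ~/.fonts, and no comment says which operation needs this. If the intent is to let xdm refresh the per-user font cache, the patch already defines fonts_cache_home_t for `~/.fonts/auto` and `.fonts.cache-*`, so `manage_files_pattern(xdm_t, fonts_cache_home_t, fonts_cache_home_t)` would be the narrower grant. If xdm really writes the font files themselves, a one-line comment stating the triggering operation belongs above the rule, in the style of `# Poweroff wants to create the /poweroff file when run from xdm` used elsewhere in this file.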
@ -26530,7 +26584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
allow xdm_t xdm_xserver_t:process signal;
|
allow xdm_t xdm_xserver_t:process signal;
|
||||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
@@ -198,6 +252,7 @@
|
@@ -198,6 +251,7 @@
|
||||||
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||||
|
|
||||||
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
|
||||||
@ -26538,7 +26592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||||
@@ -229,6 +284,7 @@
|
@@ -229,6 +283,7 @@
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_all_nodes(xdm_t)
|
corenet_tcp_bind_all_nodes(xdm_t)
|
||||||
corenet_udp_bind_all_nodes(xdm_t)
|
corenet_udp_bind_all_nodes(xdm_t)
|
||||||
@ -26546,7 +26600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
corenet_tcp_connect_all_ports(xdm_t)
|
corenet_tcp_connect_all_ports(xdm_t)
|
||||||
corenet_sendrecv_all_client_packets(xdm_t)
|
corenet_sendrecv_all_client_packets(xdm_t)
|
||||||
# xdm tries to bind to biff_port_t
|
# xdm tries to bind to biff_port_t
|
||||||
@@ -241,6 +297,7 @@
|
@@ -241,6 +296,7 @@
|
||||||
dev_getattr_mouse_dev(xdm_t)
|
dev_getattr_mouse_dev(xdm_t)
|
||||||
dev_setattr_mouse_dev(xdm_t)
|
dev_setattr_mouse_dev(xdm_t)
|
||||||
dev_rw_apm_bios(xdm_t)
|
dev_rw_apm_bios(xdm_t)
|
||||||
@ -26554,7 +26608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -253,14 +310,15 @@
|
@@ -253,14 +309,15 @@
|
||||||
dev_setattr_video_dev(xdm_t)
|
dev_setattr_video_dev(xdm_t)
|
||||||
dev_getattr_scanner_dev(xdm_t)
|
dev_getattr_scanner_dev(xdm_t)
|
||||||
dev_setattr_scanner_dev(xdm_t)
|
dev_setattr_scanner_dev(xdm_t)
|
||||||
@ -26572,7 +26626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -271,9 +329,13 @@
|
@@ -271,9 +328,13 @@
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -26586,7 +26640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -282,6 +344,7 @@
|
@@ -282,6 +343,7 @@
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -26594,7 +26648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
term_setattr_console(xdm_t)
|
term_setattr_console(xdm_t)
|
||||||
term_use_unallocated_ttys(xdm_t)
|
term_use_unallocated_ttys(xdm_t)
|
||||||
@@ -290,6 +353,7 @@
|
@@ -290,6 +352,7 @@
|
||||||
auth_domtrans_pam_console(xdm_t)
|
auth_domtrans_pam_console(xdm_t)
|
||||||
auth_manage_pam_pid(xdm_t)
|
auth_manage_pam_pid(xdm_t)
|
||||||
auth_manage_pam_console_data(xdm_t)
|
auth_manage_pam_console_data(xdm_t)
|
||||||
@ -26602,18 +26656,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
auth_rw_faillog(xdm_t)
|
auth_rw_faillog(xdm_t)
|
||||||
auth_write_login_records(xdm_t)
|
auth_write_login_records(xdm_t)
|
||||||
|
|
||||||
@@ -301,21 +365,25 @@
|
@@ -301,21 +364,25 @@
|
||||||
libs_exec_lib_files(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
+logging_send_audit_msgs(xdm_t)
|
+logging_send_audit_msgs(xdm_t)
|
||||||
|
|
||||||
miscfiles_read_localization(xdm_t)
|
miscfiles_read_localization(xdm_t)
|
||||||
-miscfiles_read_fonts(xdm_t)
|
miscfiles_read_fonts(xdm_t)
|
||||||
-
|
-
|
||||||
-sysnet_read_config(xdm_t)
|
-sysnet_read_config(xdm_t)
|
||||||
+miscfiles_manage_fonts(xdm_t)
|
+miscfiles_manage_localization(xdm_t)
|
||||||
+miscfiles_dontaudit_write_locale(xdm_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
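Review bot: The new side of this hunk appears to replace `miscfiles_manage_fonts(xdm_t)` and `miscfiles_dontaudit_write_locale(xdm_t)` with `miscfiles_manage_localization(xdm_t)`, which turns a silenced write denial into a real create/write/delete grant over everything labeled locale_t. From the miscfiles.fc lines visible further down, locale_t covers /etc/localtime and its copies under /var/empty/sshd and /var/spool/postfix, so a compromised display manager would be able to rewrite system-wide timezone and locale data that every other domain reads. If xdm is only tripping over a spurious write attempt, keeping `miscfiles_dontaudit_write_locale(xdm_t)` is the least-privilege fix; if it genuinely must write one file, label that file with its own type and grant `manage_files_pattern(xdm_t, <that_type>, <that_type>)` rather than manage rights on locale_t. Either way the rule deserves a one-line comment naming the xdm behavior that needs it, since nothing in the patch records the reason. The xdm_t policy block this sits in starts and ends outside the hunk.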
@ -26634,24 +26687,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
||||||
xserver_unconfined(xdm_t)
|
xserver_unconfined(xdm_t)
|
||||||
@@ -348,10 +416,15 @@
|
@@ -348,10 +415,12 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
alsa_domtrans(xdm_t)
|
alsa_domtrans(xdm_t)
|
||||||
+ alsa_read_rw_config(xdm_t)
|
+ alsa_read_rw_config(xdm_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ bootloader_domtrans(xdm_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- consolekit_dbus_chat(xdm_t)
|
consolekit_dbus_chat(xdm_t)
|
||||||
+ consolekit_read_log(xdm_t)
|
+ consolekit_read_log(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -359,6 +432,23 @@
|
@@ -359,6 +428,19 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26659,10 +26708,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+ dbus_system_bus_client_template(xdm, xdm_t)
|
+ dbus_system_bus_client_template(xdm, xdm_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ consolekit_dbus_chat(xdm_t)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ hal_dbus_chat(xdm_t)
|
+ hal_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -26675,7 +26720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# Talk to the console mouse server.
|
# Talk to the console mouse server.
|
||||||
gpm_stream_connect(xdm_t)
|
gpm_stream_connect(xdm_t)
|
||||||
gpm_setattr_gpmctl(xdm_t)
|
gpm_setattr_gpmctl(xdm_t)
|
||||||
@@ -369,6 +459,10 @@
|
@@ -369,6 +451,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26686,7 +26731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
loadkeys_exec(xdm_t)
|
loadkeys_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -382,16 +476,25 @@
|
@@ -382,16 +468,25 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26713,7 +26758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -427,7 +530,7 @@
|
@@ -427,7 +522,7 @@
|
||||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -26722,7 +26767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||||
@@ -439,6 +542,15 @@
|
@@ -439,6 +534,15 @@
|
||||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xdm_xserver_t)
|
files_search_var_lib(xdm_xserver_t)
|
||||||
|
|
||||||
@ -26738,7 +26783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
# VNC v4 module in X server
|
# VNC v4 module in X server
|
||||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||||
|
|
||||||
@@ -450,10 +562,19 @@
|
@@ -450,10 +554,19 @@
|
||||||
# xdm_xserver_t may no longer have any reason
|
# xdm_xserver_t may no longer have any reason
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
@ -26759,7 +26804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||||
fs_manage_nfs_files(xdm_xserver_t)
|
fs_manage_nfs_files(xdm_xserver_t)
|
||||||
@@ -467,6 +588,22 @@
|
@@ -467,6 +580,22 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -26782,7 +26827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
resmgr_stream_connect(xdm_t)
|
resmgr_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -476,16 +613,32 @@
|
@@ -476,16 +605,32 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -29095,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.4.1/policy/modules/system/miscfiles.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.4.1/policy/modules/system/miscfiles.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-05-19 10:26:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-05-19 10:26:42.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc 2008-05-30 14:08:12.108651000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc 2008-05-30 16:00:01.493565000 -0400
|
||||||
@@ -11,6 +11,7 @@
|
@@ -11,6 +11,7 @@
|
||||||
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||||
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||||
@ -29104,98 +29149,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
@@ -80,3 +81,4 @@
|
|
||||||
/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
|
||||||
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
|
||||||
')
|
|
||||||
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.4.1/policy/modules/system/miscfiles.if
|
|
||||||
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-05-19 10:26:42.000000000 -0400
|
|
||||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.if 2008-05-30 14:08:12.112653000 -0400
|
|
||||||
@@ -490,3 +490,65 @@
|
|
||||||
manage_lnk_files_pattern($1,locale_t,locale_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Read user homedir fonts.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <rolecap/>
|
|
||||||
+#
|
|
||||||
+interface(`miscfiles_read_home_fonts',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type user_fonts_home_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ read_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
|
||||||
+ read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Read user homedir fonts.
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <rolecap/>
|
|
||||||
+#
|
|
||||||
+interface(`miscfiles_manage_home_fonts',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type user_fonts_home_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
|
||||||
+ manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
|
||||||
+ manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## dontaudit_attempts to write locale files
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+## <rolecap/>
|
|
||||||
+#
|
|
||||||
+interface(`miscfiles_dontaudit_write_locale',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type locale_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ dontaudit $1 locale_t:dir write;
|
|
||||||
+ dontaudit $1 locale_t:file write;
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.4.1/policy/modules/system/miscfiles.te
|
|
||||||
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2008-05-19 10:26:42.000000000 -0400
|
|
||||||
+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.te 2008-05-30 14:08:12.127651000 -0400
|
|
||||||
@@ -20,6 +20,14 @@
|
|
||||||
files_type(fonts_t)
|
|
||||||
|
|
||||||
#
|
|
||||||
+# fonts_t is the type of various font
|
|
||||||
+# files in /usr
|
|
||||||
+#
|
|
||||||
+type user_fonts_home_t;
|
|
||||||
+userdom_user_home_type(user_fonts_home_t)
|
|
||||||
+files_type(user_fonts_home_t)
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
# type for /usr/share/hwdata
|
|
||||||
#
|
|
||||||
type hwdata_t;
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.4.1/policy/modules/system/modutils.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.4.1/policy/modules/system/modutils.if
|
||||||
--- nsaserefpolicy/policy/modules/system/modutils.if 2008-05-19 10:26:42.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/modutils.if 2008-05-19 10:26:42.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/system/modutils.if 2008-05-30 14:08:12.131651000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/system/modutils.if 2008-05-30 14:08:12.131651000 -0400
|
||||||
@ -30477,7 +30430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.1/policy/modules/system/selinuxutil.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.1/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te 2008-05-30 15:07:02.678597000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te 2008-05-30 15:45:01.953760000 -0400
|
||||||
@@ -1,5 +1,5 @@
|
@@ -1,5 +1,5 @@
|
||||||
|
|
||||||
-policy_module(selinuxutil, 1.9.2)
|
-policy_module(selinuxutil, 1.9.2)
|
||||||
@ -30678,14 +30631,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
',`
|
',`
|
||||||
# Handle pp files created in homedir and /tmp
|
# Handle pp files created in homedir and /tmp
|
||||||
- sysadm_read_home_content_files(semanage_t)
|
- sysadm_read_home_content_files(semanage_t)
|
||||||
- sysadm_read_tmp_files(semanage_t)
|
+ userdom_read_sysadm_home_content_files(semanage_t)
|
||||||
|
sysadm_read_tmp_files(semanage_t)
|
||||||
-
|
-
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- unconfined_read_home_content_files(semanage_t)
|
- unconfined_read_home_content_files(semanage_t)
|
||||||
- unconfined_read_tmp_files(semanage_t)
|
- unconfined_read_tmp_files(semanage_t)
|
||||||
- ')
|
- ')
|
||||||
+ userdom_read_sysadm_home_content_files(semanage_t)
|
|
||||||
+ userdom_read_sysadm_tmp_files(semanage_t)
|
|
||||||
+ userdom_read_unpriv_users_home_content_files(semanage_t)
|
+ userdom_read_unpriv_users_home_content_files(semanage_t)
|
||||||
+ userdom_read_unpriv_users_tmp_files(semanage_t)
|
+ userdom_read_unpriv_users_tmp_files(semanage_t)
|
||||||
')
|
')
|
||||||
|