- Allow XServer to read /proc/self/cmdline
This commit is contained in:
parent
30dfdc7f05
commit
d0649e9167
@ -766,7 +766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
|
||||
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
|
||||
--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-29 14:10:59.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-10-03 11:10:24.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-10-22 10:19:13.000000000 -0400
|
||||
@@ -74,3 +74,39 @@
|
||||
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||
@ -7735,7 +7735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-19 15:06:33.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-22 10:00:45.000000000 -0400
|
||||
@@ -49,6 +49,9 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -7780,11 +7780,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
allow hald_acl_t self:fifo_file read_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
|
||||
@@ -341,9 +348,12 @@
|
||||
@@ -340,10 +347,14 @@
|
||||
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
|
||||
files_search_var_lib(hald_mac_t)
|
||||
|
||||
+dev_read_raw_memory(hald_mac_t)
|
||||
dev_write_raw_memory(hald_mac_t)
|
||||
+dev_read_sysfs(hald_t)
|
||||
+dev_read_sysfs(hald_mac_t)
|
||||
|
||||
files_read_usr_files(hald_mac_t)
|
||||
|
||||
@ -11707,7 +11709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-19 16:57:07.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-22 10:05:16.000000000 -0400
|
||||
@@ -126,6 +126,8 @@
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev($1_xserver_t)
|
||||
@ -11740,7 +11742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
type $1_iceauth_t;
|
||||
domain_type($1_iceauth_t)
|
||||
@@ -282,6 +286,7 @@
|
||||
@@ -282,11 +286,14 @@
|
||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
@ -11748,7 +11750,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
||||
allow $1_xserver_t $2:process signal;
|
||||
@@ -353,12 +358,6 @@
|
||||
|
||||
allow $1_xserver_t $2:shm rw_shm_perms;
|
||||
+ # Certain X Libraries want to read /proc/self/cmdline when started with startx
|
||||
+ allow $1_xserver_t $2:file r_file_perms;
|
||||
|
||||
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
|
||||
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
|
||||
@@ -316,6 +323,7 @@
|
||||
userdom_use_user_ttys($1,$1_xserver_t)
|
||||
userdom_setattr_user_ttys($1,$1_xserver_t)
|
||||
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
|
||||
+ userdom_rw_user_tmp_files($1,$1_xserver_t)
|
||||
|
||||
xserver_use_user_fonts($1,$1_xserver_t)
|
||||
xserver_rw_xdm_tmp_files($1_xauth_t)
|
||||
@@ -353,12 +361,6 @@
|
||||
# allow ps to show xauth
|
||||
ps_process_pattern($2,$1_xauth_t)
|
||||
|
||||
@ -11761,7 +11778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
domain_use_interactive_fds($1_xauth_t)
|
||||
|
||||
files_read_etc_files($1_xauth_t)
|
||||
@@ -387,6 +386,14 @@
|
||||
@@ -387,6 +389,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11776,7 +11793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
nis_use_ypbind($1_xauth_t)
|
||||
')
|
||||
|
||||
@@ -537,16 +544,14 @@
|
||||
@@ -537,16 +547,14 @@
|
||||
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
@ -11798,7 +11815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -555,25 +560,53 @@
|
||||
@@ -555,25 +563,53 @@
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
@ -11860,7 +11877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
')
|
||||
|
||||
@@ -626,6 +659,24 @@
|
||||
@@ -626,6 +662,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11885,7 +11902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -659,6 +710,73 @@
|
||||
@@ -659,6 +713,73 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11959,7 +11976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -927,6 +1045,7 @@
|
||||
@@ -927,6 +1048,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
@ -11967,7 +11984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -987,6 +1106,37 @@
|
||||
@@ -987,6 +1109,37 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -12005,7 +12022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1136,7 +1286,7 @@
|
||||
@@ -1136,7 +1289,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -12014,7 +12031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1325,3 +1475,63 @@
|
||||
@@ -1325,3 +1478,63 @@
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
')
|
||||
@ -12080,7 +12097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-19 14:06:25.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-22 10:06:42.000000000 -0400
|
||||
@@ -16,6 +16,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -15565,7 +15582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
|
||||
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-18 17:22:34.000000000 -0400
|
||||
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-22 10:19:23.000000000 -0400
|
||||
@@ -132,6 +132,7 @@
|
||||
|
||||
init_read_utmp(udev_t)
|
||||
@ -15574,20 +15591,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
|
||||
|
||||
libs_use_ld_so(udev_t)
|
||||
libs_use_shared_libs(udev_t)
|
||||
@@ -184,6 +185,12 @@
|
||||
@@ -184,6 +185,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ alsa_domtrans(udev_t)
|
||||
+ alsa_search_lib(udev_t)
|
||||
+ alsa_read_lib(udev_t)
|
||||
+ alsa_read_rw_config(udev_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
brctl_domtrans(udev_t)
|
||||
')
|
||||
|
||||
@@ -220,6 +227,10 @@
|
||||
@@ -220,6 +228,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
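Review bot: `allow $1_xserver_t $2:file r_file_perms;` in the xserver.if hunk (`@ -11748,7 +11750,22 @@`) grants noticeably more than the comment above it states: the `file` class on a process domain covers every /proc/<pid> file of processes in `$2` — `environ`, `maps`, `status` as well as `cmdline` — because SELinux labels all of them with the process's domain and cannot single out one of them. Since the target is `$2` rather than `self`, what the X server reads is a /proc entry of a user-domain process (presumably the startx parent), not its own /proc/self, and the comment should say so. Suggest replacing the comment with `# X libraries started via startx read /proc/<pid>/cmdline of the user process; note this also exposes that process's /proc/<pid>/environ and maps to the X server`. The hal.te hunk's `+dev_read_raw_memory(hald_mac_t)` would likewise benefit from a one-line comment stating why the helper needs /dev/mem.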
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.8
|
||||
Release: 28%{?dist}
|
||||
Release: 29%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -373,6 +373,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-29
|
||||
- Allow XServer to read /proc/self/cmdline
|
||||
|
||||
* Fri Oct 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-28
|
||||
- Fixes for hald_mac
|
||||
- Treat unconfined_home_dir_t as a home dir
|
||||
|