- Allow init to transition to initrc_t on shell exec.
- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes
parent
0879f489ab
commit
e9fce44302
@ -23429,7 +23429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 19:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 22:20:09.000000000 -0400
|
||||
@@ -12,9 +12,15 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -23896,7 +23896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -542,25 +543,541 @@
|
||||
@@ -542,25 +543,533 @@
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
@ -24023,6 +24023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
|
||||
+ type disallowed_xext_t;
|
||||
+ type output_xext_t;
|
||||
+ type accelgraphics_xext_t;
|
||||
+
|
||||
+ attribute x_server_domain, x_domain;
|
||||
+ attribute xproperty_type;
|
||||
@ -24069,12 +24070,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+ allow $1 { x_domain x_server_domain }:x_device read;
|
||||
+ ')
|
||||
+
|
||||
+ # everyone can grab the server
|
||||
+ # everyone does it, it is basically a free DOS attack
|
||||
+ allow $1 x_server_domain:x_server grab;
|
||||
+ # everyone can get the font path, etc.
|
||||
+ # this could leak out sensitive information
|
||||
+ allow $1 x_server_domain:x_server { getattr manage };
|
||||
+ # everyone can do override-redirect windows.
|
||||
+ # this could be used to spoof labels
|
||||
+ allow $1 $1:x_drawable override;
|
||||
@ -24082,24 +24077,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+ # allows to know when new windows appear, among other things
|
||||
+ allow $1 manage_xevent_t:x_event receive;
|
||||
+
|
||||
+ allow $1 accelgraphics_xext_t:x_extension use;
|
||||
+ allow $1 xextension_type:x_extension use;
|
||||
+
|
||||
+ # X Server
|
||||
+ # can read server-owned resources
|
||||
+ allow $1 x_server_domain:x_resource read;
|
||||
+ # everyone can grab the server
|
||||
+ # everyone does it, it is basically a free DOS attack
|
||||
+ allow $1 x_server_domain:x_server grab;
|
||||
+ # everyone can get the font path, etc.
|
||||
+ # this could leak out sensitive information
|
||||
+ allow $1 x_server_domain:x_server { getattr manage };
|
||||
+
|
||||
+ # can mess with own clients
|
||||
+ allow $1 $1:x_client { manage destroy };
|
||||
+
|
||||
+ # X Protocol Extensions
|
||||
+ allow $1 std_xext_t:x_extension { use };
|
||||
+ allow $1 shmem_xext_t:x_extension { use };
|
||||
+ allow $1 xextension_type:x_extension query;
|
||||
+
|
||||
+ # X Properties
|
||||
+ # can read and write client properties
|
||||
+ allow $1 $1:x_property { create destroy read write };
|
||||
+ allow $1 default_xproperty_t:x_property { read write destroy create };
|
||||
+ allow $1 output_xext_t:x_extension { use };
|
||||
+ allow $1 output_xext_t:x_property read;
|
||||
+ allow $1 xserver_unconfined_type:x_property read;
|
||||
+
|
||||
@ -24163,16 +24162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+ # can read and write own objects
|
||||
+ allow $1 $1:x_resource { read write };
|
||||
+
|
||||
+ allow $1 screensaver_xext_t:x_extension { use };
|
||||
+ allow $1 unknown_xext_t:x_extension { use };
|
||||
+
|
||||
+ allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr };
|
||||
+
|
||||
+ allow $1 disallowed_xext_t:x_extension { use };
|
||||
+
|
||||
+ allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr };
|
||||
+ allow $1 xdm_xserver_t:x_resource read;
|
||||
+ allow $1 xdm_xserver_t:x_server grab;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
@ -24444,7 +24436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
')
|
||||
|
||||
@@ -593,26 +1110,44 @@
|
||||
@@ -593,26 +1102,44 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
@ -24496,7 +24488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -638,10 +1173,77 @@
|
||||
@@ -638,10 +1165,77 @@
|
||||
#
|
||||
template(`xserver_domtrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -24576,7 +24568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -671,10 +1273,10 @@
|
||||
@@ -671,10 +1265,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -24589,7 +24581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -760,7 +1362,7 @@
|
||||
@@ -760,7 +1354,7 @@
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
@ -24598,7 +24590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -860,6 +1462,25 @@
|
||||
@@ -860,6 +1454,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24624,7 +24616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -914,6 +1535,7 @@
|
||||
@@ -914,6 +1527,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
@ -24632,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -955,6 +1577,24 @@
|
||||
@@ -955,6 +1569,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -24657,7 +24649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -965,15 +1605,47 @@
|
||||
@@ -965,15 +1597,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
@ -24706,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1123,7 +1795,7 @@
|
||||
@@ -1123,7 +1787,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -24715,7 +24707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1312,3 +1984,83 @@
|
||||
@@ -1312,3 +1976,83 @@
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
')
|
||||
|