- Fix rpm_dontaudit_leaks
parent
4aaa022742
commit
ef4ca2d5e7
@ -626,7 +626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
|
|||||||
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.8/policy/modules/admin/rpm.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.8/policy/modules/admin/rpm.if
|
||||||
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-22 10:22:49.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-28 10:15:39.000000000 -0500
|
||||||
@@ -13,11 +13,34 @@
|
@@ -13,11 +13,34 @@
|
||||||
interface(`rpm_domtrans',`
|
interface(`rpm_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -699,16 +699,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
|
|||||||
+ dontaudit $1 rpm_t:shm rw_shm_perms;
|
+ dontaudit $1 rpm_t:shm rw_shm_perms;
|
||||||
+
|
+
|
||||||
+ dontaudit $1 rpm_script_t:fd use;
|
+ dontaudit $1 rpm_script_t:fd use;
|
||||||
+ dontaudit $1 rpm_script_t:fifo_file { read write };
|
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
|
||||||
+
|
+
|
||||||
+ dontaudit $1 rpm_var_run_t:file write;
|
+ dontaudit $1 rpm_var_run_t:file write;
|
||||||
+
|
+
|
||||||
+ dontaudit $1 rpm_tmp_t:file { read write };
|
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
|
||||||
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
|
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
|
||||||
+ dontaudit $1 rpm_tmpfs_t:file { read write };
|
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
|
||||||
+ dontaudit $1 rpm_script_tmp_t:file { read write };
|
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
|
||||||
+ dontaudit $1 rpm_var_lib_t:file { read write };
|
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
|
||||||
+ dontaudit $1 rpm_var_cache_t:file { read write };
|
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -6744,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
|||||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
|
||||||
+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-21 13:49:10.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-28 08:42:36.000000000 -0500
|
||||||
@@ -932,10 +932,8 @@
|
@@ -932,10 +932,8 @@
|
||||||
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
|
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
|
||||||
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
|
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
|
||||||
@ -20815,7 +20815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
|
||||||
+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-25 12:24:39.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-28 09:30:05.000000000 -0500
|
||||||
@@ -36,11 +36,12 @@
|
@@ -36,11 +36,12 @@
|
||||||
# policykit local policy
|
# policykit local policy
|
||||||
#
|
#
|
||||||
@ -20869,7 +20869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gnome_dontaudit_search_config(policykit_t)
|
+ gnome_read_config(policykit_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -27017,7 +27017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
|
|||||||
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
|
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-18 15:18:03.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-28 08:44:25.000000000 -0500
|
||||||
@@ -3,12 +3,21 @@
|
@@ -3,12 +3,21 @@
|
||||||
#
|
#
|
||||||
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||||
@ -27079,7 +27079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
@@ -89,17 +94,37 @@
|
@@ -89,17 +94,40 @@
|
||||||
|
|
||||||
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
|
||||||
@ -27120,6 +27120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+
|
+
|
||||||
+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
|
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
|
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
|
||||||
+++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-01-18 15:18:03.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-01-18 15:18:03.000000000 -0500
|
||||||
@ -27586,7 +27589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
|
||||||
+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-25 12:06:19.000000000 -0500
|
+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-28 08:43:20.000000000 -0500
|
||||||
@@ -36,6 +36,13 @@
|
@@ -36,6 +36,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -27749,7 +27752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_files(iceauth_t)
|
fs_manage_nfs_files(iceauth_t)
|
||||||
@@ -250,30 +274,48 @@
|
@@ -250,30 +274,49 @@
|
||||||
fs_manage_cifs_files(iceauth_t)
|
fs_manage_cifs_files(iceauth_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27796,13 +27799,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
+files_read_usr_files(xauth_t)
|
+files_read_usr_files(xauth_t)
|
||||||
files_search_pids(xauth_t)
|
files_search_pids(xauth_t)
|
||||||
+files_dontaudit_getattr_all_dirs(xauth_t)
|
+files_dontaudit_getattr_all_dirs(xauth_t)
|
||||||
|
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
|
||||||
|
|
||||||
-fs_getattr_xattr_fs(xauth_t)
|
-fs_getattr_xattr_fs(xauth_t)
|
||||||
+fs_getattr_all_fs(xauth_t)
|
+fs_getattr_all_fs(xauth_t)
|
||||||
fs_search_auto_mountpoints(xauth_t)
|
fs_search_auto_mountpoints(xauth_t)
|
||||||
|
|
||||||
# cjp: why?
|
# cjp: why?
|
||||||
@@ -283,6 +325,14 @@
|
@@ -283,6 +326,14 @@
|
||||||
|
|
||||||
userdom_use_user_terminals(xauth_t)
|
userdom_use_user_terminals(xauth_t)
|
||||||
userdom_read_user_tmp_files(xauth_t)
|
userdom_read_user_tmp_files(xauth_t)
|
||||||
@ -27817,7 +27821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_rw_xdm_tmp_files(xauth_t)
|
xserver_rw_xdm_tmp_files(xauth_t)
|
||||||
|
|
||||||
@@ -294,6 +344,15 @@
|
@@ -294,6 +345,15 @@
|
||||||
fs_manage_cifs_files(xauth_t)
|
fs_manage_cifs_files(xauth_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27833,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_sigchld(xauth_t)
|
ssh_sigchld(xauth_t)
|
||||||
ssh_read_pipes(xauth_t)
|
ssh_read_pipes(xauth_t)
|
||||||
@@ -305,20 +364,31 @@
|
@@ -305,20 +365,31 @@
|
||||||
# XDM Local policy
|
# XDM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -27868,7 +27872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Allow gdm to run gdm-binary
|
# Allow gdm to run gdm-binary
|
||||||
can_exec(xdm_t, xdm_exec_t)
|
can_exec(xdm_t, xdm_exec_t)
|
||||||
@@ -334,22 +404,40 @@
|
@@ -334,22 +405,40 @@
|
||||||
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
|
||||||
@ -27912,7 +27916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
allow xdm_t xserver_t:process signal;
|
allow xdm_t xserver_t:process signal;
|
||||||
allow xdm_t xserver_t:unix_stream_socket connectto;
|
allow xdm_t xserver_t:unix_stream_socket connectto;
|
||||||
@@ -363,6 +451,7 @@
|
@@ -363,6 +452,7 @@
|
||||||
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
|
||||||
|
|
||||||
allow xdm_t xserver_t:shm rw_shm_perms;
|
allow xdm_t xserver_t:shm rw_shm_perms;
|
||||||
@ -27920,7 +27924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# connect to xdm xserver over stream socket
|
# connect to xdm xserver over stream socket
|
||||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||||
@@ -371,10 +460,14 @@
|
@@ -371,10 +461,14 @@
|
||||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
|
|
||||||
@ -27936,7 +27940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
kernel_read_system_state(xdm_t)
|
kernel_read_system_state(xdm_t)
|
||||||
kernel_read_kernel_sysctls(xdm_t)
|
kernel_read_kernel_sysctls(xdm_t)
|
||||||
@@ -394,11 +487,13 @@
|
@@ -394,11 +488,13 @@
|
||||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||||
corenet_tcp_bind_generic_node(xdm_t)
|
corenet_tcp_bind_generic_node(xdm_t)
|
||||||
corenet_udp_bind_generic_node(xdm_t)
|
corenet_udp_bind_generic_node(xdm_t)
|
||||||
@ -27950,7 +27954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_read_rand(xdm_t)
|
dev_read_rand(xdm_t)
|
||||||
dev_read_sysfs(xdm_t)
|
dev_read_sysfs(xdm_t)
|
||||||
dev_getattr_framebuffer_dev(xdm_t)
|
dev_getattr_framebuffer_dev(xdm_t)
|
||||||
@@ -406,6 +501,7 @@
|
@@ -406,6 +502,7 @@
|
||||||
dev_getattr_mouse_dev(xdm_t)
|
dev_getattr_mouse_dev(xdm_t)
|
||||||
dev_setattr_mouse_dev(xdm_t)
|
dev_setattr_mouse_dev(xdm_t)
|
||||||
dev_rw_apm_bios(xdm_t)
|
dev_rw_apm_bios(xdm_t)
|
||||||
@ -27958,7 +27962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_setattr_apm_bios_dev(xdm_t)
|
dev_setattr_apm_bios_dev(xdm_t)
|
||||||
dev_rw_dri(xdm_t)
|
dev_rw_dri(xdm_t)
|
||||||
dev_rw_agp(xdm_t)
|
dev_rw_agp(xdm_t)
|
||||||
@@ -414,18 +510,21 @@
|
@@ -414,18 +511,21 @@
|
||||||
dev_getattr_misc_dev(xdm_t)
|
dev_getattr_misc_dev(xdm_t)
|
||||||
dev_setattr_misc_dev(xdm_t)
|
dev_setattr_misc_dev(xdm_t)
|
||||||
dev_dontaudit_rw_misc(xdm_t)
|
dev_dontaudit_rw_misc(xdm_t)
|
||||||
@ -27983,7 +27987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_var_files(xdm_t)
|
files_read_var_files(xdm_t)
|
||||||
@@ -436,9 +535,15 @@
|
@@ -436,9 +536,15 @@
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
# Poweroff wants to create the /poweroff file when run from xdm
|
# Poweroff wants to create the /poweroff file when run from xdm
|
||||||
files_create_boot_flag(xdm_t)
|
files_create_boot_flag(xdm_t)
|
||||||
@ -27999,7 +28003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||||
@@ -447,6 +552,7 @@
|
@@ -447,6 +553,7 @@
|
||||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||||
@ -28007,7 +28011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
term_setattr_console(xdm_t)
|
term_setattr_console(xdm_t)
|
||||||
term_use_unallocated_ttys(xdm_t)
|
term_use_unallocated_ttys(xdm_t)
|
||||||
@@ -455,6 +561,7 @@
|
@@ -455,6 +562,7 @@
|
||||||
auth_domtrans_pam_console(xdm_t)
|
auth_domtrans_pam_console(xdm_t)
|
||||||
auth_manage_pam_pid(xdm_t)
|
auth_manage_pam_pid(xdm_t)
|
||||||
auth_manage_pam_console_data(xdm_t)
|
auth_manage_pam_console_data(xdm_t)
|
||||||
@ -28015,7 +28019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
auth_rw_faillog(xdm_t)
|
auth_rw_faillog(xdm_t)
|
||||||
auth_write_login_records(xdm_t)
|
auth_write_login_records(xdm_t)
|
||||||
|
|
||||||
@@ -465,10 +572,12 @@
|
@@ -465,10 +573,12 @@
|
||||||
|
|
||||||
logging_read_generic_logs(xdm_t)
|
logging_read_generic_logs(xdm_t)
|
||||||
|
|
||||||
@ -28030,7 +28034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||||
userdom_create_all_users_keys(xdm_t)
|
userdom_create_all_users_keys(xdm_t)
|
||||||
@@ -477,6 +586,11 @@
|
@@ -477,6 +587,11 @@
|
||||||
# Search /proc for any user domain processes.
|
# Search /proc for any user domain processes.
|
||||||
userdom_read_all_users_state(xdm_t)
|
userdom_read_all_users_state(xdm_t)
|
||||||
userdom_signal_all_users(xdm_t)
|
userdom_signal_all_users(xdm_t)
|
||||||
@ -28042,7 +28046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
xserver_rw_session(xdm_t, xdm_tmpfs_t)
|
xserver_rw_session(xdm_t, xdm_tmpfs_t)
|
||||||
xserver_unconfined(xdm_t)
|
xserver_unconfined(xdm_t)
|
||||||
@@ -509,10 +623,12 @@
|
@@ -509,10 +624,12 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
alsa_domtrans(xdm_t)
|
alsa_domtrans(xdm_t)
|
||||||
@ -28055,7 +28059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -520,12 +636,49 @@
|
@@ -520,12 +637,49 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28105,7 +28109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -543,9 +696,42 @@
|
@@ -543,9 +697,42 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28148,7 +28152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
@@ -555,8 +741,9 @@
|
@@ -555,8 +742,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28160,7 +28164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -565,7 +752,6 @@
|
@@ -565,7 +753,6 @@
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@ -28168,7 +28172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_dontaudit_search_config(xdm_t)
|
userhelper_dontaudit_search_config(xdm_t)
|
||||||
@@ -576,6 +762,10 @@
|
@@ -576,6 +763,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28179,7 +28183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -600,10 +790,9 @@
|
@@ -600,10 +791,9 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -28191,7 +28195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xserver_t self:sock_file read_sock_file_perms;
|
allow xserver_t self:sock_file read_sock_file_perms;
|
||||||
@@ -615,6 +804,18 @@
|
@@ -615,6 +805,18 @@
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -28210,7 +28214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||||
@@ -634,12 +835,19 @@
|
@@ -634,12 +836,19 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -28232,7 +28236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -673,7 +881,6 @@
|
@@ -673,7 +882,6 @@
|
||||||
dev_rw_agp(xserver_t)
|
dev_rw_agp(xserver_t)
|
||||||
dev_rw_framebuffer(xserver_t)
|
dev_rw_framebuffer(xserver_t)
|
||||||
dev_manage_dri_dev(xserver_t)
|
dev_manage_dri_dev(xserver_t)
|
||||||
@ -28240,7 +28244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
dev_create_generic_dirs(xserver_t)
|
dev_create_generic_dirs(xserver_t)
|
||||||
dev_setattr_generic_dirs(xserver_t)
|
dev_setattr_generic_dirs(xserver_t)
|
||||||
# raw memory access is needed if not using the frame buffer
|
# raw memory access is needed if not using the frame buffer
|
||||||
@@ -683,9 +890,12 @@
|
@@ -683,9 +891,12 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -28254,7 +28258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -700,8 +910,12 @@
|
@@ -700,8 +911,12 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -28267,7 +28271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -723,6 +937,7 @@
|
@@ -723,6 +938,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -28275,7 +28279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -779,12 +994,20 @@
|
@@ -779,12 +995,20 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28297,7 +28301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -811,7 +1034,7 @@
|
@@ -811,7 +1035,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -28306,7 +28310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -832,9 +1055,14 @@
|
@@ -832,9 +1056,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -28321,7 +28325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -849,11 +1077,14 @@
|
@@ -849,11 +1078,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -28338,7 +28342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1000,17 +1231,32 @@
|
@@ -1000,17 +1232,32 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
|