- Prevent applications from reading x_device

Daniel J Walsh 2008-06-12 19:57:12 +00:00
parent 5608a9da69
commit f4ff8bb944
2 changed files with 12 additions and 5 deletions


@ -25914,7 +25914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 12:10:32.884486000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 14:55:38.413681000 -0400
@@ -16,7 +16,8 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -26151,8 +26151,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints($1_iceauth_t)
@@ -470,31 +472,9 @@
allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
@@ -467,34 +469,12 @@
#
# Device rules
- allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
+ allow $1_x_domain $1_xserver_t:x_device { getattr use setattr setfocus grab bell };
allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
+ allow $2 $1_input_xevent_type:x_event send;
@ -26266,7 +26270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # manage: xhost X11:ChangeHosts
+ # freeze: metacity X11:GrabKey
+ # force_cursor: metacity X11:GrabPointer
+ allow $3 $1_xserver_t:x_device { read manage freeze force_cursor };
+ allow $3 $1_xserver_t:x_device { manage freeze force_cursor };
+ allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell };
+
+ # gnome-settings-daemon XKEYBOARD:SetControls
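Review bot: The `read` permission is dropped from both x_device rules (the `$1_x_domain` rule and the `$3` rule) with no comment recording why, while the neighbouring lines map every retained permission to the X request that needs it (`# manage: xhost X11:ChangeHosts`, `# freeze: metacity X11:GrabKey`); a matching line next to the `$3` rule, e.g. `# read: intentionally omitted - clients must not read input device state`, would stop the next policy author from re-adding it when some application logs a denial. The second thing to document is `allow $2 $1_input_xevent_type:x_event send;`: if that line is new in this commit (the rendered page does not preserve the outer patch's own markers, so it may be context), it widens what `$2` may do and is mentioned neither in the commit title nor in the changelog entry. The following rule still grants `$3` `getfocus setfocus grab use getattr setattr bell` on x_device; whether `grab`/`getfocus` let a client observe input indirectly is not visible here and is worth checking against the XACE object-class mapping before calling the read path closed. Both hunks cut through the middle of the interface template, whose start and end lie outside the hunk.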


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.4.2
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -375,6 +375,9 @@ exit 0
%endif
%changelog
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-3
- Prevent applications from reading x_device
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-2
- Add /var/lib/selinux context