- Prevent applications from reading x_device

This commit is contained in:
Daniel J Walsh 2008-06-12 19:57:12 +00:00
parent 5608a9da69
commit f4ff8bb944
2 changed files with 12 additions and 5 deletions


@ -25914,7 +25914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 12:10:32.884486000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 14:55:38.413681000 -0400
@@ -16,7 +16,8 @@ @@ -16,7 +16,8 @@
gen_require(` gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t; type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -26151,8 +26151,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints($1_iceauth_t) fs_search_auto_mountpoints($1_iceauth_t)
@@ -470,31 +472,9 @@ @@ -467,34 +469,12 @@
allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell }; #
# Device rules
- allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
+ allow $1_x_domain $1_xserver_t:x_device { getattr use setattr setfocus grab bell };
allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send; allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
+ allow $2 $1_input_xevent_type:x_event send; + allow $2 $1_input_xevent_type:x_event send;
@ -26266,7 +26270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # manage: xhost X11:ChangeHosts + # manage: xhost X11:ChangeHosts
+ # freeze: metacity X11:GrabKey + # freeze: metacity X11:GrabKey
+ # force_cursor: metacity X11:GrabPointer + # force_cursor: metacity X11:GrabPointer
+ allow $3 $1_xserver_t:x_device { read manage freeze force_cursor }; + allow $3 $1_xserver_t:x_device { manage freeze force_cursor };
+ allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell }; + allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell };
+ +
+ # gnome-settings-daemon XKEYBOARD:SetControls + # gnome-settings-daemon XKEYBOARD:SetControls
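Review bot: Dropping `read` from both x_device rules (the `$1_x_domain` rule and the `$3` rule) is the actual hardening here, yet neither site records why, while the neighbouring lines pair each permission with the X request that needs it (`# manage: xhost X11:ChangeHosts`). A one-line note at each rule would stop the next maintainer from "fixing" a denial by restoring it, e.g. `# read deliberately omitted: would let any client read input device state (see changelog 3.4.2-3)` placed above the `$1_x_domain` rule and again above the `$3` rule. Because no dontaudit accompanies the removal, a legitimate client that does query device state will now surface as an AVC denial; that seems the right outcome for this permission, but it should be confirmed against a desktop session before the build ships. The interface template these rules live in (xserver.if) starts and ends outside the hunk, so I cannot tell whether any xserver-side domain still needs `read` elsewhere in the file.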


@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.4.2 Version: 3.4.2
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -375,6 +375,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-3
- Prevent applications from reading x_device
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-2 * Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-2
- Add /var/lib/selinux context - Add /var/lib/selinux context