- Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context
parent
b1cbbd0768
commit
f73c8ed42e
@ -36142,7 +36142,7 @@ index da2601a..f963642 100644
|
||||
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index e226da4..44cd738 100644
|
||||
index e226da4..edd7260 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,27 +26,43 @@ gen_require(`
|
||||
@ -36347,7 +36347,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(iceauth_t)
|
||||
@@ -246,50 +292,110 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -246,50 +292,109 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(iceauth_t)
|
||||
')
|
||||
|
||||
@ -36439,7 +36439,6 @@ index e226da4..44cd738 100644
|
||||
+
|
||||
+tunable_policy(`use_fusefs_home_dirs',`
|
||||
+ fs_manage_fusefs_files(xauth_t)
|
||||
+ fs_read_fusefs_symlinks(xauth_t)
|
||||
+')
|
||||
+
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -36463,7 +36462,7 @@ index e226da4..44cd738 100644
|
||||
optional_policy(`
|
||||
ssh_sigchld(xauth_t)
|
||||
ssh_read_pipes(xauth_t)
|
||||
@@ -301,20 +407,32 @@ optional_policy(`
|
||||
@@ -301,20 +406,32 @@ optional_policy(`
|
||||
# XDM Local policy
|
||||
#
|
||||
|
||||
@ -36500,7 +36499,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
# Allow gdm to run gdm-binary
|
||||
can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -322,43 +440,69 @@ can_exec(xdm_t, xdm_exec_t)
|
||||
@@ -322,43 +439,69 @@ can_exec(xdm_t, xdm_exec_t)
|
||||
allow xdm_t xdm_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(xdm_t, xdm_lock_t, file)
|
||||
|
||||
@ -36577,7 +36576,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
# connect to xdm xserver over stream socket
|
||||
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
@@ -367,18 +511,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
@@ -367,18 +510,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
|
||||
|
||||
@ -36605,7 +36604,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
corenet_all_recvfrom_unlabeled(xdm_t)
|
||||
corenet_all_recvfrom_netlabel(xdm_t)
|
||||
@@ -390,18 +542,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||
@@ -390,18 +541,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
|
||||
corenet_udp_sendrecv_all_ports(xdm_t)
|
||||
corenet_tcp_bind_generic_node(xdm_t)
|
||||
corenet_udp_bind_generic_node(xdm_t)
|
||||
@ -36629,7 +36628,7 @@ index e226da4..44cd738 100644
|
||||
dev_setattr_apm_bios_dev(xdm_t)
|
||||
dev_rw_dri(xdm_t)
|
||||
dev_rw_agp(xdm_t)
|
||||
@@ -410,18 +566,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
|
||||
@@ -410,18 +565,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
|
||||
dev_getattr_misc_dev(xdm_t)
|
||||
dev_setattr_misc_dev(xdm_t)
|
||||
dev_dontaudit_rw_misc(xdm_t)
|
||||
@ -36656,7 +36655,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
@@ -432,9 +593,17 @@ files_list_mnt(xdm_t)
|
||||
@@ -432,9 +592,17 @@ files_list_mnt(xdm_t)
|
||||
files_read_usr_files(xdm_t)
|
||||
# Poweroff wants to create the /poweroff file when run from xdm
|
||||
files_create_boot_flag(xdm_t)
|
||||
@ -36674,7 +36673,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -443,28 +612,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||
@@ -443,28 +611,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
@ -36713,7 +36712,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@@ -473,9 +650,32 @@ userdom_read_user_home_content_files(xdm_t)
|
||||
@@ -473,9 +649,30 @@ userdom_read_user_home_content_files(xdm_t)
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
@ -36740,13 +36739,11 @@ index e226da4..44cd738 100644
|
||||
+tunable_policy(`use_fusefs_home_dirs',`
|
||||
+ fs_manage_fusefs_dirs(xdm_t)
|
||||
+ fs_manage_fusefs_files(xdm_t)
|
||||
+ fs_manage_fusefs_symlinks(xdm_t)
|
||||
+ fs_exec_fusefs_files(xdm_t)
|
||||
+')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_t)
|
||||
@@ -504,11 +704,17 @@ tunable_policy(`xdm_sysadm_login',`
|
||||
@@ -504,11 +701,17 @@ tunable_policy(`xdm_sysadm_login',`
|
||||
')
|
||||
|
||||
optional_policy(`
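Review bot: The `use_fusefs_home_dirs` block for xdm_t grants `fs_exec_fusefs_files(xdm_t)` on top of manage rights for dirs, files and symlinks, which is broader than the parallel blocks this commit adds for xauth_t (manage files, read symlinks) and xserver_t (manage only, no exec), and nothing in the hunk says why the display manager needs to execute FUSE-backed content. If the existing nfs/cifs blocks for xdm_t carry matching exec calls (the nfs block is cut off right after `fs_manage_nfs_dirs(xdm_t)` here, so I cannot confirm) the grant is at least consistent with its siblings; otherwise it should be dropped or justified, since xdm_t runs as root and FUSE mounts are typically created and populated by unprivileged users. These interfaces key on the generic FUSE filesystem type rather than on home-directory labels, so the boolean's effect presumably extends to every FUSE mount (sshfs, ntfs-3g, user-mounted images), not just home directories, and the name understates that. I would put a comment above the block such as `# Lets xdm run ~/.xsession and similar from a FUSE-backed home dir; note this applies to every FUSE mount, not only home dirs` and check that the tunable itself is declared elsewhere in the patch, which this chunk does not show.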
|
||||
@ -36764,7 +36761,7 @@ index e226da4..44cd738 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -516,12 +722,49 @@ optional_policy(`
|
||||
@@ -516,12 +719,49 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36814,7 +36811,7 @@ index e226da4..44cd738 100644
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -539,28 +782,63 @@ optional_policy(`
|
||||
@@ -539,28 +779,63 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36887,7 +36884,7 @@ index e226da4..44cd738 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -572,6 +850,10 @@ optional_policy(`
|
||||
@@ -572,6 +847,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36898,7 +36895,7 @@ index e226da4..44cd738 100644
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -596,7 +878,7 @@ allow xserver_t input_xevent_t:x_event send;
|
||||
@@ -596,7 +875,7 @@ allow xserver_t input_xevent_t:x_event send;
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -36907,7 +36904,7 @@ index e226da4..44cd738 100644
|
||||
dontaudit xserver_t self:capability chown;
|
||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow xserver_t self:fd use;
|
||||
@@ -610,6 +892,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@@ -610,6 +889,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
@ -36922,7 +36919,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
@@ -629,12 +919,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
@@ -629,12 +916,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -36944,7 +36941,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -642,6 +939,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||
@@ -642,6 +936,7 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||
# Xorg wants to check if kernel is tainted
|
||||
kernel_read_kernel_sysctls(xserver_t)
|
||||
kernel_write_proc_files(xserver_t)
|
||||
@ -36952,7 +36949,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
# Run helper programs in xserver_t.
|
||||
corecmd_exec_bin(xserver_t)
|
||||
@@ -668,7 +966,6 @@ dev_rw_apm_bios(xserver_t)
|
||||
@@ -668,7 +963,6 @@ dev_rw_apm_bios(xserver_t)
|
||||
dev_rw_agp(xserver_t)
|
||||
dev_rw_framebuffer(xserver_t)
|
||||
dev_manage_dri_dev(xserver_t)
|
||||
@ -36960,7 +36957,7 @@ index e226da4..44cd738 100644
|
||||
dev_create_generic_dirs(xserver_t)
|
||||
dev_setattr_generic_dirs(xserver_t)
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
@@ -678,11 +975,17 @@ dev_wx_raw_memory(xserver_t)
|
||||
@@ -678,11 +972,17 @@ dev_wx_raw_memory(xserver_t)
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -36978,7 +36975,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
# brought on by rhgb
|
||||
files_search_mnt(xserver_t)
|
||||
@@ -693,8 +996,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
@@ -693,8 +993,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -36992,7 +36989,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -716,11 +1024,14 @@ logging_send_audit_msgs(xserver_t)
|
||||
@@ -716,11 +1021,14 @@ logging_send_audit_msgs(xserver_t)
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -37007,7 +37004,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -773,12 +1084,28 @@ optional_policy(`
|
||||
@@ -773,12 +1081,28 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37037,7 +37034,7 @@ index e226da4..44cd738 100644
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1114,10 @@ optional_policy(`
|
||||
@@ -787,6 +1111,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -37048,7 +37045,7 @@ index e226da4..44cd738 100644
|
||||
xfs_stream_connect(xserver_t)
|
||||
')
|
||||
|
||||
@@ -802,10 +1133,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
@@ -802,10 +1130,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
@ -37062,7 +37059,7 @@ index e226da4..44cd738 100644
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -813,7 +1144,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -813,7 +1141,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
||||
# Run xkbcomp.
|
||||
@ -37071,7 +37068,7 @@ index e226da4..44cd738 100644
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@@ -826,6 +1157,9 @@ init_use_fds(xserver_t)
|
||||
@@ -826,6 +1154,9 @@ init_use_fds(xserver_t)
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -37081,20 +37078,19 @@ index e226da4..44cd738 100644
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
@@ -833,6 +1167,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
@@ -833,6 +1164,11 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_symlinks(xserver_t)
|
||||
')
|
||||
|
||||
+tunable_policy(`use_fusefs_home_dirs',`
|
||||
+ fs_manage_fusefs_dirs(xserver_t)
|
||||
+ fs_manage_fusefs_files(xserver_t)
|
||||
+ fs_manage_fusefs_symlinks(xserver_t)
|
||||
+')
|
||||
+
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(xserver_t)
|
||||
fs_manage_cifs_files(xserver_t)
|
||||
@@ -841,11 +1181,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -841,11 +1177,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -37111,7 +37107,7 @@ index e226da4..44cd738 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -853,6 +1196,10 @@ optional_policy(`
|
||||
@@ -853,6 +1192,10 @@ optional_policy(`
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -37122,7 +37118,7 @@ index e226da4..44cd738 100644
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -896,7 +1243,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
@@ -896,7 +1239,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
@ -37131,7 +37127,7 @@ index e226da4..44cd738 100644
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@@ -950,11 +1297,31 @@ allow x_domain self:x_resource { read write };
|
||||
@@ -950,11 +1293,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
@ -37163,7 +37159,7 @@ index e226da4..44cd738 100644
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@@ -976,18 +1343,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||
@@ -976,18 +1339,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
|