tmpfs_t/devpts_t files can be stored on device_t file system
unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types
Hald can connect to user processes over streams
xdm_t now changes the brightness level on the system
mdadm needs to manage hugetlbfs filesystems
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
The motivation for this was xdm_t objects not getting cleaned up,
so the user session tried to interact with them. But since the
default user type is unconfined this problem has gone away for now.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
X Object Manager policy revisions to xserver.te.
This commit consists of three main parts:
1. Code movement. There were X object manager-related statements
scattered somewhat throughout the file; these have been consolidated,
which resulted in some other statements moving (e.g. iceauth_t).
2. Type changes. Many of the specific event, extension, and property
types have been dropped for the time being. The rootwindow_t and
remote_xclient_t types have been renamed, and a root_xcolormap_t
type has been (re-)added. This is for naming consistency.
An "xserver_unprotected" alias has been added for use in labeling
clients whose resources should be globally accessible (e.g. xdm_t).
3. Policy changes. These are mostly related to devices, which now have
separate x_keyboard and x_pointer classes. The "Hacks" section
has been cleaned up, and various other classes have had the default
permissions tweaked.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role(). Deprecate
the former and put the rules into the latter.
For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().