
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, config/appconfig-standard/, config/appconfig-mls/, ...
Date: Thu, 31 Mar 2022 03:31:36
Message-Id: 1648696319.c5fa13989512397b4ae3c75feb99a8f4cf4c5376.perfinion@gentoo
1 commit: c5fa13989512397b4ae3c75feb99a8f4cf4c5376
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Sun Mar 27 12:15:11 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu Mar 31 03:11:59 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5fa1398
7
8 new sddm V2
9
10 This patch addresses all previous issues and I think it's ready to merge.
11
12 Signed-off-by: Russell Coker <russell <AT> coker.com.au>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 config/appconfig-mcs/seusers | 1 +
16 config/appconfig-mcs/xdm_default_contexts | 1 +
17 config/appconfig-mls/seusers | 1 +
18 config/appconfig-mls/xdm_default_contexts | 1 +
19 config/appconfig-standard/seusers | 1 +
20 config/appconfig-standard/xdm_default_contexts | 1 +
21 policy/modules/services/xserver.te | 11 +++++++++++
22 7 files changed, 17 insertions(+)
23
24 diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
25 index ce614b41..e87000a5 100644
26 --- a/config/appconfig-mcs/seusers
27 +++ b/config/appconfig-mcs/seusers
28 @@ -1,2 +1,3 @@
29 root:root:s0-mcs_systemhigh
30 __default__:user_u:s0
31 +sddm:xdm:s0
32
33 diff --git a/config/appconfig-mcs/xdm_default_contexts b/config/appconfig-mcs/xdm_default_contexts
34 new file mode 100644
35 index 00000000..08c88c0f
36 --- /dev/null
37 +++ b/config/appconfig-mcs/xdm_default_contexts
38 @@ -0,0 +1 @@
39 +system_r:xdm_t:s0 system_r:xdm_t:s0
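Review bot: The target context on this line uses role `system_r`, while the `xdm` SELinux user that the seusers change maps `sddm` to is created at the end of xserver.te by `gen_user(xdm,, xdm_r, s0, s0)`, which lists only `xdm_r`. Unless gen_user grants `system_r` implicitly (its definition is not part of this diff), `xdm:system_r:xdm_t:s0` would not be a valid context for that user and this entry could never be selected. Please confirm whether the target should be `xdm_r:xdm_t:s0`, or record in the commit message why `system_r` is intended. The same applies to the mls and standard copies of this file added further down.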
40
41 diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
42 index 4e500b09..38414fee 100644
43 --- a/config/appconfig-mls/seusers
44 +++ b/config/appconfig-mls/seusers
45 @@ -1,2 +1,3 @@
46 root:root:s0-mls_systemhigh
47 __default__:user_u:s0
48 +sddm:xdm:s0
49
50 diff --git a/config/appconfig-mls/xdm_default_contexts b/config/appconfig-mls/xdm_default_contexts
51 new file mode 100644
52 index 00000000..08c88c0f
53 --- /dev/null
54 +++ b/config/appconfig-mls/xdm_default_contexts
55 @@ -0,0 +1 @@
56 +system_r:xdm_t:s0 system_r:xdm_t:s0
57
58 diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers
59 index f7c5bd27..f6066b50 100644
60 --- a/config/appconfig-standard/seusers
61 +++ b/config/appconfig-standard/seusers
62 @@ -1,2 +1,3 @@
63 root:root
64 __default__:user_u
65 +sddm:xdm:s0
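Review bot: The added `sddm:xdm:s0` carries a level field, but the two existing entries in this non-MLS file (`root:root`, `__default__:user_u`) have none. The standard copy of xdm_default_contexts added in this same commit is also level-free (`system_r:xdm_t system_r:xdm_t`), so the line here looks copied from the mcs/mls variant and should probably read `sddm:xdm`. How a stray level is treated when the policy is built without MLS is not visible from this diff, so it is worth checking that the login mapping still resolves on a standard build.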
66
67 diff --git a/config/appconfig-standard/xdm_default_contexts b/config/appconfig-standard/xdm_default_contexts
68 new file mode 100644
69 index 00000000..af1cb2e7
70 --- /dev/null
71 +++ b/config/appconfig-standard/xdm_default_contexts
72 @@ -0,0 +1 @@
73 +system_r:xdm_t system_r:xdm_t
74
75 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
76 index 347e96c2..24cea45b 100644
77 --- a/policy/modules/services/xserver.te
78 +++ b/policy/modules/services/xserver.te
79 @@ -62,6 +62,10 @@ gen_tunable(xserver_object_manager, false)
80 ## </desc>
81 gen_tunable(xserver_allow_dri, false)
82
83 +# for sddm to use pam for greeter
84 +role xdm_r;
85 +allow system_r xdm_r;
86 +
87 attribute x_domain;
88
89 # X Events
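Review bot: The comment `# for sddm to use pam for greeter` does not say what the new role is for, and the same sentence is reused above `gen_user` in the last hunk, so a reader cannot tell how `role xdm_r;`, `allow system_r xdm_r;`, the seusers entry and the xdm user fit together. `allow system_r xdm_r;` lets a process in system_r change role to xdm_r, which is a policy-wide statement that deserves one line of rationale. Something like `# xdm_r is the only role of the xdm SELinux user (login user sddm is mapped to it in seusers); system_r may change to it when xdm_t opens the greeter's PAM session` would do, adjusted to the actual flow.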
90 @@ -145,6 +149,7 @@ fs_associate_tmpfs(xconsole_device_t)
91 files_associate_tmp(xconsole_device_t)
92
93 type xdm_t;
94 +role xdm_r types xdm_t;
95 type xdm_exec_t;
96 auth_login_pgm_domain(xdm_t)
97 init_domain(xdm_t, xdm_exec_t)
98 @@ -843,6 +848,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
99 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
100 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
101
102 +# for sddm to use pam for greeter, sddm greeter needs execmod
103 +allow xdm_t xdm_tmpfs_t:file execmod;
104 +
105 # Run Xorg.wrap
106 can_exec(xserver_t, xserver_exec_t)
107
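Review bot: The new `allow xdm_t xdm_tmpfs_t:file execmod;` is unconditional, so every display manager running in xdm_t gains it, not only sddm. xdm_t is also a login program domain (`auth_login_pgm_domain(xdm_t)` in the previous hunk), and execmod lets a domain make executable a file mapping it has already modified, so relaxing that check here should be opt-in. Consider guarding the rule with a boolean declared via `gen_tunable` next to the existing ones at the top of the file, defaulting to false. The comment should also name the denial that motivated the rule instead of only saying the greeter "needs execmod". As a style point, the rule's source is xdm_t but the surrounding context lines are all xserver_t rules, so it appears to sit in the wrong local-policy section.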
108 @@ -1046,3 +1054,6 @@ ifdef(`distro_gentoo',`
109 cgmanager_stream_connect(xdm_t)
110 ')
111 ')
112 +
113 +# for sddm to use pam for greeter
114 +gen_user(xdm,, xdm_r, s0, s0)