Gentoo Archives: gentoo-commits

From: "Anthony G. Basile (blueness)" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-xserver/files: fix-xserver.patch fix-services-xserver-r1.patch fix-services-xserver-r2.patch
Date: Sat, 05 Feb 2011 20:42:28
Message-Id: 20110205204105.0B11520069@flycatcher.gentoo.org
1 blueness 11/02/05 20:41:05
2
3 Added: fix-xserver.patch fix-services-xserver-r1.patch
4 fix-services-xserver-r2.patch
5 Log:
6 Bulk addition of new selinux policies.
7
8 (Portage version: 2.1.9.25/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.1 sec-policy/selinux-xserver/files/fix-xserver.patch
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-xserver.patch?rev=1.1&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-xserver.patch?rev=1.1&content-type=text/plain
15
16 Index: fix-xserver.patch
17 ===================================================================
18 --- services/xserver.te 2010-12-13 15:11:02.000000000 +0100
19 +++ ../../../refpolicy/policy/modules/services/xserver.te 2011-01-02 18:21:17.682000037 +0100
20 @@ -279,6 +279,7 @@
21
22 userdom_use_user_terminals(xauth_t)
23 userdom_read_user_tmp_files(xauth_t)
24 +userdom_read_user_tmp_files(xserver_t)
25
26 xserver_rw_xdm_tmp_files(xauth_t)
27
28 @@ -588,6 +589,9 @@
29 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
30 allow xserver_t input_xevent_t:x_event send;
31
32 +# Allow X to process keyboard events
33 +udev_read_db(xserver_t)
34 +
35 # setuid/setgid for the wrapper program to change UID
36 # sys_rawio is for iopl access - should not be needed for frame-buffer
37 # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
38 @@ -610,6 +614,7 @@
39 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
40 allow xserver_t self:tcp_socket create_stream_socket_perms;
41 allow xserver_t self:udp_socket create_socket_perms;
42 +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
43
44 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
45 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
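Review bot: `userdom_read_user_tmp_files(xserver_t)` in the hunk at -279 sits between the xauth_t rules and has no comment, so someone reading the xauth block will not expect it to widen what the X server itself can read. The rule lets xserver_t read the user's temporary files in general; which file the server actually needs is not visible from the patch, and a narrower type or interface would limit what a compromised server could read there. I would move the line into the xserver_t local policy next to the `xserver_tmp_t` patterns and add a comment such as `# X server reads <which file> from the user's tmp dir`. The same line appears unchanged in fix-services-xserver-r1.patch and fix-services-xserver-r2.patch.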
46 --- services/xserver.fc 2010-08-03 15:11:09.000000000 +0200
47 +++ ../../../refpolicy/policy/modules/services/xserver.fc 2011-01-03 23:07:16.852000013 +0100
48 @@ -5,6 +5,7 @@
49 HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
50 HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
51 HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
52 +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
53 HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
54 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
55 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
56
57
58
59 1.1 sec-policy/selinux-xserver/files/fix-services-xserver-r1.patch
60
61 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r1.patch?rev=1.1&view=markup
62 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r1.patch?rev=1.1&content-type=text/plain
63
64 Index: fix-services-xserver-r1.patch
65 ===================================================================
66 --- services/xserver.te 2010-12-13 15:11:02.000000000 +0100
67 +++ services/xserver.te 2011-01-30 15:04:32.722000186 +0100
68 @@ -234,9 +234,11 @@
69
70 allow xdm_t iceauth_home_t:file read_file_perms;
71
72 +files_search_tmp(iceauth_t)
73 fs_search_auto_mountpoints(iceauth_t)
74
75 userdom_use_user_terminals(iceauth_t)
76 +userdom_read_user_tmp_files(iceauth_t)
77
78 tunable_policy(`use_nfs_home_dirs',`
79 fs_manage_nfs_files(iceauth_t)
80 @@ -279,6 +281,7 @@
81
82 userdom_use_user_terminals(xauth_t)
83 userdom_read_user_tmp_files(xauth_t)
84 +userdom_read_user_tmp_files(xserver_t)
85
86 xserver_rw_xdm_tmp_files(xauth_t)
87
88 @@ -588,6 +591,9 @@
89 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
90 allow xserver_t input_xevent_t:x_event send;
91
92 +# Allow X to process keyboard events
93 +udev_read_db(xserver_t)
94 +
95 # setuid/setgid for the wrapper program to change UID
96 # sys_rawio is for iopl access - should not be needed for frame-buffer
97 # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
98 @@ -610,6 +616,7 @@
99 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
100 allow xserver_t self:tcp_socket create_stream_socket_perms;
101 allow xserver_t self:udp_socket create_socket_perms;
102 +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
103
104 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
105 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
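Review bot: The two iceauth_t additions in the hunk at -234, `files_search_tmp(iceauth_t)` and `userdom_read_user_tmp_files(iceauth_t)`, have no comment saying which temporary file iceauth has to read. xserver.fc labels `.ICEauthority` as iceauth_home_t, so the tmp access is presumably for an authority file that a session manager places under the tmp directory; that is an inference and should be confirmed against the AVC denial that prompted the rule. A comment such as `# iceauth reads the session's authority file from the user tmp dir`, with the denial quoted in the commit log, would let a later reviewer judge whether the grant can be narrowed. The hunk is repeated in fix-services-xserver-r2.patch.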
106 --- services/xserver.fc 2010-08-03 15:11:09.000000000 +0200
107 +++ services/xserver.fc 2011-01-03 23:07:16.852000013 +0100
108 @@ -5,6 +5,7 @@
109 HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
110 HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
111 HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
112 +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
113 HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
114 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
115 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
116
117
118
119 1.1 sec-policy/selinux-xserver/files/fix-services-xserver-r2.patch
120
121 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r2.patch?rev=1.1&view=markup
122 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r2.patch?rev=1.1&content-type=text/plain
123
124 Index: fix-services-xserver-r2.patch
125 ===================================================================
126 --- services/xserver.te 2010-12-13 15:11:02.000000000 +0100
127 +++ services/xserver.te 2011-02-01 18:16:07.421000056 +0100
128 @@ -234,9 +234,13 @@
129
130 allow xdm_t iceauth_home_t:file read_file_perms;
131
132 +files_search_tmp(iceauth_t)
133 fs_search_auto_mountpoints(iceauth_t)
134
135 userdom_use_user_terminals(iceauth_t)
136 +userdom_read_user_tmp_files(iceauth_t)
137 +
138 +getty_use_fds(iceauth_t)
139
140 tunable_policy(`use_nfs_home_dirs',`
141 fs_manage_nfs_files(iceauth_t)
142 @@ -279,6 +283,7 @@
143
144 userdom_use_user_terminals(xauth_t)
145 userdom_read_user_tmp_files(xauth_t)
146 +userdom_read_user_tmp_files(xserver_t)
147
148 xserver_rw_xdm_tmp_files(xauth_t)
149
150 @@ -588,6 +593,9 @@
151 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
152 allow xserver_t input_xevent_t:x_event send;
153
154 +# Allow X to process keyboard events
155 +udev_read_db(xserver_t)
156 +
157 # setuid/setgid for the wrapper program to change UID
158 # sys_rawio is for iopl access - should not be needed for frame-buffer
159 # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
160 @@ -610,6 +618,7 @@
161 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
162 allow xserver_t self:tcp_socket create_stream_socket_perms;
163 allow xserver_t self:udp_socket create_socket_perms;
164 +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
165
166 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
167 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
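Review bot: `getty_use_fds(iceauth_t)` in the hunk at -234 is the only rule added relative to the -r1 patch, and it has no comment explaining why iceauth needs descriptors owned by getty. It looks like a descriptor inherited when the X session is started from a console login rather than one iceauth actually uses; if that is the case, silencing the denial with a dontaudit rule would be tighter than allowing use. Once the cause is confirmed, add a comment such as `# fds inherited from getty when X is started from a console login`.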
168 --- services/xserver.fc 2010-08-03 15:11:09.000000000 +0200
169 +++ services/xserver.fc 2011-01-03 23:07:16.852000013 +0100
170 @@ -5,6 +5,7 @@
171 HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
172 HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
173 HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
174 +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
175 HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
176 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
177 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)