blueness 11/02/05 20:41:05 |
|
Added: fix-xserver.patch fix-services-xserver-r1.patch |
fix-services-xserver-r2.patch |
Log: |
Bulk addition of new selinux policies. |
|
(Portage version: 2.1.9.25/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 sec-policy/selinux-xserver/files/fix-xserver.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-xserver.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-xserver.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: fix-xserver.patch |
17 |
=================================================================== |
18 |
--- services/xserver.te 2010-12-13 15:11:02.000000000 +0100 |
19 |
+++ ../../../refpolicy/policy/modules/services/xserver.te 2011-01-02 18:21:17.682000037 +0100 |
20 |
@@ -279,6 +279,7 @@ |
21 |
|
22 |
userdom_use_user_terminals(xauth_t) |
23 |
userdom_read_user_tmp_files(xauth_t) |
24 |
+userdom_read_user_tmp_files(xserver_t) |
25 |
|
26 |
xserver_rw_xdm_tmp_files(xauth_t) |
27 |
|
28 |
@@ -588,6 +589,9 @@ |
29 |
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; |
30 |
allow xserver_t input_xevent_t:x_event send; |
31 |
|
32 |
+# Allow X to process keyboard events |
33 |
+udev_read_db(xserver_t) |
34 |
+ |
35 |
# setuid/setgid for the wrapper program to change UID |
36 |
# sys_rawio is for iopl access - should not be needed for frame-buffer |
37 |
# sys_admin, locking shared mem? chowning IPC message queues or semaphores? |
38 |
@@ -610,6 +614,7 @@ |
39 |
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
40 |
allow xserver_t self:tcp_socket create_stream_socket_perms; |
41 |
allow xserver_t self:udp_socket create_socket_perms; |
42 |
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; |
43 |
|
44 |
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) |
45 |
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) |
46 |
--- services/xserver.fc 2010-08-03 15:11:09.000000000 +0200 |
47 |
+++ ../../../refpolicy/policy/modules/services/xserver.fc 2011-01-03 23:07:16.852000013 +0100 |
48 |
@@ -5,6 +5,7 @@ |
49 |
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) |
50 |
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) |
51 |
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) |
52 |
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) |
53 |
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) |
54 |
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) |
55 |
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) |
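Review bot: `+userdom_read_user_tmp_files(xserver_t)` in the `@@ -279,6 +279,7 @@` hunk opens every user's tmp files to the X server domain without a comment saying which file it needs, and the identical line is repeated in fix-services-xserver-r1.patch and fix-services-xserver-r2.patch. If the purpose is the per-user cookie file that startx/xauth places in the user's tmp directory, record that next to the rule, e.g. `# xserver reads the user's startx xauth cookie file from tmp`, and check whether a narrower interface scoped to that file type exists before granting the whole-tmp one. The `+udev_read_db(xserver_t)` and `+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;` lines (also repeated in r1 and r2) presumably serve one purpose, udev-based input device enumeration and hotplug, but only the first carries the `# Allow X to process keyboard events` comment, which undersells it; a single `# input device hotplug via udev: read the udev db and receive uevents` above each of the two would be clearer. Separately, the `+++` headers in this file name `../../../refpolicy/policy/modules/services/xserver.te` and `../../../refpolicy/policy/modules/services/xserver.fc` while the `---` headers name `services/xserver.te` and `services/xserver.fc`, so the two sides need different strip levels; the r1 and r2 files use matching paths on both sides.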
56 |
|
57 |
|
58 |
|
59 |
1.1 sec-policy/selinux-xserver/files/fix-services-xserver-r1.patch |
60 |
|
61 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r1.patch?rev=1.1&view=markup |
62 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r1.patch?rev=1.1&content-type=text/plain |
63 |
|
64 |
Index: fix-services-xserver-r1.patch |
65 |
=================================================================== |
66 |
--- services/xserver.te 2010-12-13 15:11:02.000000000 +0100 |
67 |
+++ services/xserver.te 2011-01-30 15:04:32.722000186 +0100 |
68 |
@@ -234,9 +234,11 @@ |
69 |
|
70 |
allow xdm_t iceauth_home_t:file read_file_perms; |
71 |
|
72 |
+files_search_tmp(iceauth_t) |
73 |
fs_search_auto_mountpoints(iceauth_t) |
74 |
|
75 |
userdom_use_user_terminals(iceauth_t) |
76 |
+userdom_read_user_tmp_files(iceauth_t) |
77 |
|
78 |
tunable_policy(`use_nfs_home_dirs',` |
79 |
fs_manage_nfs_files(iceauth_t) |
80 |
@@ -279,6 +281,7 @@ |
81 |
|
82 |
userdom_use_user_terminals(xauth_t) |
83 |
userdom_read_user_tmp_files(xauth_t) |
84 |
+userdom_read_user_tmp_files(xserver_t) |
85 |
|
86 |
xserver_rw_xdm_tmp_files(xauth_t) |
87 |
|
88 |
@@ -588,6 +591,9 @@ |
89 |
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; |
90 |
allow xserver_t input_xevent_t:x_event send; |
91 |
|
92 |
+# Allow X to process keyboard events |
93 |
+udev_read_db(xserver_t) |
94 |
+ |
95 |
# setuid/setgid for the wrapper program to change UID |
96 |
# sys_rawio is for iopl access - should not be needed for frame-buffer |
97 |
# sys_admin, locking shared mem? chowning IPC message queues or semaphores? |
98 |
@@ -610,6 +616,7 @@ |
99 |
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
100 |
allow xserver_t self:tcp_socket create_stream_socket_perms; |
101 |
allow xserver_t self:udp_socket create_socket_perms; |
102 |
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; |
103 |
|
104 |
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) |
105 |
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) |
106 |
--- services/xserver.fc 2010-08-03 15:11:09.000000000 +0200 |
107 |
+++ services/xserver.fc 2011-01-03 23:07:16.852000013 +0100 |
108 |
@@ -5,6 +5,7 @@ |
109 |
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) |
110 |
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) |
111 |
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) |
112 |
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) |
113 |
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) |
114 |
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) |
115 |
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) |
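Review bot: `+files_search_tmp(iceauth_t)` and `+userdom_read_user_tmp_files(iceauth_t)` in the `@@ -234,9 +234,11 @@` hunk give iceauth read access to all user tmp files with no comment stating what triggered them; the same two lines are in fix-services-xserver-r2.patch. They mirror the existing `userdom_read_user_tmp_files(xauth_t)` rule in the `@@ -279,6 +281,7 @@` hunk, and saying so keeps the two domains in sync, e.g. `# iceauth, like xauth below, reads the cookie file startx leaves in the user's tmp dir` (confirm the actual file against the denial that prompted this). If only one specific file is involved, a tmp type dedicated to it would be tighter than the whole user tmp space.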
116 |
|
117 |
|
118 |
|
119 |
1.1 sec-policy/selinux-xserver/files/fix-services-xserver-r2.patch |
120 |
|
121 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r2.patch?rev=1.1&view=markup |
122 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-xserver/files/fix-services-xserver-r2.patch?rev=1.1&content-type=text/plain |
123 |
|
124 |
Index: fix-services-xserver-r2.patch |
125 |
=================================================================== |
126 |
--- services/xserver.te 2010-12-13 15:11:02.000000000 +0100 |
127 |
+++ services/xserver.te 2011-02-01 18:16:07.421000056 +0100 |
128 |
@@ -234,9 +234,13 @@ |
129 |
|
130 |
allow xdm_t iceauth_home_t:file read_file_perms; |
131 |
|
132 |
+files_search_tmp(iceauth_t) |
133 |
fs_search_auto_mountpoints(iceauth_t) |
134 |
|
135 |
userdom_use_user_terminals(iceauth_t) |
136 |
+userdom_read_user_tmp_files(iceauth_t) |
137 |
+ |
138 |
+getty_use_fds(iceauth_t) |
139 |
|
140 |
tunable_policy(`use_nfs_home_dirs',` |
141 |
fs_manage_nfs_files(iceauth_t) |
142 |
@@ -279,6 +283,7 @@ |
143 |
|
144 |
userdom_use_user_terminals(xauth_t) |
145 |
userdom_read_user_tmp_files(xauth_t) |
146 |
+userdom_read_user_tmp_files(xserver_t) |
147 |
|
148 |
xserver_rw_xdm_tmp_files(xauth_t) |
149 |
|
150 |
@@ -588,6 +593,9 @@ |
151 |
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; |
152 |
allow xserver_t input_xevent_t:x_event send; |
153 |
|
154 |
+# Allow X to process keyboard events |
155 |
+udev_read_db(xserver_t) |
156 |
+ |
157 |
# setuid/setgid for the wrapper program to change UID |
158 |
# sys_rawio is for iopl access - should not be needed for frame-buffer |
159 |
# sys_admin, locking shared mem? chowning IPC message queues or semaphores? |
160 |
@@ -610,6 +618,7 @@ |
161 |
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
162 |
allow xserver_t self:tcp_socket create_stream_socket_perms; |
163 |
allow xserver_t self:udp_socket create_socket_perms; |
164 |
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; |
165 |
|
166 |
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) |
167 |
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) |
168 |
--- services/xserver.fc 2010-08-03 15:11:09.000000000 +0200 |
169 |
+++ services/xserver.fc 2011-01-03 23:07:16.852000013 +0100 |
170 |
@@ -5,6 +5,7 @@ |
171 |
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) |
172 |
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) |
173 |
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) |
174 |
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) |
175 |
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) |
176 |
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) |
177 |
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) |
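Review bot: `+getty_use_fds(iceauth_t)` in the `@@ -234,9 +234,13 @@` hunk is the only line this revision adds over fix-services-xserver-r1.patch and it carries no comment; allowing a domain to use descriptors inherited from getty usually papers over a leaked console fd rather than a real need. If it was added to silence a denial, a dontaudit form of the interface (if refpolicy offers one) is the more usual answer; if iceauth genuinely reads or writes the getty-owned fd, say why in a comment, e.g. `# iceauth run from startx on a console login inherits the fds getty opened`.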