commit: 49ad0faa2ff66c2e975e47d2af27c15a8549ceaf |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Nov 2 13:10:10 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Nov 2 19:08:15 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=49ad0faa |
|
Changes to the xscreensaver policy module |
|
Role attribute |
Module cleanup |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/xscreensaver.if | 19 +++++++++++-------- |
policy/modules/contrib/xscreensaver.te | 11 ++++++----- |
2 files changed, 17 insertions(+), 13 deletions(-) |
|
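diff --git a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
index 1067bd1..2e0b29b 100644
--- a/policy/modules/contrib/xscreensaver.if
+++ b/policy/modules/contrib/xscreensaver.if
@@ -1,30 +1,33 @@
-## <summary>X Screensaver</summary>
+## <summary>Modular screen saver and locker for X11.</summary>
 
 ########################################
 ## <summary>
-## Role access for xscreensaver
+## Role access for xscreensaver.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`xscreensaver_role',`
 gen_require(`
- type xscreensaver_t, xscreensaver_exec_t;
+ attribute_role xscreensaver_roles;
+ type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
 ')
 
- role $1 types xscreensaver_t;
+ roleattribute $1 xscreensaver_roles;
 
 domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
 
- # Allow the user domain to signal/ps.
+ allow $2 xscreensaver_t:process { ptrace signal_perms };
 ps_process_pattern($2, xscreensaver_t)
- allow $2 xscreensaver_t:process signal_perms;
+ 
+ allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
 ')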
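Review bot: The new `allow $2 xscreensaver_t:process { ptrace signal_perms };` grants the user domain ptrace over the screen locker, which the rule it replaces (signal_perms only) did not, and the commit message describes the change as cleanup. xscreensaver_t is the domain that runs the lock dialog and calls auth_domtrans_chk_passwd in the .te file, so with this rule any process in $2 can attach to the locker and read or alter its memory, including whatever credential data it is handling; signal_perms presumably already lets $2 kill it, but ptrace is a different exposure. If ptrace is wanted for debugging, keep the unconditional line as `allow $2 xscreensaver_t:process signal_perms;` and put the ptrace permission under a tunable_policy block if the base policy provides a suitable boolean, or drop it. Whichever is chosen, restore the rationale the hunk deletes, e.g. `# Allow the user domain to signal/ps the locker.` above the allow line.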
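diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
index 1487a4e..c9c9650 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -1,13 +1,16 @@
-policy_module(xscreensaver, 1.1.0)
+policy_module(xscreensaver, 1.1.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role xscreensaver_roles;
+
 type xscreensaver_t;
 type xscreensaver_exec_t;
 userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
+role xscreensaver_roles types xscreensaver_t;
 
 type xscreensaver_tmpfs_t;
 userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
@@ -17,8 +20,8 @@ userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
 # Local policy
 #
 
-allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
 allow xscreensaver_t self:process signal;
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
 
 kernel_read_system_state(xscreensaver_t)
 
@@ -27,7 +30,6 @@ files_read_usr_files(xscreensaver_t)
 auth_use_nsswitch(xscreensaver_t)
 auth_domtrans_chk_passwd(xscreensaver_t)
 
-#/var/run/utmp
 init_read_utmp(xscreensaver_t)
 
 logging_send_audit_msgs(xscreensaver_t)
@@ -35,8 +37,7 @@ logging_send_syslog_msg(xscreensaver_t)
 
 miscfiles_read_localization(xscreensaver_t)
 
-userdom_use_user_ptys(xscreensaver_t)
-#access to .icons and ~/.xscreensaver
+userdom_use_user_terminals(xscreensaver_t)
 userdom_read_user_home_content_files(xscreensaver_t)
 
 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)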
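Review bot: In the last hunk `userdom_use_user_terminals(xscreensaver_t)` replaces `userdom_use_user_ptys(xscreensaver_t)`, which presumably widens the locker's access from user ptys to user ttys as well; that is a permission change rather than cleanup, and neither the commit message nor a comment says why the screensaver needs a tty. If the wider grant is intentional, add a one-line why-comment above it naming the tty use case; otherwise keep `userdom_use_user_ptys(xscreensaver_t)`. The same hunk also deletes `#access to .icons and ~/.xscreensaver` without a replacement, so `userdom_read_user_home_content_files` loses its only rationale; I would keep it as `# reads ~/.xscreensaver and ~/.icons` above that line.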