commit: ac6f15396ffcc42417bec54cec8f02233d133f1f |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Nov 28 16:45:11 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Nov 28 20:20:18 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ac6f1539 |
|
Changes to the accountsd policy module |
|
Callers of accountsd_read_lib_files() can list accountsd_var_lib_t |
directories |
|
On initial boot for first user, accountsd could be handed a photo from |
xdm_tmp_t directory |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/accountsd.if | 1 + |
policy/modules/contrib/accountsd.te | 6 +++++- |
2 files changed, 6 insertions(+), 1 deletions(-) |
|
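diff --git a/policy/modules/contrib/accountsd.if b/policy/modules/contrib/accountsd.if
index 0bb2658..bd5ec9a 100644
--- a/policy/modules/contrib/accountsd.if
+++ b/policy/modules/contrib/accountsd.if
@@ -95,6 +95,7 @@ interface(`accountsd_read_lib_files',`
 ')
 
 files_search_var_lib($1)
+ allow $1 accountsd_var_lib_t:dir list_dir_perms;
 read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
 ')
 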
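Review bot: The added `allow $1 accountsd_var_lib_t:dir list_dir_perms;` widens accountsd_read_lib_files() for every existing caller, while the interface name, and presumably its summary comment above the hunk, still describe only reading files. The summary should say that callers may also list accountsd_var_lib_t directories, so anyone auditing callers sees the directory-listing grant. If only some callers need to enumerate the directory, a separate listing interface would keep this one at least privilege. The rule could also use the existing pattern macro, `list_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)`, to match the `read_files_pattern` line beside it. The interface body starts outside the hunk.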
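diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 9534a32..313b33f 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.0.4)
+policy_module(accountsd, 1.0.6)
 
 gen_require(`
 class passwd all_passwd_perms;
@@ -67,3 +67,7 @@ optional_policy(`
 optional_policy(`
 policykit_dbus_chat(accountsd_t)
 ')
+
+optional_policy(`
+ xserver_read_xdm_tmp_files(accountsd_t)
+')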
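Review bot: The new `optional_policy` block at the end of accountsd.te grants accountsd_t read access to xdm_tmp_t files permanently, while the commit message describes a need that arises only on initial boot, for the first user's photo. A comment above the call should record that reason, for example `# First boot: accountsd may be handed a user photo from an xdm_tmp_t directory`, so the rule is not mistaken for a stray grant in a later audit. It is also worth confirming what else the display manager stores under xdm_tmp_t, because the interface is not limited to the photo file.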