Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Thu, 26 Jan 2017 03:32:09
Message-Id: 1485401465.b4d17da29d15421d2f67fbc484c343aec9ab572d.perfinion@gentoo

commit: b4d17da29d15421d2f67fbc484c343aec9ab572d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jan 25 17:44:23 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jan 26 03:31:05 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b4d17da2

xserver: allow X roles to read xkb libs to set keymaps

commit d76d9e13b188e9fd8df98e1e21d88aa45951860e
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
setting xkeymaps fails with the following errors:

$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)

type=AVC msg=audit(1485357942.135:4458): avc: denied { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0

policy/modules/services/xserver.if | 2 ++
1 file changed, 2 insertions(+)

34 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
35 index a054c9c..f0761c9 100644
36 --- a/policy/modules/services/xserver.if
37 +++ b/policy/modules/services/xserver.if
38 @@ -166,6 +166,8 @@ interface(`xserver_role',`
39 manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
40 relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
41 relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
42 +
43 + xserver_read_xkb_libs($2)
44 ')
45
46 #######################################
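
Review bot: the added xserver_read_xkb_libs($2) call at the end of xserver_role accounts for the two setxkbmap denials on xkb_var_lib_t quoted in the commit message, but not the first one, where comm="X" running as xserver_t is denied search on a staff_t directory on dev="proc". Please say in the message whether that denial is intentionally left in place or will be handled in a separate change, so the quoted log matches what this commit fixes. A one-line comment above the call would also help, for example "# needed by setxkbmap to find the XKB rules files", because the grant applies to every domain passed as $2 to xserver_role, not only staff_t.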