RepoMirrors/selinux-refpolicy
1
0
Fork 0
mirror of https://github.com/SELinuxProject/refpolicy synced 2025-02-21 23:16:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

xserver: remove unneeded user content permissions

Browse Source 
Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This commit is contained in:
Guido Trentalancia 2016-12-02 14:44:07 +01:00 committed by Chris PeBenito
parent 433d5da402
commit 58e5ce24ae
3 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/services/xserver.fc
View File

@ -1,6 +1,7 @@
# #
# HOME_DIR # HOME_DIR
# #
HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)

19
policy/modules/services/xserver.if
View File

@ -600,6 +600,25 @@ interface(`xserver_read_user_xauth',`
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
') ')
########################################
## <summary>
## Read all users .dmrc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_read_user_dmrc',`
gen_require(`
type dmrc_home_t;
')
allow $1 dmrc_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
')
######################################## ########################################
## <summary> ## <summary>
## Set the attributes of the X windows console named pipes. ## Set the attributes of the X windows console named pipes.

9
policy/modules/services/xserver.te
View File

@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
type xserver_log_t; type xserver_log_t;
logging_log_file(xserver_log_t) logging_log_file(xserver_log_t)
type dmrc_home_t;
userdom_user_home_content(dmrc_home_t)
ifdef(`enable_mcs',` ifdef(`enable_mcs',`
init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t) userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes. # Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t) userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t) userdom_signal_all_users(xdm_t)
# for .dmrc: this was used by the Gnome Display Manager (gdm)
# and it is now obsolete in Gnome3
xserver_read_user_dmrc(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t) xserver_unconfined(xdm_t)