Grant all permissions neccessary for Xorg and basic X clients

Note that dev_rw_dri already has the permission, it was just forgotten to add it to dev_manage_dri, too.
2017-09-12 04:11:15 +02:00 · 2017-09-12 04:11:15 +02:00 · 65bfd23fbb
parent 3548e3b3fe
commit 65bfd23fbb
4 changed files with 8 additions and 1 deletions
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
 	')

 	manage_chr_files_pattern($1, device_t, dri_device_t)
+	allow $1 dri_device_t:chr_file map;
 ')

 ########################################
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
 	# Xserver read/write client shm
 	allow xserver_t $1:fd use;
 	allow xserver_t $1:shm rw_shm_perms;
-	allow xserver_t $2:file rw_file_perms;
+	allow xserver_t $2:file { rw_file_perms map };

 	# Connect to xserver
 	allow $1 xserver_t:unix_stream_socket connectto;
@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
 	allow $1 xserver_t:fd use;
 	allow $1 xserver_t:shm r_shm_perms;
 	allow $1 xserver_tmpfs_t:file read_file_perms;
+
+	allow $1 $2:file map;
 ')

 #######################################
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow xserver_t xserver_tmpfs_t:file map;

 # Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
 userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
+userdom_map_user_tmpfs_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)

 xserver_use_user_fonts(xserver_t)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
 	userdom_exec_user_tmp_files($1_t)
 	userdom_exec_user_home_content_files($1_t)

+	userdom_map_user_tmpfs_files($1_t)
+
 	userdom_change_password_template($1)

 	##############################