Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
This patch fixes the xserver module so that the hidden .ICEauthority
file is created with the proper context (file transition).
It also optimizes a similar interface used for xauth home files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
Allow mount_t to do more with it's runtime files and stat more filesystem
types.
Allow xauth to send sigchld to xdm.
Allow semanage to search policy_src_t dirs and read /dev/urandom.
On systems such as Arch Linux, all programs which are usually located in
/bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
other locations are symbolic links to this directory. With such a
configuration, the file contexts which define types for files in
/bin, /sbin and /usr/sbin need to be duplicated to provide definitions
for /usr/bin/...
As the "/bin vs. /usr/bin" part of the needed definitions has already
been done with the "usr merge" patches, the next step consists in
duplicating file contexts for /usr/sbin. This is what this patch does
for all modules which are not in contrib.
This is the second iteration of an idea I have previously posted on
http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
From Russell Coker
The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.
This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default to write the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.
The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.
This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).
It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).
The second version of the patch correctly uses file type
transitions and uses more tight permissions.
The third version simply moves some interface calls.
The fourth version introduces the new template for
username-dependent file contexts.
The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).
This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.
The corresponding base policy patch is at version 4.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.
Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).
This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.
I do apologize for the broken interface in the previous version
of this patch.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock
Chris PeBenito
Jason Zaman
Guido Trentalancia
Luis Ressel
cgzones
Guido Trentalancia via refpolicy
Nicolas Iooss
Guido Trentalancia