Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.
The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
On my system, I use XFCE and start X from the commandline (using "startx")
rather than through a graphical DM. During the start-up, XFCE4 creates
temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later
read in by iceauth and at some point X.
I'm not that good at the entire ICE stuff, but without this, I was unable to
shut down my session ("log off").
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On an Xorg 1.9 system with evdev driver (for keyboard InputClass), the
xserver_t domain needs to be able to read from the proper device nodes as
well as query the udev_tbl_t directory and udev itself.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
The motivation for this was xdm_t objects not getting cleaned up,
so the user session tried to interact with them. But since the
default user type is unconfined this problem has gone away for now.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
X Object Manager policy revisions to xserver.te.
This commit consists of three main parts:
1. Code movement. There were X object manager-related statements
scattered somewhat throughout the file; these have been consolidated,
which resulted in some other statements moving (e.g. iceauth_t).
2. Type changes. Many of the specific event, extension, and property
types have been dropped for the time being. The rootwindow_t and
remote_xclient_t types have been renamed, and a root_xcolormap_t
type has been (re-)added. This is for naming consistency.
An "xserver_unprotected" alias has been added for use in labeling
clients whose resources should be globally accessible (e.g. xdm_t).
3. Policy changes. These are mostly related to devices, which now have
separate x_keyboard and x_pointer classes. The "Hacks" section
has been cleaned up, and various other classes have had the default
permissions tweaked.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role(). Deprecate
the former and put the rules into the latter.
For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
The latest revision of the labeled policy patches which enable both labeled
and unlabeled policy support for NetLabel. This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access. The older, transport layer specific interfaces, are still
present for use by third-party modules but are not used in the default policy
modules.
trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.