Separate the tunable permissions to write xserver
tmpfs files from the tunable permissions to write X server shared memory. Indeed some applications such as vlc (media player) only require the former, so this change opts for a stricter, yet more customizable policy. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/xserver.if | 7 +++++++ policy/modules/services/xserver.te | 8 ++++++++ 2 files changed, 15 insertions(+)
parent
f3f761c4a8
commit
ad1f2d2ae3
@ -125,8 +125,12 @@ template(`xserver_restricted_role',`
|
||||
# Client write xserver shm
|
||||
tunable_policy(`allow_write_xshm',`
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_write_xserver_tmpfs',`
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`xserver_allow_dri',`
|
||||
dev_rw_dri($2)
|
||||
')
|
||||
@ -482,6 +486,9 @@ template(`xserver_user_x_domain_template',`
|
||||
# Client write xserver shm
|
||||
tunable_policy(`allow_write_xshm',`
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_write_xserver_tmpfs',`
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
')
|
||||
|
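Review bot: The new `allow_write_xserver_tmpfs` block in `xserver_restricted_role`, and the identical block in `xserver_user_x_domain_template`, has no comment of its own and sits under `# Client write xserver shm`, which does not describe it. The rule is written against `$2`, so enabling the boolean for one application such as vlc grants `rw_file_perms` on `xserver_tmpfs_t` files to every domain instantiated through these templates, not only to that application. I would add a comment above each new block saying so, for example `# Client write xserver tmpfs files (boolean applies to every domain using this template)`. Both template bodies begin outside the hunks shown.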
@ -33,6 +33,14 @@ gen_require(`
|
||||
## </desc>
|
||||
gen_tunable(allow_write_xshm, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allows clients to write to the X server tmpfs
|
||||
## files.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_write_xserver_tmpfs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
|
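Review bot: The description added for `allow_write_xserver_tmpfs` does not say how the boolean relates to `allow_write_xshm`. If, as the commit message implies, tmpfs file access used to follow `allow_write_xshm`, a system that enabled only that boolean loses the access after this change, because the new tunable defaults to `false`. That is the safer default, but the description should tell an administrator about it, for example `## Allow clients to write to the X server tmpfs files` followed by `## (previously granted together with allow_write_xshm).` The suggested wording also uses the imperative `Allow`, matching the neighbouring `Allow xdm logins as sysadm`, where the added text has `Allows`.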