work on xdm
parent
955019421b
commit
5a975c1e44
|
@ -448,6 +448,39 @@ interface(`xserver_stream_connect_xdm',`
|
|||
allow $1 xdm_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_read_xdm_rw_config',`
|
||||
gen_require(`
|
||||
type xdm_rw_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 xdm_rw_etc_t:dir { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of XDM temporary directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_setattr_xdm_tmp_dirs',`
|
||||
gen_require(`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_tmp_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a named socket in a XDM
|
||||
|
@ -570,3 +603,22 @@ interface(`xserver_dontaudit_write_log',`
|
|||
|
||||
dontaudit $1 xserver_log_t:file { append write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write the X server
|
||||
## log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_delete_log',`
|
||||
gen_require(`
|
||||
type xserver_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 xserver_log_t:dir rw_dir_perms;
|
||||
allow $1 xserver_log_t:file unlink;
|
||||
')
|
||||
|
|
|
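Review bot: In the `@ -448,6 +448,39` hunk, the new `xserver_read_xdm_rw_config` interface grants only `xdm_rw_etc_t:dir { getattr read }` (no `search`, nothing on the `file` class), yet its summary says "Read xdm-writable configuration files" and the TODO rule it appears to replace in xserver.te was `allow initrc_t xdm_rw_etc_t:file { getattr read };`; if the init script really reads the file, the call `xserver_read_xdm_rw_config(initrc_t)` added in init.te will be denied, so either the body should become `allow $1 xdm_rw_etc_t:dir r_dir_perms;` plus `allow $1 xdm_rw_etc_t:file r_file_perms;`, or the summary should say "List the xdm-writable configuration directory". In the `@ -570,3 +603,22` hunk the XML block above `xserver_delete_log` is copied from the preceding dontaudit interface: replace `## Do not audit attempts to write the X server` / `## log files.` with `## Delete X server log files.` and `## Domain to not audit` with `## Domain allowed access.`, since this interface allows access rather than silencing denials. The same interface grants `rw_dir_perms` on `xserver_log_t:dir`, which is wider than an unlink needs; if this tree's permission sets define `del_entry_dir_perms`, `allow $1 xserver_log_t:dir del_entry_dir_perms;` would be the tighter grant.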
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(xserver,1.0.1)
|
||||
policy_module(xserver,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -368,53 +368,53 @@ optional_policy(`xfs',`
|
|||
# XDM Xserver local policy
|
||||
#
|
||||
|
||||
allow xdm_xserver_t xdm_t:process signal;
|
||||
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
|
||||
allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
|
||||
allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
|
||||
allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
|
||||
|
||||
# Run xkbcomp.
|
||||
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
fs_search_auto_mountpoints(xdm_xserver_t)
|
||||
|
||||
init_use_fd(xdm_xserver_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
fs_manage_nfs_symlinks(xdm_xserver_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(xdm_xserver_t)
|
||||
fs_manage_cifs_files(xdm_xserver_t)
|
||||
fs_manage_cifs_symlinks(xdm_xserver_t)
|
||||
')
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
allow xdm_xserver_t xdm_t:process signal;
|
||||
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
|
||||
allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
|
||||
allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
|
||||
allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
|
||||
|
||||
# Run xkbcomp.
|
||||
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xdm_xserver_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
corenet_tcp_bind_vnc_port(xdm_xserver_t)
|
||||
|
||||
fs_search_auto_mountpoints(xdm_xserver_t)
|
||||
|
||||
init_use_fd(xdm_xserver_t)
|
||||
|
||||
# FIXME: After per user fonts are properly working
|
||||
# xdm_xserver_t may no longer have any reason
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_unpriv_user_home_files(xdm_xserver_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_xserver_t)
|
||||
fs_manage_nfs_files(xdm_xserver_t)
|
||||
fs_manage_nfs_symlinks(xdm_xserver_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(xdm_xserver_t)
|
||||
fs_manage_cifs_files(xdm_xserver_t)
|
||||
fs_manage_cifs_symlinks(xdm_xserver_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Read all global and per user fonts
|
||||
read_fonts(xdm_xserver_t, sysadm)
|
||||
|
@ -431,14 +431,6 @@ ifdef(`targeted_policy',`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# cjp: TODO: integrate strict policy:
|
||||
# init script wants to check if it needs to update windowmanagerlist
|
||||
allow initrc_t xdm_rw_etc_t:file { getattr read };
|
||||
ifdef(`distro_suse', `
|
||||
# set permissions on /tmp/.X11-unix
|
||||
allow initrc_t xdm_tmp_t:dir setattr;
|
||||
')
|
||||
|
||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
|
||||
can_resmgrd_connect(xdm_t)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.2.1)
|
||||
policy_module(init,1.2.2)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -428,30 +428,46 @@ ifdef(`distro_redhat',`
|
|||
storage_raw_read_fixed_disk(initrc_t)
|
||||
storage_raw_write_fixed_disk(initrc_t)
|
||||
|
||||
fs_rw_tmpfs_chr_files(initrc_t)
|
||||
|
||||
storage_create_fixed_disk(initrc_t)
|
||||
storage_getattr_removable_dev(initrc_t)
|
||||
|
||||
files_create_boot_flag(initrc_t)
|
||||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
fs_rw_tmpfs_chr_files(initrc_t)
|
||||
|
||||
storage_create_fixed_disk(initrc_t)
|
||||
storage_getattr_removable_dev(initrc_t)
|
||||
|
||||
# readahead asks for these
|
||||
auth_dontaudit_read_shadow(initrc_t)
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
|
||||
optional_policy(`bind',`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpc',`
|
||||
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
||||
rpc_write_exports(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork',`
|
||||
sysnet_rw_dhcp_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`xserver',`
|
||||
xserver_delete_log(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
optional_policy(`xserver',`
|
||||
# set permissions on /tmp/.X11-unix
|
||||
xserver_setattr_xdm_tmp_dirs(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -484,12 +500,6 @@ optional_policy(`bind',`
|
|||
|
||||
# for chmod in start script
|
||||
bind_setattr_pid_dirs(initrc_t)
|
||||
|
||||
# for /etc/rndc.key
|
||||
ifdef(`distro_redhat',`
|
||||
# Allow init script to cp localtime to named_conf_t
|
||||
bind_write_config(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`bluetooth',`
|
||||
|
@ -668,10 +678,6 @@ optional_policy(`su',`
|
|||
')
|
||||
|
||||
optional_policy(`sysnetwork',`
|
||||
ifdef(`distro_redhat',`
|
||||
sysnet_rw_dhcp_config(initrc_t)
|
||||
')
|
||||
|
||||
sysnet_read_dhcpc_state(initrc_t)
|
||||
')
|
||||
|
||||
|
@ -682,6 +688,11 @@ optional_policy(`xfs',`
|
|||
xfs_read_sockets(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`xserver',`
|
||||
# init s cript wants to check if it needs to update windowmanagerlist
|
||||
xserver_read_xdm_rw_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`zebra',`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
@ -690,17 +701,7 @@ ifdef(`TODO',`
|
|||
# Set device ownerships/modes.
|
||||
allow initrc_t xconsole_device_t:fifo_file setattr;
|
||||
|
||||
# during boot up initrc needs to do the following
|
||||
allow initrc_t default_t:dir write;
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
allow initrc_t device_t:dir create;
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
# wants to cleanup xserver log dir
|
||||
allow initrc_t xserver_log_t:dir rw_dir_perms;
|
||||
allow initrc_t xserver_log_t:file unlink;
|
||||
')
|
||||
|
||||
')
|
||||
') dnl end TODO
|
||||
|
|
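Review bot: The comment on the new `optional_policy(`xserver',` block in the `@ -682,6 +688,11` hunk has a typo, `# init s cript wants to check if it needs to update windowmanagerlist`; it should read `# init script wants to check if it needs to update windowmanagerlist`. In the `@ -428,30 +428,46` hunk, the comment `#for /etc/rc.d/init.d/nfs to create /etc/exports` is the only one in the file without a space after `#`, assuming that line is on the added side; `# for /etc/rc.d/init.d/nfs to create /etc/exports` would match the surrounding style. The `xserver_delete_log(initrc_t)` and `xserver_read_xdm_rw_config(initrc_t)` calls in this file inherit the permission questions raised on the xserver.if section.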