From 23a4442bf1d0d61a7c9b8b832ab8dad8891fb092 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 21 2005 17:55:15 +0000 Subject: add xdm --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 74dcdcc..1e4714c 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -6,6 +6,7 @@ cyrus dovecot distcc + xdm * Wed Oct 19 2005 Chris PeBenito - 20051019 - Many fixes to make loadable modules build. diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 6e1c358..70c39b2 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -54,22 +54,26 @@ attribute mlsrangetrans; type getty_t; type login_exec_t; +type init_t; type init_exec_t; type initrc_t; type sshd_exec_t; type su_exec_t; type udev_exec_t; type unconfined_t; +type xdm_exec_t; -ifdef(`enable_mcs', ` +ifdef(`enable_mcs',` range_transition getty_t login_exec_t s0 - s0:c0.c255; +range_transition init_t xdm_exec_t s0 - s0:c0.c255; range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; -range_transition unconfined_t su_exec_t s0 - s0:c0.c255; -range_transition kernel_t udev_exec_t s0 - s0:c0.c255; range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; +range_transition kernel_t udev_exec_t s0 - s0:c0.c255; +range_transition unconfined_t su_exec_t s0 - s0:c0.c255; ') -ifdef(`enable_mls', ` +ifdef(`enable_mls',` # run init with maximum MLS range range_transition kernel_t init_exec_t s0 - s9:c0.c255; ') diff --git a/refpolicy/policy/modules/services/xdm.fc b/refpolicy/policy/modules/services/xdm.fc new file mode 100644 index 0000000..f175401 --- /dev/null +++ b/refpolicy/policy/modules/services/xdm.fc 
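Review bot: `type init_t;` and `type xdm_exec_t;` become real declarations in kernel/mls.te with no comment, so a reader of this file cannot tell that they belong to the init and xdm modules and sit here only because of the range_transition limitation mentioned in init.te and xdm.te; suggest `# init_t and xdm_exec_t belong to the init/xdm modules; declared here until range_transition works in loadable modules` above them. The new `range_transition init_t xdm_exec_t s0 - s0:c0.c255` and `range_transition initrc_t xdm_exec_t s0 - s0:c0.c255` rules start the display manager at the full MCS category range, presumably so it can launch sessions at any category; a one-line comment saying so would match the `# run init with maximum MLS range` note already given for the MLS case. Note that with `init_daemon_domain(xdm_t,xdm_exec_t)` in xdm.te and xdm_t aliased to unconfined_t in this same commit, that range transition currently lands in unconfined_t rather than a separate xdm domain. The remaining changes in the hunk (reordering the udev/su lines, the `ifdef(`enable_mcs',`` spacing) are cosmetic.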
@@ -0,0 +1,38 @@
+
+/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/[wx]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
+/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+
+/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
+')
+
+/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
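Review bot: `/etc/kde3?/kdm/backgroundrc` and `/usr/lib(64)?/qt-.*/etc/settings(/.*)?` are labeled xdm_var_run_t, the same type used for `/var/run/xdm.pid` and `/var/run/xdmctl`, although they live under /etc and /usr/lib; whatever is later allowed to write xdm_var_run_t will be able to rewrite these paths too, and nothing in the file says why they need a runtime-writable label. If kdm really rewrites them while running, `xdm_rw_etc_t` (already used here for `/etc/X11/wdm(/.*)?`) is the closer fit for the /etc entry, or at least add `# kdm/qt rewrite these at runtime; deliberately not etc_t` above them so the choice is not mistaken for an error. Separately, the directory patterns disagree: `/usr/var/[xgkw]dm` and `/var/lib/[xkw]dm` include wdm but `/var/[xgk]dm` does not, and `/var/lib/[xkw]dm` omits gdm, so /var/wdm and /var/lib/gdm fall through to the default /var labels; confirm whether that is intended.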
diff --git a/refpolicy/policy/modules/services/xdm.if b/refpolicy/policy/modules/services/xdm.if
new file mode 100644
index 0000000..4c29517
--- /dev/null
+++ b/refpolicy/policy/modules/services/xdm.if
@@ -0,0 +1 @@
+## X windows login display manager
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
new file mode 100644
index 0000000..5e9ad2e
--- /dev/null
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -0,0 +1,420 @@ + +policy_module(xdm,1.0) + +######################################## +# +# Declarations +# + +# hack until all of strict is converted +#type xdm_t; +gen_require(` + type unconfined_t; +') +typealias unconfined_t alias xdm_t; + +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type xdm_exec_t; +') +init_domain(xdm_t,xdm_exec_t) +init_daemon_domain(xdm_t,xdm_exec_t) + +type xsession_exec_t; +files_type(xsession_exec_t) + +type xserver_log_t; +files_type(xserver_log_t) + +type xdm_xserver_tmp_t; +files_type(xdm_xserver_tmp_t) + +type xdm_lock_t; +files_lock_file(xdm_lock_t) + +type xdm_rw_etc_t; +files_type(xdm_rw_etc_t) + +type xdm_var_run_t; +files_type(xdm_var_run_t) + +type xdm_var_lib_t; +files_type(xdm_var_lib_t) + +type xdm_tmp_t; +files_tmp_file(xdm_tmp_t) + +type xdm_tmpfs_t; +files_tmpfs_file(xdm_tmpfs_t) + +######################################## +# +# Local policy +# + +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process { setexec setpgid setsched setrlimit }; +allow xdm_t self:fifo_file rw_file_perms; +allow xdm_t self:shm create_shm_perms; +allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow xdm_t self:unix_dgram_socket create_socket_perms; + +allow xdm_t xdm_lock_t:file create_file_perms; +files_create_lock(xdm_t,xdm_lock_t) + +allow xdm_t xdm_tmp_t:dir create_dir_perms; +allow xdm_t xdm_tmp_t:file create_file_perms; +allow xdm_t xdm_tmp_t:file create_file_perms; +files_create_tmp_files(xdm_t, xdm_tmp_t, { file dir sock_file }) + +allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink 
rename }; +allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; +fs_create_tmpfs_data(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +allow xdm_t xdm_var_lib_t:file create_file_perms; +allow xdm_t xdm_var_lib_t:dir create_dir_perms; +files_create_var_lib(xdm_t,xdm_var_lib_t) + +kernel_read_system_state(xdm_t) +kernel_read_kernel_sysctl(xdm_t) + +dev_read_rand(xdm_t) +dev_read_urand(xdm_t) + +selinux_get_fs_mount(xdm_t) +selinux_validate_context(xdm_t) +selinux_compute_access_vector(xdm_t) +selinux_compute_create_context(xdm_t) +selinux_compute_relabel_context(xdm_t) +selinux_compute_user_contexts(xdm_t) + +files_read_etc_runtime_files(xdm_t) + +ifdef(`targeted_policy',` + unconfined_domain_template(xdm_t) +') + +ifdef(`TODO',` +# cjp: TODO: integrate strict policy: +daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') + +allow xdm_t xdm_var_run_t:dir setattr; + +# for xdmctl +allow xdm_t xdm_var_run_t:fifo_file create_file_perms; +allow initrc_t xdm_var_run_t:fifo_file unlink; +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir) + +# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open +# handle of a file inside the dir!!! 
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; +dontaudit xdm_xserver_t xdm_var_lib_t:dir search; +allow xdm_xserver_t xdm_var_run_t:file { getattr read }; + +allow xdm_t default_context_t:dir search; +allow xdm_t default_context_t:{ file lnk_file } { read getattr }; + +can_network(xdm_t) +allow xdm_t port_type:tcp_socket name_connect; + +allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; +allow xdm_t xdm_xserver_t:process signal; +can_unix_connect(xdm_t, xdm_xserver_t) +allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; +allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; +allow xdm_xserver_t xdm_t:process signal; +# for reboot +allow xdm_t initctl_t:fifo_file write; + +# init script wants to check if it needs to update windowmanagerlist +allow initrc_t xdm_rw_etc_t:file { getattr read }; +ifdef(`distro_suse', ` +# set permissions on /tmp/.X11-unix +allow initrc_t xdm_tmp_t:dir setattr; +') + +# Transition to user domains for user sessions. +domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) +allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; +allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; +allow unpriv_userdomain xdm_xserver_t:fd use; +allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; +allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; +allow xdm_xserver_t unpriv_userdomain:fd use; + +# Do not audit user access to the X log files due to file handle inheritance +dontaudit unpriv_userdomain xserver_log_t:file { write append }; + +# gnome-session creates socket under /tmp/.ICE-unix/ +allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; +allow unpriv_userdomain xdm_tmp_t:sock_file create; + +# Allow xdm logins as sysadm_r:sysadm_t +bool xdm_sysadm_login false; +if (xdm_sysadm_login) { +domain_trans(xdm_t, xsession_exec_t, sysadm_t) +allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; +allow sysadm_t xdm_xserver_t:shm r_shm_perms; +allow sysadm_t xdm_xserver_t:fd use; +allow sysadm_t 
xdm_xserver_tmpfs_t:file { getattr read }; +allow xdm_xserver_t sysadm_t:shm rw_shm_perms; +allow xdm_xserver_t sysadm_t:fd use; +} + +# Label pid and temporary files with derived types. +rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) +allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; + +# Run helper programs. +allow xdm_t etc_t:file { getattr read }; +allow xdm_t bin_t:dir { getattr search }; +# lib_t is for running cpp +can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t }) +allow xdm_t { bin_t sbin_t }:lnk_file read; +ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)') +ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)') +allow xdm_t xdm_xserver_t:process sigkill; +allow xdm_t xdm_xserver_tmp_t:file unlink; + +# Access devices. +allow xdm_t device_t:dir { read search }; +allow xdm_t console_device_t:chr_file setattr; +allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t framebuf_device_t:chr_file { getattr setattr }; +allow xdm_t mouse_device_t:chr_file { getattr setattr }; +allow xdm_t apm_bios_t:chr_file { setattr getattr read write }; +allow xdm_t dri_device_t:chr_file rw_file_perms; +allow xdm_t device_t:dir rw_dir_perms; +allow xdm_t agp_device_t:chr_file rw_file_perms; +allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }; +allow xdm_t v4l_device_t:chr_file { setattr getattr }; +allow xdm_t scanner_device_t:chr_file { setattr getattr }; +allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr }; +allow xdm_t device_t:lnk_file read; +can_resmgrd_connect(xdm_t) + +# Access xdm log files. +file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) +allow xdm_t xserver_log_t:dir rw_dir_perms; +allow xdm_t xserver_log_t:dir setattr; +# Access /var/gdm/.gdmfifo. 
+allow xdm_t xserver_log_t:fifo_file create_file_perms; + +allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; +allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; +allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; +allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; +allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; + +# Remove /tmp/.X11-unix/X0. +allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; +allow xdm_t xdm_xserver_tmp_t:sock_file unlink; + +ifdef(`gpm.te', ` +# Talk to the console mouse server. +allow xdm_t gpmctl_t:sock_file { getattr setattr write }; +allow xdm_t gpm_t:unix_stream_socket connectto; +') + +allow xdm_t sysfs_t:dir search; + +# Update utmp and wtmp. +allow xdm_t initrc_var_run_t: file { read write lock }; +allow xdm_t wtmp_t:file append; + +# Update lastlog. +allow xdm_t lastlog_t:file rw_file_perms; + +# Need to further investigate these permissions and +# perhaps define derived types. +allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; +allow xdm_t var_lib_t:file { create write unlink }; + +# Connect to xfs. +ifdef(`xfs.te', ` +allow xdm_t xfs_tmp_t:dir search; +allow xdm_t xfs_tmp_t:sock_file write; +can_unix_connect(xdm_t, xfs_t) +') + +allow xdm_t etc_t:lnk_file read; + +# wdm has its own config dir /etc/X11/wdm +# this is ugly, daemons should not create files under /etc! +allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; +allow xdm_t xdm_rw_etc_t:file create_file_perms; + +# Signal any user domain. +allow xdm_t userdomain:process signal_perms; + +# Search /proc for any user domain processes. +allow xdm_t userdomain:dir r_dir_perms; +allow xdm_t userdomain:{ file lnk_file } r_file_perms; + +# Allow xdm access to the user domains +allow xdm_t home_root_t:dir search; +allow xdm_xserver_t home_root_t:dir search; + +# Do not audit denied attempts to access devices. 
+dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms}; +dontaudit xdm_t device_t:file_class_set rw_file_perms; +dontaudit xdm_t misc_device_t:file_class_set rw_file_perms; +dontaudit xdm_t removable_device_t:file_class_set rw_file_perms; +dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms; +dontaudit xdm_t devpts_t:dir search; + +# Do not audit denied probes of /proc. +dontaudit xdm_t domain:dir r_dir_perms; +dontaudit xdm_t domain:{ file lnk_file } r_file_perms; + +# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... +allow xdm_t usr_t:{ lnk_file file } { getattr read }; + +# Read fonts +read_fonts(xdm_t) + +# Do not audit attempts to write to index files under /usr +dontaudit xdm_t usr_t:file write; + +# Do not audit access to /root +dontaudit xdm_t sysadm_home_dir_t:dir { getattr search }; + +# Do not audit user access to the X log files due to file handle inheritance +dontaudit unpriv_userdomain xserver_log_t:file { write append }; + +# Do not audit attempts to check whether user root has email +dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; +dontaudit xdm_t mail_spool_t:file getattr; + +# Access sound device. +allow xdm_t sound_device_t:chr_file { setattr getattr }; + +# Allow setting of attributes on power management devices. +allow xdm_t power_device_t:chr_file { getattr setattr }; + +# Run the X server in a derived domain. +xserver_domain(xdm) + +ifdef(`rhgb.te', ` +allow xdm_xserver_t ramfs_t:dir rw_dir_perms; +allow xdm_xserver_t ramfs_t:file create_file_perms; +allow rhgb_t xdm_xserver_t:process signal; +') + +# Unrestricted inheritance. +allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; + +# Run xkbcomp. +allow xdm_xserver_t var_lib_t:dir search; +allow xdm_xserver_t xkb_var_lib_t:lnk_file read; +can_exec(xdm_xserver_t, xkb_var_lib_t) + +# Insert video drivers. 
+allow xdm_xserver_t self:capability mknod; +allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; +domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) +allow insmod_t xserver_log_t:file write; +allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; + +# Read /proc/dri/.* +allow xdm_xserver_t proc_t:dir { search read }; + +# Search /var/run. +allow xdm_xserver_t var_run_t:dir search; + +# FIXME: After per user fonts are properly working +# xdm_xserver_t may no longer have any reason +# to read ROLE_home_t - examine this in more detail +# (xauth?) + +# Search home directories. +allow xdm_xserver_t user_home_type:dir search; +allow xdm_xserver_t user_home_type:file { getattr read }; + +if (use_nfs_home_dirs) { +allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; +allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; +allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; +can_exec(xdm_t, nfs_t) +} + +if (use_samba_home_dirs) { +allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; +allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; +can_exec(xdm_t, cifs_t) +} + +# for .dmrc +allow xdm_t user_home_dir_type:dir { getattr search }; +allow xdm_t user_home_type:file { getattr read }; + +ifdef(`support_polyinstatiation', ` +# xdm_t can polyinstantiate +polyinstantiater(xdm_t) +# xdm needs access for linking .X11-unix to poly /tmp +allow xdm_t polymember:dir { add_name remove_name write }; +allow xdm_t polymember:lnk_file { create unlink }; +# xdm needs access for copying .Xauthority into new home +allow xdm_t polymember:file { create getattr write }; +') + +allow xdm_t mnt_t:dir { getattr read search }; +# +# Wants to delete .xsession-errors file +# +allow xdm_t user_home_type:file unlink; +# +# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +# +ifdef(`pam.te', ` +allow xdm_t pam_var_run_t:dir create_dir_perms; +allow xdm_t pam_var_run_t:file create_file_perms; +allow 
pam_t xdm_t:fifo_file { getattr ioctl write }; +domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t) +can_exec(xdm_t, pam_exec_t) +# For pam_console +rw_dir_create_file(xdm_t, pam_var_console_t) +') + +# Pamconsole/alsa +ifdef(`alsa.te', ` +domain_auto_trans(xdm_t, alsa_exec_t, alsa_t) +') dnl ifdef + +allow xdm_t var_log_t:file { getattr read }; +allow xdm_t wtmp_t:file { getattr read }; + +domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) +# +# Poweroff wants to create the /poweroff file when run from xdm +# +file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file) + +# +# xdm tries to bind to biff_port_t +# +dontaudit xdm_t port_type:tcp_socket name_bind; + +# VNC v4 module in X server +allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; +ifdef(`crack.te', ` +allow xdm_t crack_db_t:file r_file_perms; +') +r_dir_file(xdm_t, selinux_config_t) + +# Run telinit->init to shutdown. +can_exec(xdm_t, init_exec_t) +allow xdm_t self:sem create_sem_perms; + +# Allow gdm to run gdm-binary +can_exec(xdm_t, xdm_exec_t) + +# Supress permission check on .ICE-unix +dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; +') dnl end TODO diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index 1c00508..d1c6e25 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -39,6 +39,11 @@ ifdef(`targeted_policy',` /etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0) ') +/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) +/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) +/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) +/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /sbin # diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 9513fad..a435178 100644 --- a/refpolicy/policy/modules/system/init.te 
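Review bot: `typealias unconfined_t alias xdm_t;` sits outside any `ifdef(`targeted_policy'` guard, so unless unconfined_t is absent from the strict build, xdm_t is unconfined_t there as well and every `allow xdm_t ...` rule in this file — including the broad `self:capability { ... sys_rawio mknod dac_override dac_read_search ipc_owner ... }` set, several of which are effectively root-equivalent — is granted to unconfined_t rather than to a separate display-manager domain; the `# hack until all of strict is converted` comment does not say this. Suggest widening it to `# hack until all of strict is converted: xdm_t is unconfined_t in BOTH targeted and strict builds, so the rules below currently confine nothing`. The active (non-TODO) section declares xdm_var_run_t, xdm_rw_etc_t, xsession_exec_t, xserver_log_t and xdm_xserver_tmp_t but grants xdm_t no access to them and defines no transition to a session domain, and `allow xdm_t xdm_tmp_t:file create_file_perms;` appears twice; harmless while the alias is in place, but these will surface as denials the moment a real `type xdm_t;` is declared, so a TODO naming the gap would help. The `ifdef(`TODO',` block references types this module never declares (xdm_xserver_t, xdm_xserver_tmpfs_t, unpriv_userdomain), which is presumably why it is kept disabled.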
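Review bot: `/etc/X11/xinit(/.*)?` labels the entire directory bin_t, so any non-script configuration that lives there becomes executable-labeled for every domain allowed to run bin_t, while xdm.fc in the same commit labels the equivalent session hooks (`/etc/X11/wdm/Xsetup.*`, `/etc/X11/Xsession[^/]*`) xsession_exec_t and `/etc/X11/xdm/Xsetup_0` here gets bin_t — the two files disagree on how xdm-run scripts under /etc/X11 are labeled. Presumably bin_t is chosen so xdm_t runs GiveConsole/TakeConsole/Xsetup_0 in its own domain without a transition, whereas xsession_exec_t is the session entry point; if so, a comment such as `# run by xdm without a domain transition; session entry points are xsession_exec_t in xdm.fc` would make the split intentional rather than accidental. Note also that the new entries sit outside the `ifdef(`targeted_policy',` guard that wraps `/etc/X11/prefdm`, so they apply to strict builds too; probably right, but worth confirming.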
+++ b/refpolicy/policy/modules/system/init.te @@ -19,7 +19,11 @@ attribute direct_init_entry; # # init_t is the domain of the init process. # -type init_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type init_t; +') domain_type(init_t) role system_r types init_t; diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 3f6f48e..a03604b 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -29,8 +29,7 @@ ifdef(`targeted_policy',` # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. - # cjp: remove xdm_t when we get to that module - typealias unconfined_t alias { secadm_t sysadm_t xdm_t }; + typealias unconfined_t alias { secadm_t sysadm_t }; init_domtrans_script(unconfined_t)