From 7b9c57c8ba06657501f0b67755c2871acb179dd1 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 30 2008 05:41:15 +0000
Subject: - Allow initrc_t to dbus chat with consolekit.
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 14ced2c..9b71c43 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -12737,7 +12737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 11:32:17.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-29 13:18:18.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-29 19:56:07.000000000 +0100
 @@ -9,6 +9,7 @@
 #
 # Delcarations
@@ -12841,7 +12841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 + attribute domain;
 + ')
 + unconfined_domain(unconfined_dbusd_t)
-+ allow dbusd_unconfined domain:consolekit_t:dbus send_msg;
++ allow dbusd_unconfined domain:dbus send_msg;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if
@@ -25394,7 +25394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 11:32:17.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-28 23:04:06.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-30 07:37:14.000000000 +0200
 @@ -8,6 +8,14 @@
 ##
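Review bot: The replacement rule `allow dbusd_unconfined domain:dbus send_msg;` in the dbus.te hunk lets every type carrying the dbusd_unconfined attribute send D-Bus messages to every type in `domain`, which is far wider than the initrc_t-to-consolekit chat named in the subject line. If the blanket grant is the intended meaning of the attribute, the rule should say so in a comment, for example `# unconfined D-Bus users may send to any domain; confined domains stay on per-service dbus_chat interfaces`. The initrc_t/consolekit access itself is not visible in these hunks, so it presumably lives in another part of the patch and should be checked against this rule. The enclosing block opens above the hunk, so its conditions cannot be confirmed from here.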
@@ -25671,7 +25671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +381,11 @@ +@@ -256,22 +381,28 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -25685,7 +25685,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,8 +394,13 @@ + # for .dmrc + userdom_read_unpriv_users_home_content_files(xdm_t) ++userdom_dontaudit_write_user_home_content_files(user, xdm_t) ++ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25699,7 +25702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -301,10 +430,15 @@ +@@ -301,10 +432,15 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -25716,7 +25719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +446,23 @@ +@@ -312,6 +448,23 @@ ') optional_policy(` @@ -25740,7 +25743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +473,10 @@ +@@ -322,6 +475,10 @@ ') optional_policy(` @@ -25751,7 +25754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +490,11 @@ +@@ -335,6 +492,11 @@ ') optional_policy(` @@ -25763,7 +25766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +503,8 @@ +@@ -343,8 +505,8 @@ ') optional_policy(` 
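Review bot: The added `userdom_dontaudit_write_user_home_content_files(user, xdm_t)` in the xdm_t section of xserver.te suppresses a denial without saying which write it hides, and it sits directly under the `# for .dmrc` comment that belongs to the read rule above it. A dontaudit removes the AVC record that would otherwise show xdm_t attempting to write into user home content, so the reason should be recorded next to the rule, e.g. `# dontaudit: <which xdm write is expected to be denied, and why>`. The call also passes the `user` prefix explicitly while the neighbouring read rule covers all unprivileged users, which looks inconsistent and is worth confirming with the author.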
@@ -25773,7 +25776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +540,7 @@ +@@ -380,7 +542,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -25782,7 +25785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +552,15 @@ +@@ -392,6 +554,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -25798,7 +25801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +573,17 @@ +@@ -404,9 +575,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -25816,7 +25819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +597,22 @@ +@@ -420,6 +599,22 @@ ') optional_policy(` @@ -25839,7 +25842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +622,139 @@ +@@ -429,47 +624,139 @@ ') optional_policy(` @@ -25903,7 +25906,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # -# Wants to delete .xsession-errors file +# xauth_t Local policy -+# + # +-allow xdm_t user_home_type:file unlink; +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) + +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) 
@@ -25949,8 +25953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 +
 +##############################
- #
--allow xdm_t user_home_type:file unlink;
++#
 +# iceauth_t Local policy
 +#
 +