diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 1b12d7d..e803cdb 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -450,6 +450,39 @@ interface(`xserver_stream_connect_xdm',`
 
 ########################################
 ## <summary>
+##	Read xdm-writable configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_read_xdm_rw_config',`
+	gen_require(`
+		type xdm_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 xdm_rw_etc_t:dir { getattr read };
+')
+
+########################################
+## <summary>
+##	Set the attributes of XDM temporary directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_setattr_xdm_tmp_dirs',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
 ##	Create a named socket in a XDM
 ##	temporary directory.
 ## </summary>
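Review bot: `xserver_read_xdm_rw_config` is documented as reading xdm-writable configuration files, but its only rule is `allow $1 xdm_rw_etc_t:dir { getattr read };`, which grants access on the directory class and none on files. The rule it replaces, removed from the TODO block of xserver.te in this same commit, was `allow initrc_t xdm_rw_etc_t:file { getattr read };`, so the class looks like a slip; I would write `allow $1 xdm_rw_etc_t:file { getattr read };`. As written, the caller added in init.te, `xserver_read_xdm_rw_config(initrc_t)`, gets directory listing it did not have before and presumably still cannot read the file it wants to check. If directory access is also intended, the summary should say so.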
@@ -570,3 +603,22 @@ interface(`xserver_dontaudit_write_log',`
 
 	dontaudit $1 xserver_log_t:file { append write };
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the X server
+##	log files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit
+## </param>
+#
+interface(`xserver_delete_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xserver_log_t:dir rw_dir_perms;
+	allow $1 xserver_log_t:file unlink;
+')
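Review bot: The summary and parameter text on `xserver_delete_log` appear to be copied from `xserver_dontaudit_write_log` just above and describe a dontaudit rule, while the body grants `rw_dir_perms` on `xserver_log_t` directories and `unlink` on `xserver_log_t` files. Anyone auditing callers from the generated interface documentation would read this as audit suppression rather than permission to delete X server logs. I would change the summary to `##	Delete X server log files.` and the parameter text to `##	Domain allowed access.`, matching the other interfaces added in this file.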
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 61f38f0..dacf9aa 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.0.1)
+policy_module(xserver,1.0.2)
 
 ########################################
 #
@@ -368,53 +368,53 @@ optional_policy(`xfs',`
 # XDM Xserver local policy
 #
 
-ifdef(`strict_policy',`
-	allow xdm_xserver_t xdm_t:process signal;
-	allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xdm_xserver_t xdm_t:process signal;
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
-	# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-	# handle of a file inside the dir!!!
-	allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-	dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
 
-	allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+# Label pid and temporary files with derived types.
+allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
+allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
+allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
+allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
 
-	# Label pid and temporary files with derived types.
-	allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
-	allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
-	allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
-	allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+# Run xkbcomp.
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+files_search_var_lib(xdm_xserver_t)
 
-	# Run xkbcomp.
-	allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-	can_exec(xdm_xserver_t, xkb_var_lib_t)
-	files_search_var_lib(xdm_xserver_t)
+# VNC v4 module in X server
+corenet_tcp_bind_vnc_port(xdm_xserver_t)
 
-	# VNC v4 module in X server
-	corenet_tcp_bind_vnc_port(xdm_xserver_t)
+fs_search_auto_mountpoints(xdm_xserver_t)
 
-	fs_search_auto_mountpoints(xdm_xserver_t)
+init_use_fd(xdm_xserver_t)
 
-	init_use_fd(xdm_xserver_t)
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(xdm_xserver_t)
+	fs_manage_nfs_files(xdm_xserver_t)
+	fs_manage_nfs_symlinks(xdm_xserver_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(xdm_xserver_t)
+	fs_manage_cifs_files(xdm_xserver_t)
+	fs_manage_cifs_symlinks(xdm_xserver_t)
+')
 
+ifdef(`strict_policy',`
 	# FIXME: After per user fonts are properly working
 	# xdm_xserver_t may no longer have any reason
 	# to read ROLE_home_t - examine this in more detail
 	# (xauth?)
 	userdom_read_unpriv_user_home_files(xdm_xserver_t)
 
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs(xdm_xserver_t)
-		fs_manage_nfs_files(xdm_xserver_t)
-		fs_manage_nfs_symlinks(xdm_xserver_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs(xdm_xserver_t)
-		fs_manage_cifs_files(xdm_xserver_t)
-		fs_manage_cifs_symlinks(xdm_xserver_t)
-	')
-
 	ifdef(`TODO',`
 	# Read all global and per user fonts
 	read_fonts(xdm_xserver_t, sysadm)
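Review bot: With the `strict_policy` ifdef moved down to just above the FIXME, `corenet_tcp_bind_vnc_port(xdm_xserver_t)`, the `xdm_tmp_t` manage rules and both home-directory `tunable_policy` blocks now apply to every policy build, and nothing in the hunk records that the wider scope is intended. Whether `xdm_xserver_t` is otherwise confined in the targeted build is not visible here, so a reader cannot tell from this file if the VNC port bind and the NFS/CIFS manage access are needed there. I would add a comment at the top of the section such as `# These rules apply to all policy types; only home directory access below is strict-only.` and say in the commit message which denials prompted the move. The `ifdef` TODO block at the end of the hunk continues past it.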
@@ -431,14 +431,6 @@ ifdef(`targeted_policy',`
 ')
 
 ifdef(`TODO',`
-# cjp: TODO: integrate strict policy:
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 
 can_resmgrd_connect(xdm_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 6a6a1fb..2df8025 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.2.1)
+policy_module(init,1.2.2)
 
 gen_require(`
 	class passwd rootok;
@@ -428,30 +428,46 @@ ifdef(`distro_redhat',`
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
 
-	fs_rw_tmpfs_chr_files(initrc_t)
-
-	storage_create_fixed_disk(initrc_t)
-	storage_getattr_removable_dev(initrc_t)
-
 	files_create_boot_flag(initrc_t)
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
 
-	miscfiles_read_fonts(initrc_t)
-	miscfiles_read_hwdata(initrc_t)
+	fs_rw_tmpfs_chr_files(initrc_t)
+
+	storage_create_fixed_disk(initrc_t)
+	storage_getattr_removable_dev(initrc_t)
 
 	# readahead asks for these
 	auth_dontaudit_read_shadow(initrc_t)
 
+	miscfiles_read_fonts(initrc_t)
+	miscfiles_read_hwdata(initrc_t)
+
 	optional_policy(`bind',`
 		bind_manage_config_dirs(initrc_t)
+		bind_write_config(initrc_t)
 	')
 
 	optional_policy(`rpc',`
 		#for /etc/rc.d/init.d/nfs to create /etc/exports
 		rpc_write_exports(initrc_t)
 	')
+
+	optional_policy(`sysnetwork',`
+		sysnet_rw_dhcp_config(initrc_t)
+	')
+
+	optional_policy(`xserver',`
+		xserver_delete_log(initrc_t)
+	')
+')
+
+ifdef(`distro_suse',`
+	optional_policy(`xserver',`
+		# set permissions on /tmp/.X11-unix
+		xserver_setattr_xdm_tmp_dirs(initrc_t)
+	')
 ')
 
 ifdef(`targeted_policy',`
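Review bot: The relocated `bind_write_config(initrc_t)` and the new `xserver_delete_log(initrc_t)` calls lost the comments that justified them at their old locations in this file (`# for /etc/rndc.key`, `# Allow init script to cp localtime to named_conf_t` and `# wants to cleanup xserver log dir`). These are write and delete grants to `initrc_t`, so the reason should stay next to the call. I would carry the old comments over above each line, as the hunk already does for `rpc_write_exports` and `xserver_setattr_xdm_tmp_dirs`. `sysnet_rw_dhcp_config(initrc_t)` had no comment before the move and would benefit from one as well. The `distro_redhat` block these lines sit in starts above the hunk.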
@@ -484,12 +500,6 @@ optional_policy(`bind',`
 
 	# for chmod in start script
 	bind_setattr_pid_dirs(initrc_t)
-
-	# for /etc/rndc.key
-	ifdef(`distro_redhat',`
-		# Allow init script to cp localtime to named_conf_t
-		bind_write_config(initrc_t)
-	')
 ')
 
 optional_policy(`bluetooth',`
@@ -668,10 +678,6 @@ optional_policy(`su',`
 ')
 
 optional_policy(`sysnetwork',`
-	ifdef(`distro_redhat',`
-		sysnet_rw_dhcp_config(initrc_t)
-	')
-
 	sysnet_read_dhcpc_state(initrc_t)
 ')
 
@@ -682,6 +688,11 @@ optional_policy(`xfs',`
 	xfs_read_sockets(initrc_t)
 ')
 
+optional_policy(`xserver',`
+	# init s	cript wants to check if it needs to update windowmanagerlist
+	xserver_read_xdm_rw_config(initrc_t)
+')
+
 optional_policy(`zebra',`
 	zebra_read_config(initrc_t)
 ')
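Review bot: The added comment has a stray tab inside a word, `# init s	cript wants to check ...`; it should read `# init script wants to check if it needs to update windowmanagerlist`. This comment is the only record of why `initrc_t` is given access to `xdm_rw_etc_t`, so it is worth keeping it searchable.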
@@ -690,17 +701,7 @@ ifdef(`TODO',`
 # Set device ownerships/modes.
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir write;
-
 ifdef(`distro_redhat', `
 	allow initrc_t device_t:dir create;
-
-	ifdef(`xserver.te', `
-	# wants to cleanup xserver log dir
-	allow initrc_t xserver_log_t:dir rw_dir_perms;
-	allow initrc_t xserver_log_t:file unlink;
-	')
-
 ')
 ') dnl end TODO