Index: policy/domains/program/modutil.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v retrieving revision 1.25 diff -u -r1.25 modutil.te --- policy/domains/program/modutil.te 8 Nov 2004 20:58:16 -0000 1.25 +++ policy/domains/program/modutil.te 9 Nov 2004 17:26:28 -0000 @@ -123,7 +123,7 @@ allow insmod_t self:rawip_socket create_socket_perms; allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config }; allow insmod_t domain:process signal; -allow insmod_t self:process { fork signal_perms }; +allow insmod_t self:process { fork signal_perms wxpage }; allow insmod_t device_t:dir search; allow insmod_t etc_runtime_t:file { getattr read }; Index: policy/domains/program/unused/prelink.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v retrieving revision 1.14 diff -u -r1.14 prelink.te --- policy/domains/program/unused/prelink.te 8 Nov 2004 20:58:18 -0000 1.14 +++ policy/domains/program/unused/prelink.te 9 Nov 2004 17:26:29 -0000 @@ -11,6 +11,8 @@ # daemon_base_domain(prelink, `, admin') +allow prelink_t self:process wxpage; + allow prelink_t fs_t:filesystem getattr; ifdef(`crond.te', ` Index: policy/domains/program/unused/udev.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v retrieving revision 1.32 diff -u -r1.32 udev.te --- policy/domains/program/unused/udev.te 8 Nov 2004 20:58:19 -0000 1.32 +++ policy/domains/program/unused/udev.te 9 Nov 2004 17:26:29 -0000 
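Review bot: The grant in `allow insmod_t self:process { fork signal_perms wxpage };` carries no comment saying which part of the module utilities needs wxpage. The same gap exists in the prelink.te hunk (`allow prelink_t self:process wxpage;`) and the xserver_macros.te hunk (`allow $1_xserver_t self:process wxpage;`). This patch takes wxpage out of general_domain_access so that it is granted case by case, so each grant should record its reason, for example `# wxpage: required by <binary or library>, seen as <denial reference>`. insmod_t already holds `sys_module` two lines above, which makes an unexplained relaxation in this domain the one most worth justifying. What wxpage actually checks is not defined anywhere in this diff; the only hint is the executable-stack remark in base_user_macros.te.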
@@ -13,6 +13,9 @@ general_domain_access(udev_t) +# Why? +allow udev_t self:process wxpage; + etc_domain(udev) typealias udev_etc_t alias etc_udev_t; type udev_helper_exec_t, file_type, sysadmfile, exec_type; Index: policy/flask/access_vectors =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v retrieving revision 1.13 diff -u -r1.13 access_vectors --- policy/flask/access_vectors 9 Sep 2004 12:01:52 -0000 1.13 +++ policy/flask/access_vectors 8 Nov 2004 16:27:39 -0000 @@ -240,6 +240,7 @@ siginh setrlimit rlimitinh + wxpage } Index: policy/macros/base_user_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v retrieving revision 1.34 diff -u -r1.34 base_user_macros.te --- policy/macros/base_user_macros.te 8 Nov 2004 20:58:20 -0000 1.34 +++ policy/macros/base_user_macros.te 9 Nov 2004 17:45:54 -0000 @@ -33,6 +33,9 @@ # Grant permissions within the domain. general_domain_access($1_t); +# Uncomment to allow loading DSOs that require executable stack. +#allow $1_t self:process wxpage; + # # kdeinit wants this access # Index: policy/macros/core_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v retrieving revision 1.24 diff -u -r1.24 core_macros.te --- policy/macros/core_macros.te 8 Nov 2004 20:58:20 -0000 1.24 +++ policy/macros/core_macros.te 9 Nov 2004 17:26:31 -0000 
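Review bot: The `# Why?` comment above `allow udev_t self:process wxpage;` says the rule is being added without a known cause. A permission that was deliberately excluded from the general grant should not be handed out on an open question. Either leave the rule commented out until a denial identifies the component, as the base_user_macros.te hunk does with `#allow $1_t self:process wxpage;`, or replace the comment with the cause, e.g. `# wxpage: required by <component>, seen as <denial reference>`.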
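Review bot: The comment `# Uncomment to allow loading DSOs that require executable stack.` in the base_user_macros.te hunk understates the scope of the rule beneath it. `allow $1_t self:process wxpage;` sits in a per-user macro, so enabling it grants wxpage to every process running in each generated `$1_t` domain, not only to the programs that load such DSOs. Suggested wording: `# Uncomment to grant wxpage to the whole $1_t domain (needed by DSOs that require an executable stack); this lifts the check for every program run in the domain.` The macro body starts and ends outside this hunk, so whether a narrower domain could carry the rule instead cannot be judged from here.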
@@ -617,9 +617,9 @@ # define(`general_domain_access',` # Access other processes in the same domain. -# Omits ptrace, setexec, and setfscreate. These must be granted -# separately if desired. -allow $1 self:process ~{ptrace setexec setfscreate setrlimit}; +# Omits ptrace, setexec, setfscreate, setrlimit, and wxpage. +# These must be granted separately if desired. +allow $1 self:process ~{ptrace setexec setfscreate setrlimit wxpage}; # Access /proc/PID files for processes in the same domain. allow $1 self:dir r_dir_perms; Index: policy/macros/program/xserver_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v retrieving revision 1.37 diff -u -r1.37 xserver_macros.te --- policy/macros/program/xserver_macros.te 8 Nov 2004 20:58:21 -0000 1.37 +++ policy/macros/program/xserver_macros.te 9 Nov 2004 17:26:31 -0000 @@ -56,6 +56,8 @@ # for access within the domain general_domain_access($1_xserver_t) +allow $1_xserver_t self:process wxpage; + allow $1_xserver_t etc_runtime_t:file { getattr read }; ifelse($1, xdm, `
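Review bot: `allow $1 self:process ~{ptrace setexec setfscreate setrlimit wxpage};` is a complement set, so it grants by default. wxpage is withheld only because this line is edited in the same change as access_vectors; the next permission added to class process would go to every caller of general_domain_access unless it is also listed here. The comment should say so, e.g. `# Complement set: any permission added to class process must be listed here or every domain receives it.` Rules elsewhere in the tree that grant `self:process` through `~{...}` or `*` are not visible in this diff and would pick up wxpage silently, so they are worth searching for before this is merged. The `define` body continues past the end of the hunk.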