From: aranea@aixah.de (Luis Ressel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients
Date: Tue, 12 Sep 2017 04:11:15 +0200
Message-ID: <20170912021116.14272-1-aranea@aixah.de>
Note that dev_rw_dri already has the permission, it was just forgotten
to add it to dev_manage_dri, too.
---
policy/modules/kernel/devices.if | 1 +
policy/modules/services/xserver.if | 4 +++-
policy/modules/services/xserver.te | 2 ++
policy/modules/system/userdomain.if | 2 ++
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 39069c177..b8f85c2ad 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
')
manage_chr_files_pattern($1, device_t, dri_device_t)
+ allow $1 dri_device_t:chr_file map;
')
########################################
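Review bot: The `map` grant is added as a standalone allow rule because `manage_chr_files_pattern` does not include it, so the interface now grants strictly more than "manage"; the doc comment of `dev_manage_dri_dev` above this hunk should say that callers may also mmap the DRI device nodes, and the tree this is applied to must already define `map` for `chr_file` in the access vectors or the rule will not compile.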
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d14bf3c0d..13f800936 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
# Xserver read/write client shm
allow xserver_t $1:fd use;
allow xserver_t $1:shm rw_shm_perms;
- allow xserver_t $2:file rw_file_perms;
+ allow xserver_t $2:file { rw_file_perms map };
# Connect to xserver
allow $1 xserver_t:unix_stream_socket connectto;
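Review bot: The comment "# Xserver read/write client shm" directly above the changed rule is now inaccurate, since `{ rw_file_perms map }` also lets the X server mmap the client's `$2` files; update the comment to say read/write/map so the extra mapping access is visible to anyone auditing the interface.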
@@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:fd use;
allow $1 xserver_t:shm r_shm_perms;
allow $1 xserver_tmpfs_t:file read_file_perms;
+
+ allow $1 $2:file map;
')
#######################################
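Review bot: `allow $1 $2:file map;` grants the caller map access to its own tmpfs type inside an xserver interface, while the userdomain.if hunk of the same patch grants the login user domain the same access through `userdom_map_user_tmpfs_files($1_t)`; for a user domain calling `xserver_ro_session` with its user tmpfs type the two rules overlap, so pick one location (the userdomain template seems the natural one, since the permission is on the caller's own type) and document the new permission in the interface's doc block.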
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 0a9c8731e..e89e1535b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow xserver_t xserver_tmpfs_t:file map;
# Run xkbcomp
manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
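Review bot: Style point only: the new `allow xserver_t xserver_tmpfs_t:file map;` is placed after the `fs_tmpfs_filetrans` call, which separates it from the `manage_*_pattern` rules for `xserver_tmpfs_t` immediately above; move it up next to those rules (or add a short comment explaining it is needed for mmap of the server's own shm segments) so the tmpfs rules stay grouped.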
@@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
+userdom_map_user_tmpfs_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
xserver_use_user_fonts(xserver_t)
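Review bot: `userdom_map_user_tmpfs_files` is called here and in the userdomain.if hunk, but no hunk in this patch adds that interface to userdomain.if; confirm it already exists in the tree this series targets, otherwise the interface definition needs to be part of this patch or xserver.te will fail to build.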
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 78e821eb2..849f9b6a7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)
+ userdom_map_user_tmpfs_files($1_t)
+
userdom_change_password_template($1)
##############################
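Review bot: `userdom_map_user_tmpfs_files($1_t)` grants the login user domain map access to all of its user tmpfs files, not only the X shm segments named in the subject; that is consistent with the `userdom_exec_user_tmp_files` grant in the surrounding context lines, but the commit message should say the scope is the whole user tmpfs type so the broader grant is deliberate rather than incidental.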
--
2.14.1
Thread overview: 6+ messages
2017-09-12 2:11 Luis Ressel [this message]
2017-09-12 2:11 ` [refpolicy] [PATCH 2/2] kernel: Add map permission to the dev_{read, write}_sound* interfaces Luis Ressel
2017-09-12 22:48 ` Chris PeBenito
2017-09-12 22:47 ` [refpolicy] [PATCH 1/2] Grant all permissions necessary for Xorg and basic X clients Chris PeBenito
2017-09-13 3:14 ` Luis Ressel
2017-09-13 22:33 ` Chris PeBenito