From: aranea@aixah.de (Luis Ressel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/2] Grant all permissions neccessary for Xorg and basic X clients
Date: Tue, 12 Sep 2017 04:11:15 +0200	[thread overview]
Message-ID: <20170912021116.14272-1-aranea@aixah.de> (raw)

Note that dev_rw_dri_dev already grants the map permission; it was simply
omitted from dev_manage_dri_dev, so add it there too.
---
 policy/modules/kernel/devices.if    | 1 +
 policy/modules/services/xserver.if  | 4 +++-
 policy/modules/services/xserver.te  | 2 ++
 policy/modules/system/userdomain.if | 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 39069c177..b8f85c2ad 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1992,6 +1992,7 @@ interface(`dev_manage_dri_dev',`
 	')
 
 	manage_chr_files_pattern($1, device_t, dri_device_t)
+	allow $1 dri_device_t:chr_file map;
 ')
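Review bot: The `map` grant appended to dev_manage_dri_dev is not reflected in the interface's `## <summary>` block, which sits above this hunk and, judging by the interface name, presumably describes create/read/write/delete access only; a reader of that doc block will not expect mmap of the DRI node to be included. I'd update the summary to something like `## Create, read, write, delete and map the dri devices.` Mapping a device node is a broader capability than read/write, since the caller gets memory-mapped access to whatever the DRM driver exposes, so it is worth naming explicitly. The interface definition begins outside this hunk.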
 
 ########################################
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d14bf3c0d..13f800936 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
 	# Xserver read/write client shm
 	allow xserver_t $1:fd use;
 	allow xserver_t $1:shm rw_shm_perms;
-	allow xserver_t $2:file rw_file_perms;
+	allow xserver_t $2:file { rw_file_perms map };
 
 	# Connect to xserver
 	allow $1 xserver_t:unix_stream_socket connectto;
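Review bot: `allow xserver_t $2:file { rw_file_perms map };` lets the X server map the client's tmpfs type writably, which is the strongest access the server can have to client memory, yet the comment above it still reads only `# Xserver read/write client shm` and the interface is named `xserver_ro_session`; a later reader could plausibly "fix" the map grant away. I'd extend the comment to `# Xserver read/write/map client shm ($2); "ro" refers to the client's view of the server, not the server's access to $2`. The interface body continues outside this hunk.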
@@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
 	allow $1 xserver_t:fd use;
 	allow $1 xserver_t:shm r_shm_perms;
 	allow $1 xserver_tmpfs_t:file read_file_perms;
+
+	allow $1 $2:file map;
 ')
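Review bot: `allow $1 $2:file map;` grants the client domain map on its own tmpfs type, which is not X-specific, and the same series adds `userdom_map_user_tmpfs_files($1_t)` to userdom_login_user_template, so for login user domains this rule is redundant; whether any other caller of xserver_ro_session relies on it cannot be told from this patch. If the grant is kept, it should sit with the other client rules directly above it rather than after a blank line, and carry a why-comment such as `# client maps its own shm files in $2`. The interface's opening lines are outside this hunk.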
 
 #######################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 0a9c8731e..e89e1535b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow xserver_t xserver_tmpfs_t:file map;
 
 # Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
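Review bot: `allow xserver_t xserver_tmpfs_t:file map;` is a bare rule appended after the filetrans line with no explanation, while every neighbouring grant on xserver_tmpfs_t goes through a manage_*_pattern macro that does not cover `map`; a one-line comment would stop someone from folding it back into a macro and silently dropping it. Something like `# manage_*_pattern does not include map; the server mmaps its own tmpfs files` would do, with the motivating access vector confirmed before committing to the second clause. The surrounding xserver_tmpfs_t block continues outside this hunk.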
@@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
 userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
+userdom_map_user_tmpfs_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
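Review bot: `userdom_map_user_tmpfs_files(xserver_t)` calls an interface that this series does not define, so the build depends on it already existing in userdomain.if; that cannot be verified from the patch and deserves a sentence in the commit message, or the interface should be added in the same series. Together with the existing `userdom_rw_user_tmpfs_files(xserver_t)` on the next line, the server now gets read, write and map on every login user's tmpfs files, which is broader than the per-session `$2` grant in xserver_ro_session; if both are needed, a comment tying them together (`# shm with X clients: server rw/maps user tmpfs files`) would help. The xserver_t rules extend beyond this hunk.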
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 78e821eb2..849f9b6a7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -804,6 +804,8 @@ template(`userdom_login_user_template', `
 	userdom_exec_user_tmp_files($1_t)
 	userdom_exec_user_home_content_files($1_t)
 
+	userdom_map_user_tmpfs_files($1_t)
+
 	userdom_change_password_template($1)
 
 	##############################
-- 
2.14.1
