diff options
author | 2017-09-12 04:11:15 +0200 | |
---|---|---|
committer | 2017-09-14 21:11:29 +0200 | |
commit | 9784a6f76e05543821abe87ce8b3952a9f0a2409 (patch) | |
tree | aff6c1106a1ac277e42198cfe5a2326c7a436914 /policy/modules/services | |
parent | Module version bumps. (diff) | |
download | hardened-refpolicy-9784a6f76e05543821abe87ce8b3952a9f0a2409.tar.gz hardened-refpolicy-9784a6f76e05543821abe87ce8b3952a9f0a2409.tar.bz2 hardened-refpolicy-9784a6f76e05543821abe87ce8b3952a9f0a2409.zip |
Grant all permissions neccessary for Xorg and basic X clients
Note that dev_rw_dri already has the permission, it was just forgotten
to add it to dev_manage_dri, too.
Diffstat (limited to 'policy/modules/services')
-rw-r--r-- | policy/modules/services/xserver.if | 4 | ||||
-rw-r--r-- | policy/modules/services/xserver.te | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index d14bf3c0..13f80093 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -197,7 +197,7 @@ interface(`xserver_ro_session',` # Xserver read/write client shm allow xserver_t $1:fd use; allow xserver_t $1:shm rw_shm_perms; - allow xserver_t $2:file rw_file_perms; + allow xserver_t $2:file { rw_file_perms map }; # Connect to xserver allow $1 xserver_t:unix_stream_socket connectto; @@ -210,6 +210,8 @@ interface(`xserver_ro_session',` allow $1 xserver_t:fd use; allow $1 xserver_t:shm r_shm_perms; allow $1 xserver_tmpfs_t:file read_file_perms; + + allow $1 $2:file map; ') ####################################### diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index a88e4af5..5c40fec4 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +allow xserver_t xserver_tmpfs_t:file map; # Run xkbcomp manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) @@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) +userdom_map_user_tmpfs_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) xserver_use_user_fonts(xserver_t) |