05-15-2010, 11:25 AM
Dominick Grift

xdm fixes

Here are two xdm fixes that I had to apply:

Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---------------------- policy/modules/services/xserver.te ---------------------
index 65d2018..18aa8ef 100644
@@ -722,6 +722,7 @@
optional_policy(`
gnome_manage_gconf_home_files(xdm_t)
gnome_read_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
gnome_append_gconf_home_files(xdm_t)
')
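Review bot: The added gnome_read_gconf_config(xdm_t) line is justified in the commit message only by its symptom (gconf sanity check and GNOME power manager failing); include the AVC denial for xdm_t on gconf_etc_t so the grant can be checked against what was actually refused. The context lines also show gnome_append_gconf_home_files(xdm_t) in the same optional_policy block as gnome_manage_gconf_home_files(xdm_t); if manage already covers append, drop the append call in this patch, and state why gnome_read_config(xdm_t) is still needed next to the new read grant.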

xdm_t read xdm_etc_t link files.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---------------------- policy/modules/services/xserver.te ---------------------
index 168e133..dd29803 100644
@@ -409,6 +409,7 @@

allow xdm_t xconsole_device_t:fifo_file { getattr setattr };

+allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;
read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)

manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
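Review bot: The added rule on xdm_etc_t:lnk_file is written as a raw allow, while the very next line grants file reads through read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t); consider the matching read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) macro so both grants on xdm_etc_t follow the same style. The commit message should also name which symlink labeled xdm_etc_t was denied to xdm_t, so the rule can be verified against the denial.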




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
05-15-2010, 11:50 AM
Dominick Grift

xdm fixes

On 05/15/2010 01:25 PM, Dominick Grift wrote:
> Here are two xdm fixes that I had to apply:
>
> Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---------------------- policy/modules/services/xserver.te ---------------------
> index 65d2018..18aa8ef 100644
> @@ -722,6 +722,7 @@
> optional_policy(`
> gnome_manage_gconf_home_files(xdm_t)
> gnome_read_config(xdm_t)
> + gnome_read_gconf_config(xdm_t)
> gnome_append_gconf_home_files(xdm_t)
> ')


Actually, looking at the above, I am having some suspicion:

1. gnome_append_gconf_home_files(xdm_t) seems redundant since xdm_t is
already allowed to manage gconf home files here:
gnome_manage_gconf_home_files(xdm_t)

2. I strongly suspect that this: gnome_read_config(xdm_t) is wrong and
that it should be removed.

These issues were introduced in 3.7.19-15:

- gnome_read_gconf_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)

The first should not have been removed.
The second makes gnome_append_gconf_home_files(xdm_t) redundant.

> xdm_t read xdm_etc_t link files.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---------------------- policy/modules/services/xserver.te ---------------------
> index 168e133..dd29803 100644
> @@ -409,6 +409,7 @@
>
> allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
>
> +allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;
> read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
>
> manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
05-17-2010, 02:07 PM
Daniel J Walsh

xdm fixes

On 05/15/2010 07:50 AM, Dominick Grift wrote:
> On 05/15/2010 01:25 PM, Dominick Grift wrote:
>> Here are two xdm fixes that I had to apply:
>>
>> Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.
>>
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>> ---------------------- policy/modules/services/xserver.te ---------------------
>> index 65d2018..18aa8ef 100644
>> @@ -722,6 +722,7 @@
>> optional_policy(`
>> gnome_manage_gconf_home_files(xdm_t)
>> gnome_read_config(xdm_t)
>> + gnome_read_gconf_config(xdm_t)
>> gnome_append_gconf_home_files(xdm_t)
>> ')
>
>
> Actually, looking at the above, I am having some suspicion:
>
> 1. gnome_append_gconf_home_files(xdm_t) seems redundant since xdm_t is
> already allowed to manage gconf home files here:
> gnome_manage_gconf_home_files(xdm_t)
>
> 2. I strongly suspect that this: gnome_read_config(xdm_t) is wrong and
> that it should be removed.
>
> These issues were introduced in 3.7.19-15:
>
> - gnome_read_gconf_config(xdm_t)
> + gnome_manage_gconf_home_files(xdm_t)
>
> The first should not have been removed.
> The second makes gnome_append_gconf_home_files(xdm_t) redundant.
>
>> xdm_t read xdm_etc_t link files.
>>
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>> ---------------------- policy/modules/services/xserver.te ---------------------
>> index 168e133..dd29803 100644
>> @@ -409,6 +409,7 @@
>>
>> allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
>>
>> +allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;
>> read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
>>
>> manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
>>
>>
>>
>>
I am nervous about changing this in F13. I will make this change in F14
though.
 
05-17-2010, 02:19 PM
Dominick Grift

xdm fixes

On Mon, May 17, 2010 at 10:07:11AM -0400, Daniel J Walsh wrote:
> On 05/15/2010 07:50 AM, Dominick Grift wrote:
> > On 05/15/2010 01:25 PM, Dominick Grift wrote:
> >> Here are two xdm fixes that I had to apply:
> >>
> >> Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.
> >>
> >> Signed-off-by: Dominick Grift <domg472@gmail.com>
> >> ---------------------- policy/modules/services/xserver.te ---------------------
> >> index 65d2018..18aa8ef 100644
> >> @@ -722,6 +722,7 @@
> >> optional_policy(`
> >> gnome_manage_gconf_home_files(xdm_t)
> >> gnome_read_config(xdm_t)
> >> + gnome_read_gconf_config(xdm_t)
> >> gnome_append_gconf_home_files(xdm_t)
> >> ')
> >
> >
> > Actually, looking at the above, I am having some suspicion:
> >
> > 1. gnome_append_gconf_home_files(xdm_t) seems redundant since xdm_t is
> > already allowed to manage gconf home files here:
> > gnome_manage_gconf_home_files(xdm_t)
> >
> > 2. I strongly suspect that this: gnome_read_config(xdm_t) is wrong and
> > that it should be removed.
> >
> > These issues were introduced in 3.7.19-15:
> >
> > - gnome_read_gconf_config(xdm_t)
> > + gnome_manage_gconf_home_files(xdm_t)
> >
> > The first should not have been removed.
> > The second makes gnome_append_gconf_home_files(xdm_t) redundant.
> >
> >> xdm_t read xdm_etc_t link files.
> >>
> >> Signed-off-by: Dominick Grift <domg472@gmail.com>
> >> ---------------------- policy/modules/services/xserver.te ---------------------
> >> index 168e133..dd29803 100644
> >> @@ -409,6 +409,7 @@
> >>
> >> allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> >>
> >> +allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;
> >> read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
> >>
> >> manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
> >>
> >>
> >>
> >>
> I am nervous about changing this in F13. I will make this change in F14
> though.

I think you removed gnome_read_gconf_config(xdm_t) in -15 and I think at that point the login process broke.
At least it did on my system.

