--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
05-15-2010, 11:50 AM
Dominick Grift
xdm fixes
On 05/15/2010 01:25 PM, Dominick Grift wrote:
> Here are two xdm fixes that I had to apply:
>
> Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---------------------- policy/modules/services/xserver.te ---------------------
> index 65d2018..18aa8ef 100644
> @@ -722,6 +722,7 @@
> optional_policy(`
> gnome_manage_gconf_home_files(xdm_t)
> gnome_read_config(xdm_t)
> + gnome_read_gconf_config(xdm_t)
> gnome_append_gconf_home_files(xdm_t)
> ')
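Review bot: the commit message names gconf_etc_t but quotes no AVC denial, so it is not possible to confirm from the patch that gnome_read_gconf_config(xdm_t) is the narrowest interface that satisfies the gconf sanity check; please include the denial in the message. In the same optional_policy block, the added line sits directly under gnome_read_config(xdm_t), and the block ends with gnome_append_gconf_home_files(xdm_t) although gnome_manage_gconf_home_files(xdm_t) is already granted at the top of it. If the append call is covered by the manage call and the broader read is no longer needed once the gconf_etc_t read is in place, dropping them here would keep xdm_t closer to least privilege.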
Actually, looking at the above, I am having some suspicion:
1. gnome_append_gconf_home_files(xdm_t) seems redundant since xdm_t is
already allowed to manage gconf home files here:
gnome_manage_gconf_home_files(xdm_t)
2. I strongly suspect that this: gnome_read_config(xdm_t) is wrong and
that it should be removed.
05-17-2010, 02:07 PM
Daniel J Walsh
xdm fixes
On 05/15/2010 07:50 AM, Dominick Grift wrote:
> On 05/15/2010 01:25 PM, Dominick Grift wrote:
>> Here are two xdm fixes that I had to apply:
>>
>> Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.
>>
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>> ---------------------- policy/modules/services/xserver.te ---------------------
>> index 65d2018..18aa8ef 100644
>> @@ -722,6 +722,7 @@
>> optional_policy(`
>> gnome_manage_gconf_home_files(xdm_t)
>> gnome_read_config(xdm_t)
>> + gnome_read_gconf_config(xdm_t)
>> gnome_append_gconf_home_files(xdm_t)
>> ')
>
>
> Actually, looking at the above, I am having some suspicion:
>
> 1. gnome_append_gconf_home_files(xdm_t) seems redundant since xdm_t is
> already allowed to manage gconf home files here:
> gnome_manage_gconf_home_files(xdm_t)
>
> 2. I strongly suspect that this: gnome_read_config(xdm_t) is wrong and
> that it should be removed.
>
> These issues were introduced in 3.7.19-15:
>
> - gnome_read_gconf_config(xdm_t)
> + gnome_manage_gconf_home_files(xdm_t)
>
> The first should not have been removed.
> The second makes gnome_append_gconf_home_files(xdm_t) redundant.
>
>> xdm_t read xdm_etc_t link files.
>>
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>> ---------------------- policy/modules/services/xserver.te ---------------------
>> index 168e133..dd29803 100644
>> @@ -409,6 +409,7 @@
>>
>> allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
>>
>> +allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;
>> read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
>>
>> manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
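Review bot: the added raw rule "allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;" is placed immediately above read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t), so for consistency with the neighbouring pattern macros consider read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) placed after the read_files_pattern line instead. The commit message also does not say which symlink labelled xdm_etc_t is being read or what fails without the rule; adding the denial would let a reviewer confirm that read access on lnk_file is all that is required.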
I am nervous about changing this in F13. I will make this change in F14
though.