selinux-policy/suse_modifications_xserver.patch

Index: serefpolicy-20140730/policy/modules/services/xserver.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.fc
+++ serefpolicy-20140730/policy/modules/services/xserver.fc
@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /usr/bin/Xvnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
+#/usr/lib/gdm/.* 	-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/X11/display-manager	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
Index: serefpolicy-20140730/policy/modules/services/xserver.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.te
+++ serefpolicy-20140730/policy/modules/services/xserver.te
@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
 	allow xdm_t self:process { execheap execmem };
 ')
 
+ifndef(`distro_suse',`
+	# this is a neverallow, maybe dontaudit it
+	#allow xdm_t proc_kcore_t:file getattr;
+	allow xdm_t var_run_t:lnk_file create;
+	allow xdm_t var_lib_t:lnk_file read;
+
+	dev_getattr_all_blk_files( xdm_t )
+	dev_getattr_all_chr_files( xdm_t )
+	logging_r_xconsole(xdm_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_exec_nfs_files(xdm_t)
 ')
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=68 2018-11-27 10:16:35 +01:00			`Index: serefpolicy-20140730/policy/modules/services/xserver.fc`
			`===================================================================`
			`--- serefpolicy-20140730.orig/policy/modules/services/xserver.fc`
			`+++ serefpolicy-20140730/policy/modules/services/xserver.fc`
			`@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.* -- gen_context(system_`
			`/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)`
			`/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)`

			`+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)`
			`+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)`
			`+`
			`/usr/lib/qt-./etc/settings(/.)? gen_context(system_u:object_r:xdm_var_run_t,s0)`

			`/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)`
			`Index: serefpolicy-20140730/policy/modules/services/xserver.te`
			`===================================================================`
			`--- serefpolicy-20140730.orig/policy/modules/services/xserver.te`
			`+++ serefpolicy-20140730/policy/modules/services/xserver.te`
			@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
			`allow xdm_t self:process { execheap execmem };`
			`')`

			+ifndef(`distro_suse',`
			`+ # this is a neverallow, maybe dontaudit it`
			`+ #allow xdm_t proc_kcore_t:file getattr;`
			`+ allow xdm_t var_run_t:lnk_file create;`
			`+ allow xdm_t var_lib_t:lnk_file read;`
			`+`
			`+ dev_getattr_all_blk_files( xdm_t )`
			`+ dev_getattr_all_chr_files( xdm_t )`
			`+ logging_r_xconsole(xdm_t)`
			`+')`
			`+`
			tunable_policy(`use_nfs_home_dirs',`
			`fs_exec_nfs_files(xdm_t)`
			`')`