[refpolicy] [PATCH 3/6] Make consolekit_t and system_dbusd_t unconfined in X.
Eamon Walsh
ewalsh at tycho.nsa.gov
Tue Oct 13 20:29:21 CDT 2009
Make consolekit_t and system_dbusd_t unconfined in X.
Both of these types have been observed trying to touch the user's X
display, one example being through /usr/libexec/ck-get-x11-server-pid
and /usr/libexec/ck-get-x11-display-device.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
---
policy/modules/services/consolekit.te | 1 +
policy/modules/services/dbus.te | 2 ++
2 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 1ead55d..4f9b992 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -108,6 +108,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
+ xserver_unconfined(consolekit_t)
corenet_tcp_connect_xserver_port(consolekit_t)
')
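Review bot: the added xserver_unconfined(consolekit_t) line has no record of which X accesses were actually denied, so there is no way to judge whether making consolekit_t unconfined in X is the smallest grant that fixes the problem. The commit message names only the two helpers, /usr/libexec/ck-get-x11-server-pid and /usr/libexec/ck-get-x11-display-device, as "one example". Please include the denials seen (object class and permission) in the commit message and add a comment above the new line saying why the existing xserver_read_xdm_pid and xserver_read_user_xauth calls in this block are not sufficient. If the helpers only query the server, a narrower interface would be preferable to unconfined access for a system service.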
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index aa857cb..f60e1f1 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -135,6 +135,8 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+xserver_unconfined(system_dbusd_t)
+
optional_policy(`
bind_domtrans(system_dbusd_t)
')
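Review bot: xserver_unconfined(system_dbusd_t) is added at the top level of dbus.te, whereas the same call in consolekit.te sits inside an optional_policy block. Placed here it makes the dbus module depend unconditionally on the xserver module; wrapping it in its own optional_policy block would match the consolekit.te hunk and keep dbus buildable without xserver. The commit message also gives no example for system_dbusd_t (both paths cited are ConsoleKit helpers), so please state what the system bus daemon was observed doing on the X display before granting it unconfined X access.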
--
1.6.5.rc2