fixed policy for xscreensaver with opengl

2020-05-23 09:39:34 +02:00 · 2020-05-23 09:39:34 +02:00 · 32adc20d89
commit 32adc20d89
parent 10d3b4d1fb
1 changed files with 10 additions and 20 deletions
--- a/sec-policy/selinux-feffe-policies/files/feffe.te
+++ b/sec-policy/selinux-feffe-policies/files/feffe.te
@ -59,30 +59,26 @@ tunable_policy(`feffe_use_xdm',`
  allow system_dbusd_t self:netlink_kobject_uevent_socket {create setopt bind getattr read};
 ')

-
-gen_tunable(feffe_xscreensaver_read_home, false)
-tunable_policy(`feffe_xscreensaver_read_home',`
+gen_tunable(feffe_xscreensaver_gl, false)
+tunable_policy(`feffe_xscreensaver_gl',`
  gen_require(`
-    attribute user_home_content_type;
    attribute non_security_file_type;
+    attribute user_home_content_type;

-    type user_t;
-    type xscreensaver_helper_t;
    type xscreensaver_t;
+    type xscreensaver_helper_exec_t;
+    type xscreensaver_helper_t;
    type xdm_t;
    type lib_t;
    type tmpfs_t;
    type bin_t;
-    type xscreensaver_helper_exec_t;
-    type fs_t;
    type xserver_t;
  ')
+  read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
  dev_rw_dri(xscreensaver_helper_t)
  dev_rw_dri(xscreensaver_t)
  allow xscreensaver_helper_t xdm_t:fd use;
-  search_dirs_pattern(xscreensaver_helper_t, home_root_t, user_home_dir_t)
-  list_dirs_pattern(xscreensaver_helper_t, user_home_dir_t, user_home_t)
-  read_files_pattern(xscreensaver_helper_t, user_home_t, user_home_t)
+  allow xscreensaver_helper_t xserver_t:fd use;
  exec_files_pattern(xscreensaver_t, lib_t, lib_t)
  dev_read_sysfs(xscreensaver_t)
  xserver_rw_mesa_shader_cache(xscreensaver_t)
@ -93,15 +89,9 @@ tunable_policy(`feffe_xscreensaver_read_home',`
  exec_files_pattern(xscreensaver_helper_t, xscreensaver_helper_exec_t, xscreensaver_helper_exec_t)
  exec_files_pattern(xscreensaver_helper_t, bin_t, bin_t)
  allow xscreensaver_helper_t self:unix_stream_socket { create getattr connect write read shutdown };
-  read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
-
-  allow xscreensaver_t fs_t:filesystem getattr;
  xdg_manage_cache(xscreensaver_helper_t)

-  dontaudit xscreensaver_helper_t non_security_file_type:file map;
-  dontaudit xscreensaver_helper_t non_security_file_type:dir search;
-  dontaudit xscreensaver_helper_t xserver_t:fd use;
-  dontaudit xscreensaver_t self:process execmem;
-  dontaudit xscreensaver_t user_home_content_type:dir search;
+  dontaudit xscreensaver_helper_t non_security_file_type:filesystem getattr;
+  dontaudit xscreensaver_helper_t non_security_file_type:dir { getattr search };
+  dontaudit xscreensaver_helper_t non_security_file_type:{fifo_file file} {getattr read map};
 ')
-