xdm fixes

Dominick Grift domg472 at gmail.com
Mon May 17 14:19:42 UTC 2010


On Mon, May 17, 2010 at 10:07:11AM -0400, Daniel J Walsh wrote:
> On 05/15/2010 07:50 AM, Dominick Grift wrote:
> > On 05/15/2010 01:25 PM, Dominick Grift wrote:
> >> Here are two xdm fixes that I had to apply:
> >>
> >> Allow xdm_t to read gconf_etc_t else gconf sanity check fails and gnome power manager fails.
> >>
> >> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> >> ---------------------- policy/modules/services/xserver.te ---------------------
> >> index 65d2018..18aa8ef 100644
> >> @@ -722,6 +722,7 @@
> >>  optional_policy(`
> >>  	gnome_manage_gconf_home_files(xdm_t)
> >>  	gnome_read_config(xdm_t)
> >> +	gnome_read_gconf_config(xdm_t)
> >>  	gnome_append_gconf_home_files(xdm_t)
> >>  ')
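
Review bot: In the optional_policy block at line 722, gnome_append_gconf_home_files(xdm_t) is left in place directly below gnome_manage_gconf_home_files(xdm_t) while the new gnome_read_gconf_config(xdm_t) call is added; if manage already includes append on those files, the append call can be dropped in the same patch so the block lists only the access xdm_t needs. The commit message would also be easier to verify if it quoted the AVC denial on gconf_etc_t that the gconf sanity check produces.
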
> > 
> > 
> > Actually looking at the above I am having some suspicion:
> > 
> > 1. gnome_append_gconf_home_files(xdm_t) seems redundant since xdm_t is
> > already allowed to manage gconf home files here:
> > gnome_manage_gconf_home_files(xdm_t)
> > 
> > 2. I strongly suspect that this: gnome_read_config(xdm_t) is wrong and
> > that it should be removed.
> > 
> > These issues were introduced in 3.7.19-15:
> > 
> > -	gnome_read_gconf_config(xdm_t)
> > +	gnome_manage_gconf_home_files(xdm_t)
> > 
> > The first should not have been removed.
> > The second makes gnome_append_gconf_home_files(xdm_t) redundant.
> > 
> >> xdm_t read xdm_etc_t link files.
> >>
> >> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> >> ---------------------- policy/modules/services/xserver.te ---------------------
> >> index 168e133..dd29803 100644
> >> @@ -409,6 +409,7 @@
> >>  
> >>  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> >>  
> >> +allow xdm_t xdm_etc_t:lnk_file read_lnk_file_perms;
> >>  read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
> >>  
> >>  manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
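
Review bot: The added line at 412 is a raw allow rule, while the xdm_etc_t file access directly below it uses read_files_pattern; read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) would express the same symlink read in that style and could sit after the read_files_pattern line. The commit message should also name the symlink labeled xdm_etc_t that xdm_t needs to read, so the grant can be checked against a real denial.
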
> 
> I am nervous about changing this in F13.  I will make this change in F14
> though.

I think you removed gnome_read_gconf_config(xdm_t) in -15 and I think at that point the login process broke.
At least it did on my system.

