Xserver: Removed rules that allowed xdm_t to use systemd_logind
authorDominick Grift <domg472@gmail.com>
Fri, 15 Jul 2011 17:33:40 +0000 (19:33 +0200)
committerDominick Grift <domg472@gmail.com>
Fri, 15 Jul 2011 17:33:40 +0000 (19:33 +0200)
/run/systemd/sessions/.* fifo_file descriptor, as that access is now
added to auth_login_pgm_domain (which xdm is)

The following calls in auth_login_pgm_domain are optional (you may be
using upstart or sysvinit or whatever and may not have the systemd module
installed)

systemd_use_fds_logind($1)
systemd_write_inherited_logind_sessions_pipes($1)

policy/modules/services/xserver.te
policy/modules/system/authlogin.if

index 05598abc8e5e0d739c911805ee94376b19890010..bc547bf52d07639cd94bc34b8bc0090790d06470 100644 (file)
@@ -879,11 +879,6 @@ optional_policy(`
        shutdown_domtrans(xdm_t)
 ')
 
-optional_policy(`
-       systemd_use_fds_logind(xdm_t)
-       systemd_write_inherited_logind_sessions_pipes(xdm_t)
-')
-
 optional_policy(`
        udev_read_db(xdm_t)
 ')
index c53dcd9dafe5613a76dd9953cf399086a5ee991e..66248040305dda973d63617339ec50ae83e928f5 100644 (file)
@@ -171,9 +171,6 @@ interface(`auth_login_pgm_domain',`
        seutil_read_config($1)
        seutil_read_default_contexts($1)
 
-       systemd_use_fds_logind($1)
-       systemd_write_inherited_logind_sessions_pipes($1)
-
        userdom_set_rlimitnh($1)
        userdom_read_user_home_content_symlinks($1)
        userdom_delete_user_tmp_files($1)
@@ -214,6 +211,11 @@ interface(`auth_login_pgm_domain',`
                ssh_read_user_home_files($1)
                userdom_read_user_home_content_files($1)
        ')
+
+       optional_policy(`
+               systemd_use_fds_logind($1)
+               systemd_write_inherited_logind_sessions_pipes($1)
+       ')
 ')
 
 ########################################
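Review bot: The new `optional_policy` block at the end of `auth_login_pgm_domain` has no comment, so a reader cannot tell that it is optional only because the systemd module may be absent. It also grants logind fd use and writes to inherited session pipes to every domain passed as `$1`, not only xdm_t. I would put a line above it such as `# logind session tracking for all login programs; the systemd module may not be installed`. Because the xserver.te hunk drops the xdm_t-specific rules, xdm_t now gets this access only through this interface, and the call from xserver.te is not visible in this diff, so it is worth confirming before merge. The interface body begins outside the hunk.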