Re: MLS Now working in Fedora 12/RHEL6 in Full Desktop mode.

On 03/05/2010 06:32 PM, Daniel J Walsh wrote:
> selinux-policy-3.6.32-99.fc12 on Fedora 12

Should users be able to login using gdm/gui if they are not assigned a
default level of s0?

semanage login -m -s user_u -r s1-s1 joe

I could not get that to work.

Also attached is a modification that I implemented to get MLS to "work"
on previous f13 policy versions:


## <summary>Window manager.</summary>

########################################
## <summary>
##	Role access for Window manager.
## </summary>
## <param name="role prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`mlswm_role',`
	gen_require(`
		type $1_wm_t, $1_dbusd_t, xserver_t, root_xdrawable_t;
		class x_drawable { read manage show setattr };
		class x_resource { write };
		class x_keyboard { manage freeze };
		class x_screen { setattr };
	')

	allow $3 $1_wm_t:process signal;
	allow $3 $1_wm_t:unix_stream_socket connectto;

	allow $1_wm_t self:process signal;
	allow $1_wm_t $1_dbusd_t:unix_stream_socket connectto;

	allow $3 $1_wm_t:x_drawable { read setattr };
	allow $3 $1_wm_t:x_resource write;

	allow $1_wm_t root_xdrawable_t:x_drawable manage;
	allow $1_wm_t $3:x_drawable { read manage setattr show };
	allow $1_wm_t $3:x_resource write;
	allow $1_wm_t xserver_t:x_keyboard { manage freeze };
	allow $1_wm_t xserver_t:x_screen setattr;
')

policy_module(mlswm, 1.0.0)
# optional_policy(`
gen_require(`
	type staff_t, xdm_var_lib_t, root_xdrawable_t, xdm_t, xserver_t;
	role staff_r;
	class x_drawable { read write add_child };
	class x_client { destroy };
	class x_resource { write };
	class x_keyboard { read manage };
	class x_pointer { get_property manage set_property list_property };
	class x_screen { saver_setattr };
	class x_server { manage };
')

allow staff_t xdm_var_lib_t:file { read open };

allow staff_t root_xdrawable_t:x_drawable write;
allow staff_t xdm_t:x_client destroy;
allow staff_t xdm_t:x_drawable { read add_child };
allow staff_t xdm_t:x_resource write;
allow staff_t xserver_t:x_keyboard { read manage };
allow staff_t xserver_t:x_pointer { get_property manage set_property list_property };
allow staff_t xserver_t:x_screen saver_setattr;
allow staff_t xserver_t:x_server manage;

mlswm_role(staff, staff_r, staff_t)
# ')
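An added example, not part of the original message or of the policy attachment above: a small Python audit that parses `semanage login -l` style output and lists the logins whose MLS range does not include the default level s0, which is the situation the question about the `s1-s1` mapping asks about. The listing is constructed, and the three-column output format of that era is an assumption.

```python
import re

# Constructed sample of `semanage login -l` output (assumed three-column
# format of the Fedora 12 era); not captured from the poster's system.
SAMPLE_LISTING = """\
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
joe                       user_u                    s1-s1
root                      unconfined_u              s0-s0:c0.c1023
alice                     staff_u                   s0-s2:c0.c1023
"""

_LEVEL_RE = re.compile(r"^s(\d+)(?::.*)?$")


def sensitivity(level):
    """Return the numeric sensitivity of a level such as 's0' or 's1:c0.c3'."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise ValueError("not an MLS level: %r" % level)
    return int(m.group(1))


def range_bounds(mls_range):
    """Split 'low-high' (or a single 'low') into numeric sensitivities."""
    low, _, high = mls_range.partition("-")
    lo = sensitivity(low)
    hi = sensitivity(high) if high else lo
    if hi < lo:
        raise ValueError("high sensitivity below low in %r" % mls_range)
    return lo, hi


def range_covers_level(mls_range, level="s0"):
    """True if the sensitivity of `level` lies within the login's range."""
    lo, hi = range_bounds(mls_range)
    return lo <= sensitivity(level) <= hi


def parse_login_listing(text):
    """Yield (login, seuser, range) tuples, skipping the header and blanks."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Login":
            continue
        yield fields[0], fields[1], fields[2]


def logins_not_covering(text, level="s0"):
    """Logins whose MLS range excludes `level`, e.g. the s1-s1 mapping."""
    return [(login, seuser, rng) for login, seuser, rng in parse_login_listing(text)
            if not range_covers_level(rng, level)]
```

Run against real `semanage login -l` output, the result is the list of mappings that cannot be assigned a default level of s0 at login.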
