2012-09-14 08:56:10

by dominick.grift

Subject: [refpolicy] [PATCH] Related to RedHats' system-setup-keyboard daemon


Signed-off-by: Dominick Grift <[email protected]>
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c2c6e05..e424022 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -72,6 +72,8 @@
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)

+/etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
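Review bot: The new `00-system-setup-keyboard\.conf` entry labels an X server configuration snippet `etc_runtime_t`, the same shared type the context lines above give `/etc/sysconfig/iptables\.save` and `/etc/sysconfig/firstboot`. Every domain the policy already allows to write `etc_runtime_t` files would then be able to alter configuration that the X server reads at startup, which is presumably wider than intended. A type owned by the daemon's module would keep write access to the snippet limited to that daemon, for example `gen_context(system_u:object_r:keyboardd_conf_t,s0)`, where `keyboardd_conf_t` is a suggested name only. The entry would then belong in that module's `.fc` file rather than in `files.fc`.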
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index be8f670..f6cfdb4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -61,6 +61,7 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2f4ba59..b40ea98 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -132,6 +132,10 @@
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
userdom_user_home_content(iceauth_home_t)

+type keyboardd_t;
+type keyboardd_exec_t;
+init_daemon_domain(keyboardd_t, keyboardd_exec_t)
+
type xauth_t;
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
@@ -244,6 +248,21 @@

########################################
#
+# keyboardd local policy
+#
+
+allow keyboardd_t self:fifo_file rw_fifo_file_perms;
+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
+
+files_manage_etc_runtime_files(keyboardd_t)
+files_etc_filetrans_etc_runtime(keyboardd_t, file)
+
+files_read_etc_files(keyboardd_t)
+
+miscfiles_read_localization(keyboardd_t)
+
+########################################
+#
# Xauth local policy
#
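Review bot: `files_manage_etc_runtime_files(keyboardd_t)` gives the daemon manage access to every `etc_runtime_t` file rather than only the one snippet it generates. The unnamed `files_etc_filetrans_etc_runtime(keyboardd_t, file)` transition likewise applies to any file it creates in an `etc_t` directory. Going by the files.fc hunk of this patch, the writable set includes `/etc/sysconfig/iptables\.save`. A private type for the generated file would confine the daemon's write access to its own output; the sketch below uses `keyboardd_conf_t` as a suggested name only and assumes the `xorg.conf.d` directory is labelled `etc_t`, which is not visible here. The Xauth section that follows the added lines continues outside the hunk.

```selinux
# declarations, next to keyboardd_exec_t
type keyboardd_conf_t;
files_type(keyboardd_conf_t)

# keyboardd local policy
# … unchanged: self:fifo_file and self:unix_stream_socket rules …
allow keyboardd_t keyboardd_conf_t:file manage_file_perms;
files_etc_filetrans(keyboardd_t, keyboardd_conf_t, file)
# … unchanged: files_read_etc_files, miscfiles_read_localization …
```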



2012-09-14 09:01:41

by dominick.grift

Subject: [refpolicy] [PATCH] Related to RedHats' system-setup-keyboard daemon

xorg.conf keyboard layout callout

I am not sure whether this is the right place to put this keyboard
daemon policy.

Fedora has it in a separate keyboardd module

However this daemon seems pretty specific to Xorg since its sole purpose
is:

"to monitor the keyboard layout configured in
/etc/sysconfig/keyboard and transfer this into the matching xorg.conf.d
snippet."

If this is not an optimal place, I will be happy to put it elsewhere.

On Fri, 2012-09-14 at 10:56 +0200, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index c2c6e05..e424022 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -72,6 +72,8 @@
> /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> +/etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +
> ifdef(`distro_gentoo', `
> /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index be8f670..f6cfdb4 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -61,6 +61,7 @@
> /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
> +/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
> /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
> /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 2f4ba59..b40ea98 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -132,6 +132,10 @@
> typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
> userdom_user_home_content(iceauth_home_t)
>
> +type keyboardd_t;
> +type keyboardd_exec_t;
> +init_daemon_domain(keyboardd_t, keyboardd_exec_t)
> +
> type xauth_t;
> type xauth_exec_t;
> typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
> @@ -244,6 +248,21 @@
>
> ########################################
> #
> +# keyboardd local policy
> +#
> +
> +allow keyboardd_t self:fifo_file rw_fifo_file_perms;
> +allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
> +
> +files_manage_etc_runtime_files(keyboardd_t)
> +files_etc_filetrans_etc_runtime(keyboardd_t, file)
> +
> +files_read_etc_files(keyboardd_t)
> +
> +miscfiles_read_localization(keyboardd_t)
> +
> +########################################
> +#
> # Xauth local policy
> #
>

2012-09-17 15:28:15

by cpebenito

Subject: [refpolicy] [PATCH] Related to RedHats' system-setup-keyboard daemon

On 09/14/12 05:01, Dominick Grift wrote:
> xorg.conf keyboard layout callout
>
> I am not sure whether this is the right place to put this keyboard
> daemon policy.
>
> Fedora has it in a separate keyboardd module
>
> However this daemon seems pretty specific to Xorg since its sole purpose
> is:
>
> "to monitor the keyboard layout configured in
> /etc/sysconfig/keyboard and transfer this into the matching xorg.conf.d
> snippet."
>
> If this is not an optimal place i will be happy to put it elsewhere

Is this a Fedora-specific service (it appears to be, based on the file contexts)? If so, I think it makes more sense for it to be in a separate module.

> On Fri, 2012-09-14 at 10:56 +0200, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift <[email protected]>
>> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
>> index c2c6e05..e424022 100644
>> --- a/policy/modules/kernel/files.fc
>> +++ b/policy/modules/kernel/files.fc
>> @@ -72,6 +72,8 @@
>> /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
>> /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
>>
>> +/etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
>> +
>> ifdef(`distro_gentoo', `
>> /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
>> /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
>> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
>> index be8f670..f6cfdb4 100644
>> --- a/policy/modules/services/xserver.fc
>> +++ b/policy/modules/services/xserver.fc
>> @@ -61,6 +61,7 @@
>> /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
>> /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
>> /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
>> +/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
>> /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
>> /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
>> /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
>> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
>> index 2f4ba59..b40ea98 100644
>> --- a/policy/modules/services/xserver.te
>> +++ b/policy/modules/services/xserver.te
>> @@ -132,6 +132,10 @@
>> typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
>> userdom_user_home_content(iceauth_home_t)
>>
>> +type keyboardd_t;
>> +type keyboardd_exec_t;
>> +init_daemon_domain(keyboardd_t, keyboardd_exec_t)
>> +
>> type xauth_t;
>> type xauth_exec_t;
>> typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
>> @@ -244,6 +248,21 @@
>>
>> ########################################
>> #
>> +# keyboardd local policy
>> +#
>> +
>> +allow keyboardd_t self:fifo_file rw_fifo_file_perms;
>> +allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +files_manage_etc_runtime_files(keyboardd_t)
>> +files_etc_filetrans_etc_runtime(keyboardd_t, file)
>> +
>> +files_read_etc_files(keyboardd_t)
>> +
>> +miscfiles_read_localization(keyboardd_t)
>> +
>> +########################################
>> +#
>> # Xauth local policy
>> #
>>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com