From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 28 Aug 2009 13:40:36 -0400
Subject: [refpolicy] [PATCH] remove deprecated xserver interface
In-Reply-To: <4A943548.8020900@tycho.nsa.gov>
References: <4A943548.8020900@tycho.nsa.gov>
Message-ID: <1251481236.8357.121.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Tue, 2009-08-25 at 15:02 -0400, Eamon Walsh wrote:
> Index: policy/modules/apps/wireshark.te
> ===================================================================
> --- policy/modules/apps/wireshark.te (revision 3012)
> +++ policy/modules/apps/wireshark.te (working copy)
> @@ -119,6 +119,6 @@
> ')
>
> optional_policy(`
> - xserver_user_client(wireshark_t, wireshark_tmpfs_t)
> + xserver_user_x_domain_template(wireshark, wireshark_t,
> wireshark_tmpfs_t)
> xserver_create_xdm_tmp_sockets(wireshark_t)
> ')
Merged this.
> Index: policy/modules/services/xserver.if
> ===================================================================
> --- policy/modules/services/xserver.if (revision 3012)
> +++ policy/modules/services/xserver.if (working copy)
> @@ -193,65 +193,6 @@
>
> #######################################
> ##
> -## Create full client sessions
> -## on a user X server.
> -##
> -##
> -##
> -## Domain allowed access.
> -##
> -##
> -##
> -##
> -## The type of the domain SYSV tmpfs files.
> -##
> -##
> -#
> -interface(`xserver_user_client',`
> -# refpolicywarn(`$0() has been deprecated, please use
> xserver_user_x_domain_template instead.')
Kept the interface, in case an external module calls it. Uncommented
the warning.
> - gen_require(`
> - type xdm_t, xdm_tmp_t;
> - type xauth_home_t, iceauth_home_t, xserver_t,
> xserver_tmpfs_t;
> - ')
> -
> - allow $1 self:shm create_shm_perms;
> - allow $1 self:unix_dgram_socket create_socket_perms;
> - allow $1 self:unix_stream_socket { connectto
> create_stream_socket_perms };
> -
> - # Read .Xauthority file
> - allow $1 xauth_home_t:file { getattr read };
> - allow $1 iceauth_home_t:file { getattr read };
> -
> - # for when /tmp/.X11-unix is created by the system
> - allow $1 xdm_t:fd use;
> - allow $1 xdm_t:fifo_file { getattr read write ioctl };
> - allow $1 xdm_tmp_t:dir search;
> - allow $1 xdm_tmp_t:sock_file { read write };
> - dontaudit $1 xdm_t:tcp_socket { read write };
> -
> - # Allow connections to X server.
> - files_search_tmp($1)
> -
> - miscfiles_read_fonts($1)
> -
> - userdom_search_user_home_dirs($1)
> - # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($1)
> -
> - xserver_ro_session($1,$2)
> - xserver_use_user_fonts($1)
> -
> - xserver_read_xdm_tmp_files($1)
> -
> - # Client write xserver shm
> - tunable_policy(`allow_write_xshm',`
> - allow $1 xserver_t:shm rw_shm_perms;
> - allow $1 xserver_tmpfs_t:file rw_file_perms;
> - ')
> -')
> -
> -#######################################
> -##
> ## Interface to provide X object permissions on a given X server
> to
> ## an X client domain. Provides the minimal set required by a
> basic
> ## X client application.
> Index: policy/modules/system/userdomain.if
> ===================================================================
> --- policy/modules/system/userdomain.if (revision 3012)
> +++ policy/modules/system/userdomain.if (working copy)
> @@ -438,7 +438,7 @@
> # GNOME checks for usb and other devices:
> dev_rw_usbfs($1_t)
>
> - xserver_user_client($1_t, user_tmpfs_t)
> + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> xserver_xsession_entry_type($1_t)
> xserver_dontaudit_write_log($1_t)
> xserver_stream_connect_xdm($1_t)
Merged this.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150