From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 28 Aug 2009 13:40:36 -0400 Subject: [refpolicy] [PATCH] remove deprecated xserver interface In-Reply-To: <4A943548.8020900@tycho.nsa.gov> References: <4A943548.8020900@tycho.nsa.gov> Message-ID: <1251481236.8357.121.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2009-08-25 at 15:02 -0400, Eamon Walsh wrote: > Index: policy/modules/apps/wireshark.te > =================================================================== > --- policy/modules/apps/wireshark.te (revision 3012) > +++ policy/modules/apps/wireshark.te (working copy) > @@ -119,6 +119,6 @@ > ') > > optional_policy(` > - xserver_user_client(wireshark_t, wireshark_tmpfs_t) > + xserver_user_x_domain_template(wireshark, wireshark_t, > wireshark_tmpfs_t) > xserver_create_xdm_tmp_sockets(wireshark_t) > ') Merged this. > Index: policy/modules/services/xserver.if > =================================================================== > --- policy/modules/services/xserver.if (revision 3012) > +++ policy/modules/services/xserver.if (working copy) 
> @@ -193,65 +193,6 @@ > > ####################################### > ## > -## Create full client sessions > -## on a user X server. > -## > -## > -## > -## Domain allowed access. > -## > -## > -## > -## > -## The type of the domain SYSV tmpfs files. > -## > -## > -# > -interface(`xserver_user_client',` > -# refpolicywarn(`$0() has been deprecated, please use > xserver_user_x_domain_template instead.') Kept the interface, in case an external module calls it. Uncommented the warning. > - gen_require(` > - type xdm_t, xdm_tmp_t; > - type xauth_home_t, iceauth_home_t, xserver_t, > xserver_tmpfs_t; > - ') > - > - allow $1 self:shm create_shm_perms; > - allow $1 self:unix_dgram_socket create_socket_perms; > - allow $1 self:unix_stream_socket { connectto > create_stream_socket_perms }; > - > - # Read .Xauthority file > - allow $1 xauth_home_t:file { getattr read }; > - allow $1 iceauth_home_t:file { getattr read }; > - > - # for when /tmp/.X11-unix is created by the system > - allow $1 xdm_t:fd use; > - allow $1 xdm_t:fifo_file { getattr read write ioctl }; > - allow $1 xdm_tmp_t:dir search; > - allow $1 xdm_tmp_t:sock_file { read write }; > - dontaudit $1 xdm_t:tcp_socket { read write }; > - > - # Allow connections to X server. > - files_search_tmp($1) > - > - miscfiles_read_fonts($1) > - > - userdom_search_user_home_dirs($1) > - # for .xsession-errors > - userdom_dontaudit_write_user_home_content_files($1) > - > - xserver_ro_session($1,$2) > - xserver_use_user_fonts($1) > - > - xserver_read_xdm_tmp_files($1) > - > - # Client write xserver shm > - tunable_policy(`allow_write_xshm',` > - allow $1 xserver_t:shm rw_shm_perms; > - allow $1 xserver_tmpfs_t:file rw_file_perms; > - ') > -') > - > -####################################### > -## > ## Interface to provide X object permissions on a given X server > to > ## an X client domain. Provides the minimal set required by a > basic > ## X client application. 
> Index: policy/modules/system/userdomain.if > =================================================================== > --- policy/modules/system/userdomain.if (revision 3012) > +++ policy/modules/system/userdomain.if (working copy) > @@ -438,7 +438,7 @@ > # GNOME checks for usb and other devices: > dev_rw_usbfs($1_t) > > - xserver_user_client($1_t, user_tmpfs_t) > + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) > xserver_xsession_entry_type($1_t) > xserver_dontaudit_write_log($1_t) > xserver_stream_connect_xdm($1_t) Merged this. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
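Review bot: In the policy/modules/apps/wireshark.te hunk, the new call `xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)` is not argument-compatible with the `xserver_user_client(wireshark_t, wireshark_tmpfs_t)` it replaces. It gains a leading prefix argument, and nothing in the patch shows that the template grants what the removed interface body granted (the xauth_home_t and iceauth_home_t reads, the xdm_tmp_t socket access, the allow_write_xshm tunable block). The change description should say whether the swap is permission-equivalent for wireshark_t or list what differs, so a reader can tell a refactor from a policy change.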
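Review bot: In the policy/modules/services/xserver.if hunk, the deleted `xserver_user_client` interface carried its deprecation notice only as a commented-out line (`# refpolicywarn(...)`), so callers were never warned at build time before the interface is removed. Keep the interface for a deprecation period with the refpolicywarn enabled. The message should also mention that xserver_user_x_domain_template takes an additional leading prefix argument, since the other two hunks show the replacement is not a drop-in rename.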
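Review bot: In the policy/modules/system/userdomain.if hunk, `xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)` passes the `$1` prefix together with the shared `user_tmpfs_t`, whereas the wireshark call uses one prefix for all three arguments. Because this line sits in code parameterised on `$1`, add a comment stating that mixing the per-caller prefix with the common tmpfs type is intended, and confirm that whatever the template derives from the prefix cannot collide between different values of `$1`.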