From: ewalsh@tycho.nsa.gov (Eamon Walsh) Date: Tue, 13 Oct 2009 21:29:21 -0400 Subject: [refpolicy] [PATCH 3/6] Make consolekit_t and system_dbusd_t unconfined in X. In-Reply-To: <4AD52806.1040604@tycho.nsa.gov> References: <4AD52806.1040604@tycho.nsa.gov> Message-ID: <4AD52971.9080408@tycho.nsa.gov> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Make consolekit_t and system_dbusd_t unconfined in X. Both of these types have been observed trying to touch the user's X display, one example being through /usr/libexec/ck-get-x11-server-pid and /usr/libexec/ck-get-x11-display-device. Signed-off-by: Eamon Walsh --- policy/modules/services/consolekit.te | 1 + policy/modules/services/dbus.te | 2 ++ 2 files changed, 3 insertions(+), 0 deletions(-) diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index 1ead55d..4f9b992 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -108,6 +108,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) + xserver_unconfined(consolekit_t) corenet_tcp_connect_xserver_port(consolekit_t) ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index aa857cb..f60e1f1 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -135,6 +135,8 @@ seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) +xserver_unconfined(system_dbusd_t) + optional_policy(` bind_domtrans(system_dbusd_t) ') -- 1.6.5.rc2
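Review bot: In the consolekit.te hunk, `xserver_unconfined(consolekit_t)` is added with no comment saying why the domain needs full X access, and the commit message cites only /usr/libexec/ck-get-x11-server-pid and /usr/libexec/ck-get-x11-display-device as "one example". Please add a comment above the new line naming the helpers that triggered the denials, and state in the commit message which X permissions were actually denied, so a later reviewer can judge whether a narrower xserver interface would cover them. The neighbouring `xserver_read_xdm_pid` and `xserver_read_user_xauth` calls show this block was previously granting specific accesses, so the jump to unconfined deserves a recorded justification.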
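Review bot: In the dbus.te hunk, `xserver_unconfined(system_dbusd_t)` is placed at the top level of the file, after the `userdom_dontaudit_*` calls, rather than inside an `optional_policy` block. The consolekit.te hunk in this same patch puts its call inside `optional_policy(`, and the very next statement in dbus.te wraps `bind_domtrans(system_dbusd_t)` the same way, so the unguarded call makes dbus.te depend on the xserver module being present. Suggest wrapping it in its own `optional_policy` block. The commit message also gives no observed access for system_dbusd_t (both named helpers are ConsoleKit's), so the denial that motivated this line should be described there or in a comment.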