From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Tue, 13 Oct 2009 21:29:21 -0400
Subject: [refpolicy] [PATCH 3/6] Make consolekit_t and system_dbusd_t
	unconfined in X.
In-Reply-To: <4AD52806.1040604@tycho.nsa.gov>
References: <4AD52806.1040604@tycho.nsa.gov>
Message-ID: <4AD52971.9080408@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Make consolekit_t and system_dbusd_t unconfined in X.

Both of these types have been observed trying to touch the user's X
display, one example being through /usr/libexec/ck-get-x11-server-pid
and /usr/libexec/ck-get-x11-display-device.

Signed-off-by: Eamon Walsh<ewalsh@tycho.nsa.gov>
---
  policy/modules/services/consolekit.te |    1 +
  policy/modules/services/dbus.te       |    2 ++
  2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 1ead55d..4f9b992 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -108,6 +108,7 @@ optional_policy(`
  optional_policy(`
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
+	xserver_unconfined(consolekit_t)
  	corenet_tcp_connect_xserver_port(consolekit_t)
  ')

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index aa857cb..f60e1f1 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -135,6 +135,8 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)

+xserver_unconfined(system_dbusd_t)
+
  optional_policy(`
  	bind_domtrans(system_dbusd_t)
  ')
-- 
1.6.5.rc2