From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 14 Oct 2009 08:53:02 -0400 Subject: [refpolicy] [PATCH 1/6] Add separate x_pointer and x_keyboard classes inheriting from x_device. In-Reply-To: <4AD528EF.7070901@tycho.nsa.gov> References: <4AD52806.1040604@tycho.nsa.gov> <4AD528EF.7070901@tycho.nsa.gov> Message-ID: <1255524782.9995.55.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2009-10-13 at 21:27 -0400, Eamon Walsh wrote: > Add separate x_pointer and x_keyboard classes inheriting from > x_device. > > This is needed to allow more fine-grained control over X devices > without > using different types. Using different types is problematic because > devices act as subjects in the X Flask implementation, and subjects > cannot be labeled through a type transition (since the output role is > hardcoded to object_r). Merged. > Signed-off-by: Eamon Walsh > --- > policy/flask/access_vectors | 55 > +++++++++++++++++++++++++--------------- > policy/flask/security_classes | 4 +++ > 2 files changed, 38 insertions(+), 21 deletions(-) > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index 3998b77..6620e4c 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -94,6 +94,33 @@ common database > } > > # > +# Define a common prefix for pointer and keyboard access vectors. > +# > + > +common x_device > +{ > + getattr > + setattr > + use > + read > + write > + getfocus > + setfocus > + bell > + force_cursor > + freeze > + grab > + manage > + list_property > + get_property > + set_property > + add > + remove > + create > + destroy > +} > + > +# > # Define the access vectors. > # > # class class_name [ inherits common_name ] { permission_name ... } 
> @@ -525,27 +552,7 @@ class x_client > } > > class x_device > -{ > - getattr > - setattr > - use > - read > - write > - getfocus > - setfocus > - bell > - force_cursor > - freeze > - grab > - manage > - list_property > - get_property > - set_property > - add > - remove > - create > - destroy > -} > +inherits x_device > > class x_server > { > @@ -802,3 +809,9 @@ class kernel_service > > class tun_socket > inherits socket > + > +class x_pointer > +inherits x_device > + > +class x_keyboard > +inherits x_device > diff --git a/policy/flask/security_classes > b/policy/flask/security_classes > index 2bd1bf6..fa65db2 100644 > --- a/policy/flask/security_classes > +++ b/policy/flask/security_classes > @@ -121,4 +121,8 @@ class kernel_service > > class tun_socket > > +# Still More SE-X Windows stuff > +class x_pointer # userspace > +class x_keyboard # userspace > + > # FLASK > -- > 1.6.5.rc2 > > > > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
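Review bot: the header comment on the new `common x_device` block ("Define a common prefix for pointer and keyboard access vectors") is incomplete, since the very next hunk makes `class x_device` itself inherit it as well; say so in the comment ("shared by the x_device, x_pointer and x_keyboard classes"). Reusing the name `x_device` for both the common and the class is legal (commons and classes are separate namespaces in the flask files) but `class x_device` / `inherits x_device` reads like a self-reference; either give the common a distinct name or add a one-line comment at the class saying it inherits the common of the same name.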
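Review bot: the 19 permissions removed from `class x_device` (getattr through destroy) are exactly the 19 now carried by the common, so no existing `x_device` rule loses a permission or gains one; the commit message should state that this is a pure refactor of x_device with no access-vector change, since that is the first thing anyone bisecting a denial will want to know.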
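Review bot: the `security_classes` hunk tags `x_pointer` and `x_keyboard` only as "# userspace" under a placeholder comment ("Still More SE-X Windows stuff"); replace that with something that tells the reader what they are and who enforces them, e.g. "X input device classes (pointer, keyboard), enforced by the X server object manager", matching the explanation in the commit message. Appending both classes at the end of `security_classes` and `access_vectors` is the right placement, since class values are assigned in declaration order and appending keeps the numbers of all existing classes unchanged.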
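The patch relies on two constructs of the flask `access_vectors` syntax: a `common` block that names a reusable permission set, and `class ... inherits` that pulls that set into a class. The following is an added example, not code from refpolicy or from the patch, that parses exactly those two forms and resolves each class to its full permission list, so one can confirm that `x_pointer`, `x_keyboard` and the refactored `x_device` end up with the identical 19 permissions. The sample input is constructed from the hunk above; the class `x_extra`, with an own permission `record`, is hypothetical and only there to exercise the "inherits plus own block" case.

```python
"""Resolve the permission set of each Flask class declared in an
access_vectors file, following `common` definitions and `inherits`.

Added example, not code from refpolicy or the patch under review. The
parser covers only the two syntactic forms the patch uses:

    common <name> { perm ... }
    class <name> [inherits <common>] [{ perm ... }]

SAMPLE is constructed from the access_vectors hunk (x_device as a
common, x_device/x_pointer/x_keyboard as classes); x_extra is a
hypothetical class added to show a class with its own extra permission.
"""
import re

# Constructed sample input (comments use the file's own '#' syntax).
SAMPLE = """
# Define a common prefix for pointer and keyboard access vectors.
common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

class x_device
inherits x_device

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

# hypothetical: a class adding its own permission on top of the common
class x_extra
inherits x_device
{
	record
}
"""

_TOKEN = re.compile(r"\{|\}|[^\s{}]+")


def _tokens(text):
    """Yield words and braces, dropping '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for tok in _TOKEN.findall(line):
            yield tok


def _read_block(toks, i):
    """Read '{ perm ... }' starting at toks[i]; return (perms, next index)."""
    if toks[i] != "{":
        raise ValueError("expected '{'")
    i += 1
    perms = []
    while toks[i] != "}":
        perms.append(toks[i])
        i += 1
    return perms, i + 1


def parse_access_vectors(text):
    """Return (commons, classes), each mapping name -> ordered permission list.

    A class's list is its inherited common's permissions followed by its
    own block, if any. Referencing an undefined common is an error, as
    checkpolicy would reject it.
    """
    toks = list(_tokens(text))
    commons, classes = {}, {}
    i = 0
    while i < len(toks):
        kw = toks[i]
        if kw == "common":
            name = toks[i + 1]
            perms, i = _read_block(toks, i + 2)
            commons[name] = perms
        elif kw == "class":
            name = toks[i + 1]
            i += 2
            perms = []
            if i < len(toks) and toks[i] == "inherits":
                base = toks[i + 1]
                if base not in commons:
                    raise ValueError(f"class {name} inherits unknown common {base}")
                perms.extend(commons[base])
                i += 2
            if i < len(toks) and toks[i] == "{":
                own, i = _read_block(toks, i)
                perms.extend(own)
            classes[name] = perms
        else:
            raise ValueError(f"unexpected token {kw!r}")
    return commons, classes


def resolve(text=SAMPLE):
    """Parse text and return the class -> permissions table."""
    _, classes = parse_access_vectors(text)
    return classes


if __name__ == "__main__":
    for cls, perms in resolve().items():
        print(f"{cls}: {len(perms)} permissions: {' '.join(perms)}")
```

Running it on the sample shows the three X classes resolving to the same 19 permissions; the same parser pointed at the real `policy/flask/access_vectors` is a quick way to check, after a refactor like this one, that no class silently lost a permission.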