From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 28 Oct 2009 09:57:25 -0400
Subject: [refpolicy] [PATCH 0/3] Updated X object manager policy -v2:
	Intro
In-Reply-To: <4AE7A702.60309@tycho.nsa.gov>
References: <4AE7A702.60309@tycho.nsa.gov>
Message-ID: <1256738245.6392.53.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-10-27 at 22:05 -0400, Eamon Walsh wrote:
> This patch series is an updated policy for the X server object manager.  
> This is the policy that I was running in Portland for my various demos. 
> It includes new x_pointer/x_keyboard classes, unconfined-by-default 
> user types, and other changes.  The only thing missing here is updated 
> mls constraints; I am still working on those.
> 
> The 3 patches here are NOT independent and breakage will probably 
> result if only some of them are applied.  I only broke them up in an 
> attempt to make it easier to review the changes.
> 
> This is also available in a git tree at 
> git://anongit.freedesktop.org/~ewalsh/refpolicy (branch "master"), for 
> ease of pulling.

This looks ok.  I have this in a branch in my local repo for now, as I
have a couple minor questions/issues:

1) +xserver_object_types_template(root)

Is this for the root window?

2) The aliases that were removed need to be restored, and updated for
the removals this patchset.

3) I'd like to try to find a better name for "xserver_unprotected", if
possible.

Additional patches can be made on top of these.

> Changes from -v1:
> 
> Dropped the x_keyboard/x_pointer object class patch (already pushed).
> 
> Dropped the patch making system_dbusd_t and consolekit_t unconfined.
> This is so the focus is only on the changes to the xserver module.
> 
> No changes to the existing xserver_role and xserver_restricted_role
> interfaces.  The existing UBAC-based controls have been restored.
> 
> Removed an apostrophe in a comment that was causing m4 errors.
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150