From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 28 Oct 2009 09:57:25 -0400
Subject: [refpolicy] [PATCH 0/3] Updated X object manager policy -v2: Intro
In-Reply-To: <4AE7A702.60309@tycho.nsa.gov>
References: <4AE7A702.60309@tycho.nsa.gov>
Message-ID: <1256738245.6392.53.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-10-27 at 22:05 -0400, Eamon Walsh wrote:
> This patch series is an updated policy for the X server object manager.
> This is the policy that I was running in Portland for my various demos.
> It includes new x_pointer/x_keyboard classes, unconfined-by-default
> user types, and other changes. The only thing missing here is updated
> mls constraints; I am still working on those.
>
> The 3 patches here are NOT independent and breakage will probably
> result if only some of them are applied. I only broke them up in an
> attempt to make it easier to review the changes.
>
> This is also available in a git tree at
> git://anongit.freedesktop.org/~ewalsh/refpolicy (branch "master"), for
> ease of pulling.

This looks ok. I have this in a branch in my local repo for now, as I
have a couple minor questions/issues:

1) +xserver_object_types_template(root)

Is this for the root window?

2) The aliases that were removed need to be restored, and updated for
the removals in this patchset.

3) I'd like to try to find a better name for "xserver_unprotected", if
possible.

Additional patches can be made on top of these.

> Changes from -v1:
>
> Dropped the x_keyboard/x_pointer object class patch (already pushed).
>
> Dropped the patch making system_dbusd_t and consolekit_t unconfined.
> This is so the focus is only on the changes to the xserver module.
>
> No changes to the existing xserver_role and xserver_restricted_role
> interfaces. The existing UBAC-based controls have been restored.
>
> Removed an apostrophe in a comment that was causing m4 errors.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150