From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Thu, 29 Oct 2009 18:57:38 -0400
Subject: [refpolicy] [PATCH 0/3] Updated X object manager policy -v2: Intro
In-Reply-To: <1256738245.6392.53.camel@gorn.columbia.tresys.com>
References: <4AE7A702.60309@tycho.nsa.gov> <1256738245.6392.53.camel@gorn.columbia.tresys.com>
Message-ID: <4AEA1DE2.9000400@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/28/2009 09:57 AM, Christopher J. PeBenito wrote:
> On Tue, 2009-10-27 at 22:05 -0400, Eamon Walsh wrote:
>
>> This patch series is an updated policy for the X server object manager.
>> This is the policy that I was running in Portland for my various demos.
>> It includes new x_pointer/x_keyboard classes, unconfined-by-default
>> user types, and other changes. The only thing missing here is updated
>> mls constraints; I am still working on those.
>>
>> The 3 patches here are NOT independent and breakage will probably
>> result if only some of them are applied. I only broke them up in an
>> attempt to make it easier to review the changes.
>>
>> This is also available in a git tree at
>> git://anongit.freedesktop.org/~ewalsh/refpolicy (branch "master"), for
>> ease of pulling.
>>
> This looks ok. I have this in a branch in my local repo for now, as I
> have a couple minor questions/issues:
>
> 1) +xserver_object_types_template(root)
>
> Is this for the root window?
>

It defines the root_input_xevent_t type that is used for input events sent to the root window (if no other window has focus). This is new; before this patchset they were just labeled generic "input_xevent_t." If other derived event types are reintroduced they will go in that template as well, so calling it will define root_* variants that can be used.

> 2) The aliases that were removed need to be restored, and updated for
> the removals in this patchset.
>

Are you referring to the type aliases here? What needs to be updated?

> 3) I'd like to try to find a better name for "xserver_unprotected", if
> possible.
>

Let's just drop this interface (attached patch). I'm not seeing the AVCs that motivated this anymore, probably because the default user types are X unconfined. If they show up again I can resubmit this.

> Additional patches can be made on top of these.
>

-- 
Eamon Walsh
National Security Agency

-------------- next part --------------
A non-text attachment was scrubbed...
Name: remove_unprotected.patch
Type: text/x-patch
Size: 2782 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091029/311777f1/attachment.bin