From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Fri, 30 Oct 2009 19:13:02 -0400
Subject: [refpolicy] [PATCH] make consolekit_t a confined X client
Message-ID: <4AEB72FE.60803@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Note: I don't know what to put for the third argument to xserver_user_x_domain_template.
tmpfs_t?  user_tmpfs_t?  Why does this template have a tmpfs argument anyway?


commit fa343fbf30f96528e06a1b487dfef5e808f3b68b
Author: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date:   Fri Oct 30 18:47:17 2009 -0400

    Make consolekit_t a confined X user.
    
    The program /usr/libexec/ck-get-x11-server-pid connects to the
    X server after a user login.  The program itself doesn't do
    anything except call getpeercred(), however Xlib helpfully
    creates some objects and reads properties in XOpenDisplay().
    
    TODO: Fix consolekit to use libxcb instead...
    
    Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 1ead55d..ba53a09 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -108,6 +108,7 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(consolekit_t)
 	xserver_read_user_xauth(consolekit_t)
+	xserver_user_x_domain_template(consolekit, consolekit_t, tmpfs_t)
 	corenet_tcp_connect_xserver_port(consolekit_t)
 ')
 



-- 

Eamon Walsh 
National Security Agency