From: ewalsh@tycho.nsa.gov (Eamon Walsh) Date: Fri, 30 Oct 2009 19:13:02 -0400 Subject: [refpolicy] [PATCH] make consolekit_t a confined X client Message-ID: <4AEB72FE.60803@tycho.nsa.gov> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Note: I don't know what to put for the third argument to xserver_user_x_domain_template. tmpfs_t? user_tmpfs_t? Why does this template have a tmpfs argument anyway? commit fa343fbf30f96528e06a1b487dfef5e808f3b68b Author: Eamon Walsh Date: Fri Oct 30 18:47:17 2009 -0400 Make consolekit_t a confined X user. The program /usr/libexec/ck-get-x11-server-pid connects to the X server after a user login. The program itself doesn't do anything except call getpeercred(), however Xlib helpfully creates some objects and reads properties in XOpenDisplay(). TODO: Fix consolekit to use libxcb instead... Signed-off-by: Eamon Walsh diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index 1ead55d..ba53a09 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -108,6 +108,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) + xserver_user_x_domain_template(consolekit, consolekit_t, tmpfs_t) corenet_tcp_connect_xserver_port(consolekit_t) ') -- Eamon Walsh National Security Agency
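Review bot: The third argument on the added line, `xserver_user_x_domain_template(consolekit, consolekit_t, tmpfs_t)`, is still the open question from the cover note, and as posted it is the generic `tmpfs_t` rather than a type owned by consolekit. Whatever the template grants on that argument would then apply to objects carrying the generic label, not only to consolekit's own. This should be settled before merging: either pass a consolekit-private tmpfs type, or confirm what the template does with the argument and record that in the commit message. The commit message says ck-get-x11-server-pid only calls getpeercred() and that the extra X access comes from XOpenDisplay(). A short policy comment above the call, stating why consolekit_t needs the full X client template and carrying the libxcb TODO, would make it easier to narrow or drop the rule later.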