From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 02 Nov 2009 09:08:49 -0500
Subject: [refpolicy] [PATCH] make consolekit_t a confined X client
In-Reply-To: <4AEB72FE.60803@tycho.nsa.gov>
References: <4AEB72FE.60803@tycho.nsa.gov>
Message-ID: <1257170929.17520.20.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-10-30 at 19:13 -0400, Eamon Walsh wrote:
> Note: I don't know what to put for the third argument to xserver_user_x_domain_template.
> tmpfs_t? user_tmpfs_t? Why does this template have a tmpfs argument anyway?

It's designed for full X apps that use the display for their tmpfs type used for the shm. Does consolekit need a subset of what's in xserver_user_x_domain_template?

> commit fa343fbf30f96528e06a1b487dfef5e808f3b68b
> Author: Eamon Walsh
> Date: Fri Oct 30 18:47:17 2009 -0400
>
> Make consolekit_t a confined X user.
>
> The program /usr/libexec/ck-get-x11-server-pid connects to the
> X server after a user login. The program itself doesn't do
> anything except call getpeercred(), however Xlib helpfully
> creates some objects and reads properties in XOpenDisplay().
>
> TODO: Fix consolekit to use libxcb instead...
>
> Signed-off-by: Eamon Walsh
>
> diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te > index 1ead55d..ba53a09 100644 > --- a/policy/modules/services/consolekit.te > +++ b/policy/modules/services/consolekit.te > @@ -108,6 +108,7 @@ optional_policy(` > optional_policy(` > xserver_read_xdm_pid(consolekit_t) > xserver_read_user_xauth(consolekit_t) > + xserver_user_x_domain_template(consolekit, consolekit_t, tmpfs_t) > corenet_tcp_connect_xserver_port(consolekit_t) > ') > > > >

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
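
Review bot: On the added `xserver_user_x_domain_template(consolekit, consolekit_t, tmpfs_t)` line, the third argument is still an open question in the submission itself (tmpfs_t or user_tmpfs_t), and the template is aimed at full X applications, while the commit message says ck-get-x11-server-pid only connects, calls getpeercred(), and has Xlib create some objects and read properties in XOpenDisplay(). I would first settle which X permissions consolekit_t actually needs and grant only that subset rather than the whole template. A comment above the call naming /usr/libexec/ck-get-x11-server-pid and the libxcb TODO would also make it clear why the rule exists and when it can be dropped.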