From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 02 Nov 2009 11:29:59 -0500
Subject: [refpolicy] [PATCH] make consolekit_t a confined X client
In-Reply-To: <1257170929.17520.20.camel@gorn.columbia.tresys.com>
References: <4AEB72FE.60803@tycho.nsa.gov>
	<1257170929.17520.20.camel@gorn.columbia.tresys.com>
Message-ID: <4AEF0907.1040806@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/02/2009 09:08 AM, Christopher J. PeBenito wrote:
> On Fri, 2009-10-30 at 19:13 -0400, Eamon Walsh wrote:
>> Note: I don't know what to put for the third argument to xserver_user_x_domain_template.
>> tmpfs_t? user_tmpfs_t? Why does this template have a tmpfs argument anyway?
>
> It's designed for full X apps that use the display for their tmpfs type
> used for the shm. Does consolekit need a subset of what's in
> xserver_user_x_domain_template?
>
>> commit fa343fbf30f96528e06a1b487dfef5e808f3b68b
>> Author: Eamon Walsh
>> Date: Fri Oct 30 18:47:17 2009 -0400
>>
>> Make consolekit_t a confined X user.
>>
>> The program /usr/libexec/ck-get-x11-server-pid connects to the
>> X server after a user login. The program itself doesn't do
>> anything except call getpeercred(), however Xlib helpfully
>> creates some objects and reads properties in XOpenDisplay().
>>
>> TODO: Fix consolekit to use libxcb instead...
>>
>> Signed-off-by: Eamon Walsh
>>
>> diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
>> index 1ead55d..ba53a09 100644
>> --- a/policy/modules/services/consolekit.te
>> +++ b/policy/modules/services/consolekit.te
>> @@ -108,6 +108,7 @@ optional_policy(`
>> optional_policy(`
>> xserver_read_xdm_pid(consolekit_t)
>> xserver_read_user_xauth(consolekit_t)
>> + xserver_user_x_domain_template(consolekit, consolekit_t, tmpfs_t)
>> corenet_tcp_connect_xserver_port(consolekit_t)
>> ')
>>
>

I think there should be an interface called xserver_common_app() which just takes the type, no setting up random tmpfs or random template types. Too complicated for any policy writer to understand.
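Review bot: the third argument passed to xserver_user_x_domain_template in this hunk is the generic tmpfs_t, which according to the reply above is the type the template uses for the domain's X shared memory; handing it the generic tmpfs type means any shm the template sets up for consolekit_t gets no domain-specific label, and the submitter's own note says the value was a guess. Either declare a dedicated tmpfs type for consolekit_t before calling the template, or, if ck-get-x11-server-pid only needs to connect and survive XOpenDisplay(), replace the added line with a narrower interface that takes only consolekit_t, as suggested in the reply; in both cases the choice should be stated in the commit message rather than left as an open question.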
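What a single-argument interface along the lines proposed in the reply could look like, as an added sketch that is not part of this thread or of refpolicy. The interface name xserver_common_app, its intended placement in xserver.if, and the specific rule set are assumptions; the helper interfaces it calls (xserver_stream_connect, xserver_read_user_xauth, corenet_tcp_connect_xserver_port) and the types root_xdrawable_t, xproperty_t and std_xext_t are assumed to exist with their usual refpolicy meaning, and the X object permissions listed for XOpenDisplay() are a starting point to be confirmed against AVC denials for the actual client, not a vetted minimum.

```m4
########################################
## <summary>
##	Allow a domain to act as a minimal X client: connect to the X server
##	and perform what XOpenDisplay() does, with no per-domain tmpfs type.
##	(Added example; name and rule set are assumptions, not refpolicy's.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_common_app',`
	gen_require(`
		type xserver_t, root_xdrawable_t, xproperty_t, std_xext_t;
		class x_server getattr;
		class x_screen getattr;
		class x_extension { query use };
		class x_drawable { getattr list_property get_property };
		class x_property { read getattr };
		class x_client getattr;
		class x_gc { create setattr destroy };
	')

	# Reach the server: unix socket in /tmp, TCP port, and the user's
	# xauth cookie (existing refpolicy interfaces, assumed available).
	xserver_stream_connect($1)
	xserver_read_user_xauth($1)
	corenet_tcp_connect_xserver_port($1)

	# Connection setup and what Xlib does inside XOpenDisplay(): query
	# extensions, read root window properties (e.g. RESOURCE_MANAGER),
	# create a default GC per screen. ASSUMPTION: illustrative set only;
	# confirm against audit logs before relying on it.
	allow $1 xserver_t:x_server getattr;
	allow $1 xserver_t:x_screen getattr;
	allow $1 std_xext_t:x_extension { query use };
	allow $1 root_xdrawable_t:x_drawable { getattr list_property get_property };
	allow $1 xproperty_t:x_property { read getattr };
	allow $1 self:x_client getattr;
	allow $1 self:x_gc { create setattr destroy };
')

# Caller side, in consolekit.te, replacing the template call from the
# patch: one argument, no tmpfs type to choose.
#
#	optional_policy(`
#		xserver_common_app(consolekit_t)
#	')
```

The point of the shape is that the caller supplies only the domain: no prefix, no tmpfs type, and no derived types created behind the caller's back. Any shm handling a full X application needs stays in the existing template, which remains available for domains that actually use MIT-SHM.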