From: domg472@gmail.com (Dominick Grift)
Date: Fri, 3 Sep 2010 12:53:30 +0200
Subject: [refpolicy] [Xserver 1/1] The xserver module is not in base.
Message-ID: <20100903105326.GA22748@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The xserver module is not in base. That must mean its use is optional. Move all external xserver interface to optional policy blocks.

Signed-off-by: Dominick Grift
---
:100644 100644 5d3d45c... 521f16d... M policy/modules/apps/evolution.te
:100644 100644 cbf4bec... 7266190... M policy/modules/apps/mozilla.te
:100644 100644 815a467... e6dc43a... M policy/modules/apps/mplayer.te
:100644 100644 794c0be... c75a7ce... M policy/modules/apps/thunderbird.te
:100644 100644 1f803bb... 8524075... M policy/modules/apps/vmware.te
:100644 100644 1bdeb16... a4d2bc5... M policy/modules/apps/xscreensaver.te
:100644 100644 0f262a7... ca59bdb... M policy/modules/services/rhgb.te
:100644 100644 e226da4... 5216d19... M policy/modules/services/xserver.te
:100644 100644 8b4f6d8... cf5f157... M policy/modules/system/userdomain.if
 policy/modules/apps/evolution.te | 26 +++++++++++++++++---------
 policy/modules/apps/mozilla.te | 10 ++++++----
 policy/modules/apps/mplayer.te | 6 ++++--
 policy/modules/apps/thunderbird.te | 10 ++++++----
 policy/modules/apps/vmware.te | 4 +++-
 policy/modules/apps/xscreensaver.te | 5 ++++-
 policy/modules/services/rhgb.te | 20 +++++++++++---------
 policy/modules/services/xserver.te | 2 +-
 policy/modules/system/userdomain.if | 30 ++++++++++++++++++------------
 9 files changed, 70 insertions(+), 43 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 5d3d45c..521f16d 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)
 
 mta_read_config(evolution_t)
 
-xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
-xserver_read_xdm_tmp_files(evolution_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(evolution_t)
 	fs_manage_nfs_files(evolution_t)
@@ -340,6 +337,11 @@ optional_policy(`
 	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+	xserver_read_xdm_tmp_files(evolution_t)
+')
+
 ########################################
 #
 # Evolution alarm local policy
@@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
 # until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
 
-xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
-
 # Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(evolution_alarm_t)
@@ -408,6 +408,10 @@ optional_policy(`
 	nscd_socket_use(evolution_alarm_t)
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+')
+
 ########################################
 #
 # Evolution exchange connector local policy
@@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
 # until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
 
-xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
-
 # Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(evolution_exchange_t)
@@ -488,6 +490,10 @@ optional_policy(`
 	nscd_socket_use(evolution_exchange_t)
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+')
+
 ########################################
 #
 # Evolution data server local policy
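Review bot: The new `optional_policy` block wrapping `xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)` turns a hard link-time dependency into a silent one: on a policy built without the xserver module, evolution_t simply stops being an X client and every X access is denied instead of the module failing to link, which is the fail-closed outcome the commit wants but is not obvious from the block itself. If that template declares any per-prefix types or attributes for `evolution` (refpolicy templates frequently do), those declarations also become conditional, and a non-optional rule elsewhere in evolution.te that names one of them would now break only on xserver-less builds; please confirm no such reference exists, here and for the other template moves in this series. A short comment above the block, `# X client access; absent without the xserver module`, would record the intent for the next reader. The same applies to the evolution_alarm and evolution_exchange blocks on this line.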
@@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
 # until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
 
-xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
-
 optional_policy(`
 	nscd_socket_use(evolution_webcal_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cbf4bec..7266190 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)
 
 userdom_use_user_ptys(mozilla_t)
 
-xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
-xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-
 tunable_policy(`allow_execmem',`
 	allow mozilla_t self:process { execmem execstack };
 ')
@@ -266,3 +262,9 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+	xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+	xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 815a467..e6dc43a 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
 userdom_read_user_home_content_symlinks(mplayer_t)
 userdom_write_user_tmp_sockets(mplayer_t)
 
-xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
-
 # Read songs
 ifdef(`enable_mls',`',`
 	fs_search_removable(mplayer_t)
@@ -309,3 +307,7 @@ optional_policy(`
 	pulseaudio_exec(mplayer_t)
 	pulseaudio_stream_connect(mplayer_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 794c0be..c75a7ce 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
 # .kde/....gtkrc
 userdom_read_user_home_content_files(thunderbird_t)
 
-xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
-xserver_read_xdm_tmp_files(thunderbird_t)
-xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-
 # Access ~/.thunderbird
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(thunderbird_t)
@@ -208,3 +204,9 @@ optional_policy(`
 optional_policy(`
 	mozilla_domtrans(thunderbird_t)
 	mozilla_dbus_chat(thunderbird_t)
 ')
+
+optional_policy(`
+	xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+	xserver_read_xdm_tmp_files(thunderbird_t)
+	xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+')
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 1f803bb..8524075 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
 sysnet_dns_name_resolve(vmware_t)
 sysnet_read_config(vmware_t)
 
-xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+optional_policy(`
+	xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+')
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..a4d2bc5 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
 #access to .icons and ~/.xscreensaver
 userdom_read_user_home_content_files(xscreensaver_t)
 
-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
+
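Review bot: The xscreensaver hunk ends with an added empty line after the closing `')` (its +41,7 count only works out with a fourth added line, and the stray trailing `+` is visible), which leaves a trailing blank line at end of file; every other file touched in this patch ends directly on `')`. Drop that last `+` line so the file matches the rest. The thunderbird and vmware hunks on this line need no change: their new blocks sit last in the file, consistent with the alphabetical `optional_policy` ordering used elsewhere in the patch.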
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..ca59bdb 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
 userdom_dontaudit_search_user_home_content(rhgb_t)
 
-xserver_read_tmp_files(rhgb_t)
-xserver_kill(rhgb_t)
-# for running setxkbmap
-xserver_read_xkb_libs(rhgb_t)
-xserver_domtrans(rhgb_t)
-xserver_signal(rhgb_t)
-xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect(rhgb_t)
-
 optional_policy(`
 	consoletype_exec(rhgb_t)
 ')
@@ -135,6 +126,17 @@ optional_policy(`
 	udev_read_db(rhgb_t)
 ')
 
+optional_policy(`
+	xserver_read_tmp_files(rhgb_t)
+	xserver_kill(rhgb_t)
+	# for running setxkbmap
+	xserver_read_xkb_libs(rhgb_t)
+	xserver_domtrans(rhgb_t)
+	xserver_signal(rhgb_t)
+	xserver_read_xdm_tmp_files(rhgb_t)
+	xserver_stream_connect(rhgb_t)
+')
+
 ifdef(`TODO',`
 #this seems a bit much
 allow domain rhgb_devpts_t:chr_file { read write };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e226da4..5216d19 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-# xserver_rw_session_template(xdm,userdomain)
+	# xserver_rw_session_template(xdm,userdomain)
 ',`
 	userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
 	# FIXME:
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8b4f6d8..cf5f157 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
 
-	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
-	xserver_xsession_entry_type($1_t)
-	xserver_dontaudit_write_log($1_t)
-	xserver_stream_connect_xdm($1_t)
-	# certain apps want to read xdm.pid file
-	xserver_read_xdm_pid($1_t)
-	# gnome-session creates socket under /tmp/.ICE-unix/
-	xserver_create_xdm_tmp_sockets($1_t)
-	# Needed for escd, remove if we get escd policy
-	xserver_manage_xdm_tmp_files($1_t)
+	optional_policy(`
+		xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+		xserver_xsession_entry_type($1_t)
+		xserver_dontaudit_write_log($1_t)
+		xserver_stream_connect_xdm($1_t)
+		# certain apps want to read xdm.pid file
+		xserver_read_xdm_pid($1_t)
+		# gnome-session creates socket under /tmp/.ICE-unix/
+		xserver_create_xdm_tmp_sockets($1_t)
+		# Needed for escd, remove if we get escd policy
+		xserver_manage_xdm_tmp_files($1_t)
+	')
 ')
 
 #######################################
@@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
 	logging_send_audit_msgs($1_t)
 	selinux_get_enforce_mode($1_t)
 
-	xserver_restricted_role($1_r, $1_t)
-
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
@@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
 	optional_policy(`
 		setroubleshoot_dontaudit_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		xserver_restricted_role($1_r, $1_t)
+	')
 ')
 
 #######################################
@@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
 	')
 
 	xserver_xsession_spec_domtrans($1, userdomain)
+	allow userdomain $1:fd use;
 	allow userdomain $1:fifo_file rw_file_perms;
 	allow userdomain $1:process sigchld;
 
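Review bot: The added `allow userdomain $1:fd use;` in `userdom_xsession_spec_domtrans_all_users` is a new permission grant that the commit message (moving xserver interface calls into optional_policy blocks) does not cover: the only visible caller passes `xdm_t` (see the xserver.te hunk), so this lets every user domain use file descriptors inherited from the display manager. It looks like the missing first member of the fd/fifo_file/sigchld trio that normally accompanies a domain transition, but that reasoning, and the denial it fixes, belong in the commit message, preferably as a separate commit so the mechanical move stays reviewable on its own. The interface body starts outside this hunk.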
@@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	')
 
 	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+	allow unpriv_userdomain $1:fd use;
 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
 
-- 
1.7.2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/cfc0799d/attachment.bin
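Review bot: `allow unpriv_userdomain $1:fd use;` repeats for unpriv_userdomain the rule added to `userdom_xsession_spec_domtrans_all_users` a few hunks earlier, so both interfaces now carry the same four-line tail differing only in the attribute. If `xserver_xsession_spec_domtrans` is built on a `spec_domtrans_pattern`-style macro that already grants the transitioned domain `fd use`, `fifo_file` and `sigchld` on the caller, these explicit rules are redundant and the new line is a no-op, which is worth checking before adding more of them; if it is not, folding the tail into one helper that takes the attribute as a parameter would keep the two interfaces from drifting. Either way the grant should be called out in the commit message. The interface body starts outside this hunk.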