From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 22 Feb 2011 21:30:39 +0100
Subject: [refpolicy] [PATCH v2 1/1] Without allow siginh,
 we get a huge timeout wait period (15 seconds)
In-Reply-To: <4D593FB4.5030307@tresys.com>
References: <20110206151633.GA13056@siphos.be>
 <4D593FB4.5030307@tresys.com>
Message-ID: <20110222203039.GA7281@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).


Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.

However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.

The new patch suggests to use xserver_domtrans in the
xserver_restricted_role, which automatically includes the siginh permission
then.


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/services/xserver.if |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..130ced9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -30,7 +30,6 @@ interface(`xserver_restricted_role',`
 	allow xserver_t $2:fd use;
 	allow xserver_t $2:shm rw_shm_perms;
 
-	domtrans_pattern($2, xserver_exec_t, xserver_t)
 	allow xserver_t $2:process signal;
 
 	allow xserver_t $2:shm rw_shm_perms;
@@ -96,6 +95,7 @@ interface(`xserver_restricted_role',`
 	miscfiles_read_fonts($2)
 
 	xserver_common_x_domain_template(user, $2)
+	xserver_domtrans($2)
 	xserver_unconfined($2)
 	xserver_xsession_entry_type($2)
 	xserver_dontaudit_write_log($2)
-- 
1.7.3.4