From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 22 Feb 2011 21:30:39 +0100 Subject: [refpolicy] [PATCH v2 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds) In-Reply-To: <4D593FB4.5030307@tresys.com> References: <20110206151633.GA13056@siphos.be> <4D593FB4.5030307@tresys.com> Message-ID: <20110222203039.GA7281@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes 15-second lag/timeout (needs siginh permission as provided by xserver_domtrans). Apparently, the 15-second lag (or some other behavior) was already detected in the past, giving rise to the SIGINH permission in the xserver_domtrans() interface. However, domains that are given the xserver_(restricted_)role do not call the xserver_domtrans but rather the "standard" domtrans_pattern. The new patch suggests to use xserver_domtrans in the xserver_restricted_role, which automatically includes the siginh permission then. Signed-off-by: Sven Vermeulen --- policy/modules/services/xserver.if | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index da2601a..130ced9 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -30,7 +30,6 @@ interface(`xserver_restricted_role',` allow xserver_t $2:fd use; allow xserver_t $2:shm rw_shm_perms; - domtrans_pattern($2, xserver_exec_t, xserver_t) allow xserver_t $2:process signal; allow xserver_t $2:shm rw_shm_perms; @@ -96,6 +95,7 @@ interface(`xserver_restricted_role',` miscfiles_read_fonts($2) xserver_common_x_domain_template(user, $2) + xserver_domtrans($2) xserver_unconfined($2) xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) -- 1.7.3.4
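
Review bot: In the first hunk (@@ -30,7 +30,6 @@), the context lines show "allow xserver_t $2:shm rw_shm_perms;" twice, once above the removed domtrans_pattern line and once after "allow xserver_t $2:process signal;". The second copy is redundant and could be dropped here or in a follow-up, since this region is being touched anyway. Separately, removing domtrans_pattern($2, xserver_exec_t, xserver_t) only keeps the role working if xserver_domtrans provides the same transition into xserver_t. The commit message mentions only the siginh permission, so it should state that explicitly.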
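
Review bot: The added "xserver_domtrans($2)" line in the second hunk (@@ -96,6 +95,7 @@) carries no comment saying it is used in place of a plain domtrans_pattern because of the siginh permission, so a later cleanup could swap it back and reintroduce the 15-second timeout. A one-line comment above the call would prevent that. The commit message also leaves the cause open ("or some other behavior"). Because this change applies to every domain given xserver_restricted_role, it would help to quote the denial seen without siginh. The subject line could also describe the change itself (use xserver_domtrans in xserver_restricted_role) rather than the symptom.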