From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 03 Mar 2011 09:22:57 -0500
Subject: [refpolicy] [PATCH v2 1/1] Without allow siginh, we get a huge timeout wait period (15 seconds)
In-Reply-To: <20110222203039.GA7281@siphos.be>
References: <20110206151633.GA13056@siphos.be> <4D593FB4.5030307@tresys.com> <20110222203039.GA7281@siphos.be>
Message-ID: <4D6FA441.8070206@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 2/22/2011 3:30 PM, Sven Vermeulen wrote:
> Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
> 15-second lag/timeout (needs siginh permission as provided by
> xserver_domtrans).
>
>
> Apparently, the 15-second lag (or some other behavior) was already detected
> in the past, giving rise to the SIGINH permission in the xserver_domtrans()
> interface.
>
> However, domains that are given the xserver_(restricted_)role do not call
> the xserver_domtrans but rather the "standard" domtrans_pattern.
>
> The new patch suggests to use xserver_domtrans in the
> xserver_restricted_role, which automatically includes the siginh permission
> then.

Merged.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/services/xserver.if | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > index da2601a..130ced9 100644 > --- a/policy/modules/services/xserver.if > +++ b/policy/modules/services/xserver.if > @@ -30,7 +30,6 @@ interface(`xserver_restricted_role',` > allow xserver_t $2:fd use; > allow xserver_t $2:shm rw_shm_perms; > > - domtrans_pattern($2, xserver_exec_t, xserver_t) > allow xserver_t $2:process signal; > > allow xserver_t $2:shm rw_shm_perms;
> @@ -96,6 +95,7 @@ interface(`xserver_restricted_role',` > miscfiles_read_fonts($2) > > xserver_common_x_domain_template(user, $2) > + xserver_domtrans($2) > xserver_unconfined($2) > xserver_xsession_entry_type($2) > xserver_dontaudit_write_log($2) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
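
Review bot: In the `@@ -30,7 +30,6 @@` hunk, the context shows `allow xserver_t $2:shm rw_shm_perms;` twice, once two lines above and once two lines below the removed `domtrans_pattern($2, xserver_exec_t, xserver_t)`, so the interface states the same rule twice. Since this block is being edited anyway, drop one copy (here or in a follow-up) so the rules around `allow xserver_t $2:process signal;` list each permission once.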
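
Review bot: In the `@@ -96,6 +95,7 @@` hunk, `xserver_domtrans($2)` is added with no comment recording that it stands in for the plain `domtrans_pattern` call because of siginh, and going by the hunk headers it lands some sixty lines below the `allow xserver_t $2:process signal;` rule the transition used to sit beside. Add a one-line comment above the call naming the siginh requirement and the 15-second startx delay, so a later cleanup does not swap it back. The body of `xserver_domtrans` is not in this diff, so also confirm it grants the restricted role nothing beyond the transition and siginh.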