From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 14 Sep 2012 11:01:41 +0200
Subject: [refpolicy] [PATCH] Related to RedHats' system-setup-keyboard daemon
In-Reply-To: <1347612970-20153-1-git-send-email-dominick.grift@gmail.com>
References: <1347612970-20153-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <1347613301.2915.34.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

xorg.conf keyboard layout callout

I am not sure whether this is the right place to put this keyboard daemon policy. Fedora has it in a separate keyboardd module.

However, this daemon seems pretty specific to Xorg, since its sole purpose is: "to monitor the keyboard layout configured in /etc/sysconfig/keyboard and transfer this into the matching xorg.conf.d snippet."

If this is not an optimal place, I will be happy to put it elsewhere.

On Fri, 2012-09-14 at 10:56 +0200, Dominick Grift wrote:
> Signed-off-by: Dominick Grift > diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc > index c2c6e05..e424022 100644 > --- a/policy/modules/kernel/files.fc > +++ b/policy/modules/kernel/files.fc > @@ -72,6 +72,8 @@ > /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) > /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) > > +/etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) > + > ifdef(`distro_gentoo', ` > /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) > /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc > index be8f670..f6cfdb4 100644 > --- a/policy/modules/services/xserver.fc > +++ b/policy/modules/services/xserver.fc 
> @@ -61,6 +61,7 @@ > /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) > /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) > /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) > +/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0) > /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) > /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) > /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index 2f4ba59..b40ea98 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -132,6 +132,10 @@ > typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; > userdom_user_home_content(iceauth_home_t) > > +type keyboardd_t; > +type keyboardd_exec_t; > +init_daemon_domain(keyboardd_t, keyboardd_exec_t) > + > type xauth_t; > type xauth_exec_t; > typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; > @@ -244,6 +248,21 @@ > > ######################################## > # > +# keyboardd local policy > +# > + > +allow keyboardd_t self:fifo_file rw_fifo_file_perms; > +allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; > + > +files_manage_etc_runtime_files(keyboardd_t) > +files_etc_filetrans_etc_runtime(keyboardd_t, file) > + > +files_read_etc_files(keyboardd_t) > + > +miscfiles_read_localization(keyboardd_t) > + > +######################################## > +# > # Xauth local policy > # >
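
Review bot: In the policy/modules/kernel/files.fc hunk, the new /etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf entry sits in the unconditional part of the file, directly above the ifdef(`distro_gentoo', ...) block, although the subject line describes the daemon as Red Hat specific. Consider wrapping the entry in a distro_redhat ifdef, and add a one-line comment naming the daemon that writes the file so the reason for the etc_runtime_t label stays traceable.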
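
Review bot: In the policy/modules/services/xserver.fc hunk, /usr/bin/system-setup-keyboard is inserted between /usr/bin/iceauth and /usr/bin/slim, which breaks the alphabetical order the surrounding /usr/bin entries follow. Move the line below /usr/bin/slim.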
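
Review bot: In the xserver.te hunk at @@ -132,6 +132,10 @@, keyboardd_t and keyboardd_exec_t are declared inside the xserver module while the cover note says Fedora carries this daemon in a separate keyboardd module. If that module declares the same type names, it cannot be loaded alongside this xserver module, so the placement question raised in the cover note should be settled before merging. A short comment above the declarations saying which daemon the domain is for would also help, since nothing in the hunk ties keyboardd_t to system-setup-keyboard.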
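
Review bot: In the keyboardd local policy hunk, files_manage_etc_runtime_files(keyboardd_t) applies to every file labeled etc_runtime_t, not only the one snippet this daemon writes; per the files.fc hunk that label is also used for /etc/sysconfig/iptables\.save and /etc/sysconfig/firstboot. A dedicated type for 00-system-setup-keyboard.conf, with the manage access and the file transition scoped to that type, would keep the domain to the single purpose quoted in the cover note. The self:fifo_file and self:unix_stream_socket rules should carry a comment saying what in the daemon needs them.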