From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 16 Jul 2013 09:16:00 -0400 Subject: [refpolicy] x_keyboard/x_pointer MLS constraints Message-ID: <51E54790.40700@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I was reviewing the policy, when I noticed that there were no MLS constraints for the x_keyboard and x_pointer classes. Is there any reason not to add these constraints (which are copied from x_device):
diff --git a/policy/mls b/policy/mls
index d218387..f11e5e2 100644
--- a/policy/mls
+++ b/policy/mls
@@ -666,6 +666,42 @@ mlsconstrain x_application_data { paste_after_confirm }
 ( l1 dom l2 );
+#
+# MLS policy for the x_pointer class
+#
+
+# the x_pointer "read" ops
+mlsconstrain x_pointer { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_pointer "write" ops (implicit single level)
+mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_keyboard class
+#
+
+# the x_keyboard "read" ops
+mlsconstrain x_keyboard { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_keyboard "write" ops (implicit single level)
+mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
 #
 # MLS policy for the dbus class
--
Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
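Review bot: The exemption clauses `( t1 == mlsxwinread )` and `( t1 == mlsxwinreadtoclr )` in the new x_keyboard and x_pointer read constraints cover `read` and `grab`, so every type that already carries those attributes would pass the MLS check for reading or grabbing input devices at levels it does not dominate; the write blocks do the same for `freeze`, `force_cursor` and `setfocus` through `mlsxwinwritexinput` and `mlsxwinwrite`. Those attributes were presumably handed out with the existing X classes in mind, so the set of types holding them is worth checking before this is merged, and a comment such as `# NOTE: mlsxwinread/mlsxwinreadtoclr also exempt keyboard and pointer read/grab` above each read block would record the decision. The two added sections are identical to each other and, per the description, to the x_device section (which lies outside this hunk and cannot be compared here), so a class set, `mlsconstrain { x_device x_pointer x_keyboard } { getattr use read getfocus grab }`, would keep the three copies from drifting apart.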