From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 14 Aug 2016 14:24:12 -0400 Subject: [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module In-Reply-To: <1471098223.21480.19.camel@trentalancia.net> References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/13/16 10:23, Guido Trentalancia wrote: > Update for the xserver module: > > - updated the file contexts for the Xsession script; > - created an interface for chatting over dbus with > xdm; > - added permission to chat over dbus with colord. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/services/xserver.fc | 1 + > policy/modules/services/xserver.if | 21 +++++++++++++++++++++ > policy/modules/services/xserver.te | 4 ++++ > 3 files changed, 26 insertions(+) > > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc 2016-08-06 21:26:43.295774282 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.fc 2016-08-13 16:20:35.731361535 +0200 > @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > /usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) > /usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) > /usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) > +/usr/lib/X11/xdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) > > /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) > > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-13 15:01:34.028150851 +0200 
> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## > +## Send and receive messages from > +## xdm over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdm_dbus_chat',` Why does this interface need to be added, if it isn't going to be used (it's not used below). If it is still needed, then the interface should be xserver_dbus_chat_xdm() > + gen_require(` > + type xdm_t; > + class dbus send_msg; > + ') > + > + allow $1 xdm_t:dbus send_msg; > + allow xdm_t $1:dbus send_msg; > +') > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te 2016-08-06 21:26:43.296774294 +0200 > +++ refpolicy-git-06082016/policy/modules/services/xserver.te 2016-08-13 12:48:32.475827426 +0200 > @@ -507,6 +507,10 @@ optional_policy(` > ') > > optional_policy(` > + colord_dbus_chat(xdm_t) > +') > + > +optional_policy(` > consolekit_dbus_chat(xdm_t) > ') -- Chris PeBenito
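Review bot: In the xserver.fc hunk, the new `/usr/lib/X11/xdm/Xsession` entry is labelled xsession_exec_t, but neither the patch nor the commit message says which distribution or display manager package installs Xsession at that path. Please name it in the commit message, so the entry can be checked against a real installation and is not later mistaken for a stray or duplicate context.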
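Review bot: In the xserver.if hunk, `xdm_dbus_chat` is defined in the xserver module without the module prefix, and no hunk in this patch calls it (the xserver.te change only calls colord_dbus_chat). The two allow rules grant send_msg in both directions between the caller and xdm_t, and without a caller there is no way to judge whether both directions are needed. Either drop the interface from this patch, or rename it to xserver_dbus_chat_xdm and submit it together with the policy that uses it.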
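Review bot: In the xserver.te hunk, `colord_dbus_chat(xdm_t)` is added with no stated reason; the commit message only says that the permission was added. Please quote the denial or describe the xdm behaviour that requires talking to colord over D-Bus, so the grant can be reviewed against least privilege. Placing the call in its own optional_policy block, as the consolekit block after it does, is consistent with the surrounding code.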