From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 14 Aug 2016 15:05:02 -0400 Subject: [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module In-Reply-To: <886d105a-cc6f-9f94-b851-4a9511570008@gmail.com> References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> <886d105a-cc6f-9f94-b851-4a9511570008@gmail.com> Message-ID: <3e5bf95e-d2ab-9df6-d4a2-36d91a79b7ab@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/14/16 14:26, Dominick Grift wrote: > On 08/14/2016 08:24 PM, Chris PeBenito wrote: >> On 08/13/16 10:23, Guido Trentalancia wrote: >>> Update for the xserver module: >>> >>> - updated the file contexts for the Xsession script; >>> - created an interface for chatting over dbus with >>> xdm; >>> - added permission to chat over dbus with colord. >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/services/xserver.fc | 1 + >>> policy/modules/services/xserver.if | 21 +++++++++++++++++++++ >>> policy/modules/services/xserver.te | 4 ++++ >>> 3 files changed, 26 insertions(+) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc 2016-08-06 21:26:43.295774282 +0200 >>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc 2016-08-13 16:20:35.731361535 +0200 
>>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s >>> /usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) >>> /usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) >>> /usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) >>> +/usr/lib/X11/xdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) >>> >>> /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200 >>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-13 15:01:34.028150851 +0200 >>> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',` >>> typeattribute $1 x_domain; >>> typeattribute $1 xserver_unconfined_type; >>> ') >>> + >>> +######################################## >>> +## >>> +## Send and receive messages from >>> +## xdm over dbus. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`xdm_dbus_chat',` >> >> Why does this interface need to be added, if it isn't going to be used >> (it's not used below). >> >> If it is still needed, then the interface should be xserver_dbus_chat_xdm() >> >> > > Seems to be used here though: > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008213.html You're right. With all of the patches, I missed this connection. -- Chris PeBenito
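Review bot: in the xserver.fc hunk, the new /usr/lib/X11/xdm/Xsession entry is appended directly after the /usr/lib/xorg-server/Xorg\.wrap line, so a single xsession_exec_t label ends up at the tail of a run of xserver_exec_t entries. Consider placing it beside any other xsession_exec_t entries in the file, or in path order, so the two labels stay easy to audit. The commit message says only that the Xsession file contexts were updated; it could state which installation layout puts the script at this path.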
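Review bot: in the xserver.if hunk, the new interface is declared as xdm_dbus_chat, which does not carry the prefix of the module that defines it, unlike xserver_unconfined in the hunk's context lines. Renaming it to xserver_dbus_chat_xdm, as requested in this thread, keeps the owning module discoverable from the call site. Since the thread locates the caller in a separate posting, the commit message could also name the patch that uses the interface so that the addition is not read as dead code.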