From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 14 Aug 2016 21:06:02 +0200
Subject: [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
In-Reply-To: <3e5bf95e-d2ab-9df6-d4a2-36d91a79b7ab@ieee.org>
References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> <886d105a-cc6f-9f94-b851-4a9511570008@gmail.com> <3e5bf95e-d2ab-9df6-d4a2-36d91a79b7ab@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/14/2016 09:05 PM, Chris PeBenito wrote:
> On 08/14/16 14:26, Dominick Grift wrote:
>> On 08/14/2016 08:24 PM, Chris PeBenito wrote:
>>> On 08/13/16 10:23, Guido Trentalancia wrote:
>>>> Update for the xserver module:
>>>>
>>>> - updated the file contexts for the Xsession script;
>>>> - created an interface for chatting over dbus with
>>>> xdm;
>>>> - added permission to chat over dbus with colord.
>>>>
>>>> Signed-off-by: Guido Trentalancia
>>>> ---
>>>> policy/modules/services/xserver.fc | 1 +
>>>> policy/modules/services/xserver.if | 21 +++++++++++++++++++++
>>>> policy/modules/services/xserver.te | 4 ++++
>>>> 3 files changed, 26 insertions(+)
>>>>
>>>> --- >>>> refpolicy-git-06082016-orig/policy/modules/services/xserver.fc >>>> 2016-08-06 21:26:43.295774282 +0200 >>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc >>>> 2016-08-13 16:20:35.731361535 +0200
>>>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s >>>> /usr/lib/xorg/Xorg\.wrap -- >>>> gen_context(system_u:object_r:xserver_exec_t,s0) >>>> /usr/lib/xorg-server/Xorg -- >>>> gen_context(system_u:object_r:xserver_exec_t,s0) >>>> /usr/lib/xorg-server/Xorg\.wrap -- >>>> gen_context(system_u:object_r:xserver_exec_t,s0) >>>> +/usr/lib/X11/xdm/Xsession -- >>>> gen_context(system_u:object_r:xsession_exec_t,s0) >>>> >>>> /usr/sbin/lightdm -- >>>> gen_context(system_u:object_r:xdm_exec_t,s0) >>>> >>>> --- >>>> refpolicy-git-06082016-orig/policy/modules/services/xserver.if >>>> 2016-08-06 21:26:43.295774282 +0200 >>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if >>>> 2016-08-13 15:01:34.028150851 +0200 
>>>> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',` >>>> typeattribute $1 x_domain; >>>> typeattribute $1 xserver_unconfined_type; >>>> ') >>>> + >>>> +######################################## >>>> +## >>>> +## Send and receive messages from >>>> +## xdm over dbus. >>>> +## >>>> +## >>>> +## >>>> +## Domain allowed access. >>>> +## >>>> +## >>>> +# >>>> +interface(`xdm_dbus_chat',`
>>>
>>> Why does this interface need to be added, if it isn't going to be used
>>> (it's not used below).
>>>
>>> If it is still needed, then the interface should be
>>> xserver_dbus_chat_xdm()
>>>
>>>
>>
>> Seems to be used here though:
>>
>> http://oss.tresys.com/pipermail/refpolicy/2016-August/008213.html
>
> You're right. With all of the patches, I missed this connection.
>

Yes. Too much. There are some other things that slipped through that
shouldn't have.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
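Review bot: in the xserver.fc hunk, the added /usr/lib/X11/xdm/Xsession entry is appended to the end of the /usr/lib/xorg and /usr/lib/xorg-server group, whose visible entries are all labeled xserver_exec_t, although it covers a different path prefix and assigns a different type (xsession_exec_t). Consider placing it beside other /usr/lib/X11 or xsession_exec_t entries if the file has any, so the grouping stays easy to audit. The commit message says only that the Xsession file contexts were updated; stating which distribution or display manager package installs Xsession under /usr/lib/X11/xdm would let reviewers judge whether the entry belongs in the common section or under a distribution conditional.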
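Review bot: in the xserver.if hunk, the new interface is declared as xdm_dbus_chat, which lacks the module prefix carried by the interface directly above it in the same file (xserver_unconfined); renaming it to xserver_dbus_chat_xdm, as requested in the review, keeps it clear which module grants the access. The thread shows the only caller lives in a separate patch, so the commit message should name that dependency, otherwise the interface reads as unused when this patch is reviewed on its own. The quoted hunk stops at the interface line, so the rules it grants are not visible here and should be checked against the full patch.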