From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 14 Aug 2016 21:09:56 +0200 Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module In-Reply-To: <1471098223.21480.19.camel@trentalancia.net> References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> Message-ID: <1471201796.27146.16.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update for the xserver module: - updated the file contexts for the Xsession script; - created an interface for chatting over dbus with xdm (currently used by the userdomain module in the common user template); - added permission to chat over dbus with colord. Signed-off-by: Guido Trentalancia --- policy/modules/services/xserver.fc | 1 + policy/modules/services/xserver.if | 21 +++++++++++++++++++++ policy/modules/services/xserver.te | 4 ++++ 3 files changed, 26 insertions(+) --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc 2016-08-06 21:26:43.295774282 +0200 +++ refpolicy-git-06082016/policy/modules/services/xserver.fc 2016-08-13 16:20:35.731361535 +0200 @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/lib/X11/xdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200 +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-14 21:04:33.812531119 +0200 
@@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## +## Send and receive messages from +## xdm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dbus_chat_xdm',` + gen_require(` + type xdm_t; + class dbus send_msg; + ') + + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; +') --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te 2016-08-06 21:26:43.296774294 +0200 +++ refpolicy-git-06082016/policy/modules/services/xserver.te 2016-08-13 12:48:32.475827426 +0200 @@ -507,6 +507,10 @@ optional_policy(` ') optional_policy(` + colord_dbus_chat(xdm_t) +') + +optional_policy(` consolekit_dbus_chat(xdm_t) ')
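Review bot: in the xserver.fc hunk (@@ -74,6 +74,7 @@), the new /usr/lib/X11/xdm/Xsession entry is appended after the /usr/lib/xorg-server/Xorg\.wrap line; if this block is kept in path order, check whether it belongs above the /usr/lib/xorg entries instead. The description says only that the Xsession file contexts were updated, so it would help to name the distribution or package that installs the script at this path, which lets a reader confirm that xsession_exec_t is the intended label for it.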
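Review bot: in the xserver.if hunk (@@ -1291,3 +1291,24 @@), the comment block above xserver_dbus_chat_xdm appears here as bare "##" lines around "Send and receive messages from xdm over dbus." and "Domain allowed access.", with no summary or parameter markup visible. Please confirm the patch as sent carries that markup, since the interface documentation depends on it. Separately, the description says the interface is used by the userdomain module in the common user template, but the diffstat lists only xserver.fc, xserver.if and xserver.te, so nothing in this patch calls it. State whether the userdomain change is a separate patch, so the two-way grant (allow $1 xdm_t:dbus send_msg; and allow xdm_t $1:dbus send_msg;) can be reviewed against its actual caller.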
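Review bot: in the xserver.te hunk (@@ -507,6 +507,10 @@), the new optional_policy block calling colord_dbus_chat(xdm_t) has no stated justification; the description says only that permission to chat over dbus with colord was added. Please add the denial that was observed, or name the display manager component that talks to colord, so the grant to xdm_t can be judged on least-privilege grounds. The placement ahead of the consolekit_dbus_chat(xdm_t) block looks fine.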