From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 14 Dec 2016 16:29:23 -0500 Subject: [refpolicy] [PATCH 5/5] rtkit: enable dbus chat with xdm In-Reply-To: <1481676545.17446.13.camel@trentalancia.net> References: <1481130053.3300.9.camel@trentalancia.net> <1481217618.20182.8.camel@trentalancia.net> <1481322107.2989.1.camel@trentalancia.net> <1481676545.17446.13.camel@trentalancia.net> Message-ID: <7a91e7db-5de3-9c37-549f-e6d1cd8c446b@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/13/16 19:49, Guido Trentalancia via refpolicy wrote: > Enable dbus messaging between the X Display Manager (XDM) and > the rtkit daemon. > > Also, let the rtkit daemon set the priority of the X Display > Manager (XDM). > > This patch (along with parts 3/5 and 4/5) might be needed when > running gdm. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/rtkit.te | 8 ++++++++ > policy/modules/services/xserver.if | 20 +++++++++++++++++++- > 2 files changed, 27 insertions(+), 1 deletion(-) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100 > @@ -42,4 +42,12 @@ optional_policy(` > optional_policy(` > policykit_dbus_chat(rtkit_daemon_t) > ') > + > + optional_policy(` > + xserver_dbus_chat_xdm(rtkit_daemon_t) > + ') > +') > + > +optional_policy(` > + xserver_setsched_xdm(rtkit_daemon_t) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if > --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 > +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100 
> @@ -162,7 +162,6 @@ interface(`xserver_role',` > manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > - > ') > > ####################################### > @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## > +## Set the priority of X Display > +## Manager (XDM). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_setsched_xdm',` > + gen_require(` > + attribute xdm_domain; > + ') > + > + allow $1 xdm_domain:process setsched; > +') Since you're operating on an attribute, it should be xserver_setsched_all_xdms(). Otherwise it implies just on xdm_t. -- Chris PeBenito
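Review bot: the xserver.if hunk at @@ -162,7 +162,6 @@ only deletes a blank line before the closing ') of xserver_role, which is unrelated to the rtkit/XDM dbus chat and setsched change described in the commit message. Drop it from this patch or send it as a separate whitespace cleanup, so the access-granting change stays easy to audit on its own.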
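Review bot: in the new xserver_setsched_xdm interface (xserver.if hunk at @@ -1350,3 +1349,22 @@), the rule "allow $1 xdm_domain:process setsched;" targets the xdm_domain attribute, so the caller gets setsched over every domain carrying that attribute, while the summary text reads as a single X Display Manager. If rtkit only needs this for one XDM domain, name that type in the rule and in gen_require instead of the attribute; if the attribute-wide grant is intended, state that in the summary and the interface name, and update the xserver_setsched_xdm(rtkit_daemon_t) call in the rtkit.te hunk to match.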