From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 17:37:20 +0200 (CEST)
Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
Message-ID: <744918107.204924.1492702640247@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The xserver module contains two interfaces to handle the xconsole device (usually /dev/xconsole). Unfortunately, it seems that the above-mentioned interfaces use the wrong file type: fifo (named pipe) instead of character device. This patch fixes that issue and also introduces a new interface to manage the xconsole device (so that it can be created, for example, by a udev rule).

Signed-off-by: Guido Trentalancia
--- policy/modules/services/xserver.if | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) --- a/policy/modules/services/xserver.if 2017-01-29 18:47:23.000000000 +0100 +++ b/policy/modules/services/xserver.if 2017-04-20 17:14:45.721199079 +0200 @@ -664,7 +695,8 @@ interface(`xserver_read_user_iceauth',` ######################################## ## -## Set the attributes of the X windows console named pipes. +## Set the attributes of the X +## windows console device. ## ## ## @@ -677,12 +709,13 @@ interface(`xserver_setattr_console_pipes type xconsole_device_t; ') - allow $1 xconsole_device_t:fifo_file setattr; + allow $1 xconsole_device_t:chr_file setattr; ') ######################################## ## -## Read and write the X windows console named pipe. +## Read and write the X windows +## console device. ## ## ## 
@@ -695,7 +728,26 @@ interface(`xserver_rw_console',` type xconsole_device_t; ') - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; + allow $1 xconsole_device_t:chr_file rw_chr_file_perms; +') + +####################################### +## +## Manage the X windows console +## device. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_console',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:chr_file manage_chr_file_perms; ') ########################################
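Review bot: the first hunk header reads `@@ -664,7 +695,8 @@`, so the new-file start is already 31 lines past the old-file start even though no earlier hunk in this patch adds lines to xserver.if and the diffstat (25 insertions, 4 deletions) is accounted for by the hunks shown. That points to a diff generated against a tree carrying other local changes. Please regenerate it against a clean checkout so the offsets reflect this patch alone.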
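Review bot: in the `@@ -677,12 +709,13 @@` hunk, `xserver_setattr_console_pipes` now grants `chr_file setattr` but still says "pipes" in its name, and the `fifo_file` rule is replaced rather than supplemented. Every existing caller loses access wherever the xconsole node is still a named pipe. The diffstat also shows only xserver.if changing, so a file-context entry that restricts the xconsole label to the pipe file type would no longer line up with these rules. Suggest either allowing both classes or updating the file contexts in the same patch, and introducing a correctly named interface with the old name kept as a deprecated wrapper.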
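Review bot: in the `@@ -695,7 +728,26 @@` hunk, the new `xserver_manage_console` grants only `manage_chr_file_perms` on `xconsole_device_t`, which covers the node itself but not the commit message's use case of creating it from a udev rule. Creating the node also needs write and add_name access on the parent directory and a type transition (or explicit relabel) so it ends up as `xconsole_device_t`, and the patch provides neither. Either state in the interface documentation that callers must supply those separately, or add a companion file-transition interface. The summary comment could also spell out that "manage" includes create and unlink, since that is a much wider grant than `xserver_rw_console`.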