From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 17:37:20 +0200 (CEST)
Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not
	fifo_file
Message-ID: <744918107.204924.1492702640247@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The xserver module contains two interfaces to handle the xconsole
device (usually /dev/xconsole).

Unfortunately, it seems that the above mentioned interfaces use the
wrong file type: fifo (named pipe) instead of character device.

This patch fixes such issue and also introduces a new interface to
manage the xconsole device (so that it can be created, for example,
by an udev rule).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.if |   29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

--- a/policy/modules/services/xserver.if	2017-01-29 18:47:23.000000000 +0100
+++ b/policy/modules/services/xserver.if	2017-04-20 17:14:45.721199079 +0200
@@ -664,7 +695,8 @@ interface(`xserver_read_user_iceauth',`
 
 ########################################
 ## <summary>
-##	Set the attributes of the X windows console named pipes.
+##	Set the attributes of the X
+##	windows console device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -677,12 +709,13 @@ interface(`xserver_setattr_console_pipes
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:chr_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read and write the X windows console named pipe.
+##	Read and write the X windows
+##	console device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -695,7 +728,26 @@ interface(`xserver_rw_console',`
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
+	allow $1 xconsole_device_t:chr_file rw_chr_file_perms;
+')
+
+#######################################
+## <summary>
+##	Manage the X windows console
+##	device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_console',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:chr_file manage_chr_file_perms;
 ')
 
 ########################################