From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 21:32:57 +0200 (CEST) Subject: [refpolicy] [PATCH v2 2/2] udev: manage xserver console device In-Reply-To: <520453077.205084.1492702720803@pim.register.it> References: <744918107.204924.1492702640247@pim.register.it> <520453077.205084.1492702720803@pim.register.it> Message-ID: <925367184.203384.1492716777322@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Modify the udev module so that the udev daemon can manage the xserver console device (a named pipe, usually /dev/xconsole). I have posted a new version of this patch for the sake of not leaving incomplete patches around on the list. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/devices.if | 19 +++++++++++++++++++ policy/modules/system/udev.te | 2 ++ 2 files changed, 21 insertions(+) --- a/policy/modules/kernel/devices.if 2016-12-27 16:37:59.000000000 +0100 +++ b/policy/modules/kernel/devices.if 2017-04-20 21:24:58.110629406 +0200 @@ -406,6 +406,25 @@ interface(`dev_manage_generic_files',` manage_files_pattern($1, device_t, device_t) ') +####################################### +## +## Create a fifo file in the device +## directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_generic_fifo_files',` + gen_require(` + type device_t; + ') + + manage_fifo_files_pattern($1, device_t, device_t) +') + ######################################## ## ## Dontaudit getattr on generic pipes. --- a/policy/modules/system/udev.te 2017-02-04 19:30:18.000000000 +0100 +++ b/policy/modules/system/udev.te 2017-04-20 21:24:39.203629483 +0200 @@ -104,6 +104,8 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) +# create /dev/xconsole +dev_manage_generic_fifo_files(udev_t) dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t)
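Review bot: In the policy/modules/kernel/devices.if hunk, the summary for dev_manage_generic_fifo_files reads "Create a fifo file in the device directory", but the body calls manage_fifo_files_pattern($1, device_t, device_t), which is a manage grant rather than a create-only one. The summary should describe what callers actually receive, for example "Create, delete, read, and write generic fifo files in the device directory", so that anyone auditing callers of this interface does not underestimate the access it hands out. If creation is all that is needed, a create-only interface would be the least-privilege alternative. The context line that follows speaks of "generic pipes" while the new name uses "fifo_files"; picking one term in the summaries would keep the file consistent.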
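Review bot: In the policy/modules/system/udev.te hunk, the comment "# create /dev/xconsole" understates the line below it: dev_manage_generic_fifo_files(udev_t) gives udev_t manage access to every fifo file labeled device_t, not create access to a single pipe. Either change the comment to say "manage", matching the subject line of the patch, or narrow the grant to what udev needs for the xconsole pipe. It is also worth stating in the commit message why the pipe keeps the generic device_t label rather than a dedicated type, since the generic label is what makes the rule apply to all fifo files under that type.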