[selinux-policy: 774/3172] add xdm

Thu Oct 7 20:11:57 UTC 2010

commit 23a4442bf1d0d61a7c9b8b832ab8dad8891fb092
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 21 17:55:15 2005 +0000

    add xdm

 refpolicy/Changelog                             |    1 +
 refpolicy/policy/modules/kernel/mls.te          |   12 +-
 refpolicy/policy/modules/services/xdm.fc        |   38 ++
 refpolicy/policy/modules/services/xdm.if        |    1 +
 refpolicy/policy/modules/services/xdm.te        |  420 +++++++++++++++++++++++
 refpolicy/policy/modules/system/corecommands.fc |    5 +
 refpolicy/policy/modules/system/init.te         |    6 +-
 refpolicy/policy/modules/system/unconfined.te   |    3 +-
 8 files changed, 479 insertions(+), 7 deletions(-)
---

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 74dcdcc..1e4714c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,6 +6,7 @@
 	cyrus
 	dovecot
 	distcc
+	xdm
 
 * Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
 - Many fixes to make loadable modules build.
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index 6e1c358..70c39b2 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -54,22 +54,26 @@ attribute mlsrangetrans;
 
 type getty_t;
 type login_exec_t;
+type init_t;
 type init_exec_t;
 type initrc_t;
 type sshd_exec_t;
 type su_exec_t;
 type udev_exec_t;
 type unconfined_t;
+type xdm_exec_t;
 
-ifdef(`enable_mcs', `
+ifdef(`enable_mcs',`
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
 range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
 range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 ')
 
-ifdef(`enable_mls', `
+ifdef(`enable_mls',`
 # run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s9:c0.c255;
 ')
diff --git a/refpolicy/policy/modules/services/xdm.fc b/refpolicy/policy/modules/services/xdm.fc
new file mode 100644
index 0000000..f175401
--- /dev/null
+++ b/refpolicy/policy/modules/services/xdm.fc
@@ -0,0 +1,38 @@
+
+/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/etc/kde3?/kdm/Xstartup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xreset	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/[wx]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+/etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+
+/opt/kde3/bin/kdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+')
+
+/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/xdm.if b/refpolicy/policy/modules/services/xdm.if
new file mode 100644
index 0000000..4c29517
--- /dev/null
+++ b/refpolicy/policy/modules/services/xdm.if
@@ -0,0 +1 @@
+## <summary>X windows login display manager</summary>
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
new file mode 100644
index 0000000..5e9ad2e
--- /dev/null
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -0,0 +1,420 @@
+
+policy_module(xdm,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# hack until all of strict is converted
+#type xdm_t;
+gen_require(`
+	type unconfined_t;
+')
+typealias unconfined_t alias xdm_t;
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type xdm_exec_t;
+')
+init_domain(xdm_t,xdm_exec_t)
+init_daemon_domain(xdm_t,xdm_exec_t)
+
+type xsession_exec_t;
+files_type(xsession_exec_t)
+
+type xserver_log_t;
+files_type(xserver_log_t)
+
+type xdm_xserver_tmp_t;
+files_type(xdm_xserver_tmp_t)
+
+type xdm_lock_t;
+files_lock_file(xdm_lock_t)
+
+type xdm_rw_etc_t;
+files_type(xdm_rw_etc_t)
+
+type xdm_var_run_t;
+files_type(xdm_var_run_t)
+
+type xdm_var_lib_t;
+files_type(xdm_var_lib_t)
+
+type xdm_tmp_t;
+files_tmp_file(xdm_tmp_t)
+
+type xdm_tmpfs_t;
+files_tmpfs_file(xdm_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid setsched setrlimit };
+allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+
+allow xdm_t xdm_lock_t:file create_file_perms;
+files_create_lock(xdm_t,xdm_lock_t)
+
+allow xdm_t xdm_tmp_t:dir create_dir_perms;
+allow xdm_t xdm_tmp_t:file create_file_perms;
+allow xdm_t xdm_tmp_t:file create_file_perms;
+files_create_tmp_files(xdm_t, xdm_tmp_t, { file dir sock_file })
+
+allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+fs_create_tmpfs_data(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow xdm_t xdm_var_lib_t:file create_file_perms;
+allow xdm_t xdm_var_lib_t:dir create_dir_perms;
+files_create_var_lib(xdm_t,xdm_var_lib_t)
+
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctl(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_urand(xdm_t)
+
+selinux_get_fs_mount(xdm_t)
+selinux_validate_context(xdm_t)
+selinux_compute_access_vector(xdm_t)
+selinux_compute_create_context(xdm_t)
+selinux_compute_relabel_context(xdm_t)
+selinux_compute_user_contexts(xdm_t)
+
+files_read_etc_runtime_files(xdm_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain_template(xdm_t)
+')
+
+ifdef(`TODO',`
+# cjp: TODO: integrate strict policy:
+daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
+
+allow xdm_t xdm_var_run_t:dir setattr;
+
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+allow initrc_t xdm_var_run_t:fifo_file unlink;
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
+
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+allow xdm_t default_context_t:dir search;
+allow xdm_t default_context_t:{ file lnk_file } { read getattr };
+
+can_network(xdm_t)
+allow xdm_t port_type:tcp_socket name_connect;
+
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+allow xdm_xserver_t xdm_t:process signal;
+# for reboot
+allow xdm_t initctl_t:fifo_file write;
+
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+# Transition to user domains for user sessions.
+domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
+allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
+allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
+allow unpriv_userdomain xdm_xserver_t:fd use;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
+allow xdm_xserver_t unpriv_userdomain:fd use;
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# gnome-session creates socket under /tmp/.ICE-unix/
+allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
+allow unpriv_userdomain xdm_tmp_t:sock_file create;
+
+# Allow xdm logins as sysadm_r:sysadm_t
+bool xdm_sysadm_login false;
+if (xdm_sysadm_login) {
+domain_trans(xdm_t, xsession_exec_t, sysadm_t)
+allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
+allow sysadm_t xdm_xserver_t:shm r_shm_perms;
+allow sysadm_t xdm_xserver_t:fd use;
+allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
+allow xdm_xserver_t sysadm_t:fd use;
+}
+
+# Label pid and temporary files with derived types.
+rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
+allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
+
+# Run helper programs.
+allow xdm_t etc_t:file { getattr read };
+allow xdm_t bin_t:dir { getattr search };
+# lib_t is for running cpp
+can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
+allow xdm_t { bin_t sbin_t }:lnk_file read;
+ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
+ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
+allow xdm_t xdm_xserver_t:process sigkill;
+allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+# Access devices.
+allow xdm_t device_t:dir { read search };
+allow xdm_t console_device_t:chr_file setattr;
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t framebuf_device_t:chr_file { getattr setattr };
+allow xdm_t mouse_device_t:chr_file { getattr setattr };
+allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
+allow xdm_t dri_device_t:chr_file rw_file_perms;
+allow xdm_t device_t:dir rw_dir_perms;
+allow xdm_t agp_device_t:chr_file rw_file_perms;
+allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
+allow xdm_t v4l_device_t:chr_file { setattr getattr };
+allow xdm_t scanner_device_t:chr_file { setattr getattr };
+allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
+allow xdm_t device_t:lnk_file read;
+can_resmgrd_connect(xdm_t)
+
+# Access xdm log files.
+file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
+allow xdm_t xserver_log_t:dir rw_dir_perms;
+allow xdm_t xserver_log_t:dir setattr;
+# Access /var/gdm/.gdmfifo.
+allow xdm_t xserver_log_t:fifo_file create_file_perms;
+
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
+
+# Remove /tmp/.X11-unix/X0.
+allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+
+ifdef(`gpm.te', `
+# Talk to the console mouse server.
+allow xdm_t gpmctl_t:sock_file { getattr setattr write };
+allow xdm_t gpm_t:unix_stream_socket connectto;
+')
+
+allow xdm_t sysfs_t:dir search;
+
+# Update utmp and wtmp.
+allow xdm_t initrc_var_run_t: file { read write lock };
+allow xdm_t wtmp_t:file append;
+
+# Update lastlog.
+allow xdm_t lastlog_t:file rw_file_perms;
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+allow xdm_t xfs_tmp_t:dir search;
+allow xdm_t xfs_tmp_t:sock_file write;
+can_unix_connect(xdm_t, xfs_t)
+')
+
+allow xdm_t etc_t:lnk_file read;
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+# Signal any user domain.
+allow xdm_t userdomain:process signal_perms;
+
+# Search /proc for any user domain processes.
+allow xdm_t userdomain:dir r_dir_perms;
+allow xdm_t userdomain:{ file lnk_file } r_file_perms;
+
+# Allow xdm access to the user domains
+allow xdm_t home_root_t:dir search;
+allow xdm_xserver_t home_root_t:dir search;
+
+# Do not audit denied attempts to access devices.
+dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
+dontaudit xdm_t device_t:file_class_set rw_file_perms;
+dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir search;
+
+# Do not audit denied probes of /proc.
+dontaudit xdm_t domain:dir r_dir_perms;
+dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
+
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+allow xdm_t usr_t:{ lnk_file file } { getattr read };
+
+# Read fonts
+read_fonts(xdm_t)
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
+
+# Do not audit access to /root
+dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# Do not audit attempts to check whether user root has email
+dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
+dontaudit xdm_t mail_spool_t:file getattr;
+
+# Access sound device.
+allow xdm_t sound_device_t:chr_file { setattr getattr };
+
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
+# Run the X server in a derived domain.
+xserver_domain(xdm)
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+# Unrestricted inheritance.
+allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
+
+# Run xkbcomp.
+allow xdm_xserver_t var_lib_t:dir search;
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+
+# Insert video drivers.  
+allow xdm_xserver_t self:capability mknod;
+allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
+domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
+allow insmod_t xserver_log_t:file write;
+allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
+
+# Read /proc/dri/.*
+allow xdm_xserver_t proc_t:dir { search read };
+
+# Search /var/run.
+allow xdm_xserver_t var_run_t:dir search;
+
+# FIXME: After per user fonts are properly working
+# xdm_xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+
+# Search home directories.
+allow xdm_xserver_t user_home_type:dir search;
+allow xdm_xserver_t user_home_type:file { getattr read };
+
+if (use_nfs_home_dirs) {
+allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
+allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
+# for .dmrc
+allow xdm_t user_home_dir_type:dir { getattr search };
+allow xdm_t user_home_type:file { getattr read };
+
+ifdef(`support_polyinstatiation', `
+# xdm_t can polyinstantiate
+polyinstantiater(xdm_t)
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+allow xdm_t mnt_t:dir { getattr read search };
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+ifdef(`pam.te', `
+allow xdm_t pam_var_run_t:dir create_dir_perms;
+allow xdm_t pam_var_run_t:file create_file_perms;
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
+can_exec(xdm_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file(xdm_t, pam_var_console_t)
+')
+
+# Pamconsole/alsa 
+ifdef(`alsa.te', `
+domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
+') dnl ifdef
+
+allow xdm_t var_log_t:file { getattr read };
+allow xdm_t wtmp_t:file { getattr read };
+
+domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+#
+# Poweroff wants to create the /poweroff file when run from xdm
+#
+file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
+
+#
+# xdm tries to bind to biff_port_t
+#
+dontaudit xdm_t port_type:tcp_socket name_bind;
+
+# VNC v4 module in X server
+allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
+ifdef(`crack.te', `
+allow xdm_t crack_db_t:file r_file_perms;
+')
+r_dir_file(xdm_t, selinux_config_t)
+
+# Run telinit->init to shutdown.
+can_exec(xdm_t, init_exec_t)
+allow xdm_t self:sem create_sem_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 1c00508..d1c6e25 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -39,6 +39,11 @@ ifdef(`targeted_policy',`
 /etc/X11/prefdm		--	gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/etc/X11/xdm/GiveConsole --	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/TakeConsole --	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/Xsetup_0	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xinit(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /sbin
 #
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9513fad..a435178 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -19,7 +19,11 @@ attribute direct_init_entry;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type init_t;
+')
 domain_type(init_t)
 role system_r types init_t;
 
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 3f6f48e..a03604b 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -29,8 +29,7 @@ ifdef(`targeted_policy',`
 
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
-	# cjp: remove xdm_t when we get to that module
-	typealias unconfined_t alias { secadm_t sysadm_t xdm_t };
+	typealias unconfined_t alias { secadm_t sysadm_t };
 
 	init_domtrans_script(unconfined_t)
 
