[selinux-policy: 1335/3172] move xconsole to xserver mod

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:00:54 UTC 2010


commit 413982c6a3032591b97bb353a677f06c65a77fc7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Apr 6 19:27:41 2006 +0000

    move xconsole to xserver mod

 refpolicy/Changelog                          |    2 +
 refpolicy/policy/modules/kernel/devices.te   |   12 +--------
 refpolicy/policy/modules/services/xserver.fc |    5 +++
 refpolicy/policy/modules/services/xserver.if |   36 ++++++++++++++++++++++++++
 refpolicy/policy/modules/services/xserver.te |   12 ++++++--
 refpolicy/policy/modules/system/init.te      |   16 +++--------
 refpolicy/policy/modules/system/logging.te   |   10 +++---
 7 files changed, 63 insertions(+), 30 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 68b6a8d..ad1810e 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Move xconsole_device_t from devices to xserver since it is
+  not actually a device, it is a named pipe.
 - Handle nonexistant .fc and .if files in devel Makefile by
   automatically creating empty files.
 - Remove unused devfs_control_t.
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index bf16a3b..9e8164c 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.5)
+policy_module(devices,1.1.6)
 
 ########################################
 #
@@ -181,16 +181,6 @@ type zero_device_t;
 dev_node(zero_device_t)
 mls_trusted_object(zero_device_t)
 
-
-# TODO:
-
-# this is not actually a device
-# move it to xserver
-type xconsole_device_t;
-files_type(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
 ########################################
 #
 # Rules for all device nodes
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 77f634b..eb6e748 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -12,6 +12,11 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 ')
 
 #
+# /dev
+#
+/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
+
+#
 # /etc
 #
 
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 332cbd8..ec410cd 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -710,6 +710,42 @@ interface(`xserver_use_all_users_fonts',`
 
 ########################################
 ## <summary>
+##	Set the attributes of the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_setattr_console_pipes',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the X windows console named pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_console',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file { getattr read write };
+')
+
+########################################
+## <summary>
 ##	Connect to XDM over a unix domain
 ##	stream socket.
 ## </summary>
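Review bot: `xserver_rw_console` grants `{ getattr read write }`, but the syslogd rule it replaces in the logging.te hunk of this commit was `{ ioctl read write }`, so the converted caller gains `getattr` and loses `ioctl` with no mention in the Changelog. If syslogd issues an ioctl on the pipe, this would presumably surface as an AVC denial once the interface is in use. Please confirm which set is intended and state it in the interface summary, or keep the original set with `allow $1 xconsole_device_t:fifo_file { ioctl read write };`.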
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 6e318d6..9918eb5 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.3)
+policy_module(xserver,1.1.4)
 
 ########################################
 #
@@ -19,6 +19,12 @@ files_type(iceauth_exec_t)
 type xauth_exec_t;
 files_type(xauth_exec_t)
 
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
 type xdm_t;
 # real declaration moved to mls until
 # range_transition works in loadable modules
@@ -86,6 +92,8 @@ allow xdm_t self:udp_socket create_socket_perms;
 # Supress permission check on .ICE-unix
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
 
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
 
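Review bot: The added `allow xdm_t xconsole_device_t:fifo_file { getattr setattr };` has no comment explaining why xdm needs `setattr` on the pipe. The rule comes from the TODO-guarded block near the end of this file, so it was presumably not compiled in before, and moving it here turns it into an active grant. A one-line comment above it, for example `# xdm adjusts the attributes of the xconsole pipe` (reworded to the real reason), would record that the permission was reviewed and not just relocated.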
@@ -438,8 +446,6 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-
 can_resmgrd_connect(xdm_t)
 
 # Need to further investigate these permissions and
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 15394d8..f640e63 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.6)
+policy_module(init,1.3.7)
 
 gen_require(`
 	class passwd rootok;
@@ -726,19 +726,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# init s	cript wants to check if it needs to update windowmanagerlist
+	# Set device ownerships/modes.
+	xserver_setattr_console_pipes(initrc_t)
+
+	# init script wants to check if it needs to update windowmanagerlist
 	xserver_read_xdm_rw_config(initrc_t)
 ')
 
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
-
-ifdef(`TODO',`
-# Set device ownerships/modes.
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-ifdef(`distro_redhat', `
-	allow initrc_t device_t:dir create;
-')
-') dnl end TODO
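Review bot: The TODO block removed at the end of this hunk also held `allow initrc_t device_t:dir create;` under `distro_redhat`, which is unrelated to xconsole and is deleted instead of being kept as an open item. If dropping it is intentional, it deserves a line in the commit message or Changelog; otherwise leave that part of the block in place so the question is not lost. The comment `# Set device ownerships/modes.` now sits above a call that acts on a named pipe which the Changelog says is not a device; `# Set ownership/mode of the xconsole pipe.` would match the new placement.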
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index f31af3a..8a75634 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.2)
+policy_module(logging,1.3.3)
 
 ########################################
 #
@@ -369,7 +369,7 @@ optional_policy(`
 	udev_read_db(syslogd_t)
 ')
 
-ifdef(`TODO',`
-# log to the xconsole
-allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-') dnl end TODO
+optional_policy(`
+	# log to the xconsole
+	xserver_rw_console(syslogd_t)
+')

