[selinux-policy: 2284/3172] Add separate x_pointer and x_keyboard classes inheriting from x_device.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:22:48 UTC 2010
commit e4928c5f7954ea062815c8a37c9d37e3e3fa40df
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Tue Oct 13 19:17:13 2009 -0400
Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types. Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
policy/flask/access_vectors | 55 +++++++++++++++++++++++++---------------
policy/flask/security_classes | 4 +++
2 files changed, 38 insertions(+), 21 deletions(-)
---
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3998b77..6620e4c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -94,6 +94,33 @@ common database
}
#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
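Review bot: The header comment on the new `common x_device` block names only pointer and keyboard, but the later hunk at `class x_device` makes that class inherit from the same common, so three classes now depend on this one list. I would word it as `# Define a common prefix for the x_device, x_pointer and x_keyboard access vectors.` The 19 permissions appear in the same order as in the removed `class x_device` body. A second comment line saying the order is carried over deliberately would help later editors, in case any consumer depends on permission positions.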
@@ -525,27 +552,7 @@ class x_client
}
class x_device
-{
- getattr
- setattr
- use
- read
- write
- getfocus
- setfocus
- bell
- force_cursor
- freeze
- grab
- manage
- list_property
- get_property
- set_property
- add
- remove
- create
- destroy
-}
+inherits x_device
class x_server
{
@@ -802,3 +809,9 @@ class kernel_service
class tun_socket
inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
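Review bot: `class x_pointer` and `class x_keyboard` are declared here with no accompanying rules; the diffstat lists only the two flask files, so every existing `allow` written against `x_device` still covers `x_device` alone. If the X object manager starts checking core devices against the new classes (which the commit message implies but this diff does not show), access to them depends entirely on rules added elsewhere. It is worth confirming that a companion change updates the X server policy interfaces. That change should grant `x_keyboard` permissions such as `read` and `grab` separately from `x_pointer`, not copy the old `x_device` grants to both, otherwise the finer-grained control the message describes is not actually gained. A one-line comment above these two classes, e.g. `# Input device classes split out of x_device; same permission set.`, would also explain why they sit at the end of the file, away from the other X classes.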
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2bd1bf6..fa65db2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,4 +121,8 @@ class kernel_service
class tun_socket
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
# FLASK
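Review bot: The added comment `# Still More SE-X Windows stuff` does not say what the two classes are or how they relate to the existing `x_device` class. Something like `# X input device classes; share the x_device permission set (see access_vectors)` would tell the reader more. The new entries are appended after `tun_socket`, the last class visible in this hunk. If that placement is deliberate, to avoid renumbering the classes declared earlier, it is worth stating in the comment so nobody later moves them up next to the other X classes.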