[selinux-policy: 2284/3172] Add separate x_pointer and x_keyboard classes inheriting from x_device.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:22:48 UTC 2010 

commit e4928c5f7954ea062815c8a37c9d37e3e3fa40df
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Tue Oct 13 19:17:13 2009 -0400

    Add separate x_pointer and x_keyboard classes inheriting from x_device.
    
    This is needed to allow more fine-grained control over X devices without
    using different types.  Using different types is problematic because
    devices act as subjects in the X Flask implementation, and subjects
    cannot be labeled through a type transition (since the output role is
    hardcoded to object_r).
    
    Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>

 policy/flask/access_vectors   |   55 +++++++++++++++++++++++++---------------
 policy/flask/security_classes |    4 +++
 2 files changed, 38 insertions(+), 21 deletions(-)
---
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3998b77..6620e4c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -94,6 +94,33 @@ common database
 }
 
 #
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+	getattr
+	setattr
+	use
+	read
+	write
+	getfocus
+	setfocus
+	bell
+	force_cursor
+	freeze
+	grab
+	manage
+	list_property
+	get_property
+	set_property
+	add
+	remove
+	create
+	destroy
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
@@ -525,27 +552,7 @@ class x_client
 }
 
 class x_device
-{
-	getattr
-	setattr
-	use
-	read
-	write
-	getfocus
-	setfocus
-	bell
-	force_cursor
-	freeze
-	grab
-	manage
-	list_property
-	get_property
-	set_property
-	add
-	remove
-	create
-	destroy
-}
+inherits x_device
 
 class x_server
 {
@@ -802,3 +809,9 @@ class kernel_service
 
 class tun_socket
 inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2bd1bf6..fa65db2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,4 +121,8 @@ class kernel_service
 
 class tun_socket
 
+# Still More SE-X Windows stuff
+class x_pointer			# userspace
+class x_keyboard		# userspace
+
 # FLASK

More information about the scm-commits mailing list