[selinux-policy: 2295/3172] Drop the xserver_unprotected interface.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:23:47 UTC 2010


commit 5025a463cf0810899915432082273f633c6df93f
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Oct 29 18:57:38 2009 -0400

    Drop the xserver_unprotected interface.
    
    The motivation for this interface was xdm_t objects not getting cleaned
    up, so the user session tried to interact with them.  But since the
    default user type is unconfined, this problem has gone away for now.
    
    Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
    Signed-off-by: Chris PeBenito <cpebenito at tresys.com>

 policy/modules/services/xserver.if |   20 --------------------
 policy/modules/services/xserver.te |   16 ----------------
 2 files changed, 0 insertions(+), 36 deletions(-)
---
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index cffc058..e34a892 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1200,26 +1200,6 @@ interface(`xserver_manage_core_devices',`
 
 ########################################
 ## <summary>
-##	Interface to remove protections on an X client domain.
-##	Gives other X client domains full permissions over the target
-##	domain's X objects.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to be unprotected.
-##	</summary>
-## </param>
-#
-interface(`xserver_unprotected',`
-	gen_require(`
-		attribute xserver_unprotected_type;
-	')
-
-	typeattribute $1 xserver_unprotected_type;
-')
-
-########################################
-## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d6c4b95..f7e7637 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -82,7 +82,6 @@ type root_xdrawable_t, xdrawable_type;
 type root_xcolormap_t, xcolormap_type;
 
 attribute xserver_unconfined_type;
-attribute xserver_unprotected_type;
 
 xserver_object_types_template(root)
 xserver_object_types_template(user)
@@ -157,7 +156,6 @@ init_daemon_domain(xdm_t, xdm_exec_t)
 xserver_object_types_template(xdm)
 xserver_common_x_domain_template(xdm, xdm_t)
 xserver_unconfined(xdm_t)
-xserver_unprotected(xdm_t)
 
 type xdm_lock_t;
 files_lock_file(xdm_lock_t)
@@ -950,20 +948,6 @@ allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
 ########################################
 #
-# Rules for unprotected access to a domain
-#
-
-allow x_domain xserver_unprotected_type:x_drawable *;
-allow x_domain xserver_unprotected_type:x_gc *;
-allow x_domain xserver_unprotected_type:x_colormap *;
-allow x_domain xserver_unprotected_type:x_property *;
-allow x_domain xserver_unprotected_type:x_cursor *;
-allow x_domain xserver_unprotected_type:x_client *;
-allow x_domain xserver_unprotected_type:x_device *;
-allow x_domain xserver_unprotected_type:x_resource *;
-
-########################################
-#
 # Rules for unconfined access to this module
 #
 

