* [refpolicy] [PATCH] remove deprecated xserver interface
@ 2009-08-25 19:02 Eamon Walsh
  2009-08-28 17:40 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Eamon Walsh @ 2009-08-25 19:02 UTC (permalink / raw)
  To: refpolicy


-- 
Eamon Walsh<ewalsh@tycho.nsa.gov>
National Security Agency

-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy_rm_deprecated.patch
Type: text/x-patch
Size: 3030 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090825/9b6df66c/attachment.bin 


* [refpolicy] [PATCH] remove deprecated xserver interface
  2009-08-25 19:02 [refpolicy] [PATCH] remove deprecated xserver interface Eamon Walsh
@ 2009-08-28 17:40 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2009-08-28 17:40 UTC (permalink / raw)
  To: refpolicy

On Tue, 2009-08-25 at 15:02 -0400, Eamon Walsh wrote:
> Index: policy/modules/apps/wireshark.te
> ===================================================================
> --- policy/modules/apps/wireshark.te    (revision 3012)
> +++ policy/modules/apps/wireshark.te    (working copy)
> @@ -119,6 +119,6 @@
>  ')
>  
>  optional_policy(`
> -       xserver_user_client(wireshark_t, wireshark_tmpfs_t)
> +       xserver_user_x_domain_template(wireshark, wireshark_t,
> wireshark_tmpfs_t)
>         xserver_create_xdm_tmp_sockets(wireshark_t)
>  ')
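
Review bot: the replacement call on the `+` line takes three arguments where `xserver_user_client` took two, adding `wireshark` as a prefix, and the patch carries no description of how the access granted to `wireshark_t` differs from the removed call. Please state in the changelog whether the domain ends up with the same permissions or additional ones, so this can be reviewed as a policy change and not only as a rename. The `+` line is also wrapped onto a second line as quoted here, which would keep the hunk from applying in this form.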

Merged this.

> Index: policy/modules/services/xserver.if
> ===================================================================
> --- policy/modules/services/xserver.if  (revision 3012)
> +++ policy/modules/services/xserver.if  (working copy)
> @@ -193,65 +193,6 @@
>  
>  #######################################
>  ## <summary>
> -##     Create full client sessions
> -##     on a user X server.
> -## </summary>
> -## <param name="domain">
> -##     <summary>
> -##     Domain allowed access.
> -##     </summary>
> -## </param>
> -## <param name="tmpfs_type">
> -##     <summary>
> -##     The type of the domain SYSV tmpfs files.
> -##     </summary>
> -## </param>
> -#
> -interface(`xserver_user_client',`
> -#      refpolicywarn(`$0() has been deprecated, please use
> xserver_user_x_domain_template instead.')

Kept the interface, in case an external module calls it.  Uncommented
the warning.

> -       gen_require(`
> -               type xdm_t, xdm_tmp_t;
> -               type xauth_home_t, iceauth_home_t, xserver_t,
> xserver_tmpfs_t;
> -       ')
> -
> -       allow $1 self:shm create_shm_perms;
> -       allow $1 self:unix_dgram_socket create_socket_perms;
> -       allow $1 self:unix_stream_socket { connectto
> create_stream_socket_perms };
> -
> -       # Read .Xauthority file
> -       allow $1 xauth_home_t:file { getattr read };
> -       allow $1 iceauth_home_t:file { getattr read };
> -
> -       # for when /tmp/.X11-unix is created by the system
> -       allow $1 xdm_t:fd use;
> -       allow $1 xdm_t:fifo_file { getattr read write ioctl };
> -       allow $1 xdm_tmp_t:dir search;
> -       allow $1 xdm_tmp_t:sock_file { read write };
> -       dontaudit $1 xdm_t:tcp_socket { read write };
> -
> -       # Allow connections to X server.
> -       files_search_tmp($1)
> -
> -       miscfiles_read_fonts($1)
> -
> -       userdom_search_user_home_dirs($1)
> -       # for .xsession-errors
> -       userdom_dontaudit_write_user_home_content_files($1)
> -
> -       xserver_ro_session($1,$2)
> -       xserver_use_user_fonts($1)
> -
> -       xserver_read_xdm_tmp_files($1)
> -
> -       # Client write xserver shm
> -       tunable_policy(`allow_write_xshm',`
> -               allow $1 xserver_t:shm rw_shm_perms;
> -               allow $1 xserver_tmpfs_t:file rw_file_perms;
> -       ')
> -')
> -
> -#######################################
> -## <summary>
>  ##     Interface to provide X object permissions on a given X server
> to
>  ##     an X client domain.  Provides the minimal set required by a
> basic
>  ##     X client application.
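
Review bot: the `refpolicywarn` line at the top of the removed `xserver_user_client` body is commented out (`#      refpolicywarn(...`), so no caller has ever seen a deprecation warning, and deleting the interface in the same step turns that silent deprecation into a build failure for any module outside this tree that still calls it. Suggest enabling the warning and keeping the interface for a release before removing it. The removed body also carries the `allow_write_xshm` tunable block and the `xdm_t`/`xdm_tmp_t` rules; the changelog should say whether callers moved to `xserver_user_x_domain_template` still receive them.
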
> Index: policy/modules/system/userdomain.if
> ===================================================================
> --- policy/modules/system/userdomain.if (revision 3012)
> +++ policy/modules/system/userdomain.if (working copy)
> @@ -438,7 +438,7 @@
>         # GNOME checks for usb and other devices:
>         dev_rw_usbfs($1_t)
>  
> -       xserver_user_client($1_t, user_tmpfs_t)
> +       xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
>         xserver_xsession_entry_type($1_t)
>         xserver_dontaudit_write_log($1_t)
>         xserver_stream_connect_xdm($1_t)
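
Review bot: the `+` line passes `$1` as the new prefix argument inside a block that is itself parameterised on `$1` (the neighbouring calls all use `$1_t`), so any difference in what the new template grants applies to every user domain built from this code, not to a single application. Please document in the changelog what changes for those domains relative to `xserver_user_client($1_t, user_tmpfs_t)`, in particular whether the shared-memory access gated by `allow_write_xshm` in the removed interface is preserved.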

Merged this.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
