Navigation

← Previous Changeset
Next Changeset →

Changeset 2651

Timestamp:

03/26/08 14:44:25 (8 months ago)

Author:

pebenito

Message:

xselinux: merge x_rootcolormap_t and x_rootwindow_t into a per-role type, and merge x_rootscreen_t into the per-role xserver type.

Files:

branches/xselinux/policy/modules/services/xserver.if (modified) (11 diffs)
branches/xselinux/policy/modules/services/xserver.te (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/xselinux/policy/modules/services/xserver.if

r2650	r2651
18	18
19	19	attribute x_server_domain;
20		~~type x_rootwindow_t, x_rootcolormap_t, x_rootscreen_t;~~
21	20	class x_drawable all_x_drawable_perms;
22	21	class x_colormap all_x_colormap_perms;
…	…
31	30	attribute $1_x_domain;
32	31	attribute $1_input_xevent_type;
	32
	33	type $1_rootwindow_t, rootwindow_type;
33	34
34	35	type $1_xserver_t, x_server_domain;
…	…
93	94	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
94	95
95		# Labeling rules for default windows, screens, and colormaps
96		type_transition $1_xserver_t $1_xserver_t:x_drawable x_rootwindow_t;
97		type_transition $1_xserver_t $1_xserver_t:x_colormap x_rootcolormap_t;
98		type_transition $1_xserver_t $1_xserver_t:x_screen x_rootscreen_t;
	96	# Labeling rules for default windows and colormaps
	97	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
99	98
100	99	kernel_read_system_state($1_xserver_t)
…	…
197	196	attribute xproperty_type, xselection_type;
198	197	attribute xextension_type, xevent_type;
199
200		type x_rootcolormap_t, x_rootscreen_t;
201		type ~~x_rootwindow_t,~~ remote_xclient_t;
	198	attribute rootwindow_type;
	199
	200	type remote_xclient_t;
202	201	')
203	202	allow $1_xserver_t x_server_domain:x_server *;
204		allow $1_xserver_t { x_domain ~~x_rootwindow_t~~ }:x_drawable *;
205		allow $1_xserver_t x_~~rootscreen_t~~:x_screen *;
	203	allow $1_xserver_t { x_domain rootwindow_type }:x_drawable *;
	204	allow $1_xserver_t x_server_domain:x_screen *;
206	205	allow $1_xserver_t x_domain:x_gc *;
207		allow $1_xserver_t { x_domain ~~x_rootcolormap_t~~ }:x_colormap *;
	206	allow $1_xserver_t { x_domain rootwindow_type }:x_colormap *;
208	207	allow $1_xserver_t xproperty_type:x_property *;
209	208	allow $1_xserver_t xselection_type:x_selection *;
…	…
472	471
473	472	allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
474		allow $1_xserver_t { x_rootwindow_t $1_x_domain }:x_drawable send;
	473	allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send;
475	474
476	475	# manage: xhost X11:ChangeHosts
…	…
485	484	allow $2 $1_xserver_t:x_resource write;
486	485
487		allow $2 ~~x_rootcolormap~~_t:x_colormap { install uninstall };
	486	allow $2 $1_rootwindow_t:x_colormap { install uninstall };
488	487
489	488	# read: gnome-settings-daemon RANDR:GetScreenSizeRange
…	…
491	490	# setattr: gnome-settings-daemon X11:GrabKey
492	491	# manage: metacity X11:ChangeWindowAttributes
493		allow $2 x_rootwindow_t:x_drawable { read write manage setattr };
	492	allow $2 $1_rootwindow_t:x_drawable { read write manage setattr };
494	493
495	494	# setattr: metacity X11:InstallColormap
496		allow $2 ~~x_rootscreen~~_t:x_screen { saver_setattr saver_getattr setattr };
	495	allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr };
497	496
498	497	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
…	…
677	676	template(`xserver_common_x_domain_template',`
678	677	gen_require(`
679		type ~~x_rootwindow_t, x_rootcolormap~~_t, std_xext_t, shmem_xext_t;
	678	type $1_rootwindow_t, std_xext_t, shmem_xext_t;
680	679	type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
681	680	type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
…	…
766	765	allow $3 info_xproperty_t:x_property read;
767	766	# can change properties of root window
768		allow $3 x_rootwindow_t:x_drawable { list_property get_property set_property };
	767	allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
769	768	# can change properties of own windows
770	769	allow $3 self:x_drawable { list_property get_property set_property };
…	…
772	771	# X Windows
773	772	# operations allowed on root windows
774		allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
	773	allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
775	774	# operations allowed on my windows
776	775	allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
777		type_transition $3 x_rootwindow_t:x_drawable $3;
	776	type_transition $3 $1_rootwindow_t:x_drawable $3;
778	777
779	778	# X Colormaps
780	779	# can use the default colormap
781		allow $3 ~~x_rootcolormap~~_t:x_colormap { read use add_color };
	780	allow $3 $1_rootwindow_t:x_colormap { read use add_color };
782	781
783	782	# X Input
…	…
829	828	attribute xproperty_type, xselection_type;
830	829	attribute xextension_type, xevent_type;
831
832		type x_rootcolormap_t, x_rootscreen_t;
833		type ~~x_rootwindow_t,~~ remote_xclient_t;
	830	attribute rootwindow_type;
	831
	832	type remote_xclient_t;
834	833	')
835	834	allow $3 x_server_domain:x_server *;
836		allow $3 { x_domain ~~x_rootwindow_t~~ }:x_drawable *;
837		allow $3 x_~~rootscreen_t~~:x_screen *;
	835	allow $3 { x_domain rootwindow_type }:x_drawable *;
	836	allow $3 x_server_domain:x_screen *;
838	837	allow $3 x_domain:x_gc *;
839		allow $3 { x_domain ~~x_rootcolormap_t~~ }:x_colormap *;
	838	allow $3 { x_domain rootwindow_type }:x_colormap *;
840	839	allow $3 xproperty_type:x_property *;
841	840	allow $3 xselection_type:x_selection *;

branches/xselinux/policy/modules/services/xserver.te

r2643	r2651
39	39
40	40	# Per-object attributes
	41	attribute rootwindow_type;
41	42	attribute x_domain;
42	43	attribute xproperty_type;
…	…
68	69	type video_xext_t, xextension_type;
69	70	type unknown_xevent_t, xevent_type;
70		~~type x_rootcolormap_t;~~
71		~~type x_rootscreen_t;~~
72		~~type x_rootwindow_t;~~
73	71	type xevent_t alias default_xevent_t, xevent_type;
74	72	type xext_t alias unknown_xext_t, xextension_type;
…	…
496	494
497	495	allow xserver_unconfined_type x_server_domain:x_server *;
498		allow xserver_unconfined_type { x_domain ~~x_rootwindow_t~~ }:x_drawable *;
499		allow xserver_unconfined_type x_~~rootscreen_t~~:x_screen *;
	496	allow xserver_unconfined_type { x_domain rootwindow_type }:x_drawable *;
	497	allow xserver_unconfined_type x_server_domain:x_screen *;
500	498	allow xserver_unconfined_type x_domain:x_gc *;
501		allow xserver_unconfined_type { x_domain ~~x_rootcolormap_t~~ }:x_colormap *;
	499	allow xserver_unconfined_type { x_domain rootwindow_type }:x_colormap *;
502	500	allow xserver_unconfined_type xproperty_type:x_property *;
503	501	allow xserver_unconfined_type xselection_type:x_selection *;

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.