Here is my current diff on xserver policy.

Here is my current diff on xserver policy.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1564 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I threw away my XACe changes from my patch and decided to start again.

Here is my current xserver patch

I am looking at the X Server stuff and I have several questions about
using this policy.

First most X Apps will run under staff_t.

Some will run in an equivalence class staff_java_t, staff_mono_t.

These should have all the same access between each other

staff_t == staff_java_t == staff_mono_t

How do I do that with Xace policy interface.

I have staff_mozilla_t, and staff_nsplugin_t what interface to I add to
these to allow them to work with staff_t defined above?  How about if I
want to stop nsplugin from reading the cut buffer of staff_t?  I also
want to stop nsplugin from sniffing the keyboard  (xspy), and doing any
screen capture.

When I sudo to root, I use unconfined_t.  It starts X Apps up like
system-config-selinux.  How do I define the interactions between this X
Client and my staff_* windows?

My xserver runs as xdm_xserver_t but the current interfaces look like
they expect it to be labeled staff_xserver_t?

Last time I went through this exercise I ended up with a maze of twisty
little passages.

I don't think that anything I asked above is all that complicated but I
believe getting the policy correct will be difficult.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkhAZkcACgkQrlYvE4MpobNY2QCgtyEO5rLrsGO6Aa2uMGLw9wUz
+OAAoKqcO1hhxQDBfMrHJn3ruM/xsmYw
=smnl
-----END PGP SIGNATURE-----

[-- Attachment #2: services_xserver.patch --]
[-- Type: text/plain, Size: 33112 bytes --]

Subject: [PATCH] refpolicy: services_xserver changes
--text follows this line--
--- nsaserefpolicy/policy/modules/services/xserver.fc	2008-05-19 10:26:37.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc	2008-05-30 16:22:00.160785000 -0400
@@ -1,13 +1,14 @@
 #
 # HOME_DIR
 #
-HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:fonts_home_t,s0)
+HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:fonts_config_home_t,s0)
+HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:fonts_config_home_t,s0)
+HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:fonts_cache_home_t,s0)
+HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:fonts_cache_home_t,s0)
+HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
 # /dev
@@ -32,11 +33,6 @@
 /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
 #
 # /opt
 #
@@ -58,7 +54,8 @@
 #
 
 /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -89,16 +86,23 @@
 
 /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
-/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
 
-/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
 
+/var/run/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
--- nsaserefpolicy/policy/modules/services/xserver.if	2008-05-19 10:26:38.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if	2008-05-30 16:24:12.019801000 -0400
@@ -128,18 +128,24 @@
 	dev_rw_agp($1_xserver_t)
 	dev_rw_framebuffer($1_xserver_t)
 	dev_manage_dri_dev($1_xserver_t)
-	dev_create_generic_dirs($1_xserver_t)
-	dev_setattr_generic_dirs($1_xserver_t)
+	dev_manage_generic_dirs($1_xserver_t)
 	# raw memory access is needed if not using the frame buffer
 	dev_read_raw_memory($1_xserver_t)
 	dev_wx_raw_memory($1_xserver_t)
 	# for other device nodes such as the NVidia binary-only driver
 	dev_rw_xserver_misc($1_xserver_t)
+	dev_setattr_xserver_misc_dev($1_xserver_t)
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
 	dev_rwx_zero($1_xserver_t)
+	dev_read_urand($1_xserver_t)
+	dev_rw_generic_usb_dev($1_xserver_t)
+	dev_rw_generic_usb_pipes($1_xserver_t)
 
+	domain_mmap_low_type($1_xserver_t)
 	domain_mmap_low($1_xserver_t)
+	domain_read_all_domains_state($1_xserver_t)
+	domain_dontaudit_ptrace_all_domains($1_xserver_t)
 
 	files_read_etc_files($1_xserver_t)
 	files_read_etc_runtime_files($1_xserver_t)
@@ -153,7 +159,8 @@
 	fs_getattr_xattr_fs($1_xserver_t)
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
-	fs_search_ramfs($1_xserver_t)
+	fs_manage_ramfs_files($1_xserver_t)
+	fs_list_inotifyfs($1_xserver_t)
 
 	selinux_validate_context($1_xserver_t)
 	selinux_compute_access_vector($1_xserver_t)
@@ -163,6 +170,9 @@
 
 	init_getpgid($1_xserver_t)
 
+	miscfiles_read_hwdata($1_xserver_t)
+
+	term_search_ptys($1_xserver_t)
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
 
@@ -270,6 +280,9 @@
 	gen_require(`
 		type iceauth_exec_t, xauth_exec_t;
 		attribute fonts_type, fonts_cache_type, fonts_config_type;
+		type fonts_home_t;
+		type fonts_cache_home_t;
+		type fonts_config_home_t;
 	')
 
 	##############################
@@ -280,35 +293,25 @@
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;
 
-	type $1_fonts_t, fonts_type;
-	userdom_user_home_content($1,$1_fonts_t)
-
-	type $1_fonts_cache_t, fonts_cache_type;
-	userdom_user_home_content($1,$1_fonts_cache_t)
-
-	type $1_fonts_config_t, fonts_config_type;
-	userdom_user_home_content($1,$1_fonts_cache_t)
+	typealias fonts_home_t alias $1_fonts_t;
+	typealias fonts_cache_home_t alias $1_fonts_cache_t;
+	typealias fonts_config_home_t alias $1_fonts_config_t;
 
 	type $1_iceauth_t;
 	domain_type($1_iceauth_t)
 	domain_entry_file($1_iceauth_t,iceauth_exec_t)
 	role $3 types $1_iceauth_t;
 
-	type $1_iceauth_home_t alias $1_iceauth_rw_t;
-	files_poly_member($1_iceauth_home_t)
-	userdom_user_home_content($1,$1_iceauth_home_t)
+	typealias iceauth_home_t alias $1_iceauth_rw_t;
+	typealias iceauth_home_t alias $1_iceauth_home_t;
 
 	type $1_xauth_t;
 	domain_type($1_xauth_t)
 	domain_entry_file($1_xauth_t,xauth_exec_t)
 	role $3 types $1_xauth_t;
 
-	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
-	files_poly_member($1_xauth_home_t)
-	userdom_user_home_content($1,$1_xauth_home_t)
-
-	type $1_xauth_tmp_t;
-	files_tmp_file($1_xauth_tmp_t)
+	typealias xauth_home_t alias $1_xauth_rw_t;
+	typealias xauth_home_t alias $1_xauth_home_t;
 
 	##############################
 	#
@@ -317,24 +320,24 @@
 
 	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
 
-	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+	allow $1_xserver_t xauth_home_t:file { getattr read };
 
 	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
 	allow $1_xserver_t $2:process signal;
 
 	allow $1_xserver_t $2:shm rw_shm_perms;
 
-	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
-	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-	relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
-	relabel_files_pattern($2,$1_fonts_t,$1_fonts_t)
-
-	manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
-	manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
-	relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+	manage_dirs_pattern($2,fonts_home_t,fonts_home_t)
+	manage_files_pattern($2,fonts_home_t,fonts_home_t)
+	relabel_dirs_pattern($2,fonts_home_t,fonts_home_t)
+	relabel_files_pattern($2,fonts_home_t,fonts_home_t)
+
+	manage_dirs_pattern($2,fonts_config_t,fonts_config_t)
+	manage_files_pattern($2,fonts_config_t,fonts_config_t)
+	relabel_files_pattern($2,fonts_config_t,fonts_config_t)
 
 	# For startup relabel
-	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+	allow $2 fonts_cache_t:{ dir file } { relabelto relabelfrom };
 
 	stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
 
@@ -375,12 +378,12 @@
 	allow $1_xauth_t self:process signal;
 	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
 
-	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
+	allow $1_xauth_t xauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_xauth_t,xauth_home_t,file)
 
-	manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
-	manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
-	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+	manage_dirs_pattern($1_xauth_t,xauth_tmp_t,xauth_tmp_t)
+	manage_files_pattern($1_xauth_t,xauth_tmp_t,xauth_tmp_t)
+	files_tmp_filetrans($1_xauth_t, xauth_tmp_t, { file dir })
 
 	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 
@@ -389,11 +392,11 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
 
-	allow $2 $1_xauth_home_t:file manage_file_perms;
-	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
+	allow $2 xauth_home_t:file manage_file_perms;
+	allow $2 xauth_home_t:file { relabelfrom relabelto };
 
-	allow xdm_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
+	allow xdm_t xauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,xdm_t,xauth_home_t,file)
 
 	domain_use_interactive_fds($1_xauth_t)
 
@@ -435,16 +438,16 @@
 
 	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
 
-	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
+	allow $1_iceauth_t iceauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_iceauth_t,iceauth_home_t,file)
 
 	# allow ps to show iceauth
 	ps_process_pattern($2,$1_iceauth_t)
 
-	allow $2 $1_iceauth_home_t:file manage_file_perms;
-	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
+	allow $2 iceauth_home_t:file manage_file_perms;
+	allow $2 iceauth_home_t:file { relabelfrom relabelto };
 
-	allow xdm_t $1_iceauth_home_t:file read_file_perms;
+	allow xdm_t iceauth_home_t:file read_file_perms;
 
 	fs_search_auto_mountpoints($1_iceauth_t)
 
@@ -610,7 +613,7 @@
 #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xauth_home_t, iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
 	')
 
 	allow $2 self:shm create_shm_perms;
@@ -618,8 +621,8 @@
 	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $2 $1_xauth_home_t:file { getattr read };
-	allow $2 $1_iceauth_home_t:file { getattr read };
+	allow $2 xauth_home_t:file { getattr read };
+	allow $2 iceauth_home_t:file { getattr read };
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
@@ -880,7 +883,7 @@
 template(`xserver_user_x_domain_template',`
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xauth_home_t, iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
 	')
 
 	allow $3 self:shm create_shm_perms;
@@ -888,8 +891,8 @@
 	allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $3 $1_xauth_home_t:file { getattr read };
-	allow $3 $1_iceauth_home_t:file { getattr read };
+	allow $3 xauth_home_t:file { getattr read };
+	allow $3 iceauth_home_t:file { getattr read };
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $3 xdm_t:fd use;
@@ -952,26 +955,43 @@
 #
 template(`xserver_use_user_fonts',`
 	gen_require(`
-		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+		type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
 	')
 
 	# Read per user fonts
-	allow $2 $1_fonts_t:dir list_dir_perms;
-	allow $2 $1_fonts_t:file read_file_perms;
+	read_files_pattern($2, fonts_home_t,  fonts_home_t)
 
 	# Manipulate the global font cache
-	manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
-	manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
+	manage_dirs_pattern($2,fonts_cache_home_t,fonts_cache_home_t)
+	manage_files_pattern($2,fonts_cache_home_t,fonts_cache_home_t)
 
 	# Read per user font config
-	allow $2 $1_fonts_config_t:dir list_dir_perms;
-	allow $2 $1_fonts_config_t:file read_file_perms;
+	allow $2 fonts_config_home_t:dir list_dir_perms;
+	allow $2 fonts_config_home_t:file read_file_perms;
 
 	userdom_search_user_home_dirs($1,$2)
 ')
 
 ########################################
 ## <summary>
+##	Get the attributes of xauth executable
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_getattr_xauth',`
+	gen_require(`
+		type xauth_exec_t;
+	')
+
+	allow $1 xauth_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
@@ -1005,6 +1025,73 @@
 
 ########################################
 ## <summary>
+##	Read a user Xauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	read to a user Xauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_read_user_xauth',`
+	gen_require(`
+		type xauth_home_t;
+	')
+
+	allow $2 xauth_home_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read a user Iceauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	read to a user Iceauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_read_user_iceauth',`
+	gen_require(`
+		type iceauth_home_t;
+	')
+
+	# Read .Iceauthority file
+	allow $2 iceauth_home_t:file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
@@ -1030,10 +1117,10 @@
 #
 template(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
-		type $1_xauth_home_t;
+		type xauth_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
+	userdom_user_home_dir_filetrans($1, $2, xauth_home_t, file)
 ')
 
 ########################################
@@ -1219,6 +1306,25 @@
 
 ########################################
 ## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+	gen_require(`
+		type xdm_xserver_t, xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
+')
+
+########################################
+## <summary>
 ##	Read xdm-writable configuration files.
 ## </summary>
 ## <param name="domain">
@@ -1273,6 +1379,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
+	allow $1 xdm_tmp_t:sock_file unlink;
 ')
 
 ########################################
@@ -1291,7 +1398,7 @@
 	')
 
 	files_search_pids($1)
-	allow $1 xdm_var_run_t:file read_file_perms;
+	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
 ')
 
 ########################################
@@ -1314,6 +1421,24 @@
 
 ########################################
 ## <summary>
+##      dontaudit search of XDM var lib directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_dontaudit_xdm_lib_search',`
+	gen_require(`
+		type xdm_var_lib_t;
+	')
+
+	dontaudit $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Execute the X server in the XDM X server domain.
 ## </summary>
 ## <param name="domain">
@@ -1324,15 +1449,47 @@
 #
 interface(`xserver_domtrans_xdm_xserver',`
 	gen_require(`
-		type xdm_xserver_t, xserver_exec_t;
+		type xdm_xserver_t, xserver_exec_t, xdm_t;
 	')
 
  	allow $1 xdm_xserver_t:process siginh;
+ 	allow xdm_t $1:process sigchld;
 	domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
 ')
 
 ########################################
 ## <summary>
+##	Execute xsever in the xdm_xserver domain, and
+##	allow the specified role the xdm_xserver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the xdm_xserver domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the xdm_xserver domain to use.
+##	</summary>
+## </param>
+#
+interface(`xserver_run_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	xserver_domtrans_xdm_xserver($1)
+	role $2 types xdm_xserver_t;
+	allow xdm_xserver_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
@@ -1482,7 +1639,7 @@
 		type xdm_xserver_tmp_t;
 	')
 
-	allow $1 xdm_xserver_tmp_t:file { getattr read };
+	read_files_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
 ')
 
 ########################################
@@ -1674,6 +1831,65 @@
 
 ########################################
 ## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_stream_connect',`
+	gen_require(`
+		type xdm_t, xdm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xdm_var_run_t:sock_file write;
+	allow $1 xdm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	xdm xserver RW shared memory socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_rw_shm',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	allow xdm_xserver_t $1:fd use;
+	allow $1 xdm_xserver_t:shm rw_shm_perms;
+	allow xdm_xserver_t $1:shm rw_shm_perms;
+
+')
+
+########################################
+## <summary>
+##	Ptrace XDM 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_ptrace_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process ptrace;
+')
+
+########################################
+## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
@@ -1691,3 +1907,82 @@
 
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_exec_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	exec_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Write xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_home_fonts',`
+	gen_require(`
+		type fonts_home_t;
+	')
+
+	manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
+	manage_files_pattern($1, fonts_home_t, fonts_home_t)
+	manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
+')
+
+########################################
+## <summary>
+##	Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_read_home_fonts',`
+	gen_require(`
+		type fonts_home_t;
+	')
+
+	read_files_pattern($1,fonts_home_t,fonts_home_t)
+	read_lnk_files_pattern($1,fonts_home_t,fonts_home_t)
+')
--- nsaserefpolicy/policy/modules/services/xserver.te	2008-05-19 10:26:37.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/services/xserver.te	2008-05-30 16:26:02.967410000 -0400
@@ -8,6 +8,14 @@
 
 ## <desc>
 ## <p>
+## Allows X clients to read the x devices (keyboard/mouse)
+## </p>
+## </desc>
+gen_tunable(allow_read_x_device,true)
+
+
+## <desc>
+## <p>
 ## Allows clients to write to the X server shared
 ## memory segments.
 ## </p>
@@ -16,6 +24,13 @@
 
 ## <desc>
 ## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem,false)
+
+## <desc>
+## <p>
 ## Allow xdm logins as sysadm
 ## </p>
 ## </desc>
@@ -92,7 +107,7 @@
 files_lock_file(xdm_lock_t)
 
 type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
+files_config_file(xdm_rw_etc_t)
 
 type xdm_var_lib_t;
 files_type(xdm_var_lib_t)
@@ -100,6 +115,12 @@
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 typealias xdm_tmp_t alias ice_tmp_t;
@@ -122,6 +143,27 @@
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+type fonts_cache_home_t, fonts_cache_type;
+userdom_user_home_content(user,fonts_cache_home_t)
+
+type fonts_home_t, fonts_type;
+userdom_user_home_content(user,fonts_home_t)
+
+type fonts_config_home_t, fonts_config_type;
+userdom_user_home_content(user,fonts_config_home_t)
+
+type user_iceauth_home_t;
+userdom_user_home_content(user,user_iceauth_home_t)
+
+type xauth_home_t, xauth_home_type;
+userdom_user_home_content(user,xauth_home_t)
+
+type admin_xauth_home_t;
+files_type(admin_xauth_home_t)
+
+type xauth_tmp_t;
+files_tmp_file(xauth_tmp_t)
+
 xserver_common_domain_template(xdm)
 xserver_common_x_domain_template(xdm,xdm,xdm_t)
 init_system_domain(xdm_xserver_t,xserver_exec_t)
@@ -142,6 +184,7 @@
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { getattr getcap setcap };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
@@ -154,6 +197,8 @@
 allow xdm_t self:key { search link write };
 
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -169,6 +214,8 @@
 manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+relabelfrom_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 
 manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
@@ -176,15 +223,24 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
+fs_search_inotifyfs(xdm_t)
+fs_list_all(xdm_t)
+
+manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)
 
 manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
 
 manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
+manage_sock_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file sock_file })
 
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -198,6 +254,7 @@
 allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t)
 
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -229,6 +286,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
+corenet_udp_bind_xdmcp_port(xdm_t)
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
@@ -241,6 +299,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
+dev_rw_input_dev(xdm_t)
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
@@ -253,14 +312,15 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
+dev_read_sound(xdm_t)
+dev_write_sound(xdm_t)
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
 
 domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
 domain_dontaudit_read_all_domains_state(xdm_t)
+domain_dontaudit_ptrace_all_domains(xdm_t)
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
@@ -271,9 +331,13 @@
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
+files_dontaudit_getattr_boot_dirs(xdm_t)
+files_dontaudit_write_usr_files(xdm_t)
 
 fs_getattr_all_fs(xdm_t)
 fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
@@ -282,6 +346,7 @@
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
+storage_dontaudit_rw_fuse(xdm_t)
 
 term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
@@ -290,6 +355,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
+auth_signal_pam(xdm_t)
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
@@ -301,21 +367,25 @@
 libs_exec_lib_files(xdm_t)
 
 logging_read_generic_logs(xdm_t)
+logging_send_audit_msgs(xdm_t)
 
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
-
-sysnet_read_config(xdm_t)
+miscfiles_manage_localization(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
-userdom_read_unpriv_users_home_content_files(xdm_t)
+unprivuser_read_home_content_files(xdm_t)
+unprivuser_dontaudit_write_home_content_files(xdm_t)
+
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
-
-sysadm_dontaudit_search_home_dirs(xdm_t)
+#
+# Wants to delete .xsession-errors file
+#
+userdom_unlink_unpriv_users_home_content_files(xdm_t)
 
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
@@ -348,10 +418,12 @@
 
 optional_policy(`
 	alsa_domtrans(xdm_t)
+	alsa_read_rw_config(xdm_t)
 ')
 
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
+	consolekit_read_log(xdm_t)
 ')
 
 optional_policy(`
@@ -359,6 +431,19 @@
 ')
 
 optional_policy(`
+	dbus_per_role_template(xdm, xdm_t, system_r)
+	dbus_system_bus_client_template(xdm, xdm_t)
+
+	optional_policy(`
+		hal_dbus_chat(xdm_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(xdm_t)
+	')
+')
+
+optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
@@ -369,6 +454,10 @@
 ')
 
 optional_policy(`
+	gnome_exec_gconf(xdm_t)
+')
+
+optional_policy(`
 	loadkeys_exec(xdm_t)
 ')
 
@@ -382,16 +471,25 @@
 ')
 
 optional_policy(`
+	polkit_domtrans_auth(xdm_t)
+	polkit_read_lib(xdm_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(xdm_t)
 ')
 
 optional_policy(`
+	sysadm_dontaudit_search_home_dirs(xdm_t)
+')
+
+optional_policy(`
 	udev_read_db(xdm_t)
 ')
 
 optional_policy(`
-	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
+	unconfined_signal(xdm_t)
 
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
@@ -427,7 +525,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -439,6 +537,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
 
+manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)	
+manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
+
+manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)	
+manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,{ dir file })
+
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
 
@@ -450,10 +557,19 @@
 # xdm_xserver_t may no longer have any reason
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
-userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
+unprivuser_read_home_content_files(xdm_xserver_t)
+unprivuser_manage_tmp_files(xdm_xserver_t)
 
 xserver_use_all_users_fonts(xdm_xserver_t)
 
+getty_use_fds(xdm_xserver_t)
+locallogin_use_fds(xdm_xserver_t)
+userdom_dontaudit_write_user_home_content_files(user, xdm_xserver_t)
+
+optional_policy(`
+	userhelper_search_config(xdm_xserver_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_xserver_t)
 	fs_manage_nfs_files(xdm_xserver_t)
@@ -467,6 +583,22 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
+
+	optional_policy(`
+		hal_dbus_chat(xdm_xserver_t)
+	')
+')
+
+optional_policy(`
+	locallogin_use_fds(xdm_xserver_t)
+')
+
+optional_policy(`
+	mono_rw_shm(xdm_xserver_t)
+')
+
+optional_policy(`
 	resmgr_stream_connect(xdm_t)
 ')
 
@@ -476,16 +608,32 @@
 ')
 
 optional_policy(`
-	unconfined_domain_noaudit(xdm_xserver_t)
-	unconfined_domtrans(xdm_xserver_t)
+	rpm_dontaudit_rw_shm(xdm_xserver_t)
+	rpm_rw_tmpfs_files(xdm_xserver_t)
+')
 
-	ifndef(`distro_redhat',`
-		allow xdm_xserver_t self:process { execheap execmem };
-	')
+optional_policy(`
+	unconfined_rw_shm(xdm_xserver_t)
+	unconfined_execmem_rw_shm(xdm_xserver_t)
+	unconfined_rw_tmpfs_files(xdm_xserver_t)
 
-	ifdef(`distro_rhel4',`
-		allow xdm_xserver_t self:process { execheap execmem };
-	')
+	# xserver signals unconfined user on startx
+	unconfined_signal(xdm_xserver_t)
+	unconfined_getpgid(xdm_xserver_t)
+	unconfined_domain(xdm_xserver_t)
+')
+
+
+tunable_policy(`allow_xserver_execmem', `
+	allow xdm_xserver_t self:process { execheap execmem execstack };
+')
+
+ifndef(`distro_redhat',`
+	allow xdm_xserver_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+	allow xdm_xserver_t self:process { execheap execmem };
 ')
 
 ########################################

[-- Attachment #3: services_xserver.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]

Re: Here is my current diff on xserver policy.

[Eamon Walsh]

Daniel J Walsh wrote:
> I threw away my XACe changes from my patch and decided to start again.
>
> Here is my current xserver patch
>
> I am looking at the X Server stuff and I have several questions about
> using this policy.
>
> First most X Apps will run under staff_t.
>
> Some will run in an equivalence class staff_java_t, staff_mono_t.
>
> These should have all the same access between each other
>
> staff_t == staff_java_t == staff_mono_t
>
> How do I do that with Xace policy interface.

1) Transition all the X objects created by those domains into the same 
type, or
2) Assign a common attribute to those domains, and somehow split up 
xserver_common_x_domain_template() so you can issue the allow rules once 
for the attribute.

Every object in X is labeled either through a type transition or from a 
name in the x_contexts file.

The root window and certain other objects, such as the default colormap, 
are labeled in a type transition from the server's domain.  Chris has 
these objects going to $1_rootwindow_t.  All other new windows are 
labeled in a type transition with the creating domain as the subject and 
the parent window as the related object.

Events are first labeled from the x_contexts file; for example a 
ButtonPress event would be labeled input_xevent_t.  However, each event 
is then relabeled in a type transition with the type of the window 
(where it is being delivered) as the subject and the previous type as 
the related object.  This is where the "user_input_xevent_t" types come 
from.

Window properties are first labeled from the x_contexts file, then 
relabeled in a transition with the domain creating them as the subject 
and the previous type as the related object.  This is where the 
"user_foo_xproperty_t" types come from.

I could go on but my documentation will have all of this in it.


>
> I have staff_mozilla_t, and staff_nsplugin_t what interface to I add to
> these to allow them to work with staff_t defined above?

Don't think such an interface exists, presently.

> How about if I
> want to stop nsplugin from reading the cut buffer of staff_t?  

I'm assuming you mean "I want to prevent nsplugin from accessing data 
that a staff_t application has exposed on the clipboard."

Several options here:

1) Deny nsplugin "read" access on the PRIMARY, SECONDARY, and CLIPBOARD 
selections.  These selections are labeled by name (selabel) from the 
x_contexts file, currently "clipboard_xselection_t".  In this case any 
nsplugin that calls ConvertSelection() will cause a denial and a 
BadAccess X protocol error will be sent back, which will probably abort 
the plugin, and firefox.  I kind of doubt this is what you want, as 
people do paste things into nsplugins (I'm picturing someone pasting a 
filename into some Adobe Acrobat dialog box).

3) Use an active selection manager, such as the one that Ted Toth is 
working on.  This program seizes ownership of the clipboard whenever it 
changes, so it can intercept paste requests and pop up a confirmation 
dialog or deny the request.

2) Set up selection polyinstantiation, separating staff_t from nsplugin 
using a type_member rule.  In this case nsplugin will have its own 
selection instances, and will not be able to see staff_t pastes.  To 
support pasting, you will need a selection manager that "see" across the 
polyinstantiation (using special XSELinux extension requests).



> I also
> want to stop nsplugin from sniffing the keyboard  (xspy), and doing any
> screen capture.

Deny "read" access on x_device, and deny "read" access on non-nsplugin 
x_drawable objects (including the root window).

The "read" access on devices is a problem because of common usage by 
applications of requests that require this privilege, such as 
XQueryPointer.  I am working with upstream to try and come up with new 
semantics for these requests that will prevent input from leaking 
between X clients.

>
> When I sudo to root, I use unconfined_t.  It starts X Apps up like
> system-config-selinux.  How do I define the interactions between this X
> Client and my staff_* windows?

The unconfined_t windows are labeled in a type_transition from the root 
window as described above.
The window manager will need permissions over the unconfined_t window 
objects.  This does not mean the window manager needs to run as 
unconfined itself.
The type of the x_device objects (treated as a subject when input events 
are being posted) will need to have permission to send input events to 
the unconfined_t windows.

Any other interactions are the result of nosing around by other 
applications.  For example, I have observed gnome-screensaver register 
for input events on _every_ window on the entire screen.  Other 
applications might call XQueryTree on the entire window hierarchy (the 
equivalent of "find / -print").  These behaviors will cause denials; the 
only solution is to fix the applications. 


>
> My xserver runs as xdm_xserver_t but the current interfaces look like
> they expect it to be labeled staff_xserver_t?

You'll have to ask Chris about this.  My understanding is that 
xdm_xserver_t is supported as a "special case."  I'm anxious to collapse 
these down to one type through rbac separation, fixing X server launch 
via GDM, or otherwise.

>
> Last time I went through this exercise I ended up with a maze of twisty
> little passages.
>
> I don't think that anything I asked above is all that complicated but I
> believe getting the policy correct will be difficult.

The stuff I wrote isn't the be-all and end-all, so feel free to start 
from scratch.


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.