From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 17 Sep 2012 11:28:15 -0400 Subject: [refpolicy] [PATCH] Related to RedHats' system-setup-keyboard daemon In-Reply-To: <1347613301.2915.34.camel@d30.localdomain> References: <1347612970-20153-1-git-send-email-dominick.grift@gmail.com> <1347613301.2915.34.camel@d30.localdomain> Message-ID: <5057418F.90309@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/14/12 05:01, Dominick Grift wrote: > xorg.conf keyboard layout callout > > I am not sure whether this is the right place to put this keyboard > daemon policy. > > Fedora has it in a separate keyboardd module > > However this daemon seems pretty specific to Xorg since its sole purpose > is: > > "to monitor the keyboard layout configured in > /etc/sysconfig/keyboard and transfer this into the matching xorg.conf.d > snippet." > > If this is not an optimal place i will be happy to put it elsewhere Is this a Fedora-specific service (it appears to be, based on the file contexts)? If so, I think it makes more sense for it to be in a separate module. > On Fri, 2012-09-14 at 10:56 +0200, Dominick Grift wrote: >> Signed-off-by: Dominick Grift >> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc >> index c2c6e05..e424022 100644 >> --- a/policy/modules/kernel/files.fc >> +++ b/policy/modules/kernel/files.fc >> @@ -72,6 +72,8 @@ >> /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) >> /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) >> >> +/etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) >> + >> ifdef(`distro_gentoo', ` >> /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) >> /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) 
>> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc >> index be8f670..f6cfdb4 100644 >> --- a/policy/modules/services/xserver.fc >> +++ b/policy/modules/services/xserver.fc >> @@ -61,6 +61,7 @@ >> /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) >> /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) >> /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) >> +/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0) >> /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) >> /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) >> /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) >> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te >> index 2f4ba59..b40ea98 100644 >> --- a/policy/modules/services/xserver.te >> +++ b/policy/modules/services/xserver.te >> @@ -132,6 +132,10 @@ >> typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; >> userdom_user_home_content(iceauth_home_t) >> >> +type keyboardd_t; >> +type keyboardd_exec_t; >> +init_daemon_domain(keyboardd_t, keyboardd_exec_t) >> + >> type xauth_t; >> type xauth_exec_t; >> typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; 
>> @@ -244,6 +248,21 @@ >> >> ######################################## >> # >> +# keyboardd local policy >> +# >> + >> +allow keyboardd_t self:fifo_file rw_fifo_file_perms; >> +allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; >> + >> +files_manage_etc_runtime_files(keyboardd_t) >> +files_etc_filetrans_etc_runtime(keyboardd_t, file) >> + >> +files_read_etc_files(keyboardd_t) >> + >> +miscfiles_read_localization(keyboardd_t) >> + >> +######################################## >> +# >> # Xauth local policy >> # >> > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
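Review bot: In the policy/modules/kernel/files.fc hunk, the new /etc/(X11/)?xorg\.conf\.d/00-system-setup-keyboard\.conf entry is added unconditionally, while the entries directly below it are guarded by ifdef(`distro_gentoo', ...). If the daemon is distribution-specific, as the reply above suggests, wrap the new line in the corresponding distribution ifdef or move it into the .fc file of the module that declares keyboardd_t, so the kernel files module does not carry a path for a daemon defined elsewhere.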
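Review bot: In the policy/modules/services/xserver.fc hunk, /usr/bin/system-setup-keyboard is inserted ahead of /usr/bin/slim, which breaks the alphabetical order of the surrounding /usr/bin entries (gpe-dm, iceauth, slim, Xair, xauth). Place it after the slim line. If the domain moves to a separate module as suggested in the reply, this entry should move to that module's .fc file together with the keyboardd_exec_t type.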
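Review bot: In the "keyboardd local policy" block of the second xserver.te hunk, files_manage_etc_runtime_files(keyboardd_t) gives the daemon manage access to every etc_runtime_t file, which according to the files.fc context lines in this same patch includes /etc/sysconfig/iptables\.save and /etc/sysconfig/firstboot, although the stated purpose of the daemon is to write a single xorg.conf.d snippet. files_etc_filetrans_etc_runtime(keyboardd_t, file) likewise applies to any file the domain creates under a generic etc directory, not only to 00-system-setup-keyboard.conf. Consider a dedicated type for that snippet, with manage access and the file transition limited to that type, so a fault in the daemon cannot alter unrelated runtime configuration.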