On 4/4/19 8:29 AM, Sugar, David wrote:
This interface is needed when using the various script options in
lightdm (others?) configuration file. I'm using with 'display-setup-script'
and 'greeter-setup-script', but I suspect the same would be useful for
'display-stopped-script', 'session-cleanup-script' and others. In these
cases lightdm will be executing a configured script to perform some action
during the specified phase of the greeter/session. But without this interface
there is no way to transition into a new domain to execute the action.

I'm reluctant to add this "reversed" interface. In other cases, the
domain (init, cron, inetd, etc.) is legitimately transitioning to many
domains. I don't see that here.

Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/services/xserver.if | 31 ++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 854f3b90..2faef71d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -734,6 +734,37 @@ interface(`xserver_relabel_console_pipes',`
allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
')
+########################################
+## <summary>
+## Allow display manager to execute the specified program in
+## the specified domain.
+## </summary>
+## <desc>
+## <p>
+## This is a interface to support the lightdm *-setup-script
+## options. This will allow the command run by lightdm to
+## be run in a domain other than xdm_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`xdm_run_domain',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ domtrans_pattern(xdm_t,$2,$1)
+')
+
########################################
## <summary>
## Use file descriptors for xdm.
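
Review bot: The name `xdm_run_domain` on the added interface does not match the file it lives in or what its body does. The neighbouring interface in xserver.if is `xserver_relabel_console_pipes`, so a name with the `xserver_` module prefix would fit the file. The body is only `domtrans_pattern(xdm_t,$2,$1)` with no role parameter, so "domtrans" describes it more accurately than "run". Because the caller passes in the target domain rather than the source, the <desc> text should state that direction explicitly, and say which domains are expected to call it, since nothing in the interface limits what xdm_t may transition to. Minor: "This is a interface" should read "This is an interface".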
--
Chris PeBenito