--- serefpolicy-3.4.1/policy/modules/apps/wm.if 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/wm.if 2008-06-24 12:01:56.000000000 -0500
@@ -0,0 +1,105 @@
+## <summary>Window Manager.</summary>
+
+#######################################
+## <summary>
+## Template to create types and rules common to
+## any window manager domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="prefix">
+## <summary>
+## The prefix of the X server domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`wm_domain_template',`
+ gen_require(`
+ type $1_t;
+ type wm_exec_t;
+ type tmpfs_t;
+ type $1_dbusd_t;
+ type $1_tmp_t;
+ type $2_rootwindow_t, $2_xproperty_t, $2_xserver_t, $2_var_run_t;
+ type $1_xproperty_t, $1_input_xevent_t, $1_manage_xevent_t, $1_property_xevent_t;
+ type $1_focus_xevent_t, $1_client_xevent_t;
+ type output_xext_t;
+ class x_colormap { install uninstall };
+ class x_drawable manage;
+ class x_property write;
+ class x_device { setfocus grab force_cursor freeze };
+ class x_screen setattr;
+ ')
+
+ type $1_wm_t;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t,wm_exec_t)
+ role $1_r types $1_wm_t;
+
+ domtrans_pattern($1_t, wm_exec_t, $1_wm_t)
+
+ type $1_wm_tmpfs_t;
+ xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t)
+
+ files_read_etc_files($1_wm_t)
+
+ libs_use_ld_so($1_wm_t)
+ libs_use_shared_libs($1_wm_t)
+
+ nscd_dontaudit_search_pid($1_wm_t)
+
+ miscfiles_read_localization($1_wm_t)
+
+ dev_read_urand($1_wm_t)
+
+ files_list_tmp($1_wm_t)
+
+ dbus_user_bus_client_template($1,$1,$1_wm_t)
+
+ allow $1_wm_t info_xproperty_t:x_property write;
+
+ allow $1_wm_t self:process getsched;
+ allow $1_wm_t self:x_drawable blend;
+
+ allow $1_wm_t tmpfs_t:file { read write };
+ allow $1_wm_t $1_client_xevent_t:x_synthetic_event send;
+ allow $1_wm_t $1_focus_xevent_t:x_event receive;
+ allow $1_wm_t $1_home_t:dir search;
+ allow $1_wm_t $1_home_t:file { read append };
+ allow $1_wm_t $1_input_xevent_t:x_event receive;
+ allow $1_wm_t $1_manage_xevent_t:x_event receive;
+ allow $1_wm_t $1_manage_xevent_t:x_synthetic_event { receive send };
+ allow $1_wm_t $1_property_xevent_t:x_event receive;
+ allow $1_wm_t $1_t:unix_stream_socket connectto;
+ allow $1_wm_t $1_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
+ allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name };
+ allow $1_wm_t $1_tmp_t:sock_file { write create unlink };
+ allow $1_wm_t $1_xproperty_t:x_property { read write };
+ allow $1_wm_t usr_t:file { read getattr };
+ allow $1_wm_t usr_t:lnk_file read;
+ allow $1_wm_t $2_rootwindow_t:x_colormap install;
+ allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr };
+ allow $1_wm_t $2_var_run_t:dir search;
+ allow $1_wm_t $2_var_run_t:file { read getattr };
+ allow $1_wm_t $2_xproperty_t:x_property { write read };
+ allow $1_wm_t $2_xserver_t:x_device { setfocus use setattr grab manage getattr freeze };
+ allow $1_wm_t $2_xserver_t:x_resource write;
+ allow $1_wm_t $2_xserver_t:x_screen setattr;
+ allow $1_wm_t xselection_t:x_selection setattr;
+ allow $1_wm_t $2_rootwindow_t:x_colormap uninstall;
+ allow $1_wm_t $2_xserver_t:x_device force_cursor;
+
+ ifdef(`enable_mls',`
+ mls_file_read_all_levels($1_wm_t)
+ mls_xwin_write_to_clearance($1_wm_t)
+ ')
+
+ allow $1_t $1_wm_t:unix_stream_socket connectto;
+ allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child };
+')
+
--- serefpolicy-3.4.1/policy/modules/apps/wm.te 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/wm.te 2008-06-24 12:01:56.000000000 -0500
@@ -0,0 +1,8 @@
+policy_module(wm,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
--- serefpolicy-3.4.1/policy/modules/apps/wm.fc 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/wm.fc 2008-06-24 12:01:56.000000000 -0500
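Review bot: The gen_require block disagrees with the rules below it: `$1_home_t`, `usr_t`, `info_xproperty_t` and `xselection_t` appear in allow rules but are never required, while `$1_dbusd_t` and `output_xext_t` are required and never used, so a modular build is likely to fail on the missing type requires. The class requires are similarly partial — `x_device` lists `setfocus grab force_cursor freeze` but the rules also grant `use setattr manage getattr`, `x_drawable` requires only `manage`, and `x_resource`, `x_selection`, `x_event` and `x_synthetic_event` are not listed — so if class requires are kept they should cover exactly what is granted, as in the block below. The better fix for the foreign types is to call the owning modules' interfaces (`files_read_usr_files($1_wm_t)`, `fs_rw_tmpfs_files($1_wm_t)`, and the userdom and xserver equivalents for `$1_home_t`, `$1_tmp_t` and the `$2_*` X server types) instead of raw allow rules, and to add a comment explaining why a window manager needs `$1_home_t:file { read append }` and `$2_xserver_t:x_device { setfocus use setattr grab manage getattr freeze }`, since those are the grants a reader will question. Both parameters are documented as `<param name="prefix">`; the second should read `<param name="xserver_prefix">` with the summary `The prefix of the X server domain (e.g., xdm is the prefix for xdm_xserver_t).`, matching the only call site `wm_domain_template(user,xdm)`. The patch is pasted twice in this message, and all of this applies equally to the second copy.
```m4
template(`wm_domain_template',`
	gen_require(`
		type $1_t, $1_home_t, $1_tmp_t;
		type wm_exec_t, tmpfs_t, usr_t;
		type info_xproperty_t, xselection_t;
		type $2_rootwindow_t, $2_xproperty_t, $2_xserver_t, $2_var_run_t;
		type $1_xproperty_t, $1_input_xevent_t, $1_manage_xevent_t, $1_property_xevent_t;
		type $1_focus_xevent_t, $1_client_xevent_t;
		role $1_r;
		class x_colormap { install uninstall };
		class x_drawable { blend get_property set_property getattr setattr show receive send read write manage list_child };
		class x_property { read write };
		class x_device { setfocus use setattr getattr grab manage force_cursor freeze };
		class x_screen setattr;
		class x_resource write;
		class x_selection setattr;
		class x_event receive;
		class x_synthetic_event { receive send };
	')
	# … unchanged: type declarations, domtrans_pattern, interface calls and allow rules …
```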
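Review bot: `type wm_exec_t;` is declared bare in wm.te; apps modules normally follow an entrypoint type declaration with `application_executable_file(wm_exec_t)` so the type is a labelable executable type on its own, independently of whichever template later hands it to `domain_entry_file`. If `domain_entry_file` in this tree already attaches the file attributes, the extra call is harmless, but it keeps wm.te consistent when no window manager template has been instantiated. A one-line comment would also help here, since the file context that uses this type lives in metacity.fc while wm.fc is empty: `# shared entrypoint type for all window manager domains; see wm_domain_template in wm.if`.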
@@ -0,0 +1 @@
+
--- serefpolicy-3.4.1/policy/modules/apps/metacity.fc 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/metacity.fc 2008-06-24 12:01:26.000000000 -0500
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
--- serefpolicy-3.4.1/policy/modules/apps/metacity.if 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/metacity.if 2008-06-24 12:01:26.000000000 -0500
@@ -0,0 +1 @@
+## <summary></summary>
--- serefpolicy-3.4.1/policy/modules/apps/metacity.te 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/metacity.te 2008-06-24 12:01:26.000000000 -0500
@@ -0,0 +1,8 @@
+policy_module(metacity,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+wm_domain_template(user,xdm)
[root@localhost SOURCES]# cat wm-policy.patch
--- serefpolicy-3.4.1/policy/modules/apps/wm.if 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/wm.if 2008-06-24 12:01:56.000000000 -0500
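Review bot: The module summary in metacity.if is empty (`## <summary></summary>`), which leaves the generated interface documentation blank for this module. Fill it in, e.g. `## <summary>Metacity window manager.</summary>`, mirroring the `Window Manager.` summary used in wm.if.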
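Review bot: `wm_domain_template(user,xdm)` instantiates the window manager domain for the `user` prefix only, so the template's `domtrans_pattern($1_t, wm_exec_t, $1_wm_t)` transitions only `user_t`; any other user domain in this tree that runs `/usr/bin/metacity` stays in its own domain and none of the wm rules apply to it. If other user prefixes are expected to run a window manager, the template should be invoked once per user domain (or from the userdom templates) rather than hard-coded here. Either way a comment should record why `xdm` is the X server prefix, e.g. `# metacity is started from the xdm-managed X session, hence the xdm X server prefix`, hedged as appropriate for this tree.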
@@ -0,0 +1,105 @@
+## <summary>Window Manager.</summary>
+
+#######################################
+## <summary>
+## Template to create types and rules common to
+## any window manager domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="prefix">
+## <summary>
+## The prefix of the X server domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`wm_domain_template',`
+ gen_require(`
+ type $1_t;
+ type wm_exec_t;
+ type tmpfs_t;
+ type $1_dbusd_t;
+ type $1_tmp_t;
+ type $2_rootwindow_t, $2_xproperty_t, $2_xserver_t, $2_var_run_t;
+ type $1_xproperty_t, $1_input_xevent_t, $1_manage_xevent_t, $1_property_xevent_t;
+ type $1_focus_xevent_t, $1_client_xevent_t;
+ type output_xext_t;
+ class x_colormap { install uninstall };
+ class x_drawable manage;
+ class x_property write;
+ class x_device { setfocus grab force_cursor freeze };
+ class x_screen setattr;
+ ')
+
+ type $1_wm_t;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t,wm_exec_t)
+ role $1_r types $1_wm_t;
+
+ domtrans_pattern($1_t, wm_exec_t, $1_wm_t)
+
+ type $1_wm_tmpfs_t;
+ xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t)
+
+ files_read_etc_files($1_wm_t)
+
+ libs_use_ld_so($1_wm_t)
+ libs_use_shared_libs($1_wm_t)
+
+ nscd_dontaudit_search_pid($1_wm_t)
+
+ miscfiles_read_localization($1_wm_t)
+
+ dev_read_urand($1_wm_t)
+
+ files_list_tmp($1_wm_t)
+
+ dbus_user_bus_client_template($1,$1,$1_wm_t)
+
+ allow $1_wm_t info_xproperty_t:x_property write;
+
+ allow $1_wm_t self:process getsched;
+ allow $1_wm_t self:x_drawable blend;
+
+ allow $1_wm_t tmpfs_t:file { read write };
+ allow $1_wm_t $1_client_xevent_t:x_synthetic_event send;
+ allow $1_wm_t $1_focus_xevent_t:x_event receive;
+ allow $1_wm_t $1_home_t:dir search;
+ allow $1_wm_t $1_home_t:file { read append };
+ allow $1_wm_t $1_input_xevent_t:x_event receive;
+ allow $1_wm_t $1_manage_xevent_t:x_event receive;
+ allow $1_wm_t $1_manage_xevent_t:x_synthetic_event { receive send };
+ allow $1_wm_t $1_property_xevent_t:x_event receive;
+ allow $1_wm_t $1_t:unix_stream_socket connectto;
+ allow $1_wm_t $1_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
+ allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name };
+ allow $1_wm_t $1_tmp_t:sock_file { write create unlink };
+ allow $1_wm_t $1_xproperty_t:x_property { read write };
+ allow $1_wm_t usr_t:file { read getattr };
+ allow $1_wm_t usr_t:lnk_file read;
+ allow $1_wm_t $2_rootwindow_t:x_colormap install;
+ allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr };
+ allow $1_wm_t $2_var_run_t:dir search;
+ allow $1_wm_t $2_var_run_t:file { read getattr };
+ allow $1_wm_t $2_xproperty_t:x_property { write read };
+ allow $1_wm_t $2_xserver_t:x_device { setfocus use setattr grab manage getattr freeze };
+ allow $1_wm_t $2_xserver_t:x_resource write;
+ allow $1_wm_t $2_xserver_t:x_screen setattr;
+ allow $1_wm_t xselection_t:x_selection setattr;
+ allow $1_wm_t $2_rootwindow_t:x_colormap uninstall;
+ allow $1_wm_t $2_xserver_t:x_device force_cursor;
+
+ ifdef(`enable_mls',`
+ mls_file_read_all_levels($1_wm_t)
+ mls_xwin_write_to_clearance($1_wm_t)
+ ')
+
+ allow $1_t $1_wm_t:unix_stream_socket connectto;
+ allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child };
+')
+
--- serefpolicy-3.4.1/policy/modules/apps/wm.te 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/wm.te 2008-06-24 12:01:56.000000000 -0500
@@ -0,0 +1,8 @@
+policy_module(wm,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
--- serefpolicy-3.4.1/policy/modules/apps/wm.fc 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/wm.fc 2008-06-24 12:01:56.000000000 -0500
@@ -0,0 +1 @@
+
--- serefpolicy-3.4.1/policy/modules/apps/metacity.fc 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/metacity.fc 2008-06-24 12:01:26.000000000 -0500
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
--- serefpolicy-3.4.1/policy/modules/apps/metacity.if 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/metacity.if 2008-06-24 12:01:26.000000000 -0500
@@ -0,0 +1 @@
+## <summary></summary>
--- serefpolicy-3.4.1/policy/modules/apps/metacity.te 1969-12-31 17:00:00.000000000 -0700
+++ serefpolicy-3.4.1.new/policy/modules/apps/metacity.te 2008-06-24 12:01:26.000000000 -0500
@@ -0,0 +1,8 @@
+policy_module(metacity,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+wm_domain_template(user,xdm)
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.