From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> I've removed the Table 12: reference and reworded. This now just looks like a list. Also fixed a few minor nits + added a contents list. Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> --- src/x_windows.md | 146 +++++++++++++++++++++++++++++------------------------- 1 file changed, 79 insertions(+), 67 deletions(-) diff --git a/src/x_windows.md b/src/x_windows.md index 6fdd39e..74edc62 100644 --- a/src/x_windows.md +++ b/src/x_windows.md @@ -1,5 +1,14 @@ # X-Windows SELinux Support +- [**Infrastructure Overview**](#infrastructure-overview) +- [**Polyinstantiation**](#polyinstantiation) +- [**Configuration Information**](#configuration-information) + - [**Enable/Disable the OM from Policy Decisions**](#enabledisable-the-om-from-policy-decisions) + - [**Configure OM Enforcement Mode**](#configure-om-enforcement-mode) + - [**Determine OM X-extension Opcode**](#determine-om-x-extension-opcode) + - [**The *x_contexts* File**](#the-x_contexts-file) +- [**SELinux Extension Functions**](#selinux-extension-functions) + The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources) using an X-Windows extension acting as the object manager @@ -53,7 +62,7 @@ information that is required by the OM for labeling certain objects. The OM reads its contents using the ***selabel_lookup**(3)* function. **XSELinux Object Manager** - This is an X-extension for the X-server -process that mediates all access decisions between the the X-server (via +process that mediates all access decisions between the X-server (via the XACE interface) and the SELinux security server (via *libselinux*). The OM is initialised before any X-clients connect to the X-server. 
@@ -235,21 +244,30 @@ A full description of the *x_contexts* file format is given in the ## SELinux Extension Functions -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxQueryVersion | 0 | None | +The XSELinux Extension Functions listed below are supported by the object +manager as X-protocol extensions. + +Note that **XSELinuxGet\*** functions return a default context, however +those with Minor Parameter: 2, 6, 9, 11, 16 and 18 will not return a value +unless one has been set by the appropriate **XSELinuxSet\*** function (Minor +Parameter: 1, 5, 8, 10, 15 and 17). + +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxQueryVersion | 0 | None | Returns the XSELinux version. Fedora returns 1.1. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetDeviceCreateContext | 1 | Context + Len | + +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetDeviceCreateContext | 1 | Context + Len | Sets the context for creating a device object (*x_device*). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetDeviceCreateContext | 2 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetDeviceCreateContext | 2 | None | Retrieves the context set by *XSELinuxSetDeviceCreateContext*. 
@@ -259,115 +277,115 @@ Retrieves the context set by *XSELinuxSetDeviceCreateContext*. Sets the context for creating the specified DeviceID object. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetDeviceContext | 4 | DeviceID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetDeviceContext | 4 | DeviceID | Retrieves the context set by *XSELinuxSetDeviceContext*. -| Function Name | Minor Parameters | Opcode | +| Function Name | Minor Parameter | Opcode | | --------------------------------- | ---------------- | --------------------- | | XSELinuxSetWindowCreateContext | 5 | Context + Len | Set the context for creating a window object (*x_window*). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetWindowCreateContext | 6 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetWindowCreateContext | 6 | None | Retrieves the context set by *XSELinuxSetWindowCreateContext*. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetWindowContext | 7 | WindowID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetWindowContext | 7 | WindowID | Retrieves the specified WindowID context. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetPropertyCreateContext | 8 | Context | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetPropertyCreateContext | 8 | Context | Sets the context for creating a property object (*x_property*). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyCreateContext | 9 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyCreateContext | 9 | None | Retrieves the context set by *XSELinuxSetPropertyCreateContext*. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetPropertyUseContext | 10 | Context + Len | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetPropertyUseContext | 10 | Context + Len | Sets the context of the property object to be retrieved when polyinstantiation is being used. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyUseContext | 11 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyUseContext | 11 | None | Retrieves the property object context set by *SELinuxSetPropertyUseContext*. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyContext | 12 | WindowID + AtomID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyContext | 12 | WindowID + AtomID | Retrieves the context of the property atom object. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyDataContext | 13 | WindowID + AtomID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyDataContext | 13 | WindowID + AtomID | Retrieves the context of the property atom data. -| Function Name | Minor Parameters | Opcode | +| Function Name | Minor Parameter | Opcode | | --------------------------------- | ---------------- | --------------------- | | XSELinuxListProperties | 14 | WindowID | Lists the object and data contexts of properties associated with the selected WindowID. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetSelectionCreateContext | 15 | Context + Len | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetSelectionCreateContext | 15 | Context + Len | Sets the context to be used for creating a selection object. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetSelectionCreateContext | 16 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetSelectionCreateContext | 16 | None | Retrieves the context set by *SELinuxSetSelectionCreateContext*. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetSelectionUseContext | 17 | Context + Len | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetSelectionUseContext | 17 | Context + Len | Sets the context of the selection object to be retrieved when polyinstantiation is being used. See the *XSELinuxListSelections* function for an example. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetSelectionUseContext | 18 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetSelectionUseContext | 18 | None | Retrieves the selection object context set by *SELinuxSetSelectionUseContext*. -| Function Name | Minor Parameters | Opcode | +| Function Name | Minor Parameter | Opcode | | --------------------------------- | ---------------- | --------------------- | | XSELinuxGetSelectionContext | 19 | AtomID | Retrieves the context of the specified selection atom object. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetSelectionDataContext | 20 | AtomID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetSelectionDataContext | 20 | AtomID | Retrieves the context of the selection data from the current selection owner (*x_application_data* object). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxListSelections | 21 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxListSelections | 21 | None | Lists the selection atom object and data contexts associated with this display. The main difference in the listings is that when (for example) the *PRIMARY* @@ -391,18 +409,12 @@ Atom: PRIMARY - Labels for client 2: - Object Context: *system_u:object_r:x_select_paste2_t* - Data Context: *system_u:object_r:x_select_paste2_t* -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetClientContext | 22 | ResourceID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetClientContext | 22 | ResourceID | Retrieves the client context of the specified ResourceID. -**Table 12: The XSELinux Extension Functions** - *Supported by the object -manager as X-protocol extensions. Note that some functions will return -the default contexts, while others (2, 6, 9, 11, 16, 18) will not return -a value unless one has been set the the appropriate function (1, 5, 8, -10, 15, 17) by an SELinux-aware application.* - <!-- %CUTHERE% --> ---
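Review bot: the contents list in the first hunk relies on the renderer's heading-slug rules; `#enabledisable-the-om-from-policy-decisions` and `#the-x_contexts-file` only resolve if the slash in "Enable/Disable" and the emphasis markers around *x_contexts* are dropped when heading ids are generated, so check both links in the rendered notebook before merging.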
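Review bot: the new introductory note in the SELinux Extension Functions hunk reads as a comma splice and over-generalises: "XSELinuxGet\* functions return a default context, however those with Minor Parameter: 2, 6, ..." states that all Get functions return a default, then carves out six that do not. Suggest splitting it, e.g. "Most **XSELinuxGet\*** functions return a default context. Those with Minor Parameter 2, 6, 9, 11, 16 and 18 return a value only after one has been set by the matching **XSELinuxSet\*** function (Minor Parameter 1, 5, 8, 10, 15 and 17)."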
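Review bot: in the large table hunk the header cell is renamed to "Minor Parameter" everywhere, but the separator row is left at the old width for three tables (XSELinuxSetWindowCreateContext, XSELinuxListProperties and XSELinuxGetSelectionContext keep `| ---------------- |` while the rest are shortened to `| --------------- |`). Markdown renders either way, but the source is now inconsistent. Since the commit also fixes minor nits, the unchanged context lines "Retrieves the context set by *SELinuxSetPropertyUseContext*", "*SELinuxSetSelectionCreateContext*" and "*SELinuxSetSelectionUseContext*" should gain the missing "X" prefix so they match the function names in the tables, and "Set the context for creating a window object" should read "Sets" like its neighbours.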
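Review bot: the removed Table 12 caption in the last hunk said the contexts are set "by an SELinux-aware application", and that clause does not survive into the replacement note added at the top of the section. It is the only place the document says who is expected to call the XSELinuxSet\* functions, so consider carrying it over into the new note rather than dropping it.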