author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2009-10-13 19:17:13 -0400 |
---|---|---|
committer | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2009-10-13 20:01:01 -0400 |
commit | 3821d5a768c92be010d924fcd00e317807dde820 (patch) | |
tree | 454b4b330c5c1c9a6875d86301f3fe4450c27a48 | |
parent | 808341bb9b21c349ae1538b6049a27bb43326a24 (diff) |
Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types. Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
-rw-r--r-- | policy/flask/access_vectors | 55 | ||||
-rw-r--r-- | policy/flask/security_classes | 4 |
2 files changed, 38 insertions, 21 deletions
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3998b774..6620e4cc 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -94,6 +94,33 @@ common database
 }
 #
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
@@ -525,27 +552,7 @@ class x_client
 }
 class x_device
-{
- getattr
- setattr
- use
- read
- write
- getfocus
- setfocus
- bell
- force_cursor
- freeze
- grab
- manage
- list_property
- get_property
- set_property
- add
- remove
- create
- destroy
-}
+inherits x_device
 class x_server
 {
@@ -802,3 +809,9 @@ class kernel_service
 class tun_socket
 inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2bd1bf6d..fa65db2c 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,4 +121,8 @@ class kernel_service
 class tun_socket
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
 # FLASK
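Review bot: The header comment on the new `common x_device` block in policy/flask/access_vectors (first hunk) names only pointer and keyboard, but the second hunk makes `class x_device` inherit the same common, so three classes share it. I would word it `# Define a common prefix for the x_device, x_pointer and x_keyboard access vectors.` Because all 19 permissions are inherited unchanged, a second comment line noting that each permission (for example `read` or `grab`) must be granted per class would help policy writers who expect an `x_device` rule to cover the new classes.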
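Review bot: The `x_pointer` and `x_keyboard` classes added at the end of policy/flask/access_vectors (third hunk) arrive without any allow rules; the diffstat lists only the two flask files. Rules written against `x_device` do not extend to other classes that merely inherit the same common, so once the X server starts checking devices under the new classes, access to them would presumably be denied (or only logged in permissive mode) until the X server policy is updated. The commit description should state that dependency and the order in which the policy and server changes need to land, for example `Policy rules for x_pointer and x_keyboard follow in a separate commit.`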
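Review bot: The comment `# Still More SE-X Windows stuff` in policy/flask/security_classes does not say what the two classes are or why they are declared apart from the other X classes. Something like `# X input device classes (inherit common x_device); appended at the end so existing class values do not change` would record the intent, assuming the placement just before `# FLASK` was chosen to avoid renumbering earlier classes. The class order here should also be kept in step with the declarations appended to access_vectors in the same commit.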