authorEamon Walsh <ewalsh@tycho.nsa.gov>2009-10-13 19:46:57 -0400
committerEamon Walsh <ewalsh@tycho.nsa.gov>2009-10-13 20:01:01 -0400
commite9f458e3f0fc3ccaa1f5470c934362d135508eba (patch)
treec1a96935000d5f53644045efa1db8e254c8d14e0
parent431c98dc3b846a20bd36cb0e946698bfdfa8b006 (diff)
Make consolekit_t and system_dbusd_t unconfined in X.
Both of these types have been observed trying to touch the user's X display, one example being through /usr/libexec/ck-get-x11-server-pid and /usr/libexec/ck-get-x11-display-device. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
-rw-r--r--policy/modules/services/consolekit.te1
-rw-r--r--policy/modules/services/dbus.te2
2 files changed, 3 insertions, 0 deletions
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 1ead55d0..4f9b9924 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -108,6 +108,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
+ xserver_unconfined(consolekit_t)
corenet_tcp_connect_xserver_port(consolekit_t)
')
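Review bot: `xserver_unconfined(consolekit_t)` is a wider grant than the commit message justifies: the accesses it cites come from two helpers, /usr/libexec/ck-get-x11-server-pid and /usr/libexec/ck-get-x11-display-device, yet the whole consolekit_t domain is exempted from X confinement, on top of the xauth read and X port connect it already has. A compromised ConsoleKit daemon would then presumably be able to reach other clients' X objects. A narrower interface covering only the denials actually logged would be preferable. If the grant stays, a comment above the line such as `# ck-get-x11-server-pid and ck-get-x11-display-device query the user's X display` would record why. The same least-privilege concern applies to the `xserver_unconfined(system_dbusd_t)` line in dbus.te.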
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index aa857cb2..f60e1f16 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -135,6 +135,8 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+xserver_unconfined(system_dbusd_t)
+
optional_policy(`
bind_domtrans(system_dbusd_t)
')
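Review bot: `xserver_unconfined(system_dbusd_t)` is called at the top level of dbus.te, whereas the matching call in consolekit.te sits inside an `optional_policy` block. Unless xserver is a required module in this tree, the unguarded call makes the dbus module depend on it, so a headless policy build without xserver would likely fail to link. Moving the line into its own `optional_policy` block avoids that. The commit message gives a concrete example only for ConsoleKit, so a comment naming what the system bus daemon was seen doing to the display would help later reviewers judge whether the grant is still needed.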