srivasta@debian.org--etch/refpolicy--debian--0.0--versionfix-13
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-7
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-8
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-20
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-29
Updated in Debian 0.2.20091117-2
Debian creates /dev/xconsole independent of the xserver
* policy/modules/services/xserver.fc: Move initial context of
/dev/xconsole out of here
* policy/modules/services/xserver.te: Ditto.
* policy/modules/services/xserver.if: Ditto.
* policy/modules/system/init.te: Add xconsole stuff here, and also take
care of /etc/network/run/ifstate
* policy/modules/system/logging.fc: Add /dev/console here
* policy/modules/system/logging.if: Ditto.
* policy/modules/system/logging.te: Ditto.
* Allow syslogd_t read/write access to xconsole_device_t.
Index: policy/modules/kernel/devices.if
===================================================================
--- policy/modules/kernel/devices.if.orig
+++ policy/modules/kernel/devices.if
@@ -787,6 +787,26 @@
########################################
##
+## Create FIFO pipes in device directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_create_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_t:fifo_file { getattr create };
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 device_t:file setattr_file_perms;
+')
+
+########################################
+##
## Create, delete, read, and write symbolic links in device directories.
##
##
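Review bot: The last rule of the new `dev_create_generic_pipes`, `allow $1 device_t:file setattr_file_perms;`, is a permission on regular files, not on the FIFO the interface is documented to create, and it is not needed for mkfifo; it hands the caller setattr on every generic file under /dev. If the intent is to chmod/chown the pipe after creating it, the permission belongs on the fifo class: `allow $1 device_t:fifo_file { getattr create setattr };` and the `device_t:file` line should go. If `add_entry_dir_perms` is defined as in upstream refpolicy (it includes search), the separate `search_dir_perms` line is redundant, though harmless. Since the pipe is created inside a `device_t` directory it will itself be labelled `device_t` unless a type transition applies, which the interface comment could state so callers know a relabel or filetrans is still needed.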
Index: policy/modules/services/xserver.fc
===================================================================
--- policy/modules/services/xserver.fc.orig
+++ policy/modules/services/xserver.fc
@@ -11,11 +11,6 @@
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
-# /dev
-#
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
# /etc
#
Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if.orig
+++ policy/modules/services/xserver.if
@@ -602,42 +602,6 @@
########################################
##
-## Set the attributes of the X windows console named pipes.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`xserver_setattr_console_pipes',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file setattr;
-')
-
-########################################
-##
-## Read and write the X windows console named pipe.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`xserver_rw_console',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-##
## Use file descriptors for xdm.
##
##
Index: policy/modules/services/xserver.te
===================================================================
--- policy/modules/services/xserver.te.orig
+++ policy/modules/services/xserver.te
@@ -151,12 +151,6 @@
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
@@ -317,7 +311,8 @@
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+logging_r_xconsole(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
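Review bot: The old rule is left behind as the commented-out line `#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };` directly above `logging_r_xconsole(xdm_t)`; `xconsole_device_t` is no longer declared in this module, so the comment is dead text and should be deleted rather than kept. The replacement also changes what xdm gets: `setattr` is dropped and `read` is added, so xdm can now consume the console pipe but can no longer change its mode or owner — plausible if only init scripts set the mode now, but worth making visibly deliberate with a comment such as `# xdm reads the console log fifo; its mode is set by init scripts`. The `xdm_t` rule block continues outside this hunk.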
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -391,6 +391,7 @@
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
+logging_setattr_xconsole(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -407,9 +408,15 @@
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
+# seed udev /dev
+dev_create_generic_dirs(initrc_t)
+
ifdef(`distro_debian',`
- dev_setattr_generic_dirs(initrc_t)
+ # to be able to create /dev/xconsole
+ dev_create_generic_pipes(initrc_t)
+ # for /etc/network/run/ifstate
+ sysnet_manage_config(initrc_t)
fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
# for storing state under /dev/shm
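Review bot: `sysnet_manage_config(initrc_t)`, added for /etc/network/run/ifstate, grants create/write/unlink over everything labelled `net_conf_t`, which in refpolicy also covers /etc/resolv.conf and /etc/hosts — far wider than the single state file the comment names. If ifstate is the only target, a narrower grant (a dedicated type with a `filetrans` rule, or `sysnet_rw_config` if rewriting in place is enough) would keep init scripts from being able to rewrite resolver configuration. Likewise `dev_create_generic_pipes(initrc_t)` lets init scripts mkfifo /dev/xconsole, but with no `type_transition` the new pipe inherits `device_t` from /dev rather than the `xconsole_device_t` this patch assigns in logging.fc, so `logging_setattr_xconsole(initrc_t)` and syslogd's rw rule would presumably not apply until a restorecon runs; a `dev_filetrans`-style rule, or a comment saying the relabel is expected, would close that gap. `dev_create_generic_dirs(initrc_t)` is now outside the `distro_debian` block and so applies to every distribution, which the commit message does not mention.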
@@ -845,9 +852,6 @@
')
optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
# init script wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
Index: policy/modules/system/logging.fc
===================================================================
--- policy/modules/system/logging.fc.orig
+++ policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
Index: policy/modules/system/logging.if
===================================================================
--- policy/modules/system/logging.if.orig
+++ policy/modules/system/logging.if
@@ -901,6 +901,41 @@
########################################
##
+## Set the attributes of the xconsole named pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_setattr_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+##
+## Read the xconsole named pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+########################################
+##
## Create, read, write, and delete
## generic log files.
##
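Review bot: `logging_r_xconsole` grants `fifo_file { getattr read }` without `open`; on kernels that enforce the open permission a domain given this interface can stat the pipe but not open it for reading, so the read grant is ineffective there. Use the policy's permission-set macro instead, `allow $1 xconsole_device_t:fifo_file read_fifo_file_perms;`, which (if defined as upstream) also brings lock and ioctl and matches the `rw_fifo_file_perms` style of the interfaces this patch removes from xserver.if. A blank separator line is also missing between the interface's closing `')` and the `########` banner that follows it, unlike the other interfaces in this file.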
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -81,6 +81,13 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
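Review bot: `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` applies the regular-file permission set to a `fifo_file` object; the set for pipes is `rw_fifo_file_perms`, which is what the removed `xserver_rw_console` used, so the line should read `allow syslogd_t xconsole_device_t:fifo_file rw_fifo_file_perms;`. The rule also sits in the type-declaration section next to `type xconsole_device_t;` rather than with the other `syslogd_t` rules further down, so moving it there (or at least prefixing it with `# log to the xconsole`, the comment the deleted optional_policy block carried) keeps declarations and allow rules apart as the rest of the module does. Making the rule unconditional is correct now that the type lives in this module; the `syslogd_t` rule block itself is outside this hunk.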
@@ -510,8 +517,3 @@
optional_policy(`
udev_read_db(syslogd_t)
')
-
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')