I am wondering whether the following are needed:

allow $1_$2_t xdm_t:fd use;
allow $1_$2_t xdm_t:fifo_file rw_file_perms; dontaudit $1_$2_t xdm_t:tcp_socket { read write };

allow $1_t $2_xserver_t:process signal;

I also plan on moving this out of x_client and into each separate client:

# Allow the user domain to send any signal to the $2 process.
can_ps($1_t, $1_$2_t)
allow $1_t $1_$2_t:process signal_perms;

And I've introduced a boolean here:

# Client write xserver shm

if (allow_write_xshm) {
allow $1_t $2_xserver_t:shm write;
allow $1_t $2_xserver_tmpfs_t:file write; }

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.