From f4ff8bb944482f84e72cabca2a4643c88452c630 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 12 2008 19:57:12 +0000
Subject: - Prevent applications from reading x_device
---
diff --git a/policy-20080509.patch b/policy-20080509.patch
index e0bd342..4dee3c0 100644
--- a/policy-20080509.patch
+++ b/policy-20080509.patch
@@ -25914,7 +25914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 12:10:32.884486000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 14:55:38.413681000 -0400
@@ -16,7 +16,8 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -26151,8 +26151,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints($1_iceauth_t)
-@@ -470,31 +472,9 @@
- allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
+@@ -467,34 +469,12 @@
+ #
+
+ # Device rules
+- allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
++ allow $1_x_domain $1_xserver_t:x_device { getattr use setattr setfocus grab bell };
allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
+ allow $2 $1_input_xevent_type:x_event send;
@@ -26266,7 +26270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # manage: xhost X11:ChangeHosts
+ # freeze: metacity X11:GrabKey
+ # force_cursor: metacity X11:GrabPointer
-+ allow $3 $1_xserver_t:x_device { read manage freeze force_cursor };
++ allow $3 $1_xserver_t:x_device { manage freeze force_cursor };
+ allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell };
+
+ # gnome-settings-daemon XKEYBOARD:SetControls
diff --git a/selinux-policy.spec b/selinux-policy.spec
index db51aaa..69cef6f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -375,6 +375,9 @@ exit 0
%endif
%changelog
+* Thu Jun 12 2008 Dan Walsh 3.4.2-3
+- Prevent applications from reading x_device
+
* Thu Jun 12 2008 Dan Walsh 3.4.2-2
- Add /var/lib/selinux context
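Review bot: The comment block directly above the changed `allow $3 $1_xserver_t:x_device` rule documents which X request each remaining permission serves (`manage`, `freeze`, `force_cursor`) but says nothing about `read`, so a later reader cannot tell whether its absence is deliberate or a slip; a line such as `# read: intentionally not granted (3.4.2-3: prevent applications from reading x_device)` placed with the other permission comments would record the reason next to the rule. The same `read` removal for `$1_x_domain` in the earlier hunk (@@ -26151) deserves the same comment, though that hunk's last lines fall outside this chunk. If any client in the `$3` set does query device state, this will surface only as an AVC denial at runtime, so the audit log is worth a check after the update rather than assuming silence — that is inferred from the rule shape, not visible here. The enclosing interface body starts and ends outside the hunk.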