Non-drawing X client support for consolekit.

policy/modules/services/consolekit.te

@@ -1,5 +1,5 @@
 
-policy_module(consolekit, 1.5.0)
+policy_module(consolekit, 1.5.1)
 
 ########################################
 #
@@ -108,6 +108,7 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(consolekit_t)
 	xserver_read_user_xauth(consolekit_t)
+	xserver_non_drawing_client(consolekit_t)
 	corenet_tcp_connect_xserver_port(consolekit_t)
 ')
 

policy/modules/services/xserver.if

@@ -232,6 +232,37 @@ interface(`xserver_rw_session',`
 	allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Create non-drawing client sessions on an X server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_non_drawing_client',`
+	gen_require(`
+		class x_drawable { getattr get_property };
+		class x_extension { query use };
+		class x_gc { create setattr };
+		class x_property read;
+
+		type xserver_t, xdm_var_run_t;
+		type xextension_t, xproperty_t, root_xdrawable_t;
+	')
+
+	allow $1 self:x_gc { create setattr };
+
+	allow $1 xdm_var_run_t:dir search;
+	allow $1 xserver_t:unix_stream_socket connectto;
+
+	allow $1 xextension_t:x_extension { query use };
+	allow $1 root_xdrawable_t:x_drawable { getattr get_property };
+	allow $1 xproperty_t:x_property read;
+')
+
 #######################################
 ## <summary>
 ##	Create full client sessions

policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver, 3.3.1)
+policy_module(xserver, 3.3.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;