Add MLS constraints for x_pointer and x_keyboard.

policy/mls

@@ -666,6 +666,42 @@ mlsconstrain x_application_data { paste_after_confirm }
 	( l1 dom l2 );
 
 
+#
+# MLS policy for the x_pointer class
+#
+
+# the x_pointer "read" ops
+mlsconstrain x_pointer { getattr use read getfocus grab }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the x_pointer "write" ops (implicit single level)
+mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwritexinput ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_keyboard class
+#
+
+# the x_keyboard "read" ops
+mlsconstrain x_keyboard { getattr use read getfocus grab }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the x_keyboard "write" ops (implicit single level)
+mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwritexinput ) or
+	 ( t1 == mlsxwinwrite ));
+
+
 
 #
 # MLS policy for the dbus class