add user fonts to xserver.

This commit is contained in:
Chris PeBenito 2006-03-28 18:29:52 +00:00
parent a5d54655dd
commit 1786478c7b
6 changed files with 140 additions and 14 deletions

View File

@ -1,3 +1,4 @@
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
from Joy Latten.
- Miscellaneous fixes from Thomas Bleher.

View File

@ -2,6 +2,10 @@
# HOME_DIR
#
ifdef(`strict_policy',`
HOME_DIR/\.fonts.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
HOME_DIR/\.fonts.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)

View File

@ -229,6 +229,15 @@ template(`xserver_per_userdomain_template',`
xserver_common_domain_template($1)
role $3 types $1_xserver_t;
type $1_fonts_t, fonts_type;
userdom_user_home_content($1,$1_fonts_t)
type $1_fonts_cache_t, fonts_cache_type;
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_iceauth_t;
domain_type($1_iceauth_t)
role $3 types $1_iceauth_t;
@ -269,6 +278,17 @@ template(`xserver_per_userdomain_template',`
allow $1_xserver_t $2:shm rw_shm_perms;
allow $2 $1_fonts_t:dir manage_dir_perms;
allow $2 $1_fonts_t:file manage_file_perms;
allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
allow $2 $1_fonts_config_t:dir manage_dir_perms;
allow $2 $1_fonts_config_t:file manage_file_perms;
allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
# For startup relabel
allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
allow $2 $1_xserver_tmp_t:dir r_dir_perms;
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
allow $2 $1_xserver_t:unix_stream_socket connectto;
@ -288,14 +308,13 @@ template(`xserver_per_userdomain_template',`
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
xserver_use_user_fonts($1,$1_xserver_t)
optional_policy(`
userhelper_search_config($1_xserver_t)
')
ifdef(`TODO',`
# Read fonts
read_fonts($1_xserver_t, $1)
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
@ -559,6 +578,7 @@ template(`xserver_user_client_template',`
xserver_ro_session_template(xdm,$2,$3)
xserver_rw_session_template($1,$2,$3)
xserver_use_user_fonts($1,$2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
@ -571,10 +591,57 @@ template(`xserver_user_client_template',`
kernel_tcp_recvfrom($2)
ssh_tcp_connect($2)
')
')
ifdef(`TODO',`
# cjp: need to implement the user-specific fonts part
read_fonts($2, $1)
########################################
## <summary>
## Read user fonts, user font configuration,
## and manage the user font cache.
## </summary>
## <desc>
## <p>
## Read user fonts, user font configuration,
## and manage the user font cache.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`xserver_use_user_fonts',`
gen_require(`
type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
')
# Read per user fonts
allow $2 $1_fonts_t:dir list_dir_perms;
allow $2 $1_fonts_t:file read_file_perms;
# Manipulate the global font cache
allow $2 $1_fonts_cache_t:dir manage_dir_perms;
allow $2 $1_fonts_cache_t:file manage_file_perms;
# Read per user font config
allow $2 $1_fonts_config_t:dir list_dir_perms;
allow $2 $1_fonts_config_t:file read_file_perms;
userdom_search_user_home_dirs($1,$2)
# There are some fonts in .gnome2
ifdef(`gnome.te', `
allow $2 $1_gnome_settings_t:dir { getattr search };
')
')
@ -615,6 +682,42 @@ template(`xserver_domtrans_user_xauth',`
allow $1_xauth_t $2:process sigchld;
')
########################################
## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_use_all_users_fonts',`
gen_require(`
attribute fonts_type, fonts_cache_type, fonts_config_type;
')
# Read per user fonts
allow $1 fonts_type:dir list_dir_perms;
allow $1 fonts_type:file read_file_perms;
# Manipulate the global font cache
allow $1 fonts_cache_type:dir manage_dir_perms;
allow $1 fonts_cache_type:file manage_file_perms;
# Read per user font config
allow $1 fonts_config_type:dir list_dir_perms;
allow $1 fonts_config_type:file read_file_perms;
userdom_search_all_users_home_dirs($1)
# There are some fonts in .gnome2
ifdef(`gnome.te', `
allow $1 $1_gnome_settings_t:dir { getattr search };
')
')
########################################
## <summary>
## Connect to XDM over a unix domain

View File

@ -1,11 +1,15 @@
policy_module(xserver,1.1.1)
policy_module(xserver,1.1.2)
########################################
#
# Declarations
#
attribute fonts_type;
attribute fonts_cache_type;
attribute fonts_config_type;
type ice_tmp_t;
files_tmp_file(ice_tmp_t)
@ -414,12 +418,7 @@ ifdef(`strict_policy',`
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
ifdef(`TODO',`
# Read all global and per user fonts
read_fonts(xdm_xserver_t, sysadm)
read_fonts(xdm_xserver_t, staff)
read_fonts(xdm_xserver_t, user)
') dnl end TODO
xserver_use_all_users_fonts(xdm_xserver_t)
')
ifdef(`targeted_policy',`

View File

@ -3871,6 +3871,25 @@ interface(`userdom_read_sysadm_home_content_files',`
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
')
########################################
## <summary>
## Search all users home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
attribute home_dir_type;
')
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
########################################
## <summary>
## List all users home directories.

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.6)
policy_module(userdomain,1.3.7)
gen_require(`
role sysadm_r, staff_r, user_r;