rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

add user fonts to xserver.

This commit is contained in:
Chris PeBenito 2006-03-28 18:29:52 +00:00
parent a5d54655dd
commit 1786478c7b
6 changed files with 140 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
refpolicy/Changelog
View File

@ -1,3 +1,4 @@
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain - Additional interfaces in corecommands, miscfiles, and userdomain
from Joy Latten. from Joy Latten.
- Miscellaneous fixes from Thomas Bleher. - Miscellaneous fixes from Thomas Bleher.

4
refpolicy/policy/modules/services/xserver.fc
View File

@ -2,6 +2,10 @@
# HOME_DIR # HOME_DIR
# #
ifdef(`strict_policy',` ifdef(`strict_policy',`
HOME_DIR/\.fonts.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
HOME_DIR/\.fonts.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)

115
refpolicy/policy/modules/services/xserver.if
View File

@ -229,6 +229,15 @@ template(`xserver_per_userdomain_template',`
xserver_common_domain_template($1) xserver_common_domain_template($1)
role $3 types $1_xserver_t; role $3 types $1_xserver_t;
type $1_fonts_t, fonts_type;
userdom_user_home_content($1,$1_fonts_t)
type $1_fonts_cache_t, fonts_cache_type;
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_iceauth_t; type $1_iceauth_t;
domain_type($1_iceauth_t) domain_type($1_iceauth_t)
role $3 types $1_iceauth_t; role $3 types $1_iceauth_t;
@ -269,6 +278,17 @@ template(`xserver_per_userdomain_template',`
allow $1_xserver_t $2:shm rw_shm_perms; allow $1_xserver_t $2:shm rw_shm_perms;
allow $2 $1_fonts_t:dir manage_dir_perms;
allow $2 $1_fonts_t:file manage_file_perms;
allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
allow $2 $1_fonts_config_t:dir manage_dir_perms;
allow $2 $1_fonts_config_t:file manage_file_perms;
allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
# For startup relabel
allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
allow $2 $1_xserver_tmp_t:dir r_dir_perms; allow $2 $1_xserver_tmp_t:dir r_dir_perms;
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms; allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
allow $2 $1_xserver_t:unix_stream_socket connectto; allow $2 $1_xserver_t:unix_stream_socket connectto;
@ -288,14 +308,13 @@ template(`xserver_per_userdomain_template',`
userdom_setattr_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t)
xserver_use_user_fonts($1,$1_xserver_t)
optional_policy(` optional_policy(`
userhelper_search_config($1_xserver_t) userhelper_search_config($1_xserver_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
# Read fonts
read_fonts($1_xserver_t, $1)
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms; allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t xdm_xserver_t:unix_stream_socket connectto; allow $1_t xdm_xserver_t:unix_stream_socket connectto;
@ -559,6 +578,7 @@ template(`xserver_user_client_template',`
xserver_ro_session_template(xdm,$2,$3) xserver_ro_session_template(xdm,$2,$3)
xserver_rw_session_template($1,$2,$3) xserver_rw_session_template($1,$2,$3)
xserver_use_user_fonts($1,$2)
# Client write xserver shm # Client write xserver shm
tunable_policy(`allow_write_xshm',` tunable_policy(`allow_write_xshm',`
@ -571,10 +591,57 @@ template(`xserver_user_client_template',`
kernel_tcp_recvfrom($2) kernel_tcp_recvfrom($2)
ssh_tcp_connect($2) ssh_tcp_connect($2)
') ')
')
ifdef(`TODO',` ########################################
# cjp: need to implement the user-specific fonts part ## <summary>
read_fonts($2, $1) ## Read user fonts, user font configuration,
## and manage the user font cache.
## </summary>
## <desc>
## <p>
## Read user fonts, user font configuration,
## and manage the user font cache.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`xserver_use_user_fonts',`
gen_require(`
type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
')
# Read per user fonts
allow $2 $1_fonts_t:dir list_dir_perms;
allow $2 $1_fonts_t:file read_file_perms;
# Manipulate the global font cache
allow $2 $1_fonts_cache_t:dir manage_dir_perms;
allow $2 $1_fonts_cache_t:file manage_file_perms;
# Read per user font config
allow $2 $1_fonts_config_t:dir list_dir_perms;
allow $2 $1_fonts_config_t:file read_file_perms;
userdom_search_user_home_dirs($1,$2)
# There are some fonts in .gnome2
ifdef(`gnome.te', `
allow $2 $1_gnome_settings_t:dir { getattr search };
') ')
') ')
@ -615,6 +682,42 @@ template(`xserver_domtrans_user_xauth',`
allow $1_xauth_t $2:process sigchld; allow $1_xauth_t $2:process sigchld;
') ')
########################################
## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_use_all_users_fonts',`
gen_require(`
attribute fonts_type, fonts_cache_type, fonts_config_type;
')
# Read per user fonts
allow $1 fonts_type:dir list_dir_perms;
allow $1 fonts_type:file read_file_perms;
# Manipulate the global font cache
allow $1 fonts_cache_type:dir manage_dir_perms;
allow $1 fonts_cache_type:file manage_file_perms;
# Read per user font config
allow $1 fonts_config_type:dir list_dir_perms;
allow $1 fonts_config_type:file read_file_perms;
userdom_search_all_users_home_dirs($1)
# There are some fonts in .gnome2
ifdef(`gnome.te', `
allow $1 $1_gnome_settings_t:dir { getattr search };
')
')
######################################## ########################################
## <summary> ## <summary>
## Connect to XDM over a unix domain ## Connect to XDM over a unix domain

13
refpolicy/policy/modules/services/xserver.te
View File

@ -1,11 +1,15 @@
policy_module(xserver,1.1.1) policy_module(xserver,1.1.2)
######################################## ########################################
# #
# Declarations # Declarations
# #
attribute fonts_type;
attribute fonts_cache_type;
attribute fonts_config_type;
type ice_tmp_t; type ice_tmp_t;
files_tmp_file(ice_tmp_t) files_tmp_file(ice_tmp_t)
@ -414,12 +418,7 @@ ifdef(`strict_policy',`
# (xauth?) # (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t) userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
ifdef(`TODO',` xserver_use_all_users_fonts(xdm_xserver_t)
# Read all global and per user fonts
read_fonts(xdm_xserver_t, sysadm)
read_fonts(xdm_xserver_t, staff)
read_fonts(xdm_xserver_t, user)
') dnl end TODO
') ')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`

19
refpolicy/policy/modules/system/userdomain.if
View File

@ -3871,6 +3871,25 @@ interface(`userdom_read_sysadm_home_content_files',`
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms; allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
') ')
########################################
## <summary>
## Search all users home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
attribute home_dir_type;
')
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## List all users home directories. ## List all users home directories.

2
refpolicy/policy/modules/system/userdomain.te
View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.6) policy_module(userdomain,1.3.7)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;