add user fonts to xserver.
This commit is contained in:
parent
a5d54655dd
commit
1786478c7b
|
@ -1,3 +1,4 @@
|
||||||
|
- Add user fonts to xserver.
|
||||||
- Additional interfaces in corecommands, miscfiles, and userdomain
|
- Additional interfaces in corecommands, miscfiles, and userdomain
|
||||||
from Joy Latten.
|
from Joy Latten.
|
||||||
- Miscellaneous fixes from Thomas Bleher.
|
- Miscellaneous fixes from Thomas Bleher.
|
||||||
|
|
|
@ -2,6 +2,10 @@
|
||||||
# HOME_DIR
|
# HOME_DIR
|
||||||
#
|
#
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
|
HOME_DIR/\.fonts.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
|
||||||
|
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
|
||||||
|
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
|
||||||
|
HOME_DIR/\.fonts.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
|
||||||
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
|
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
|
||||||
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||||
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||||
|
|
|
@ -229,6 +229,15 @@ template(`xserver_per_userdomain_template',`
|
||||||
xserver_common_domain_template($1)
|
xserver_common_domain_template($1)
|
||||||
role $3 types $1_xserver_t;
|
role $3 types $1_xserver_t;
|
||||||
|
|
||||||
|
type $1_fonts_t, fonts_type;
|
||||||
|
userdom_user_home_content($1,$1_fonts_t)
|
||||||
|
|
||||||
|
type $1_fonts_cache_t, fonts_cache_type;
|
||||||
|
userdom_user_home_content($1,$1_fonts_cache_t)
|
||||||
|
|
||||||
|
type $1_fonts_config_t, fonts_config_type;
|
||||||
|
userdom_user_home_content($1,$1_fonts_cache_t)
|
||||||
|
|
||||||
type $1_iceauth_t;
|
type $1_iceauth_t;
|
||||||
domain_type($1_iceauth_t)
|
domain_type($1_iceauth_t)
|
||||||
role $3 types $1_iceauth_t;
|
role $3 types $1_iceauth_t;
|
||||||
|
@ -269,6 +278,17 @@ template(`xserver_per_userdomain_template',`
|
||||||
|
|
||||||
allow $1_xserver_t $2:shm rw_shm_perms;
|
allow $1_xserver_t $2:shm rw_shm_perms;
|
||||||
|
|
||||||
|
allow $2 $1_fonts_t:dir manage_dir_perms;
|
||||||
|
allow $2 $1_fonts_t:file manage_file_perms;
|
||||||
|
allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
|
||||||
|
|
||||||
|
allow $2 $1_fonts_config_t:dir manage_dir_perms;
|
||||||
|
allow $2 $1_fonts_config_t:file manage_file_perms;
|
||||||
|
allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
|
||||||
|
|
||||||
|
# For startup relabel
|
||||||
|
allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
|
||||||
|
|
||||||
allow $2 $1_xserver_tmp_t:dir r_dir_perms;
|
allow $2 $1_xserver_tmp_t:dir r_dir_perms;
|
||||||
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
|
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
|
||||||
allow $2 $1_xserver_t:unix_stream_socket connectto;
|
allow $2 $1_xserver_t:unix_stream_socket connectto;
|
||||||
|
@ -288,14 +308,13 @@ template(`xserver_per_userdomain_template',`
|
||||||
userdom_setattr_user_ttys($1,$1_xserver_t)
|
userdom_setattr_user_ttys($1,$1_xserver_t)
|
||||||
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
|
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
|
||||||
|
|
||||||
|
xserver_use_user_fonts($1,$1_xserver_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_search_config($1_xserver_t)
|
userhelper_search_config($1_xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Read fonts
|
|
||||||
read_fonts($1_xserver_t, $1)
|
|
||||||
|
|
||||||
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
||||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
|
|
||||||
|
@ -559,6 +578,7 @@ template(`xserver_user_client_template',`
|
||||||
|
|
||||||
xserver_ro_session_template(xdm,$2,$3)
|
xserver_ro_session_template(xdm,$2,$3)
|
||||||
xserver_rw_session_template($1,$2,$3)
|
xserver_rw_session_template($1,$2,$3)
|
||||||
|
xserver_use_user_fonts($1,$2)
|
||||||
|
|
||||||
# Client write xserver shm
|
# Client write xserver shm
|
||||||
tunable_policy(`allow_write_xshm',`
|
tunable_policy(`allow_write_xshm',`
|
||||||
|
@ -571,10 +591,57 @@ template(`xserver_user_client_template',`
|
||||||
kernel_tcp_recvfrom($2)
|
kernel_tcp_recvfrom($2)
|
||||||
ssh_tcp_connect($2)
|
ssh_tcp_connect($2)
|
||||||
')
|
')
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
########################################
|
||||||
# cjp: need to implement the user-specific fonts part
|
## <summary>
|
||||||
read_fonts($2, $1)
|
## Read user fonts, user font configuration,
|
||||||
|
## and manage the user font cache.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user fonts, user font configuration,
|
||||||
|
## and manage the user font cache.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## <summary>
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`xserver_use_user_fonts',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
# Read per user fonts
|
||||||
|
allow $2 $1_fonts_t:dir list_dir_perms;
|
||||||
|
allow $2 $1_fonts_t:file read_file_perms;
|
||||||
|
|
||||||
|
# Manipulate the global font cache
|
||||||
|
allow $2 $1_fonts_cache_t:dir manage_dir_perms;
|
||||||
|
allow $2 $1_fonts_cache_t:file manage_file_perms;
|
||||||
|
|
||||||
|
# Read per user font config
|
||||||
|
allow $2 $1_fonts_config_t:dir list_dir_perms;
|
||||||
|
allow $2 $1_fonts_config_t:file read_file_perms;
|
||||||
|
|
||||||
|
userdom_search_user_home_dirs($1,$2)
|
||||||
|
|
||||||
|
# There are some fonts in .gnome2
|
||||||
|
ifdef(`gnome.te', `
|
||||||
|
allow $2 $1_gnome_settings_t:dir { getattr search };
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -615,6 +682,42 @@ template(`xserver_domtrans_user_xauth',`
|
||||||
allow $1_xauth_t $2:process sigchld;
|
allow $1_xauth_t $2:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all users fonts, user font configurations,
|
||||||
|
## and manage all users font caches.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`xserver_use_all_users_fonts',`
|
||||||
|
gen_require(`
|
||||||
|
attribute fonts_type, fonts_cache_type, fonts_config_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
# Read per user fonts
|
||||||
|
allow $1 fonts_type:dir list_dir_perms;
|
||||||
|
allow $1 fonts_type:file read_file_perms;
|
||||||
|
|
||||||
|
# Manipulate the global font cache
|
||||||
|
allow $1 fonts_cache_type:dir manage_dir_perms;
|
||||||
|
allow $1 fonts_cache_type:file manage_file_perms;
|
||||||
|
|
||||||
|
# Read per user font config
|
||||||
|
allow $1 fonts_config_type:dir list_dir_perms;
|
||||||
|
allow $1 fonts_config_type:file read_file_perms;
|
||||||
|
|
||||||
|
userdom_search_all_users_home_dirs($1)
|
||||||
|
|
||||||
|
# There are some fonts in .gnome2
|
||||||
|
ifdef(`gnome.te', `
|
||||||
|
allow $1 $1_gnome_settings_t:dir { getattr search };
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Connect to XDM over a unix domain
|
## Connect to XDM over a unix domain
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
|
|
||||||
policy_module(xserver,1.1.1)
|
policy_module(xserver,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
attribute fonts_type;
|
||||||
|
attribute fonts_cache_type;
|
||||||
|
attribute fonts_config_type;
|
||||||
|
|
||||||
type ice_tmp_t;
|
type ice_tmp_t;
|
||||||
files_tmp_file(ice_tmp_t)
|
files_tmp_file(ice_tmp_t)
|
||||||
|
|
||||||
|
@ -414,12 +418,7 @@ ifdef(`strict_policy',`
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
xserver_use_all_users_fonts(xdm_xserver_t)
|
||||||
# Read all global and per user fonts
|
|
||||||
read_fonts(xdm_xserver_t, sysadm)
|
|
||||||
read_fonts(xdm_xserver_t, staff)
|
|
||||||
read_fonts(xdm_xserver_t, user)
|
|
||||||
') dnl end TODO
|
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
|
|
|
@ -3871,6 +3871,25 @@ interface(`userdom_read_sysadm_home_content_files',`
|
||||||
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search all users home directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_search_all_users_home_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute home_dir_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_list_home($1)
|
||||||
|
allow $1 home_dir_type:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## List all users home directories.
|
## List all users home directories.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(userdomain,1.3.6)
|
policy_module(userdomain,1.3.7)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
|
Loading…
Reference in New Issue