login fixes and pieces of xserver

refpolicy/policy/modules/apps/userhelper.if

@@ -202,10 +202,27 @@ template(`userhelper_per_userdomain_template',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search userhelp configuration
+##	Search the userhelper configuration directory.
 ## </summary>
 ## <param name="domain">
-##      The type of the process performing this action.
+##      Domain allowed access.
+## </param>
+#
+interface(`userhelper_search_config',`
+	gen_require(`
+		type userhelper_conf_t;
+	')
+
+	allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search 
+##	the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+##      Domain to not audit.
 ## </param>
 #
 interface(`userhelper_dontaudit_search_config',`
@@ -213,5 +230,5 @@ interface(`userhelper_dontaudit_search_config',`
 		type userhelper_conf_t;
 	')
 
-	dontaudit $1 userhelper_conf_t:dir search;
+	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
 ')

refpolicy/policy/modules/kernel/corecommands.fc

@@ -140,7 +140,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/X11R6/lib/X11/xkb/xkbcomp	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo', `
 /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)

refpolicy/policy/modules/kernel/devices.if

@@ -670,6 +670,23 @@ interface(`dev_manage_all_chr_files',`
 	typeattribute $1 memory_raw_read, memory_raw_write;
 ')
 
+########################################
+## <summary>
+##	Getattr the agp devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_agp_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 agp_device_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the agp devices.
@@ -914,23 +931,6 @@ interface(`dev_rw_crypto',`
 	allow $1 crypt_device_t:chr_file rw_file_perms;
 ')
 
-########################################
-## <summary>
-##	Getattr the agp devices.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`dev_getattr_agp_dev',`
-	gen_require(`
-		type device_t, dri_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 dri_device_t:chr_file getattr;
-')
-
 ########################################
 ## <summary>
 ##	Read and write the dri devices.
@@ -964,6 +964,24 @@ interface(`dev_dontaudit_rw_dri_dev',`
 	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete the dri devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_manage_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 dri_device_t:chr_file manage_file_perms;
+	type_transition $1 device_t:chr_file dri_device_t;
+')
+
 ########################################
 ## <summary>
 ##	Read input event devices (/dev/input).
@@ -981,6 +999,23 @@ interface(`dev_read_input',`
 	allow $1 event_device_t:chr_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the framebuffer device node.
@@ -1082,6 +1117,23 @@ interface(`dev_write_framebuffer',`
 	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
 ')
 
+########################################
+## <summary>
+##	Read and write the framebuffer.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_framebuffer',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read the lvm comtrol device.
@@ -1448,6 +1500,19 @@ interface(`dev_write_mtrr',`
 	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
 ')
 
+########################################
+## <summary>
+##	Read and write the mtrr device.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_mtrr',`
+	dev_read_mtrr($1)
+	dev_write_mtrr($1)
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the null device (/dev/null).
@@ -2227,6 +2292,23 @@ interface(`dev_setattr_xserver_misc_dev',`
 	allow $1 xserver_misc_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the zero device (/dev/zero).

refpolicy/policy/modules/system/userdomain.if

@@ -2319,6 +2319,72 @@ interface(`userdom_read_all_tmp_untrusted_content',`
 	allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Set the attributes of a user domain tty.
+## </summary>
+## <desc>
+##	<p>
+##	Set the attributes of a user domain tty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+template(`userdom_setattr_user_tty',`
+	ifdef(`targeted_policy',`
+		term_setattr_unallocated_ttys($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file setattr;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write a user domain tty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write a user domain tty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+template(`userdom_use_user_tty',`
+	ifdef(`targeted_policy',`
+		term_use_unallocated_tty($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file rw_term_perms;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read and write a user domain tty and pty.
@@ -2403,6 +2469,10 @@ interface(`userdom_spec_domtrans_all_users',`
 	')
 
 	corecmd_shell_spec_domtrans($1,userdomain)
+	allow $1 userdomain:fd use;
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
 ')
 
 ########################################
@@ -2421,6 +2491,10 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	')
 
 	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
 ')
 
 ########################################