From 31f9c109c1e9579d11421a03fdb96179bd52924e Mon Sep 17 00:00:00 2001 From: "corentin.labbe" Date: Fri, 11 Sep 2009 14:21:59 +0200 Subject: [PATCH] SELinux xscreensaver policy support Hello This a patch for adding xscreensaver policy. I think it need a specific policy because of the auth_domtrans_chk_passwd. cordially Signed-off-by: LABBE Corentin --- policy/modules/apps/xscreensaver.fc | 1 + policy/modules/apps/xscreensaver.if | 34 +++++++++++++++++++ policy/modules/apps/xscreensaver.te | 52 +++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 policy/modules/apps/xscreensaver.fc create mode 100644 policy/modules/apps/xscreensaver.if create mode 100644 policy/modules/apps/xscreensaver.te diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc new file mode 100644 index 00000000..64cd5fc2 --- /dev/null +++ b/policy/modules/apps/xscreensaver.fc @@ -0,0 +1 @@ +/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if new file mode 100644 index 00000000..5a1c63c7 --- /dev/null +++ b/policy/modules/apps/xscreensaver.if @@ -0,0 +1,34 @@ +## xscreensaver policy interface + +######################################## +## +## Role access for xscreensaver +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`xscreensaver_role',` + gen_require(` + type xscreensaver_t, xscreensaver_exec_t; + ') + + role $1 types xscreensaver_t; + + domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) + + allow xscreensaver_t $2:fd use; + + # Allow the user domain to signal/ps. + ps_process_pattern($2, xscreensaver_t) + allow $2 xscreensaver_t:process signal_perms; + allow xscreensaver_t $2:process sigchld; + +') diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te new file mode 100644 index 00000000..f4f8b005 --- /dev/null 
+++ b/policy/modules/apps/xscreensaver.te
@@ -0,0 +1,52 @@
+policy_module(xscreensaver, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+application_domain(xscreensaver_t, xscreensaver_exec_t)
+
+type xscreensaver_tmpfs_t;
+files_tmpfs_file(xscreensaver_tmpfs_t)
+ubac_constrained(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+auth_use_nsswitch(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+miscfiles_read_localization(xscreensaver_t)
+
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+allow xscreensaver_t self:process signal;
+
+#access to .icons and ~/.xscreensaver
+userdom_read_user_home_content_files(xscreensaver_t)
+
+userdom_use_user_ptys(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+#/var/run/utmp
+init_read_utmp(xscreensaver_t)
+
+########################################
+#
+# X Serveur and co
+#
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+
+########################################
+#
+# process, kernel and /proc /dev /sys
+#
+
+kernel_read_system_state(xscreensaver_t)
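Review bot: The `xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)` call near the end of the hunk is unconditional, but xserver is an optional module in refpolicy, so this module will fail to link on a build without it; wrap it as `optional_policy(\`` / `xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)` / `')` like the other apps modules do. Keeping `auth_domtrans_chk_passwd` in a dedicated xscreensaver_t rather than the user domain is the right call, since it confines the unix_chkpwd transition to the locker instead of handing it to every process the user runs. Nothing in this hunk lets xscreensaver_t execute anything but the files already labelled for it, so the display hacks the daemon spawns will presumably be denied at exec time — confirm against the audit log and, if so, add either a labelled exec type for the hack directory or an explicit `corecmd_exec_bin(xscreensaver_t)` rather than a blanket execute rule. The section comment `# X Serveur and co` should read `# X server and co`.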