From 7c94a3ab0d804df599dbfd33fe74db32fba381d3 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 23 Sep 2010 15:14:34 -0400
Subject: [PATCH] Allow consolehelper to read fonts and config files in user homedir
---
 policy/modules/apps/userhelper.if | 3 +++
 policy/modules/apps/userhelper.te | 9 ++++++++-
 policy/modules/services/xserver.if | 26 +++++++++++++++++++++++++-
 3 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index d73e7c82..019df01d 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -303,12 +303,15 @@ template(`userhelper_console_role_template',`
 auth_use_pam($1_consolehelper_t)
+ userdom_manage_tmpfs_role(#2, $1_consolehelper_t)
+
 optional_policy(`
 shutdown_run($1_consolehelper_t, $2)
 shutdown_send_sigchld($3)
 ')
 optional_policy(`
+ xserver_run_xauth($1_consolehelper_t, $2)
 xserver_read_xdm_pid($1_consolehelper_t)
 ')
 ')
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index f62c171b..b46a20eb 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -22,6 +22,7 @@ application_executable_file(consolehelper_exec_t)
 # consolehelper local policy
 #
+allow consolehelper_domain self:shm create_shm_perms;
 allow consolehelper_domain self:capability { setgid setuid };
 dontaudit consolehelper_domain userhelper_conf_t:file write;
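Review bot: The first argument of the added `userdom_manage_tmpfs_role(#2, $1_consolehelper_t)` call in the userhelper.if hunk looks like a typo for `$2`: every other role argument in this template is written `$2` (`shutdown_run($1_consolehelper_t, $2)`, `xserver_run_xauth($1_consolehelper_t, $2)`). `#2` is not an m4 positional parameter, so the role would not be substituted, and because `#` opens an m4 comment the rest of the line may be swallowed when the template is expanded. The line should read `userdom_manage_tmpfs_role($2, $1_consolehelper_t)`. The template body starts above this hunk, so the reading of `$2` as the role is inferred from the neighbouring calls.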
@@ -47,13 +48,19 @@ auth_read_pam_pid(consolehelper_domain)
 init_read_utmp(consolehelper_domain)
 miscfiles_read_localization(consolehelper_domain)
+miscfiles_read_fonts(consolehelper_domain)
 userhelper_exec(consolehelper_domain)
 userdom_use_user_ptys(consolehelper_domain)
 userdom_use_user_ttys(consolehelper_domain)
-userdom_search_user_home_content(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
 optional_policy(`
+ gnome_read_gconf_home_files(consolehelper_domain)
+')
+
+optional_policy(`
+ xserver_read_home_fonts(consolehelper_domain)
 xserver_stream_connect(consolehelper_domain)
 ')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 61cc0213..11314dd2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1558,7 +1558,7 @@ interface(`xserver_read_user_iceauth',`
 ########################################
 ##
-## Read user homedir fonts.
+## Read/write inherited user homedir fonts.
 ##
 ##
 ##
@@ -1664,6 +1664,7 @@ interface(`xserver_run_xauth',`
 xserver_domtrans_xauth($1)
 role $2 types xauth_t;
 ')
+
 ########################################
 ##
 ## Read user homedir fonts.
@@ -1675,6 +1676,29 @@ interface(`xserver_run_xauth',`
 ##
 ##
 #
+interface(`xserver_read_home_fonts',`
+ gen_require(`
+ type user_fonts_t, user_fonts_config_t;
+ ')
+
+ read_dirs_pattern($1, user_fonts_t, user_fonts_t)
+ read_files_pattern($1, user_fonts_t, user_fonts_t)
+ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
+
+########################################
+##
+## Manage user homedir fonts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
 interface(`xserver_manage_home_fonts',`
 gen_require(`
 type user_fonts_t, user_fonts_config_t;
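Review bot: Replacing `userdom_search_user_home_content(consolehelper_domain)` with `userdom_read_user_home_content_files(consolehelper_domain)` in the second userhelper.te hunk widens the domain's access well past what the commit subject describes. Going by the interface name (its definition is not in this patch), it lets consolehelper_domain read generic user home files, and the earlier userhelper.te hunk shows this domain holds the `setuid` and `setgid` capabilities. Fonts and GConf data are already covered by the typed `xserver_read_home_fonts` and `gnome_read_gconf_home_files` calls added here. I would keep `userdom_search_user_home_content(consolehelper_domain)` and add typed read interfaces only for the specific files consolehelper needs; if the generic read really is required, a comment naming the files that forced it would help later audits.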
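Review bot: `read_dirs_pattern($1, user_fonts_t, user_fonts_t)` in the new `xserver_read_home_fonts` interface uses a name I cannot match to the directory patterns the policy support macros normally provide (`search_dirs_pattern`, `list_dirs_pattern`). Please confirm it is defined, because an undefined m4 macro is passed through as plain text and would fail when the policy is compiled. If listing the font directories is the intent, `list_dirs_pattern($1, user_fonts_t, user_fonts_t)` is the usual form. The interface also grants nothing on the home directory itself, so callers need their own search access to reach the font directories, which is worth one line in the interface comment. `xserver_manage_home_fonts` continues past the end of this hunk.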