Allow consolehelper to read fonts and config files in user homedir

2010-09-23 15:14:34 -04:00 · 2010-09-23 15:14:34 -04:00 · 7c94a3ab0d
commit 7c94a3ab0d
parent f4dc198843
3 changed files with 36 additions and 2 deletions
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@ -303,12 +303,15 @@ template(`userhelper_console_role_template',`

 	auth_use_pam($1_consolehelper_t)

+	userdom_manage_tmpfs_role(#2, $1_consolehelper_t)
+
 	optional_policy(`
 		shutdown_run($1_consolehelper_t, $2)
 		shutdown_send_sigchld($3)
 	')

 	optional_policy(`
+		xserver_run_xauth($1_consolehelper_t, $2)
 		xserver_read_xdm_pid($1_consolehelper_t)
 	')
 ')
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@ -22,6 +22,7 @@ application_executable_file(consolehelper_exec_t)
 # consolehelper local policy
 #

+allow consolehelper_domain self:shm create_shm_perms;
 allow consolehelper_domain self:capability { setgid setuid }; 

 dontaudit consolehelper_domain  userhelper_conf_t:file write;
@ -47,13 +48,19 @@ auth_read_pam_pid(consolehelper_domain)
 init_read_utmp(consolehelper_domain)

 miscfiles_read_localization(consolehelper_domain)
+miscfiles_read_fonts(consolehelper_domain)

 userhelper_exec(consolehelper_domain)

 userdom_use_user_ptys(consolehelper_domain)
 userdom_use_user_ttys(consolehelper_domain)
-userdom_search_user_home_content(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)

 optional_policy(`
+	gnome_read_gconf_home_files(consolehelper_domain)
+')
+
+optional_policy(`
+	xserver_read_home_fonts(consolehelper_domain)
 	xserver_stream_connect(consolehelper_domain)
 ')
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -1558,7 +1558,7 @@ interface(`xserver_read_user_iceauth',`

 ########################################
 ## <summary>
-##	Read user homedir fonts.
+##	Read/write inherited user homedir fonts.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1664,6 +1664,7 @@ interface(`xserver_run_xauth',`
 	xserver_domtrans_xauth($1)
 	role $2 types xauth_t;
 ')
+
 ########################################
 ## <summary>
 ##	Read user homedir fonts.
@ -1675,6 +1676,29 @@ interface(`xserver_run_xauth',`
 ## </param>
 ## <rolecap/>
 #
+interface(`xserver_read_home_fonts',`
+	gen_require(`
+		type user_fonts_t, user_fonts_config_t;
+	')
+
+	read_dirs_pattern($1, user_fonts_t, user_fonts_t)
+	read_files_pattern($1, user_fonts_t, user_fonts_t)
+	read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+	read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
+
+########################################
+## <summary>
+##	Manage user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
 interface(`xserver_manage_home_fonts',`
 	gen_require(`
 		type user_fonts_t, user_fonts_config_t;