deprecate userdom_xwindows_client_template

The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role().  Deprecate
the former and put the rules into the latter.

For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().

Changelog

@@ -1,3 +1,4 @@
+- Deprecated the userdom_xwindwos_client_template().
 - Misc Gentoo fixes from Corentin Labbe.
 - Debian policykit fixes from Martin Orr.
 - Fix unconfined_r use of unconfined_java_t.

policy/modules/services/xserver.if

@@ -3,7 +3,7 @@
 ########################################
 ## <summary>
 ##	Rules required for using the X Windows server
-##	and environment.
+##	and environment, for restricted users.
 ## </summary>
 ## <param name="role">
 ##	<summary>
@@ -16,7 +16,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`xserver_role',`
+interface(`xserver_restricted_role',`
 	gen_require(`
 		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
@@ -44,41 +44,37 @@ interface(`xserver_role',`
 
 	role $1 types { xserver_t xauth_t iceauth_t };
 
+	# Xserver read/write client shm
+	allow xserver_t $2:fd use;
+	allow xserver_t $2:shm rw_shm_perms;
+
 	domtrans_pattern($2, xserver_exec_t, xserver_t)
 	allow xserver_t $2:process signal;
 
 	allow xserver_t $2:shm rw_shm_perms;
 
-	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+	allow $2 user_fonts_t:dir list_dir_perms;
-	manage_files_pattern($2, user_fonts_t, user_fonts_t)
+	allow $2 user_fonts_t:file read_file_perms;
-	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+
-	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+	allow $2 user_fonts_config_t:dir list_dir_perms;
+	allow $2 user_fonts_config_t:file read_file_perms;
 
 	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-
-	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
-	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
-	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 
 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-
+	files_search_tmp($2)
-	allow $2 xserver_tmpfs_t:file rw_file_perms;
 
 	# Communicate via System V shared memory.
-	allow xserver_t $2:shm rw_shm_perms;
+	allow $2 xserver_t:shm r_shm_perms;
-	allow $2 xserver_t:shm rw_shm_perms;
+	allow $2 xserver_tmpfs_t:file read_file_perms;
 
 	# allow ps to show iceauth
 	ps_process_pattern($2, iceauth_t)
 
 	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
 
-	allow $2 iceauth_home_t:file manage_file_perms;
+	allow $2 iceauth_home_t:file read_file_perms;
-	allow $2 iceauth_home_t:file { relabelfrom relabelto };
 
 	domtrans_pattern($2, xauth_exec_t, xauth_t)
 
@@ -86,11 +82,53 @@ interface(`xserver_role',`
 
 	# allow ps to show xauth
 	ps_process_pattern($2, xauth_t)
+	allow $2 xserver_t:process signal;
 
-	allow $2 xauth_home_t:file manage_file_perms;
+	allow $2 xauth_home_t:file read_file_perms;
-	allow $2 xauth_home_t:file { relabelfrom relabelto };
+
+	# for when /tmp/.X11-unix is created by the system
+	allow $2 xdm_t:fd use;
+	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_tmp_t:dir search;
+	allow $2 xdm_tmp_t:sock_file { read write };
+	dontaudit $2 xdm_t:tcp_socket { read write };
+
+	# Client read xserver shm
+	allow $2 xserver_t:fd use;
+	allow $2 xserver_tmpfs_t:file read_file_perms;
+
+	# Read /tmp/.X0-lock
+	allow $2 xserver_tmp_t:file { getattr read };
+
+	dev_rw_xserver_misc($2)
+	dev_rw_power_management($2)
+	dev_read_input($2)
+	dev_read_misc($2)
+	dev_write_misc($2)
+	# open office is looking for the following
+	dev_getattr_agp_dev($2)
+	dev_dontaudit_rw_dri($2)
+	# GNOME checks for usb and other devices:
+	dev_rw_usbfs($2)
+
+	miscfiles_read_fonts($2)
 
 	xserver_common_x_domain_template(user, $2)
+	xserver_xsession_entry_type($2)
+	xserver_dontaudit_write_log($2)
+	xserver_stream_connect_xdm($2)
+	# certain apps want to read xdm.pid file
+	xserver_read_xdm_pid($2)
+	# gnome-session creates socket under /tmp/.ICE-unix/
+	xserver_create_xdm_tmp_sockets($2)
+	# Needed for escd, remove if we get escd policy
+	xserver_manage_xdm_tmp_files($2)
+
+	# Client write xserver shm
+	tunable_policy(`allow_write_xshm',`
+		allow $2 xserver_t:shm rw_shm_perms;
+		allow $2 xserver_tmpfs_t:file rw_file_perms;
+	')
 
 	##############################
 	#
@@ -124,6 +162,57 @@ interface(`xserver_role',`
 	allow $2 info_xproperty_t:x_property { create append write };
 ')
 
+########################################
+## <summary>
+##	Rules required for using the X Windows server
+##	and environment.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_role',`
+	gen_require(`
+		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
+		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+	')
+
+	xserver_restricted_role($1, $2)
+
+	# Communicate via System V shared memory.
+	allow $2 xserver_t:shm rw_shm_perms;
+	allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+	allow $2 iceauth_home_t:file manage_file_perms;
+	allow $2 iceauth_home_t:file { relabelfrom relabelto };
+
+	allow $2 xauth_home_t:file manage_file_perms;
+	allow $2 xauth_home_t:file { relabelfrom relabelto };
+
+	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+	manage_files_pattern($2, user_fonts_t, user_fonts_t)
+	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+
+	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+
+')
+
 #######################################
 ## <summary>
 ##	Create sessions on the X server, with read-only

policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver, 3.2.1)
+policy_module(xserver, 3.2.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

policy/modules/system/userdomain.if

@@ -412,7 +412,7 @@ template(`userdom_basic_networking_template',`
 
 #######################################
 ## <summary>
-##	The template for creating a user xwindows client.
+##	The template for creating a user xwindows client.  (Deprecated)
 ## </summary>
 ## <param name="userdomain_prefix">
 ##	<summary>
@@ -423,6 +423,7 @@ template(`userdom_basic_networking_template',`
 ## <rolebase/>
 #
 template(`userdom_xwindows_client_template',`
+	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
 	gen_require(`
 		type $1_t, user_tmpfs_t;
 	')
@@ -499,10 +500,6 @@ template(`userdom_common_user_template',`
 
 	userdom_basic_networking_template($1)
 
-	optional_policy(`
-		userdom_xwindows_client_template($1)
-	')
-
 	##############################
 	#
 	# User domain Local policy
@@ -868,8 +865,6 @@ template(`userdom_restricted_xwindows_user_template',`
 
 	userdom_restricted_user_template($1)
 
-	userdom_xwindows_client_template($1)
-
 	##############################
 	#
 	# Local policy
@@ -890,6 +885,8 @@ template(`userdom_restricted_xwindows_user_template',`
 	logging_send_audit_msgs($1_t)
 	selinux_get_enforce_mode($1_t)
 
+	xserver_restricted_role($1_r, $1_t)
+
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain, 4.2.0)
+policy_module(userdomain, 4.2.1)
 
 ########################################
 #