[selinux-policy: 1301/3172] add user fonts to xserver.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:57:46 UTC 2010
commit 1786478c7bf054d2dae9c267ca2bc3c73a54e989
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Mar 28 18:29:52 2006 +0000
add user fonts to xserver.
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/xserver.fc | 4 +
refpolicy/policy/modules/services/xserver.if | 115 +++++++++++++++++++++++--
refpolicy/policy/modules/services/xserver.te | 13 ++--
refpolicy/policy/modules/system/userdomain.if | 19 ++++
refpolicy/policy/modules/system/userdomain.te | 2 +-
6 files changed, 140 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 73851b2..f78c716 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
from Joy Latten.
- Miscellaneous fixes from Thomas Bleher.
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 3d19691..77f634b 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -2,6 +2,10 @@
# HOME_DIR
#
ifdef(`strict_policy',`
+HOME_DIR/\.fonts.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
+HOME_DIR/\.fonts.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index c928d83..f0e8a8e 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -229,6 +229,15 @@ template(`xserver_per_userdomain_template',`
xserver_common_domain_template($1)
role $3 types $1_xserver_t;
+ type $1_fonts_t, fonts_type;
+ userdom_user_home_content($1,$1_fonts_t)
+
+ type $1_fonts_cache_t, fonts_cache_type;
+ userdom_user_home_content($1,$1_fonts_cache_t)
+
+ type $1_fonts_config_t, fonts_config_type;
+ userdom_user_home_content($1,$1_fonts_cache_t)
+
type $1_iceauth_t;
domain_type($1_iceauth_t)
role $3 types $1_iceauth_t;
@@ -269,6 +278,17 @@ template(`xserver_per_userdomain_template',`
allow $1_xserver_t $2:shm rw_shm_perms;
+ allow $2 $1_fonts_t:dir manage_dir_perms;
+ allow $2 $1_fonts_t:file manage_file_perms;
+ allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+ allow $2 $1_fonts_config_t:dir manage_dir_perms;
+ allow $2 $1_fonts_config_t:file manage_file_perms;
+ allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
+
+ # For startup relabel
+ allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
allow $2 $1_xserver_tmp_t:dir r_dir_perms;
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
allow $2 $1_xserver_t:unix_stream_socket connectto;
@@ -288,14 +308,13 @@ template(`xserver_per_userdomain_template',`
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
+ xserver_use_user_fonts($1,$1_xserver_t)
+
optional_policy(`
userhelper_search_config($1_xserver_t)
')
ifdef(`TODO',`
- # Read fonts
- read_fonts($1_xserver_t, $1)
-
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
@@ -559,6 +578,7 @@ template(`xserver_user_client_template',`
xserver_ro_session_template(xdm,$2,$3)
xserver_rw_session_template($1,$2,$3)
+ xserver_use_user_fonts($1,$2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
@@ -571,10 +591,57 @@ template(`xserver_user_client_template',`
kernel_tcp_recvfrom($2)
ssh_tcp_connect($2)
')
+')
- ifdef(`TODO',`
- # cjp: need to implement the user-specific fonts part
- read_fonts($2, $1)
+########################################
+## <summary>
+## Read user fonts, user font configuration,
+## and manage the user font cache.
+## </summary>
+## <desc>
+## <p>
+## Read user fonts, user font configuration,
+## and manage the user font cache.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`xserver_use_user_fonts',`
+ gen_require(`
+ type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+ ')
+
+ # Read per user fonts
+ allow $2 $1_fonts_t:dir list_dir_perms;
+ allow $2 $1_fonts_t:file read_file_perms;
+
+ # Manipulate the global font cache
+ allow $2 $1_fonts_cache_t:dir manage_dir_perms;
+ allow $2 $1_fonts_cache_t:file manage_file_perms;
+
+ # Read per user font config
+ allow $2 $1_fonts_config_t:dir list_dir_perms;
+ allow $2 $1_fonts_config_t:file read_file_perms;
+
+ userdom_search_user_home_dirs($1,$2)
+
+ # There are some fonts in .gnome2
+ ifdef(`gnome.te', `
+ allow $2 $1_gnome_settings_t:dir { getattr search };
')
')
@@ -617,6 +684,42 @@ template(`xserver_domtrans_user_xauth',`
########################################
## <summary>
+## Read all users fonts, user font configurations,
+## and manage all users font caches.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_use_all_users_fonts',`
+ gen_require(`
+ attribute fonts_type, fonts_cache_type, fonts_config_type;
+ ')
+
+ # Read per user fonts
+ allow $1 fonts_type:dir list_dir_perms;
+ allow $1 fonts_type:file read_file_perms;
+
+ # Manipulate the global font cache
+ allow $1 fonts_cache_type:dir manage_dir_perms;
+ allow $1 fonts_cache_type:file manage_file_perms;
+
+ # Read per user font config
+ allow $1 fonts_config_type:dir list_dir_perms;
+ allow $1 fonts_config_type:file read_file_perms;
+
+ userdom_search_all_users_home_dirs($1)
+
+ # There are some fonts in .gnome2
+ ifdef(`gnome.te', `
+ allow $1 $1_gnome_settings_t:dir { getattr search };
+ ')
+')
+
+########################################
+## <summary>
## Connect to XDM over a unix domain
## stream socket.
## </summary>
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index ae96e2e..06867a9 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,11 +1,15 @@
-policy_module(xserver,1.1.1)
+policy_module(xserver,1.1.2)
########################################
#
# Declarations
#
+attribute fonts_type;
+attribute fonts_cache_type;
+attribute fonts_config_type;
+
type ice_tmp_t;
files_tmp_file(ice_tmp_t)
@@ -414,12 +418,7 @@ ifdef(`strict_policy',`
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
- ifdef(`TODO',`
- # Read all global and per user fonts
- read_fonts(xdm_xserver_t, sysadm)
- read_fonts(xdm_xserver_t, staff)
- read_fonts(xdm_xserver_t, user)
- ') dnl end TODO
+ xserver_use_all_users_fonts(xdm_xserver_t)
')
ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index dc63864..336f06b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3873,6 +3873,25 @@ interface(`userdom_read_sysadm_home_content_files',`
########################################
## <summary>
+## Search all users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_dirs',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+ allow $1 home_dir_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## List all users home directories.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index fda1e87..eda29fa 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.6)
+policy_module(userdomain,1.3.7)
gen_require(`
role sysadm_r, staff_r, user_r;
More information about the scm-commits
mailing list