[selinux-policy: 1301/3172] add user fonts to xserver.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:57:46 UTC 2010 

commit 1786478c7bf054d2dae9c267ca2bc3c73a54e989
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 28 18:29:52 2006 +0000

    add user fonts to xserver.

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/services/xserver.fc  |    4 +
 refpolicy/policy/modules/services/xserver.if  |  115 +++++++++++++++++++++++--
 refpolicy/policy/modules/services/xserver.te  |   13 ++--
 refpolicy/policy/modules/system/userdomain.if |   19 ++++
 refpolicy/policy/modules/system/userdomain.te |    2 +-
 6 files changed, 140 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 73851b2..f78c716 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add user fonts to xserver.
 - Additional interfaces in corecommands, miscfiles, and userdomain
   from Joy Latten.
 - Miscellaneous fixes from Thomas Bleher.
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 3d19691..77f634b 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -2,6 +2,10 @@
 # HOME_DIR
 #
 ifdef(`strict_policy',`
+HOME_DIR/\.fonts.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
+HOME_DIR/\.fonts.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index c928d83..f0e8a8e 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -229,6 +229,15 @@ template(`xserver_per_userdomain_template',`
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;
 
+	type $1_fonts_t, fonts_type;
+	userdom_user_home_content($1,$1_fonts_t)
+
+	type $1_fonts_cache_t, fonts_cache_type;
+	userdom_user_home_content($1,$1_fonts_cache_t)
+
+	type $1_fonts_config_t, fonts_config_type;
+	userdom_user_home_content($1,$1_fonts_cache_t)
+
 	type $1_iceauth_t;
 	domain_type($1_iceauth_t)
 	role $3 types $1_iceauth_t;
@@ -269,6 +278,17 @@ template(`xserver_per_userdomain_template',`
 
 	allow $1_xserver_t $2:shm rw_shm_perms;
 
+	allow $2 $1_fonts_t:dir manage_dir_perms;
+	allow $2 $1_fonts_t:file manage_file_perms;
+	allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+	allow $2 $1_fonts_config_t:dir manage_dir_perms;
+	allow $2 $1_fonts_config_t:file manage_file_perms;
+	allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
+
+	# For startup relabel
+	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
 	allow $2 $1_xserver_tmp_t:dir r_dir_perms;
 	allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
 	allow $2 $1_xserver_t:unix_stream_socket connectto;
@@ -288,14 +308,13 @@ template(`xserver_per_userdomain_template',`
 	userdom_setattr_user_ttys($1,$1_xserver_t)
 	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
 
+	xserver_use_user_fonts($1,$1_xserver_t)
+
 	optional_policy(`
 		userhelper_search_config($1_xserver_t)
 	')
 
 	ifdef(`TODO',`
-	# Read fonts
-	read_fonts($1_xserver_t, $1)
-
 	allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
 	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 
@@ -559,6 +578,7 @@ template(`xserver_user_client_template',`
 
 	xserver_ro_session_template(xdm,$2,$3)
 	xserver_rw_session_template($1,$2,$3)
+	xserver_use_user_fonts($1,$2)
 
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
@@ -571,10 +591,57 @@ template(`xserver_user_client_template',`
 		kernel_tcp_recvfrom($2)
 		ssh_tcp_connect($2)
 	')
+')
 
-	ifdef(`TODO',`
-	# cjp: need to implement the user-specific fonts part
-	read_fonts($2, $1)
+########################################
+## <summary>
+##	Read user fonts, user font configuration,
+##	and manage the user font cache.
+## </summary>
+## <desc>
+##	<p>
+##	Read user fonts, user font configuration,
+##	and manage the user font cache.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_use_user_fonts',`
+	gen_require(`
+		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+	')
+
+	# Read per user fonts
+	allow $2 $1_fonts_t:dir list_dir_perms;
+	allow $2 $1_fonts_t:file read_file_perms;
+
+	# Manipulate the global font cache
+	allow $2 $1_fonts_cache_t:dir manage_dir_perms;
+	allow $2 $1_fonts_cache_t:file manage_file_perms;
+
+	# Read per user font config
+	allow $2 $1_fonts_config_t:dir list_dir_perms;
+	allow $2 $1_fonts_config_t:file read_file_perms;
+
+	userdom_search_user_home_dirs($1,$2)
+
+	# There are some fonts in .gnome2
+	ifdef(`gnome.te', `
+	allow $2 $1_gnome_settings_t:dir { getattr search };
 	')
 ')
 
@@ -617,6 +684,42 @@ template(`xserver_domtrans_user_xauth',`
 
 ########################################
 ## <summary>
+##	Read all users fonts, user font configurations,
+##	and manage all users font caches.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_use_all_users_fonts',`
+	gen_require(`
+		attribute fonts_type, fonts_cache_type, fonts_config_type;
+	')
+
+	# Read per user fonts
+	allow $1 fonts_type:dir list_dir_perms;
+	allow $1 fonts_type:file read_file_perms;
+
+	# Manipulate the global font cache
+	allow $1 fonts_cache_type:dir manage_dir_perms;
+	allow $1 fonts_cache_type:file manage_file_perms;
+
+	# Read per user font config
+	allow $1 fonts_config_type:dir list_dir_perms;
+	allow $1 fonts_config_type:file read_file_perms;
+
+	userdom_search_all_users_home_dirs($1)
+
+	# There are some fonts in .gnome2
+	ifdef(`gnome.te', `
+	allow $1 $1_gnome_settings_t:dir { getattr search };
+	')
+')
+
+########################################
+## <summary>
 ##	Connect to XDM over a unix domain
 ##	stream socket.
 ## </summary>
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index ae96e2e..06867a9 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,11 +1,15 @@
 
-policy_module(xserver,1.1.1)
+policy_module(xserver,1.1.2)
 
 ########################################
 #
 # Declarations
 #
 
+attribute fonts_type;
+attribute fonts_cache_type;
+attribute fonts_config_type;
+
 type ice_tmp_t;
 files_tmp_file(ice_tmp_t)
 
@@ -414,12 +418,7 @@ ifdef(`strict_policy',`
 	# (xauth?)
 	userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
 
-	ifdef(`TODO',`
-	# Read all global and per user fonts
-	read_fonts(xdm_xserver_t, sysadm)
-	read_fonts(xdm_xserver_t, staff)
-	read_fonts(xdm_xserver_t, user)
-	') dnl end TODO
+	xserver_use_all_users_fonts(xdm_xserver_t)
 ')
 
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index dc63864..336f06b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3873,6 +3873,25 @@ interface(`userdom_read_sysadm_home_content_files',`
 
 ########################################
 ## <summary>
+##	Search all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_dirs',`
+	gen_require(`
+		attribute home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_dir_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List all users home directories.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index fda1e87..eda29fa 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.6)
+policy_module(userdomain,1.3.7)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;

More information about the scm-commits mailing list