[selinux-policy: 3119/3172] Allow consolehelper to read fonts and config files in user homedir

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:37:23 UTC 2010


commit 7c94a3ab0d804df599dbfd33fe74db32fba381d3
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Sep 23 15:14:34 2010 -0400

     Allow consolehelper to read fonts and config files in user homedir

 policy/modules/apps/userhelper.if  |    3 +++
 policy/modules/apps/userhelper.te  |    9 ++++++++-
 policy/modules/services/xserver.if |   26 +++++++++++++++++++++++++-
 3 files changed, 36 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index d73e7c8..019df01 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -303,12 +303,15 @@ template(`userhelper_console_role_template',`
 
 	auth_use_pam($1_consolehelper_t)
 
+	userdom_manage_tmpfs_role(#2, $1_consolehelper_t)
+
 	optional_policy(`
 		shutdown_run($1_consolehelper_t, $2)
 		shutdown_send_sigchld($3)
 	')
 
 	optional_policy(`
+		xserver_run_xauth($1_consolehelper_t, $2)
 		xserver_read_xdm_pid($1_consolehelper_t)
 	')
 ')
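Review bot: The new line `userdom_manage_tmpfs_role(#2, $1_consolehelper_t)` passes `#2` where every sibling call in this template (e.g. `shutdown_run($1_consolehelper_t, $2)`) passes the role as `$2`; with m4's default comment delimiter a bare `#` would also turn the rest of the line into a comment, so the call is unlikely to expand as intended. It should read `userdom_manage_tmpfs_role($2, $1_consolehelper_t)`. The commit message only mentions reading fonts and config files, yet this hunk also grants manage rights on user tmpfs content and a domain transition to xauth_t, so a one-line comment above each stating why the console helper needs them (presumably for the X client side of the helper) would help the next reviewer. The `userhelper_console_role_template` body starts before this hunk.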
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index f62c171..b46a20e 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -22,6 +22,7 @@ application_executable_file(consolehelper_exec_t)
 # consolehelper local policy
 #
 
+allow consolehelper_domain self:shm create_shm_perms;
 allow consolehelper_domain self:capability { setgid setuid }; 
 
 dontaudit consolehelper_domain  userhelper_conf_t:file write;
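Review bot: The added `allow consolehelper_domain self:shm create_shm_perms;` is not explained by the commit message, which covers only reading fonts and config files in the home directory. Since this is a new capability for a domain that also holds `setuid`/`setgid`, a short why-comment on the line would be worth adding, e.g. `# SysV shared memory, presumably for the X/GTK client side of the helper` (to be confirmed against the denial that prompted it).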
@@ -47,13 +48,19 @@ auth_read_pam_pid(consolehelper_domain)
 init_read_utmp(consolehelper_domain)
 
 miscfiles_read_localization(consolehelper_domain)
+miscfiles_read_fonts(consolehelper_domain)
 
 userhelper_exec(consolehelper_domain)
 
 userdom_use_user_ptys(consolehelper_domain)
 userdom_use_user_ttys(consolehelper_domain)
-userdom_search_user_home_content(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
 
 optional_policy(`
+	gnome_read_gconf_home_files(consolehelper_domain)
+')
+
+optional_policy(`
+	xserver_read_home_fonts(consolehelper_domain)
 	xserver_stream_connect(consolehelper_domain)
 ')
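Review bot: Replacing `userdom_search_user_home_content(consolehelper_domain)` with `userdom_read_user_home_content_files(consolehelper_domain)` widens a setuid helper's access from traversing home directories to reading every file labeled with a user home-content type, which is much broader than the fonts and gconf data this commit already covers with the dedicated `xserver_read_home_fonts` and `gnome_read_gconf_home_files` interfaces. If only a few plain-typed dotfiles still need to be read, it would be safer to keep the search interface and add the specific types instead; if the blanket read really is required, a comment naming the files that need it would let a later reviewer revisit it, e.g. `# needed for untyped user dotfiles (which ones: TODO)`. Note that this attribute covers every per-role consolehelper domain, so the grant applies to all of them at once.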
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 61cc021..11314dd 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1558,7 +1558,7 @@ interface(`xserver_read_user_iceauth',`
 
 ########################################
 ## <summary>
-##	Read user homedir fonts.
+##	Read/write inherited user homedir fonts.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1664,6 +1664,7 @@ interface(`xserver_run_xauth',`
 	xserver_domtrans_xauth($1)
 	role $2 types xauth_t;
 ')
+
 ########################################
 ## <summary>
 ##	Read user homedir fonts.
@@ -1675,6 +1676,29 @@ interface(`xserver_run_xauth',`
 ## </param>
 ## <rolecap/>
 #
+interface(`xserver_read_home_fonts',`
+	gen_require(`
+		type user_fonts_t, user_fonts_config_t;
+	')
+
+	read_dirs_pattern($1, user_fonts_t, user_fonts_t)
+	read_files_pattern($1, user_fonts_t, user_fonts_t)
+	read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+	read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
+
+########################################
+## <summary>
+##	Manage user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
 interface(`xserver_manage_home_fonts',`
 	gen_require(`
 		type user_fonts_t, user_fonts_config_t;
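Review bot: The new `xserver_read_home_fonts` interface grants read on `user_fonts_t` dirs/files/symlinks but only `read_files_pattern` on `user_fonts_config_t`, so a caller could not follow a symlinked font config or list a directory carrying that type if one exists in the file contexts; adding `read_lnk_files_pattern($1, user_fonts_config_t, user_fonts_config_t)` (and `read_dirs_pattern` if a config directory is labeled with it) would make it consistent with the `user_fonts_t` rules above it. Unlike other home-content read interfaces in this file (e.g. `xserver_read_user_iceauth`), it also does not call `userdom_search_user_home_dirs($1)`, so it only works for callers that already have home-directory search from elsewhere, as consolehelper does in this commit; either add the call or note this in the interface summary. The `xserver_manage_home_fonts` definition continues past the end of this hunk.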

