diff --git a/Changelog b/Changelog index 28115b8..babf18e 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Deprecated the userdom_xwindwos_client_template(). - Misc Gentoo fixes from Corentin Labbe. - Debian policykit fixes from Martin Orr. - Fix unconfined_r use of unconfined_java_t. diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 208ea7a..88f0dcc 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -3,7 +3,7 @@ ######################################## ## ## Rules required for using the X Windows server -## and environment. +## and environment, for restricted users. ## ## ## @@ -16,7 +16,7 @@ ## ## # -interface(`xserver_role',` +interface(`xserver_restricted_role',` gen_require(` type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; 
@@ -44,41 +44,37 @@ interface(`xserver_role',` role $1 types { xserver_t xauth_t iceauth_t }; + # Xserver read/write client shm + allow xserver_t $2:fd use; + allow xserver_t $2:shm rw_shm_perms; + domtrans_pattern($2, xserver_exec_t, xserver_t) allow xserver_t $2:process signal; allow xserver_t $2:shm rw_shm_perms; - manage_dirs_pattern($2, user_fonts_t, user_fonts_t) - manage_files_pattern($2, user_fonts_t, user_fonts_t) - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) - relabel_files_pattern($2, user_fonts_t, user_fonts_t) + allow $2 user_fonts_t:dir list_dir_perms; + allow $2 user_fonts_t:file read_file_perms; + + allow $2 user_fonts_config_t:dir list_dir_perms; + allow $2 user_fonts_config_t:file read_file_perms; manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - - allow $2 xserver_tmpfs_t:file rw_file_perms; + files_search_tmp($2) # Communicate via System V shared memory. - allow xserver_t $2:shm rw_shm_perms; - allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_t:shm r_shm_perms; + allow $2 xserver_tmpfs_t:file read_file_perms; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) domtrans_pattern($2, iceauth_exec_t, iceauth_t) - allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; + allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) 
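Review bot: The added `allow xserver_t $2:shm rw_shm_perms;` under the new "Xserver read/write client shm" comment repeats the unchanged rule with the same text that follows `allow xserver_t $2:process signal;`, so the new side carries it twice. In the same way, `allow $2 xserver_tmpfs_t:file read_file_perms;` is added here under "Communicate via System V shared memory" and again in the next hunk under "Client read xserver shm". The duplicates do not change the compiled policy, but they make it harder to audit what an interface meant to narrow access really grants; I would keep one copy of each. The interface body starts before this hunk and continues past it.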
@@ -86,11 +82,53 @@ interface(`xserver_role',` # allow ps to show xauth ps_process_pattern($2, xauth_t) + allow $2 xserver_t:process signal; - allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; + allow $2 xauth_home_t:file read_file_perms; + + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; + allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_tmp_t:dir search; + allow $2 xdm_tmp_t:sock_file { read write }; + dontaudit $2 xdm_t:tcp_socket { read write }; + + # Client read xserver shm + allow $2 xserver_t:fd use; + allow $2 xserver_tmpfs_t:file read_file_perms; + + # Read /tmp/.X0-lock + allow $2 xserver_tmp_t:file { getattr read }; + + dev_rw_xserver_misc($2) + dev_rw_power_management($2) + dev_read_input($2) + dev_read_misc($2) + dev_write_misc($2) + # open office is looking for the following + dev_getattr_agp_dev($2) + dev_dontaudit_rw_dri($2) + # GNOME checks for usb and other devices: + dev_rw_usbfs($2) + + miscfiles_read_fonts($2) xserver_common_x_domain_template(user, $2) + xserver_xsession_entry_type($2) + xserver_dontaudit_write_log($2) + xserver_stream_connect_xdm($2) + # certain apps want to read xdm.pid file + xserver_read_xdm_pid($2) + # gnome-session creates socket under /tmp/.ICE-unix/ + xserver_create_xdm_tmp_sockets($2) + # Needed for escd, remove if we get escd policy + xserver_manage_xdm_tmp_files($2) + + # Client write xserver shm + tunable_policy(`allow_write_xshm',` + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') ############################## # 
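Review bot: `xserver_restricted_role` now gives every caller `dev_rw_usbfs($2)`, `dev_write_misc($2)` and `xserver_manage_xdm_tmp_files($2)` unconditionally, which is broad for an interface documented as being for restricted users. The last call is marked by its own comment as a workaround ("Needed for escd, remove if we get escd policy"). I would either move these three calls to the unrestricted `xserver_role` or gate them behind a tunable, as this hunk already does for shm writes with `allow_write_xshm`. The added rules also name `xdm_t` and `xdm_tmp_t`, while the two `gen_require` lines visible in the earlier hunk list only xserver and user font types. The rest of that block is outside the diff, so please confirm both types are required there.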
@@ -124,6 +162,57 @@ interface(`xserver_role',` allow $2 info_xproperty_t:x_property { create append write }; ') +######################################## +## +## Rules required for using the X Windows server +## and environment. +## +## +## +## Role allowed access. +## +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_role',` + gen_require(` + type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + ') + + xserver_restricted_role($1, $2) + + # Communicate via System V shared memory. + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + + allow $2 iceauth_home_t:file manage_file_perms; + allow $2 iceauth_home_t:file { relabelfrom relabelto }; + + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file { relabelfrom relabelto }; + + manage_dirs_pattern($2, user_fonts_t, user_fonts_t) + manage_files_pattern($2, user_fonts_t, user_fonts_t) + relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) + relabel_files_pattern($2, user_fonts_t, user_fonts_t) + + manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + + manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + +') + ####################################### ## ## Create sessions on the X server, with read-only diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 5462968..69b8308 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
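Review bot: The header comment on the new `xserver_role` is the text the restricted interface had before this commit, and it does not say how the two interfaces differ. This wrapper is what adds manage and relabel access to `xauth_home_t`, `iceauth_home_t` and the user font types, plus shm write access that does not depend on `allow_write_xshm`. I would say so in the summary, for example `## and environment. Calls xserver_restricted_role() and adds write/relabel access to X authority, ICE authority and user font files.` The two `manage_*_pattern` lines for `user_fonts_cache_t` repeat what `xserver_restricted_role` keeps as context in the earlier hunk; only the relabel lines are new for that type.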
@@ -1,5 +1,5 @@ -policy_module(xserver, 3.2.1) +policy_module(xserver, 3.2.2) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 49ac3fd..09cc86d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -412,7 +412,7 @@ template(`userdom_basic_networking_template',` ####################################### ## -## The template for creating a user xwindows client. +## The template for creating a user xwindows client. (Deprecated) ## ## ## @@ -423,6 +423,7 @@ template(`userdom_basic_networking_template',` ## # template(`userdom_xwindows_client_template',` + refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') gen_require(` type $1_t, user_tmpfs_t; ') @@ -499,10 +500,6 @@ template(`userdom_common_user_template',` userdom_basic_networking_template($1) - optional_policy(` - userdom_xwindows_client_template($1) - ') - ############################## # # User domain Local policy @@ -868,8 +865,6 @@ template(`userdom_restricted_xwindows_user_template',` userdom_restricted_user_template($1) - userdom_xwindows_client_template($1) - ############################## # # Local policy @@ -890,6 +885,8 @@ template(`userdom_restricted_xwindows_user_template',` logging_send_audit_msgs($1_t) selinux_get_enforce_mode($1_t) + xserver_restricted_role($1_r, $1_t) + optional_policy(` alsa_read_rw_config($1_t) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 48e9070..c940bc9 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain, 4.2.0) +policy_module(userdomain, 4.2.1) ######################################## #
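Review bot: The deprecation warning added at `@@ -423,6 +423,7 @@` points every caller to `xserver_role()`, yet this same commit has `userdom_restricted_xwindows_user_template` call `xserver_restricted_role($1_r, $1_t)` instead. A caller who follows the message for a restricted domain would pick up the manage and relabel access to `xauth_home_t` and `iceauth_home_t` that `xserver_role` adds on top. I would name both interfaces in the message text: `$0() has been deprecated, please use xserver_role() or xserver_restricted_role() instead.` The template body continues outside the hunk. Separately, the Changelog entry in the first hunk spells the template `userdom_xwindwos_client_template`, which will not match a search for the real name.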