allow xserver domains to create content in admin home dir with a (named)
authorDominick Grift <domg472@gmail.com>
Mon, 13 Jun 2011 11:35:14 +0000 (13:35 +0200)
committerDominick Grift <domg472@gmail.com>
Mon, 13 Jun 2011 11:35:14 +0000 (13:35 +0200)
file transition

policy/modules/services/xserver.if
policy/modules/services/xserver.te

index 092ae1db6cdcce53a20dcb659be8a4ada11822d2..f17d785091ffdcbdae7b3170debfd4c1560f3ffd 100644 (file)
@@ -1862,18 +1862,14 @@ interface(`xserver_manage_home_fonts',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##      Domain allowed access.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
 interface(`xserver_filetrans_home_content',`
        gen_require(`
-               type xdm_home_t;
-               type xauth_home_t;
-               type iceauth_home_t;
-               type user_home_t;
-               type user_fonts_t;
-               type user_fonts_cache_t;
+               type xdm_home_t, xauth_home_t, iceauth_home_t;
+               type user_home_t, user_fonts_t, user_fonts_cache_t;
                type user_fonts_config_t;
        ')
 
@@ -1890,3 +1886,34 @@ interface(`xserver_filetrans_home_content',`
        userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
        filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
 ')
+
+########################################
+## <summary>
+##     Create xserver content in admin home
+##     directory with a named file transition.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_filetrans_admin_home_content',`
+       gen_require(`
+               type xdm_home_t, xauth_home_t, iceauth_home_t;
+               type user_home_t, user_fonts_t. user_fonts_cache_t;
+               type user_fonts_config_t;
+       ')
+
+       userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
+       userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
+       userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+       userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+       userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+       userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+       userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
+       userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+       userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+       userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+       userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
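Review bot: The `gen_require` block of the new `xserver_filetrans_admin_home_content` has a period where a comma belongs, `type user_home_t, user_fonts_t. user_fonts_cache_t;`, which looks like a typo and would likely be a syntax error when the interface is expanded; it should read `type user_home_t, user_fonts_t, user_fonts_cache_t;`. `user_home_t` is required here but no rule in this interface references it, so it could be dropped from the list. Unlike the user-home interface just above, this one has no `filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")` line; if that omission is deliberate, a one-line comment saying so would keep the two interfaces from drifting silently.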
index 86fb32d4973ff01e4b2e602a097105a9a81c54cf..bb93b67d6125b55e124c028f4fdc487c379f9539 100644 (file)
@@ -438,7 +438,9 @@ manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
 manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
+userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
 xserver_filetrans_home_content(xdm_t)
+xserver_filetrans_admin_home_content(xdm_t)
 
 #Handle mislabeled files in homedir
 userdom_delete_user_home_content_files(xdm_t)
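Review bot: The added `userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)` carries no name argument, so it acts as a catch-all: any file xdm_t creates directly in the admin home directory that matches none of the named rules is labelled xdm_home_t. If the interface is built on `filetrans_pattern` as in reference policy, each of these calls also grants xdm_t write access to the admin home directory itself, which is a more sensitive grant than the user-home case on the line above. A comment stating why the display manager needs it would make the intent reviewable, for example `# xdm creates .dmrc and .xsession-errors in the admin home dir on a root login` (wording assumed, to be confirmed by the author). The surrounding xdm_t rules continue outside this hunk.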