Merge branch 'base'
authorDominick Grift <domg472@gmail.com>
Fri, 24 Sep 2010 10:52:43 +0000 (12:52 +0200)
committerDominick Grift <domg472@gmail.com>
Fri, 24 Sep 2010 10:52:43 +0000 (12:52 +0200)
policy/modules/apps/userhelper.if
policy/modules/apps/userhelper.te
policy/modules/services/xserver.if

index d73e7c8265d499e09bb99a841bbe67d16976878c..2e50976513875e41a91a539de192b05704e8ba09 100644 (file)
@@ -303,12 +303,15 @@ template(`userhelper_console_role_template',`
 
        auth_use_pam($1_consolehelper_t)
 
+       userdom_manage_tmpfs_role($2, $1_consolehelper_t)
+
        optional_policy(`
                shutdown_run($1_consolehelper_t, $2)
                shutdown_send_sigchld($3)
        ')
 
        optional_policy(`
+               xserver_run_xauth($1_consolehelper_t, $2)
                xserver_read_xdm_pid($1_consolehelper_t)
        ')
 ')
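Review bot: `userdom_manage_tmpfs_role($2, $1_consolehelper_t)` is added unconditionally, outside either optional_policy block, with no comment saying what the helper needs the user tmpfs for. If the access exists for X shared memory (inferred from the xauth and font rules elsewhere in this commit), a comment such as `# X clients create shared memory segments on the user tmpfs` would record that so the rule can be reviewed or narrowed later. The added `xserver_run_xauth($1_consolehelper_t, $2)` also gives the helper a transition into xauth_t. The template's doc header is outside the hunk and should list both new accesses.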
index f62c171b7d5a638f26206d14dd2b3e3dcaa0c36f..b46a20ebbcbffcdf91ff815417c2c701438cf1f5 100644 (file)
@@ -22,6 +22,7 @@ application_executable_file(consolehelper_exec_t)
 # consolehelper local policy
 #
 
+allow consolehelper_domain self:shm create_shm_perms;
 allow consolehelper_domain self:capability { setgid setuid }; 
 
 dontaudit consolehelper_domain  userhelper_conf_t:file write;
@@ -47,13 +48,19 @@ auth_read_pam_pid(consolehelper_domain)
 init_read_utmp(consolehelper_domain)
 
 miscfiles_read_localization(consolehelper_domain)
+miscfiles_read_fonts(consolehelper_domain)
 
 userhelper_exec(consolehelper_domain)
 
 userdom_use_user_ptys(consolehelper_domain)
 userdom_use_user_ttys(consolehelper_domain)
-userdom_search_user_home_content(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
 
 optional_policy(`
+       gnome_read_gconf_home_files(consolehelper_domain)
+')
+
+optional_policy(`
+       xserver_read_home_fonts(consolehelper_domain)
        xserver_stream_connect(consolehelper_domain)
 ')
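Review bot: Replacing `userdom_search_user_home_content(consolehelper_domain)` with `userdom_read_user_home_content_files(consolehelper_domain)` widens every consolehelper domain from traversing the user home directory to reading generic user home files. The allow rule earlier in this file gives these domains the setuid and setgid capabilities. The same hunk adds `gnome_read_gconf_home_files` and `xserver_read_home_fonts`, which look like the access that is actually needed. If so, keep `userdom_search_user_home_content(consolehelper_domain)` and drop the broad read. If the broad read is required, a comment naming the file that needs it would let the rule be narrowed later.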
index 61cc0213ebe849d5723fb572c257b05a4a721d22..ef2a773d594e294c8035218153d1daf77f73452f 100644 (file)
@@ -1558,7 +1558,7 @@ interface(`xserver_read_user_iceauth',`
 
 ########################################
 ## <summary>
-##     Read user homedir fonts.
+##     Read/write inherited user homedir fonts.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1664,6 +1664,7 @@ interface(`xserver_run_xauth',`
        xserver_domtrans_xauth($1)
        role $2 types xauth_t;
 ')
+
 ########################################
 ## <summary>
 ##     Read user homedir fonts.
@@ -1675,6 +1676,29 @@ interface(`xserver_run_xauth',`
 ## </param>
 ## <rolecap/>
 #
+interface(`xserver_read_home_fonts',`
+       gen_require(`
+               type user_fonts_t, user_fonts_config_t;
+       ')
+
+       list_dirs_pattern($1, user_fonts_t, user_fonts_t)
+       read_files_pattern($1, user_fonts_t, user_fonts_t)
+       read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+       read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
+
+########################################
+## <summary>
+##     Manage user homedir fonts.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
 interface(`xserver_manage_home_fonts',`
        gen_require(`
                type user_fonts_t, user_fonts_config_t;
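Review bot: The new `xserver_read_home_fonts` grants access inside user_fonts_t and user_fonts_config_t but nothing visible here lets the caller traverse the home directory that contains them. Callers presumably have to obtain that separately, which may be why userhelper.te takes the much broader `userdom_read_user_home_content_files` in this commit. Adding `userdom_search_user_home_dirs($1)` to the interface would make it self-contained and let callers stay on the narrow font-only access. The body of `xserver_manage_home_fonts` continues outside the hunk.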