Skip to content

Commit

Permalink
xscreensaver: allow exec auth and systemd tools
Browse files Browse the repository at this point in the history
Xscreensaver needs to be able to exec xscreensaver-auth to prompt for
the password.
xscreensaver-systemd locks during suspend and handles inhibiting through
the dbus interface.

Signed-off-by: Jason Zaman <[email protected]>
  • Loading branch information
perfinion committed Mar 30, 2024
1 parent afee1fa commit f0465c0
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 2 deletions.
8 changes: 7 additions & 1 deletion policy/modules/apps/xscreensaver.fc
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,10 @@ HOME_DIR/XScreenSaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0
/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)

/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
/usr/lib/misc/xscreensaver/xscreensaver-auth -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
/usr/lib/misc/xscreensaver/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
/usr/lib/misc/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)

/usr/libexec/xscreensaver/xscreensaver-auth -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
/usr/libexec/xscreensaver/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
/usr/libexec/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
1 change: 1 addition & 0 deletions policy/modules/apps/xscreensaver.if
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ template(`xscreensaver_role',`
allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };

allow xscreensaver_helper_t $3:fd use;
allow xscreensaver_helper_t $3:fifo_file read_fifo_file_perms;

optional_policy(`
systemd_user_app_status($1, xscreensaver_t)
Expand Down
9 changes: 8 additions & 1 deletion policy/modules/apps/xscreensaver.te
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };

allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;

can_exec(xscreensaver_t, xscreensaver_exec_t)

kernel_read_system_state(xscreensaver_t)

files_read_usr_files(xscreensaver_t)
Expand All @@ -61,6 +63,7 @@ init_read_utmp(xscreensaver_t)
logging_send_audit_msgs(xscreensaver_t)
logging_send_syslog_msg(xscreensaver_t)

miscfiles_read_fonts(xscreensaver_t)
miscfiles_read_localization(xscreensaver_t)

userdom_use_user_terminals(xscreensaver_t)
Expand All @@ -86,14 +89,18 @@ tunable_policy(`xscreensaver_read_generic_user_content',`
userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
')

optional_policy(`
dbus_all_session_bus_client(xscreensaver_t)
')

########################################
#
# Helper local policy
#

allow xscreensaver_helper_t self:capability { setuid setgid };
dontaudit xscreensaver_helper_t self:capability { dac_override dac_read_search };
allow xscreensaver_helper_t self:process { execmem getcap getsched signal };
allow xscreensaver_helper_t self:process { execmem getcap getsched setsched signal };
allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;

allow xscreensaver_helper_t xscreensaver_helper_exec_t:file execute_no_trans;
Expand Down

0 comments on commit f0465c0

Please sign in to comment.