diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc index 304418fc7..30c93e0e4 100644 --- a/policy/modules/apps/xscreensaver.fc +++ b/policy/modules/apps/xscreensaver.fc @@ -5,4 +5,10 @@ HOME_DIR/XScreenSaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0 /usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0) /usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0) -/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0) +/usr/lib/misc/xscreensaver/xscreensaver-auth -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) +/usr/lib/misc/xscreensaver/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) +/usr/lib/misc/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0) + +/usr/libexec/xscreensaver/xscreensaver-auth -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) +/usr/libexec/xscreensaver/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) +/usr/libexec/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0) diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if index 0c8c145b1..1a22549cf 100644 --- a/policy/modules/apps/xscreensaver.if +++ b/policy/modules/apps/xscreensaver.if @@ -49,6 +49,7 @@ template(`xscreensaver_role',` allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms }; allow xscreensaver_helper_t $3:fd use; + allow xscreensaver_helper_t $3:fifo_file read_fifo_file_perms; optional_policy(` systemd_user_app_status($1, xscreensaver_t) diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te index 18c552953..4c8834e1e 100644 --- a/policy/modules/apps/xscreensaver.te +++ b/policy/modules/apps/xscreensaver.te @@ -44,6 +44,8 @@ allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop }; allow xscreensaver_t xscreensaver_config_t:file manage_file_perms; +can_exec(xscreensaver_t, xscreensaver_exec_t) + kernel_read_system_state(xscreensaver_t) files_read_usr_files(xscreensaver_t) @@ -61,6 +63,7 @@ init_read_utmp(xscreensaver_t) logging_send_audit_msgs(xscreensaver_t) logging_send_syslog_msg(xscreensaver_t) +miscfiles_read_fonts(xscreensaver_t) miscfiles_read_localization(xscreensaver_t) userdom_use_user_terminals(xscreensaver_t) @@ -86,6 +89,10 @@ tunable_policy(`xscreensaver_read_generic_user_content',` userdom_dontaudit_read_user_tmp_files(xscreensaver_t) ') +optional_policy(` + dbus_all_session_bus_client(xscreensaver_t) +') + ######################################## # # Helper local policy @@ -93,7 +100,7 @@ tunable_policy(`xscreensaver_read_generic_user_content',` allow xscreensaver_helper_t self:capability { setuid setgid }; dontaudit xscreensaver_helper_t self:capability { dac_override dac_read_search }; -allow xscreensaver_helper_t self:process { execmem getcap getsched signal }; +allow xscreensaver_helper_t self:process { execmem getcap getsched setsched signal }; allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms; allow xscreensaver_helper_t xscreensaver_helper_exec_t:file execute_no_trans;