From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 20 Nov 2017 14:29:34 +0100
Subject: [refpolicy] [PATCH v2 5/7] Allow X server users to manage all xdg resources
In-Reply-To: <20171120132936.25695-1-sven.vermeulen@siphos.be>
References: <20171120132936.25695-1-sven.vermeulen@siphos.be>
Message-ID: <20171120132936.25695-6-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With the introduction of the freedesktop XDG location support in the policy, end users need to be allowed to manage these locations from their main user domain. The necessary privileges are added to the xserver_role() interface, which is in use by the unconfined user domain as well as the main other user domains (like user, sysadm and staff). The necessary file transitions for the directories are added as well.

Signed-off-by: Sven Vermeulen
--- policy/modules/services/xserver.if | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index e70046db..17f84ae5 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -170,6 +170,36 @@ interface(`xserver_role',` xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority") xserver_read_xkb_libs($2) + + optional_policy(` + xdg_manage_all_cache($2) + xdg_relabel_all_cache($2) + xdg_manage_all_config($2) + xdg_relabel_all_config($2) + xdg_manage_all_data($2) + xdg_relabel_all_data($2) + + xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") + xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") + xdg_generic_user_home_dir_filetrans_data($2, dir, ".local") + + xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents") + xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads") + xdg_generic_user_home_dir_filetrans_music($2, dir, "Music") + xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures") + xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos") + + xdg_manage_documents($2) + xdg_relabel_documents($2) + xdg_manage_downloads($2) + xdg_relabel_downloads($2) + xdg_manage_music($2) + xdg_relabel_music($2) + xdg_manage_pictures($2) + xdg_relabel_pictures($2) + xdg_manage_videos($2) + xdg_relabel_videos($2) + ') ') ####################################### -- 2.13.6
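
Review bot: the `xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")` line puts the XDG data type on `~/.local` itself, while the XDG default data directory is `~/.local/share`, so by default anything else created under `~/.local` would inherit the data label; consider a comment stating that this is intended, or limiting the transition to the `share` subdirectory if the xdg module offers an interface for it. The `xdg_manage_all_*` and `xdg_relabel_all_*` calls at the top of the block also give every domain passed to xserver_role() manage and relabel access to all cache, config and data types, including any application-specific ones, which is broad for an interface named after the X server; a short comment inside the `optional_policy` block explaining why these grants live here would help later readers.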