
Commit 7279559

committed
xscreensaver: allow exec auth and systemd tools
Xscreensaver needs to be able to exec xscreensaver-auth to prompt for the password. xscreensaver-systemd locks during suspend and handles inhibiting through the dbus interface. Signed-off-by: Jason Zaman <perfinion@gentoo.org>
1 parent ed822a1 commit 7279559


3 files changed

+16
-2
lines changed


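--- a/policy/modules/apps/xscreensaver.fc
+++ b/policy/modules/apps/xscreensaver.fc
@@ -5,4 +5,10 @@ HOME_DIR/XScreenSaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0
 /usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
 /usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
 
-/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+/usr/lib/misc/xscreensaver/xscreensaver-auth -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/lib/misc/xscreensaver/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/lib/misc/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+
+/usr/libexec/xscreensaver/xscreensaver-auth -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/libexec/xscreensaver/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/libexec/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)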
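Review bot: The exact-path entries label xscreensaver-auth and xscreensaver-systemd `xscreensaver_exec_t`, and the .te change runs that type from `xscreensaver_t` without a transition, so the process that prompts for the password is not separated by type from the rest of the daemon domain. If that is the intended design, a comment above each group would record it, for example `# run by the daemon in its own domain; every other file in this directory is a helper`. The labelling also relies on the two exact paths winning over the `.*` catch-all for the same directory; checking the installed files with `matchpathcon` would confirm that xscreensaver-auth does not end up as `xscreensaver_helper_exec_t`.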

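--- a/policy/modules/apps/xscreensaver.if
+++ b/policy/modules/apps/xscreensaver.if
@@ -49,6 +49,7 @@ template(`xscreensaver_role',`
 allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
 
 allow xscreensaver_helper_t $3:fd use;
+allow xscreensaver_helper_t $3:fifo_file read_fifo_file_perms;
 
 optional_policy(`
 systemd_user_app_status($1, xscreensaver_t)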
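Review bot: The added `allow xscreensaver_helper_t $3:fifo_file read_fifo_file_perms;` carries no comment, and the commit description covers only xscreensaver-auth and xscreensaver-systemd, so nothing on the page says why the helper domain must read pipes owned by `$3`. Because the rule sits in the role template, it applies to every domain passed as `$3`. A one-line comment would help, for instance `# helper reads a pipe inherited from $3`, worded to match the denial that prompted the rule. The template body starts and ends outside the hunk, so what `$3` stands for cannot be checked from here.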

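--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -44,6 +44,8 @@ allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
 
 allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
 
+can_exec(xscreensaver_t, xscreensaver_exec_t)
+
 kernel_read_system_state(xscreensaver_t)
 
 files_read_usr_files(xscreensaver_t)
@@ -61,6 +63,7 @@ init_read_utmp(xscreensaver_t)
 logging_send_audit_msgs(xscreensaver_t)
 logging_send_syslog_msg(xscreensaver_t)
 
+miscfiles_read_fonts(xscreensaver_t)
 miscfiles_read_localization(xscreensaver_t)
 
 userdom_use_user_terminals(xscreensaver_t)
@@ -86,14 +89,18 @@ tunable_policy(`xscreensaver_read_generic_user_content',`
 userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
 ')
 
+optional_policy(`
+dbus_all_session_bus_client(xscreensaver_t)
+')
+
 ########################################
 #
 # Helper local policy
 #
 
 allow xscreensaver_helper_t self:capability { setuid setgid };
 dontaudit xscreensaver_helper_t self:capability { dac_override dac_read_search };
-allow xscreensaver_helper_t self:process { execmem getcap getsched signal };
+allow xscreensaver_helper_t self:process { execmem getcap getsched setsched signal };
 allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
 
 allow xscreensaver_helper_t xscreensaver_helper_exec_t:file execute_no_trans;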
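Review bot: In the third hunk, `dbus_all_session_bus_client(xscreensaver_t)` gives the whole `xscreensaver_t` domain client access to every session bus, although the description needs D-Bus only for xscreensaver-systemd. Since `can_exec(xscreensaver_t, xscreensaver_exec_t)` in the first hunk keeps xscreensaver-auth in the same domain, the password prompt gets that bus access too. At minimum the block should say who needs it, e.g. `# xscreensaver-systemd handles inhibit requests over the session bus`; a grant limited to the caller's own session bus, placed in the role template, looks like the tighter option if one fits. The `setsched` added to the helper's `self:process` set in the same hunk is likewise not covered by the description and would benefit from a short comment naming the helper that requires it.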
