xscreensaver: allow exec auth and systemd tools

perfinion · perfinion · commit 72795596fee6 · 2023-11-19T12:59:55.000-08:00
Xscreensaver needs to be able to exec xscreensaver-auth to prompt for
the password.
xscreensaver-systemd locks during suspend and handles inhibiting through
the dbus interface.

Signed-off-by: Jason Zaman &lt;perfinion@gentoo.org&gt;
diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc
@@ -5,4 +5,10 @@ HOME_DIR/XScreenSaver		--	gen_context(system_u:object_r:xscreensaver_config_t,s0
 /usr/bin/xscreensaver-getimage.*	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
 /usr/bin/xscreensaver-gl-helper	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
 
-/usr/libexec/xscreensaver(/.*)?	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+/usr/lib/misc/xscreensaver/xscreensaver-auth	--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/lib/misc/xscreensaver/xscreensaver-systemd	--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/lib/misc/xscreensaver/.*	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+
+/usr/libexec/xscreensaver/xscreensaver-auth	--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/libexec/xscreensaver/xscreensaver-systemd	--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/libexec/xscreensaver/.*	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if
@@ -49,6 +49,7 @@ template(`xscreensaver_role',`
 	allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
 
 	allow xscreensaver_helper_t $3:fd use;
+	allow xscreensaver_helper_t $3:fifo_file read_fifo_file_perms;
 
 	optional_policy(`
 		systemd_user_app_status($1, xscreensaver_t)
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
@@ -44,6 +44,8 @@ allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
 
 allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
 
+can_exec(xscreensaver_t, xscreensaver_exec_t)
+
 kernel_read_system_state(xscreensaver_t)
 
 files_read_usr_files(xscreensaver_t)
@@ -61,6 +63,7 @@ init_read_utmp(xscreensaver_t)
 logging_send_audit_msgs(xscreensaver_t)
 logging_send_syslog_msg(xscreensaver_t)
 
+miscfiles_read_fonts(xscreensaver_t)
 miscfiles_read_localization(xscreensaver_t)
 
 userdom_use_user_terminals(xscreensaver_t)
@@ -86,14 +89,18 @@ tunable_policy(`xscreensaver_read_generic_user_content',`
 	userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
 ')
 
+optional_policy(`
+    dbus_all_session_bus_client(xscreensaver_t)
+')
+
 ########################################
 #
 # Helper local policy
 #
 
 allow xscreensaver_helper_t self:capability { setuid setgid };
 dontaudit xscreensaver_helper_t self:capability { dac_override dac_read_search };
-allow xscreensaver_helper_t self:process { execmem getcap getsched signal };
+allow xscreensaver_helper_t self:process { execmem getcap getsched setsched signal };
 allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
 
 allow xscreensaver_helper_t xscreensaver_helper_exec_t:file execute_no_trans;
