diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d5d6c7914..e18dc7042 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -185,42 +185,6 @@ interface(`xserver_role',`
 xserver_read_xkb_libs($2)
 
 optional_policy(`
- xdg_manage_all_cache($2)
- xdg_relabel_all_cache($2)
- xdg_watch_all_cache_dirs($2)
- xdg_manage_all_config($2)
- xdg_relabel_all_config($2)
- xdg_watch_all_config_dirs($2)
- xdg_manage_all_data($2)
- xdg_relabel_all_data($2)
- xdg_watch_all_data_dirs($2)
-
- xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
- xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
- xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
- xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
- xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
- xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
- xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
- xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
- xdg_manage_documents($2)
- xdg_relabel_documents($2)
- xdg_watch_documents_dirs($2)
- xdg_manage_downloads($2)
- xdg_relabel_downloads($2)
- xdg_watch_downloads_dirs($2)
- xdg_manage_music($2)
- xdg_relabel_music($2)
- xdg_watch_music_dirs($2)
- xdg_manage_pictures($2)
- xdg_relabel_pictures($2)
- xdg_watch_pictures_dirs($2)
- xdg_manage_videos($2)
- xdg_relabel_videos($2)
- xdg_watch_videos_dirs($2)
- xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 ')
 ')
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 482af588b..7081d4167 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1195,6 +1195,9 @@ template(`userdom_unpriv_user_template', `
 fs_exec_noxattr($1_t)
 ')
 
+ # Allow users to manage xdg content in their home directories
+ userdom_xdg_user_template($1_t)
+
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users) disabling this forces FTP passive mode
 # and may change other protocols
@@ -1498,6 +1501,65 @@ template(`userdom_security_admin_template',`
 ')
 ')
 
+########################################
+##
+## Allow user to interact with xdg content types
+##
+##
+##
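Review bot: The new call `userdom_xdg_user_template($1_t)` hands the template an already-suffixed domain name, yet the template body in the third hunk appends `_t` again (`xdg_manage_all_cache($1_t)`), so expansion produces an undeclared `<prefix>_t_t` type that the policy compiler will reject rather than the intended user domain. The other templates invoked from userdom_unpriv_user_template take the bare prefix, so the call should be `userdom_xdg_user_template($1)`. The enclosing userdom_unpriv_user_template starts and ends outside this hunk.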

+## Create rules to allow a user to manage xdg
+## content in a user home directory with an
+## automatic type transition to those types.
+##

+##

+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`userdom_xdg_user_template',`
+ xdg_manage_all_cache($1_t)
+ xdg_relabel_all_cache($1_t)
+ xdg_watch_all_cache_dirs($1_t)
+ xdg_manage_all_config($1_t)
+ xdg_relabel_all_config($1_t)
+ xdg_watch_all_config_dirs($1_t)
+ xdg_manage_all_data($1_t)
+ xdg_relabel_all_data($1_t)
+ xdg_watch_all_data_dirs($1_t)
+
+ xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
+ xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
+ xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
+
+ xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
+ xdg_generic_user_home_dir_filetrans_downloads($1_t, dir, "Downloads")
+ xdg_generic_user_home_dir_filetrans_music($1_t, dir, "Music")
+ xdg_generic_user_home_dir_filetrans_pictures($1_t, dir, "Pictures")
+ xdg_generic_user_home_dir_filetrans_videos($1_t, dir, "Videos")
+
+ xdg_manage_documents($1_t)
+ xdg_relabel_documents($1_t)
+ xdg_watch_documents_dirs($1_t)
+ xdg_manage_downloads($1_t)
+ xdg_relabel_downloads($1_t)
+ xdg_watch_downloads_dirs($1_t)
+ xdg_manage_music($1_t)
+ xdg_relabel_music($1_t)
+ xdg_watch_music_dirs($1_t)
+ xdg_manage_pictures($1_t)
+ xdg_relabel_pictures($1_t)
+ xdg_watch_pictures_dirs($1_t)
+ xdg_manage_videos($1_t)
+ xdg_relabel_videos($1_t)
+ xdg_watch_videos_dirs($1_t)
+')
+
 ########################################
 ##
 ## Make the specified type usable as
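Review bot: The parameter description `Domain allowed access.` does not match how the template uses its argument: every rule appends `_t` (`xdg_manage_all_cache($1_t)`), so the argument is a userdomain prefix and the description should follow the other templates in this file, e.g. `The prefix of the user domain (e.g., user is the prefix for user_t).` The body also omits one rule the removed xserver_role block carried, `xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")`; unless it is restored elsewhere, shader-cache directories created under the user cache will no longer get their dedicated label, so either add `xdg_cache_filetrans($1_t, mesa_shader_cache_t, dir, "mesa_shader_cache")` here or record the intentional drop in the commit message. Finally, the xserver_role version ran these calls inside `optional_policy(`...`)` while the template invokes the xdg interfaces unconditionally; if the xdg module is optional in this tree, wrap the body the same way so builds without it still expand. Note as well that the rules now reach every domain built from userdom_unpriv_user_template rather than only X roles, which widens who may manage and relabel xdg content and should be stated in the description.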