Without allow siginh, we get a huge timeout wait period (15 seconds)

Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).

Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.

However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.

The new patch suggests using xserver_domtrans in the
xserver_restricted_role, which then automatically includes the siginh
permission.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Sven Vermeulen 2011-02-22 21:30:39 +01:00 committed by Chris PeBenito
parent 4202ab7bf8
commit 3309d17553
1 changed files with 1 additions and 1 deletions

@ -30,7 +30,6 @@ interface(`xserver_restricted_role',`
allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
domtrans_pattern($2, xserver_exec_t, xserver_t)
allow xserver_t $2:process signal;
allow xserver_t $2:shm rw_shm_perms;
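Review bot: `allow xserver_t $2:shm rw_shm_perms;` appears twice in this hunk, once before and once after the `domtrans_pattern($2, xserver_exec_t, xserver_t)` line. Since this region of `xserver_restricted_role` is being touched anyway, drop the second copy in the same change. The hunk header shows one line leaving this region (7 lines before, 6 after), which per the commit message is the `domtrans_pattern` call, so the remaining `allow xserver_t $2:fd use;` and `allow xserver_t $2:process signal;` rules no longer sit next to the transition they support; a short comment pointing to where the transition now comes from would keep the block readable.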
@ -96,6 +95,7 @@ interface(`xserver_restricted_role',`
miscfiles_read_fonts($2)
xserver_common_x_domain_template(user, $2)
xserver_domtrans($2)
xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
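Review bot: the `xserver_domtrans($2)` line in this hunk carries no comment saying why the interface is called instead of a plain `domtrans_pattern`. The reason, the siginh permission that avoids the 15-second startx delay, exists only in the commit message. Add a one-line comment above the call so a later cleanup does not swap it back. Because siginh lets xserver_t inherit signal state from the calling domain across the transition, the comment should also say that this is intended for every domain that is given `xserver_restricted_role`.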