Allow X server users to manage all xdg resources

With the introduction of the freedesktop XDG location support in the policy, end users need to be allowed to manage these locations from their main user domain. The necessary privileges are added to the xserver_role() interface, which is in use by the unconfined user domain as well as the main other user domains (like user, sysadm and staff). The necessary file transitions for the directories are added as well. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 13:56:39 +02:00 · 2018-03-25 13:56:39 +02:00 · 442849be7f
parent 0a4d55da7a
commit 442849be7f
1 changed files with 30 additions and 0 deletions
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -170,6 +170,36 @@ interface(`xserver_role',`
 	xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")

 	xserver_read_xkb_libs($2)
+
+	optional_policy(`
+		xdg_manage_all_cache($2)
+		xdg_relabel_all_cache($2)
+		xdg_manage_all_config($2)
+		xdg_relabel_all_config($2)
+		xdg_manage_all_data($2)
+		xdg_relabel_all_data($2)
+	
+		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
+		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
+		xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
+	
+		xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
+		xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
+		xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
+		xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
+		xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
+	
+		xdg_manage_documents($2)
+		xdg_relabel_documents($2)
+		xdg_manage_downloads($2)
+		xdg_relabel_downloads($2)
+		xdg_manage_music($2)
+		xdg_relabel_music($2)
+		xdg_manage_pictures($2)
+		xdg_relabel_pictures($2)
+		xdg_manage_videos($2)
+		xdg_relabel_videos($2)
+	')
 ')

 #######################################