Update the xscreensaver module in order to work with

the latest version (tested with version 6.06).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/wm.if           |    4 +++
 policy/modules/apps/xscreensaver.fc |    1
 policy/modules/apps/xscreensaver.if |   46 ++++++++++++++++++++++++++++++++++++
 policy/modules/apps/xscreensaver.te |   16 ++++++++++--
 4 files changed, 65 insertions(+), 2 deletions(-)

policy/modules/apps/wm.if

@@ -111,6 +111,10 @@ template(`wm_role_template',`
 	optional_policy(`
 		systemd_user_app_status($1, $1_wm_t)
 	')
+
+	optional_policy(`
+		xscreensaver_run($1_wm_t, $4)
+	')
 ')
 
 ########################################

policy/modules/apps/xscreensaver.fc

@@ -1,4 +1,5 @@
 HOME_DIR/\.xscreensaver		--	gen_context(system_u:object_r:xscreensaver_config_t,s0)
+HOME_DIR/XScreenSaver		--	gen_context(system_u:object_r:xscreensaver_config_t,s0)
 
 /usr/bin/xscreensaver		--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
 /usr/bin/xscreensaver-getimage.*	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)

policy/modules/apps/xscreensaver.if

@@ -54,3 +54,49 @@ template(`xscreensaver_role',`
 		systemd_user_app_status($1, xscreensaver_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Make a domain transition to the
+##	xscreensaver target domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xscreensaver_domtrans',`
+	gen_require(`
+		type xscreensaver_t, xscreensaver_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, xscreensaver_exec_t, xscreensaver_t)
+')
+
+########################################
+## <summary>
+##	Execute xscreensaver in the xscreensaver
+##	domain, and allow the specified role
+##	the xscreensaver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`xscreensaver_run',`
+	gen_require(`
+		attribute_role xscreensaver_roles;
+	')
+
+	xscreensaver_domtrans($1)
+	roleattribute $2 xscreensaver_roles;
+')

policy/modules/apps/xscreensaver.te

@@ -37,7 +37,7 @@ userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
 #
 
 allow xscreensaver_t self:capability { setgid setuid };
-allow xscreensaver_t self:process { setsched signal sigstop };
+allow xscreensaver_t self:process { setsched setpgid signal sigstop };
 allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
 
 allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
@@ -50,6 +50,7 @@ files_read_usr_files(xscreensaver_t)
 
 fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
 
+auth_dontaudit_read_shadow(xscreensaver_t)
 auth_use_nsswitch(xscreensaver_t)
 auth_domtrans_chk_passwd(xscreensaver_t)
 
@@ -90,14 +91,20 @@ tunable_policy(`xscreensaver_read_generic_user_content',`
 # Helper local policy
 #
 
-allow xscreensaver_helper_t self:process { execmem signal };
+allow xscreensaver_helper_t self:capability { setuid setgid };
+dontaudit xscreensaver_helper_t self:capability { dac_override dac_read_search };
+allow xscreensaver_helper_t self:process { execmem getcap getsched signal };
 allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
 
+allow xscreensaver_helper_t xscreensaver_helper_exec_t:file execute_no_trans;
+
 allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
 
 dev_read_sysfs(xscreensaver_helper_t)
 
+kernel_getattr_proc(xscreensaver_helper_t)
 kernel_read_system_state(xscreensaver_helper_t)
+kernel_read_kernel_sysctls(xscreensaver_helper_t)
 
 files_dontaudit_search_home(xscreensaver_helper_t)
 
@@ -108,8 +115,13 @@ files_read_usr_files(xscreensaver_helper_t)
 
 fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
 
+auth_dontaudit_read_shadow(xscreensaver_helper_t)
+auth_use_nsswitch(xscreensaver_helper_t)
+auth_domtrans_chk_passwd(xscreensaver_helper_t)
+
 miscfiles_read_fonts(xscreensaver_helper_t)
 miscfiles_read_localization(xscreensaver_helper_t)
 
 xserver_rw_xsession_log(xscreensaver_helper_t)
+xserver_read_user_xauth(xscreensaver_helper_t)
 xserver_stream_connect(xscreensaver_helper_t)