Separate the tunable permissions to write xserver

tmpfs files from the tunable permissions to write
X server shared memory.

Indeed some applications such as vlc (media player)
only require the former, so this change opts for a
stricter, yet more customizable policy.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    7 +++++++
 policy/modules/services/xserver.te |    8 ++++++++
 2 files changed, 15 insertions(+)

policy/modules/services/xserver.if

@@ -125,8 +125,12 @@ template(`xserver_restricted_role',`
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
+	')
+
+	tunable_policy(`allow_write_xserver_tmpfs',`
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+
 	tunable_policy(`xserver_allow_dri',`
 		dev_rw_dri($2)
 	')
@@ -482,6 +486,9 @@ template(`xserver_user_x_domain_template',`
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
+	')
+
+	tunable_policy(`allow_write_xserver_tmpfs',`
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
 ')

policy/modules/services/xserver.te

@@ -33,6 +33,14 @@ gen_require(`
 ## </desc>
 gen_tunable(allow_write_xshm, false)
 
+## <desc>
+## <p>
+## Allows clients to write to the X server tmpfs
+## files.
+## </p>
+## </desc>
+gen_tunable(allow_write_xserver_tmpfs, false)
+
 ## <desc>
 ## <p>
 ## Allow xdm logins as sysadm