Merge pull request #320 from 0xC0ncord/master

policy/modules/services/xserver.if

@@ -185,42 +185,6 @@ interface(`xserver_role',`
 	xserver_read_xkb_libs($2)
 
 	optional_policy(`
-		xdg_manage_all_cache($2)
-		xdg_relabel_all_cache($2)
-		xdg_watch_all_cache_dirs($2)
-		xdg_manage_all_config($2)
-		xdg_relabel_all_config($2)
-		xdg_watch_all_config_dirs($2)
-		xdg_manage_all_data($2)
-		xdg_relabel_all_data($2)
-		xdg_watch_all_data_dirs($2)
-
-		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
-		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
-		xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
-		xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
-		xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
-		xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
-		xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
-		xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
-		xdg_manage_documents($2)
-		xdg_relabel_documents($2)
-		xdg_watch_documents_dirs($2)
-		xdg_manage_downloads($2)
-		xdg_relabel_downloads($2)
-		xdg_watch_downloads_dirs($2)
-		xdg_manage_music($2)
-		xdg_relabel_music($2)
-		xdg_watch_music_dirs($2)
-		xdg_manage_pictures($2)
-		xdg_relabel_pictures($2)
-		xdg_watch_pictures_dirs($2)
-		xdg_manage_videos($2)
-		xdg_relabel_videos($2)
-		xdg_watch_videos_dirs($2)
-
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
 ')

policy/modules/system/userdomain.if

@@ -1195,6 +1195,9 @@ template(`userdom_unpriv_user_template', `
 		fs_exec_noxattr($1_t)
 	')
 
+	# Allow users to manage xdg content in their home directories
+	userdom_xdg_user_template($1_t)
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
@@ -1498,6 +1501,65 @@ template(`userdom_security_admin_template',`
 	')
 ')
 
+########################################
+## <summary>
+##	Allow user to interact with xdg content types
+## </summary>
+## <desc>
+##	<p>
+##  Create rules to allow a user to manage xdg
+##  content in a user home directory with an
+##  automatic type transition to those types.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_xdg_user_template',`
+	xdg_manage_all_cache($1_t)
+	xdg_relabel_all_cache($1_t)
+	xdg_watch_all_cache_dirs($1_t)
+	xdg_manage_all_config($1_t)
+	xdg_relabel_all_config($1_t)
+	xdg_watch_all_config_dirs($1_t)
+	xdg_manage_all_data($1_t)
+	xdg_relabel_all_data($1_t)
+	xdg_watch_all_data_dirs($1_t)
+
+	xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
+	xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
+	xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
+
+	xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
+	xdg_generic_user_home_dir_filetrans_downloads($1_t, dir, "Downloads")
+	xdg_generic_user_home_dir_filetrans_music($1_t, dir, "Music")
+	xdg_generic_user_home_dir_filetrans_pictures($1_t, dir, "Pictures")
+	xdg_generic_user_home_dir_filetrans_videos($1_t, dir, "Videos")
+
+	xdg_manage_documents($1_t)
+	xdg_relabel_documents($1_t)
+	xdg_watch_documents_dirs($1_t)
+	xdg_manage_downloads($1_t)
+	xdg_relabel_downloads($1_t)
+	xdg_watch_downloads_dirs($1_t)
+	xdg_manage_music($1_t)
+	xdg_relabel_music($1_t)
+	xdg_watch_music_dirs($1_t)
+	xdg_manage_pictures($1_t)
+	xdg_relabel_pictures($1_t)
+	xdg_watch_pictures_dirs($1_t)
+	xdg_manage_videos($1_t)
+	xdg_relabel_videos($1_t)
+	xdg_watch_videos_dirs($1_t)
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type usable as