[refpolicy] [PATCH v3 18/19] Make xscreensaver user content access optional

[sven.vermeulen@siphos.be (Sven Vermeulen)]

The xscreensaver application currently has the privileges to read user
content, to display images stored in the users' home directory. We now
grant this through xdg_pictures_t access, and make the generic user
content access optional.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 xscreensaver.te | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/xscreensaver.te b/xscreensaver.te
index 1f58110..e6f5e64 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
@@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Grant the xscreensaver domains read access to generic user content
+##	</p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
 attribute_role xscreensaver_roles;
 attribute_role xscreensaver_helper_roles;
 
@@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t)
 miscfiles_read_localization(xscreensaver_t)
 
 userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
 
 xserver_rw_xsession_log(xscreensaver_t)
 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
 
+tunable_policy(`xscreensaver_read_generic_user_content',`
+	userdom_list_user_tmp(xscreensaver_t)
+	userdom_list_user_home_content(xscreensaver_t)
+	userdom_read_user_home_content_files(xscreensaver_t)
+	userdom_read_user_home_content_symlinks(xscreensaver_t)
+	userdom_read_user_tmp_files(xscreensaver_t)
+',`
+	files_dontaudit_list_home(xscreensaver_t)
+	files_dontaudit_list_tmp(xscreensaver_t)
+
+	userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+	userdom_dontaudit_list_user_tmp(xscreensaver_t)
+	userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+	userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
 ########################################
 #
 # Helper local policy
-- 
2.16.1