From 32adc20d898b42554195387e5519a619e614cbdc Mon Sep 17 00:00:00 2001
From: Fredrik Eriksson
Date: Sat, 23 May 2020 09:39:34 +0200
Subject: [PATCH] fixed policy for xscreensaver with opengl

---
 .../selinux-feffe-policies/files/feffe.te | 30 +++++++------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/sec-policy/selinux-feffe-policies/files/feffe.te b/sec-policy/selinux-feffe-policies/files/feffe.te
index dd29aec..9b49f77 100644
--- a/sec-policy/selinux-feffe-policies/files/feffe.te
+++ b/sec-policy/selinux-feffe-policies/files/feffe.te
@@ -59,30 +59,26 @@ tunable_policy(`feffe_use_xdm',`
 	allow system_dbusd_t self:netlink_kobject_uevent_socket {create setopt bind getattr read};
 ')
-
-gen_tunable(feffe_xscreensaver_read_home, false)
-tunable_policy(`feffe_xscreensaver_read_home',`
+gen_tunable(feffe_xscreensaver_gl, false)
+tunable_policy(`feffe_xscreensaver_gl',`
 	gen_require(`
-		attribute user_home_content_type;
 		attribute non_security_file_type;
+		attribute user_home_content_type;
 
-		type user_t;
-		type xscreensaver_helper_t;
 		type xscreensaver_t;
+		type xscreensaver_helper_exec_t;
+		type xscreensaver_helper_t;
 		type xdm_t;
 		type lib_t;
 		type tmpfs_t;
 		type bin_t;
-		type xscreensaver_helper_exec_t;
-		type fs_t;
 		type xserver_t;
 	')
+	read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
 	dev_rw_dri(xscreensaver_helper_t)
 	dev_rw_dri(xscreensaver_t)
 	allow xscreensaver_helper_t xdm_t:fd use;
-	search_dirs_pattern(xscreensaver_helper_t, home_root_t, user_home_dir_t)
-	list_dirs_pattern(xscreensaver_helper_t, user_home_dir_t, user_home_t)
-	read_files_pattern(xscreensaver_helper_t, user_home_t, user_home_t)
+	allow xscreensaver_helper_t xserver_t:fd use;
 	exec_files_pattern(xscreensaver_t, lib_t, lib_t)
 	dev_read_sysfs(xscreensaver_t)
 	xserver_rw_mesa_shader_cache(xscreensaver_t)
 
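Review bot: The renamed tunable `feffe_xscreensaver_gl` still carries `read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)`, which grants the helper read access to every type carrying the user_home_content_type attribute — broader than the user_home_t-only read that the removed lines granted — and nothing in the hunk says why a "gl" toggle also opens user home content. Either scope that rule to the specific home type the GL hacks actually need, or document the trade-off so an administrator enabling the boolean knows what it unlocks, e.g. a comment above gen_tunable: `## Enable OpenGL xscreensaver hacks: DRI access plus read of all user_home_content_type files by the helper.` The `tunable_policy` block opened here continues past the end of this hunk, so the rule's remaining companions are reviewed in the next hunk.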
@@ -93,15 +89,9 @@ tunable_policy(`feffe_xscreensaver_read_home',`
 	exec_files_pattern(xscreensaver_helper_t, xscreensaver_helper_exec_t, xscreensaver_helper_exec_t)
 	exec_files_pattern(xscreensaver_helper_t, bin_t, bin_t)
 	allow xscreensaver_helper_t self:unix_stream_socket { create getattr connect write read shutdown };
-	read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
-
-	allow xscreensaver_t fs_t:filesystem getattr;
 	xdg_manage_cache(xscreensaver_helper_t)
-	dontaudit xscreensaver_helper_t non_security_file_type:file map;
-	dontaudit xscreensaver_helper_t non_security_file_type:dir search;
-	dontaudit xscreensaver_helper_t xserver_t:fd use;
-	dontaudit xscreensaver_t self:process execmem;
-	dontaudit xscreensaver_t user_home_content_type:dir search;
+	dontaudit xscreensaver_helper_t non_security_file_type:filesystem getattr;
+	dontaudit xscreensaver_helper_t non_security_file_type:dir { getattr search };
+	dontaudit xscreensaver_helper_t non_security_file_type:{fifo_file file} {getattr read map};
 ')
-
 
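Review bot: The new `dontaudit xscreensaver_helper_t non_security_file_type:{fifo_file file} {getattr read map};` silences read and map denials for the helper across every file type carrying non_security_file_type, so a screensaver hack reading outside its intended scope would produce no AVC record at all; the old rule only hid `map`. If the intent is to quiet path-probing noise, `getattr` alone usually suffices — keep `read` and `map` auditable by changing the line to `dontaudit xscreensaver_helper_t non_security_file_type:{fifo_file file} getattr;` — or, if the broad silence is deliberate, add a comment stating why, e.g. `# silence helper probing of arbitrary files; widen only after confirming the denials are harmless`. The `tunable_policy` block these rules belong to is opened in the previous hunk.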