* [refpolicy] [PATCH v2] Implement X Desktop Group
@ 2012-11-29 16:41 Dominick Grift
  2012-11-29 17:33 ` grift
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2012-11-29 16:41 UTC (permalink / raw)
  To: refpolicy


Creates 4 types for generic xdg cache, config, data and local home
content

Create the various basic interfaces that will be needed:

1. xserver_create_generic_xdg_cache, config, data and local home_dirs:
   This will be used together with
   xserver_user_home_(content|dir)_filetrans_cache, config,
   data and local_home_content and allows the caller to create ~/.cache,
   ~/.config, ~/.local and ~/.local/share directories. Each XDG aware
   program needs to be able to create these.

2. xserver_read|manage_generic_xdg_cache, config, data and
   local_home_content:
   By default content is created with a generic type and these broad
   interfaces allow the caller to read or manage content with these
   generic types

3. xserver_xdg_cache, config, data and local_home_content_filetrans:
   Allows callers to create specified objects in these locations with a
   private type

Add file context specifications for ~/.cache(/.*)? (xdg_cache_home_t),
~/.config(/.*)? (xdg_config_home_t) ~/.local (xdg_local_home_t) and
~/.local/share(/.*)? (xdg_data_home_t)

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 9393f65..f7e563e 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,11 +1,16 @@
 #
 # HOME_DIR
 #
+
+HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:xdg_config_home_t,s0)
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
 HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.local	-d	gen_context(system_u:object_r:xdg_local_home_t,s0)
+HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:xdg_data_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
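Review bot: The new `HOME_DIR/\.local	-d` entry labels only the ~/.local directory itself, while ~/.cache, ~/.config and ~/.local/share each get a `(/.*)?` spec. Anything created under ~/.local outside share is not matched by a spec in this hunk, so a relabel would presumably move it to the generic home content type, even though the interfaces in xserver.if grant file, lnk_file, fifo_file and sock_file access on `xdg_local_home_t`. If that content is meant to keep the type, use `HOME_DIR/\.local(/.*)?	gen_context(system_u:object_r:xdg_local_home_t,s0)`; the longer `\.local/share(/.*)?` spec should still take precedence for the data directory. If only the directory is meant to carry the type, the non-dir rules in the `xdg_local_home_t` read and manage interfaces are broader than needed.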
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..dfc457d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -22,6 +22,8 @@
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 		type iceauth_t, iceauth_exec_t, iceauth_home_t;
 		type xauth_t, xauth_exec_t, xauth_home_t;
+		type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
+		type xdg_local_home_t;
 	')
 
 	role $1 types { xserver_t xauth_t iceauth_t };
@@ -33,6 +35,17 @@
 	allow xserver_t $2:process signal;
 
 	allow xserver_t $2:shm rw_shm_perms;
+
+	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:file { manage_file_perms relabel_file_perms };
+	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+	userdom_user_home_dir_filetrans($2, xdg_cache_home_t, dir, ".cache")
+	userdom_user_home_dir_filetrans($2, xdg_config_home_t, dir, ".config")
+	userdom_user_home_dir_filetrans($2, xdg_local_home_t, dir, ".local")
+	filetrans_pattern($2, xdg_local_home_t, xdg_data_home_t, dir, "share")
 
 	allow $2 user_fonts_t:dir list_dir_perms;
 	allow $2 user_fonts_t:file read_file_perms;
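Review bot: The five `allow $2 { xdg_cache_home_t ... }` rules grant manage and relabel on every object class of all four XDG types with no comment explaining the grant, and relabel has no matching interface among those this patch adds further down. Every role that uses this template therefore gets full control of any ~/.config or ~/.cache content left at the generic type, which is presumably intended for user domains but worth stating. A one-line comment above the block would do, e.g. `# Users fully manage and relabel their own XDG base directory content.`. The enclosing template begins and ends outside the hunk.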
@@ -1272,6 +1285,614 @@
 
 ########################################
 ## <summary>
+##	Create generic xdg cache home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_cache_home_content_dirs',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	allow $1 xdg_cache_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic xdg cache home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:dir list_dir_perms;
+	allow $1 xdg_cache_home_t:file read_file_perms;
+	allow $1 xdg_cache_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_cache_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_cache_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic xdg cache home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:dir manage_dir_perms;
+	allow $1 xdg_cache_home_t:file manage_file_perms;
+	allow $1 xdg_cache_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_cache_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_cache_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic xdg cache home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	xdg cache home content directories
+##	with a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdg_cache_home_content_filetrans',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic xdg
+##	cache home content type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_xdg_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create generic xdg config home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_config_home_content_dirs',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	allow $1 xdg_config_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic xdg config home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:dir list_dir_perms;
+	allow $1 xdg_config_home_t:file read_file_perms;
+	allow $1 xdg_config_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_config_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_config_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic xdg config home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:dir manage_dir_perms;
+	allow $1 xdg_config_home_t:file manage_file_perms;
+	allow $1 xdg_config_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_config_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_config_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic xdg config home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	xdg config home content directories
+##	with a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdg_config_home_content_filetrans',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic xdg
+##	config home content type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_xdg_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create generic xdg data home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_data_home_content_dirs',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	allow $1 xdg_data_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic xdg data home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	xserver_search_generic_xdg_local_home_content($1)
+	allow $1 xdg_data_home_t:dir list_dir_perms;
+	allow $1 xdg_data_home_t:file read_file_perms;
+	allow $1 xdg_data_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_data_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_data_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic xdg data home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	xserver_search_generic_xdg_local_home_content($1)
+	allow $1 xdg_data_home_t:dir manage_dir_perms;
+	allow $1 xdg_data_home_t:file manage_file_perms;
+	allow $1 xdg_data_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_data_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_data_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic xdg data home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	xserver_search_generic_xdg_local_home_content($1)
+	allow $1 xdg_data_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	xdg data home content directories
+##	with a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdg_data_home_content_filetrans',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	xserver_search_generic_xdg_local_home_content($1)
+	filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	xdg local home directories with the
+##	generic xdg data home content type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdg_local_home_content_filetrans_user_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	xserver_xdg_local_home_content_filetrans($1, xdg_data_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create generic xdg config home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_local_home_content_dirs',`
+	gen_require(`
+		type xdg_local_home_t;
+	')
+
+	allow $1 xdg_local_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic xdg local home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_local_home_content',`
+	gen_require(`
+		type xdg_local_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_local_home_t:dir list_dir_perms;
+	allow $1 xdg_local_home_t:file read_file_perms;
+	allow $1 xdg_local_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_local_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_local_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic xdg local home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_local_home_content',`
+	gen_require(`
+		type xdg_local_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_local_home_t:dir manage_dir_perms;
+	allow $1 xdg_local_home_t:file manage_file_perms;
+	allow $1 xdg_local_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_local_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_local_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic xdg local home
+##	content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_local_home_content',`
+	gen_require(`
+		type xdg_local_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_local_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	xdg local home content directories
+##	with a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdg_local_home_content_filetrans',`
+	gen_require(`
+		type xdg_local_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	filetrans_pattern($1, xdg_local_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic xdg
+##	local home content type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_xdg_local_home_content',`
+	gen_require(`
+		type xdg_local_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xdg_local_home_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
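Review bot: The summary above `xserver_create_generic_xdg_local_home_content_dirs` is a copy-paste from the config variant: it reads "Create generic xdg config home content directories." but the rule grants `create_dir_perms` on `xdg_local_home_t`, so the first summary line should be `##	Create generic xdg local home`. The name `xserver_xdg_local_home_content_filetrans_user_data_home_content` also departs from its siblings, which all say `xdg_..._home_content`; `xserver_xdg_local_home_content_filetrans_xdg_data_home_content` would match. The summaries of the read and manage interfaces could note that the generic types cover content from every application that does not use a private type, so callers should prefer the `_filetrans` interfaces with a private type where they can. The trailing context lines belong to an interface that continues outside the hunk.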
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9bc86a0..baf72aa 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -154,6 +154,18 @@
 fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
+type xdg_cache_home_t;
+userdom_user_home_content(xdg_cache_home_t)
+
+type xdg_config_home_t;
+userdom_user_home_content(xdg_config_home_t)
+
+type xdg_data_home_t;
+userdom_user_home_content(xdg_data_home_t)
+
+type xdg_local_home_t;
+userdom_user_home_content(xdg_local_home_t)
+
 type xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
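Review bot: Declaring the four `xdg_*_home_t` types in xserver.te means any domain that needs ~/.cache, ~/.config or ~/.local has to call xserver interfaces, including programs that are not X clients. Callers in modules that can be built without xserver would presumably need `optional_policy` around each call. The block also has no comment tying types to paths; something like `# XDG base directory types: ~/.cache, ~/.config, ~/.local/share, ~/.local` above the first declaration would save a trip to xserver.fc.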


* [refpolicy] [PATCH v2] Implement X Desktop Group
  2012-11-29 16:41 [refpolicy] [PATCH v2] Implement X Desktop Group Dominick Grift
@ 2012-11-29 17:33 ` grift
  0 siblings, 0 replies; 2+ messages in thread
From: grift @ 2012-11-29 17:33 UTC (permalink / raw)
  To: refpolicy

ouch , there is a cosmetic issue in there. expect a new version soon

On Thu, 2012-11-29 at 17:41 +0100, Dominick Grift wrote:
> Creates 4 types for generic xdg cache, config, data and local home
> content
> 
> Create the various basic interfaces that will be needed:
> 
> 1. xserver_create_generic_xdg_cache, config, data and local home_dirs:
>    This will be used together with
>    xserver_user_home_(content|dir)_filetrans_cache, config,
>    data and local_home_content and allows the caller to create ~/.cache,
>    ~/.config, ~/.local and ~/.local/share directories. Each XDG aware
>    program needs to be able to create these.
> 
> 2. xserver_read|manage_generic_xdg_cache, config, data and
>    local_home_content:
>    By default content is created with a generic type and these broad
>    interfaces allow the caller to read of manage content with these
>    generic types
> 
> 3. xserver_xdg_cache, config, data and local_home_content_filetrans:
>    Allows callers to create specified objects in these location with a
>    private type
> 
> Add file context specifications for ~/.cache(/.*)? (xdg_cache_home_t),
> ~/.config(/.*)? (xdg_config_home_t) ~/.local (xdg_local_home_t) and
> ~/.local/share(/.*)? (xdg_data_home_t)
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> 
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 9393f65..f7e563e 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -1,11 +1,16 @@
>  #
>  # HOME_DIR
>  #
> +
> +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:xdg_cache_home_t,s0)
> +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:xdg_config_home_t,s0)
>  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
>  HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
>  HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
>  HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
> +HOME_DIR/\.local	-d	gen_context(system_u:object_r:xdg_local_home_t,s0)
> +HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:xdg_data_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index 6bf0ecc..dfc457d 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -22,6 +22,8 @@
>  		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
>  		type iceauth_t, iceauth_exec_t, iceauth_home_t;
>  		type xauth_t, xauth_exec_t, xauth_home_t;
> +		type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
> +		type xdg_local_home_t;
>  	')
>  
>  	role $1 types { xserver_t xauth_t iceauth_t };
> @@ -33,6 +35,17 @@
>  	allow xserver_t $2:process signal;
>  
>  	allow xserver_t $2:shm rw_shm_perms;
> +
> +	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:dir { manage_dir_perms relabel_dir_perms };
> +	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
> +	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:file { manage_file_perms relabel_file_perms };
> +	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
> +	allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> +
> +	userdom_user_home_dir_filetrans($2, xdg_cache_home_t, dir, ".cache")
> +	userdom_user_home_dir_filetrans($2, xdg_config_home_t, dir, ".config")
> +	userdom_user_home_dir_filetrans($2, xdg_local_home_t, dir, ".local")
> +	filetrans_pattern($2, xdg_local_home_t, xdg_data_home_t, dir, "share")
>  
>  	allow $2 user_fonts_t:dir list_dir_perms;
>  	allow $2 user_fonts_t:file read_file_perms;
> @@ -1272,6 +1285,614 @@
>  
>  ########################################
>  ## <summary>
> +##	Create generic xdg cache home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_create_generic_xdg_cache_home_content_dirs',`
> +	gen_require(`
> +		type xdg_cache_home_t;
> +	')
> +
> +	allow $1 xdg_cache_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Read generic xdg cache home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_read_generic_xdg_cache_home_content',`
> +	gen_require(`
> +		type xdg_cache_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_cache_home_t:dir list_dir_perms;
> +	allow $1 xdg_cache_home_t:file read_file_perms;
> +	allow $1 xdg_cache_home_t:fifo_file read_fifo_file_perms;
> +	allow $1 xdg_cache_home_t:lnk_file read_lnk_file_perms;
> +	allow $1 xdg_cache_home_t:sock_file read_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	generic xdg cache home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_generic_xdg_cache_home_content',`
> +	gen_require(`
> +		type xdg_cache_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_cache_home_t:dir manage_dir_perms;
> +	allow $1 xdg_cache_home_t:file manage_file_perms;
> +	allow $1 xdg_cache_home_t:fifo_file manage_fifo_file_perms;
> +	allow $1 xdg_cache_home_t:lnk_file manage_lnk_file_perms;
> +	allow $1 xdg_cache_home_t:sock_file manage_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Search generic xdg cache home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_search_generic_xdg_cache_home_content',`
> +	gen_require(`
> +		type xdg_cache_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_cache_home_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in generic
> +##	xdg cache home content directories
> +##	with a private type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="private_type">
> +##	<summary>
> +##	Private file type.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_xdg_cache_home_content_filetrans',`
> +	gen_require(`
> +		type xdg_cache_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in user home
> +##	directories with the generic xdg
> +##	cache home content type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_xdg_cache_home_content',`
> +	gen_require(`
> +		type xdg_cache_home_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +##	Create generic xdg config home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_create_generic_xdg_config_home_content_dirs',`
> +	gen_require(`
> +		type xdg_config_home_t;
> +	')
> +
> +	allow $1 xdg_config_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Read generic xdg config home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_read_generic_xdg_config_home_content',`
> +	gen_require(`
> +		type xdg_config_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_config_home_t:dir list_dir_perms;
> +	allow $1 xdg_config_home_t:file read_file_perms;
> +	allow $1 xdg_config_home_t:fifo_file read_fifo_file_perms;
> +	allow $1 xdg_config_home_t:lnk_file read_lnk_file_perms;
> +	allow $1 xdg_config_home_t:sock_file read_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	generic xdg config home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_generic_xdg_config_home_content',`
> +	gen_require(`
> +		type xdg_config_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_config_home_t:dir manage_dir_perms;
> +	allow $1 xdg_config_home_t:file manage_file_perms;
> +	allow $1 xdg_config_home_t:fifo_file manage_fifo_file_perms;
> +	allow $1 xdg_config_home_t:lnk_file manage_lnk_file_perms;
> +	allow $1 xdg_config_home_t:sock_file manage_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Search generic xdg config home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_search_generic_xdg_config_home_content',`
> +	gen_require(`
> +		type xdg_config_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_config_home_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in generic
> +##	xdg config home content directories
> +##	with a private type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="private_type">
> +##	<summary>
> +##	Private file type.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_xdg_config_home_content_filetrans',`
> +	gen_require(`
> +		type xdg_config_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in user home
> +##	directories with the generic xdg
> +##	config home content type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_xdg_config_home_content',`
> +	gen_require(`
> +		type xdg_config_home_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +##	Create generic xdg data home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_create_generic_xdg_data_home_content_dirs',`
> +	gen_require(`
> +		type xdg_data_home_t;
> +	')
> +
> +	allow $1 xdg_data_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Read generic xdg data home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_read_generic_xdg_data_home_content',`
> +	gen_require(`
> +		type xdg_data_home_t;
> +	')
> +
> +	xserver_search_generic_xdg_local_home_content($1)
> +	allow $1 xdg_data_home_t:dir list_dir_perms;
> +	allow $1 xdg_data_home_t:file read_file_perms;
> +	allow $1 xdg_data_home_t:fifo_file read_fifo_file_perms;
> +	allow $1 xdg_data_home_t:lnk_file read_lnk_file_perms;
> +	allow $1 xdg_data_home_t:sock_file read_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	generic xdg data home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_generic_xdg_data_home_content',`
> +	gen_require(`
> +		type xdg_data_home_t;
> +	')
> +
> +	xserver_search_generic_xdg_local_home_content($1)
> +	allow $1 xdg_data_home_t:dir manage_dir_perms;
> +	allow $1 xdg_data_home_t:file manage_file_perms;
> +	allow $1 xdg_data_home_t:fifo_file manage_fifo_file_perms;
> +	allow $1 xdg_data_home_t:lnk_file manage_lnk_file_perms;
> +	allow $1 xdg_data_home_t:sock_file manage_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Search generic xdg data home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_search_generic_xdg_data_home_content',`
> +	gen_require(`
> +		type xdg_data_home_t;
> +	')
> +
> +	xserver_search_generic_xdg_local_home_content($1)
> +	allow $1 xdg_data_home_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in generic
> +##	xdg data home content directories
> +##	with a private type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="private_type">
> +##	<summary>
> +##	Private file type.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_xdg_data_home_content_filetrans',`
> +	gen_require(`
> +		type xdg_data_home_t;
> +	')
> +
> +	xserver_search_generic_xdg_local_home_content($1)
> +	filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in generic
> +##	xdg local home directories with the
> +##	generic xdg data home content type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_xdg_local_home_content_filetrans_user_data_home_content',`
> +	gen_require(`
> +		type xdg_data_home_t;
> +	')
> +
> +	xserver_xdg_local_home_content_filetrans($1, xdg_data_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +##	Create generic xdg config home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_create_generic_xdg_local_home_content_dirs',`
> +	gen_require(`
> +		type xdg_local_home_t;
> +	')
> +
> +	allow $1 xdg_local_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Read generic xdg local home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_read_generic_xdg_local_home_content',`
> +	gen_require(`
> +		type xdg_local_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_local_home_t:dir list_dir_perms;
> +	allow $1 xdg_local_home_t:file read_file_perms;
> +	allow $1 xdg_local_home_t:fifo_file read_fifo_file_perms;
> +	allow $1 xdg_local_home_t:lnk_file read_lnk_file_perms;
> +	allow $1 xdg_local_home_t:sock_file read_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	generic xdg local home content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_generic_xdg_local_home_content',`
> +	gen_require(`
> +		type xdg_local_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_local_home_t:dir manage_dir_perms;
> +	allow $1 xdg_local_home_t:file manage_file_perms;
> +	allow $1 xdg_local_home_t:fifo_file manage_fifo_file_perms;
> +	allow $1 xdg_local_home_t:lnk_file manage_lnk_file_perms;
> +	allow $1 xdg_local_home_t:sock_file manage_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Search generic xdg local home
> +##	content directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_search_generic_xdg_local_home_content',`
> +	gen_require(`
> +		type xdg_local_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	allow $1 xdg_local_home_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in generic
> +##	xdg local home content directories
> +##	with a private type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="private_type">
> +##	<summary>
> +##	Private file type.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_xdg_local_home_content_filetrans',`
> +	gen_require(`
> +		type xdg_local_home_t;
> +	')
> +
> +	userdom_search_user_home_dirs($1)
> +	filetrans_pattern($1, xdg_local_home_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in user home
> +##	directories with the generic xdg
> +##	local home content type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_xdg_local_home_content',`
> +	gen_require(`
> +		type xdg_local_home_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xdg_local_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
>  ##	Interface to provide X object permissions on a given X server to
>  ##	an X client domain.  Gives the domain complete control over the
>  ##	display.
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 9bc86a0..baf72aa 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -154,6 +154,18 @@
>  fs_associate_tmpfs(xconsole_device_t)
>  files_associate_tmp(xconsole_device_t)
>  
> +type xdg_cache_home_t;
> +userdom_user_home_content(xdg_cache_home_t)
> +
> +type xdg_config_home_t;
> +userdom_user_home_content(xdg_config_home_t)
> +
> +type xdg_data_home_t;
> +userdom_user_home_content(xdg_data_home_t)
> +
> +type xdg_local_home_t;
> +userdom_user_home_content(xdg_local_home_t)
> +
>  type xdm_t;
>  type xdm_exec_t;
>  auth_login_pgm_domain(xdm_t)
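Review bot: The four types added from `type xdg_cache_home_t;` to `userdom_user_home_content(xdg_local_home_t)` are declared without a comment saying that they are generic labels shared by every XDG-aware program. Since `~/.config` and `~/.cache` collect files from many unrelated applications, a domain that is later given the read or manage interface for one of these types can reach all content carrying that label, so the declaration is the place to state that content needing isolation should get a private type. I would add above the block `# Generic XDG home types, shared by all XDG-aware programs.` and `# Label sensitive content with a private type via the xserver_xdg_*_home_content_filetrans interfaces.`. Declaring the types in xserver.te also appears to make non-X programs depend on the xserver module, which may be worth a note or a separate module.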
