authorLuis Ressel <aranea@aixah.de>2017-09-12 04:11:15 +0200
committerLuis Ressel <aranea@aixah.de>2017-09-14 21:11:29 +0200
commit9784a6f76e05543821abe87ce8b3952a9f0a2409 (patch)
treeaff6c1106a1ac277e42198cfe5a2326c7a436914 /policy/modules/services
parentModule version bumps. (diff)
downloadhardened-refpolicy-9784a6f76e05543821abe87ce8b3952a9f0a2409.tar.gz
hardened-refpolicy-9784a6f76e05543821abe87ce8b3952a9f0a2409.tar.bz2
hardened-refpolicy-9784a6f76e05543821abe87ce8b3952a9f0a2409.zip
Grant all permissions neccessary for Xorg and basic X clients
Note that dev_rw_dri already has the permission; it was just never added to dev_manage_dri as well.
Diffstat (limited to 'policy/modules/services')
-rw-r--r--policy/modules/services/xserver.if4
-rw-r--r--policy/modules/services/xserver.te2
2 files changed, 5 insertions, 1 deletions
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d14bf3c0..13f80093 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -197,7 +197,7 @@ interface(`xserver_ro_session',`
# Xserver read/write client shm
allow xserver_t $1:fd use;
allow xserver_t $1:shm rw_shm_perms;
- allow xserver_t $2:file rw_file_perms;
+ allow xserver_t $2:file { rw_file_perms map };
# Connect to xserver
allow $1 xserver_t:unix_stream_socket connectto;
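Review bot: The comment above the changed rule still reads `# Xserver read/write client shm`, but the rule now also lets xserver_t mmap files of the caller-supplied type `$2`; update it to something like `# Xserver read/write/map client shm` so an audit of map grants finds it. Because `$2` is whatever type the caller passes, the reach of this grant is decided at each call site, which is worth stating in the interface's parameter documentation (outside this hunk, as is the start of xserver_ro_session). The xserver.te hunk that adds `userdom_map_user_tmpfs_files(xserver_t)` appears to give xserver_t map access to user tmpfs files by a second path, so confirm that both grants are needed.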
@@ -210,6 +210,8 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:fd use;
allow $1 xserver_t:shm r_shm_perms;
allow $1 xserver_tmpfs_t:file read_file_perms;
+
+ allow $1 $2:file map;
')
#######################################
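Review bot: `allow $1 $2:file map;` has no comment and is the only rule in this group that is not about the client's access to X server objects, since it grants the client domain map on the caller-supplied tmpfs type. Add a comment above it, e.g. `# Client maps its own shm files`, so the reason an X server interface hands out this permission is recorded. Only `map` is granted here, so it takes effect only where another rule already lets `$1` open those files, and no such rule is visible in this diff. The neighbouring `allow $1 xserver_tmpfs_t:file read_file_perms;` gets no `map`, so a client that mmaps the server's segments would still be denied; that is presumably intentional but worth confirming.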
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a88e4af5..5c40fec4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -673,6 +673,7 @@ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow xserver_t xserver_tmpfs_t:file map;
# Run xkbcomp
manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -778,6 +779,7 @@ userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
+userdom_map_user_tmpfs_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
xserver_use_user_fonts(xserver_t)