xscreensaver-systemd now belongs to the default installation of xscreensaver since xscreensaver-5.44. It works to lock the screen when the system goes into sleep mode.
However, the security rules for xscreensaver-systemd are not yet common, and we set it up in this article
We first declare the role group xscreensaver_systemd_roles, the type of domain and the type of the binary file
attribute_role xscreensaver_systemd_roles; type xscreensaver_systemd_t; type xscreensaver_systemd_exec_t;
Then install the domain xscreensaver_systemd_t with the binary xscreensaver-systemd of type xscreensaver_systemd_exec_t
In this step the domain xscreensaver_systemd_t is allowed to have an entry point for xscreensaver_systemd_exec_t.
Next we assign the role group xscreensaver_systemd_roles to the domain xscreensaver_systemd_t
role xscreensaver_systemd_roles types xscreensaver_systemd_t;
The user roles need to be associated to the xscreensaver_systemd_roles group to perform domain transition
roleattribute staff_r xscreensaver_systemd_roles; roleattribute user_r xscreensaver_systemd_roles;
Finally, the xscreensaver binary running in the xscreensaver_t domain calls xscreensaver-systemd, we transition domain from xscreensaver_t to the xscreensaver_systemd_t
domtrans_pattern(xscreensaver_t, xscreensaver_systemd_exec_t, xscreensaver_systemd_t)
Note that the
domtrans_pattern macro is not enough to transition the domain if we have not installed an entry point for xscreensaver_systemd_t in the
userdom_user_application_domain macro as above
In addition to security rules, a new file context needs to be added to the policy, in the .fc file
/usr/bin/xscreensaver-systemd -- gen_context(system_u:object_r:xscreensaver_systemd_exec_t,s0)Share on Twitter Share on Facebook
Can't see mail in Inbox? Check your Spam folder.