Subject: Re: [PATCH 3/9] xserver: ICEauthority can be in /run/user
To: Jason Zaman, selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
From: Chris PeBenito
Date: Thu, 26 Dec 2019 12:24:06 -0500
Message-ID: <14dadb3e-9741-8d66-8d84-292977abec36@ieee.org>
In-Reply-To: <20191224101043.58122-3-jason@perfinion.com>

On 12/24/19 5:10 AM, Jason Zaman wrote: > From: Jason Zaman > > Signed-off-by: Jason Zaman > --- > policy/modules/services/xserver.fc | 2 ++ > policy/modules/services/xserver.te | 2 ++ > 2 files changed, 4 insertions(+) > > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc > index fa8db862..df06151e 100644 > --- a/policy/modules/services/xserver.fc > +++ b/policy/modules/services/xserver.fc 
> @@ -143,6 +143,8 @@ ifndef(`distro_debian',` > /run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) > /run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) > > +/run/user/%{USERID}/ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) > + > ifdef(`distro_suse',` > /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) > ') > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index f016d429..499f03a6 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -117,6 +117,7 @@ userdom_user_application_domain(iceauth_t, iceauth_exec_t) > > type iceauth_home_t; > userdom_user_home_content(iceauth_home_t) > +userdom_user_runtime_content(iceauth_home_t) > > type xauth_t; > type xauth_exec_t; > @@ -211,6 +212,7 @@ optional_policy(` > > allow iceauth_t iceauth_home_t:file manage_file_perms; > userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) > +userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file) > > allow xdm_t iceauth_home_t:file read_file_perms; Merged. -- Chris PeBenito
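Review bot: in the xserver.fc hunk (@@ -143,6 +143,8), the new entry `/run/user/%{USERID}/ICEauthority.*` ends in an open-ended `.*`, so every regular file in the user runtime directory whose name merely begins with ICEauthority is labeled iceauth_home_t. If the intent is to cover suffixed variants of the file, say so in a comment above the entry, otherwise narrow the pattern. The commit message consists of the subject and a Signed-off-by only; it should state which component places ICEauthority under /run/user so the entry can be checked against real behaviour.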
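Review bot: in the first xserver.te hunk (@@ -117,6 +117,7), iceauth_home_t ends up declared as both user home content and user runtime content, so a type whose name says "home" will appear on files under /run/user and is covered by rules written against either kind of content. Consider a dedicated runtime type for the /run/user copy, or at least a comment next to `userdom_user_runtime_content(iceauth_home_t)` explaining why one type is shared between the two locations.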
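Review bot: in the second xserver.te hunk (@@ -211,6 +212,7), `userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file)` carries no file name, so any regular file iceauth_t creates in the user runtime directory becomes iceauth_home_t, while the xserver.fc entry only covers names starting with ICEauthority. The transition is also granted to iceauth_t alone; the only other domain visible here, xdm_t, gets read_file_perms, so a file created under /run/user by anything other than iceauth_t would depend on relabeling to get this type. A sentence in the commit message naming the domain that creates the file would settle both points.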