The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/xserver.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f81fcac..d57d09f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -820,7 +820,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
-allow xserver_t xdm_var_run_t:file read_file_perms;
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
--
1.8.5.5
On 05/28/2014 11:25 AM, Sven Vermeulen wrote:
> The LightDM application stores its xauth file in a subdirectory
> (/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
> X11 (xserver_t) needs search rights to this location.
>
> With this setup, X is run as follows:
> /usr/bin/X :0 -auth /var/run/lightdm/root/:0
>
> Changes since v1:
> - Use read_files_pattern instead of separate allow rules
>
> Signed-off-by: Jason Zaman <[email protected]>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/services/xserver.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f81fcac..d57d09f 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -820,7 +820,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
> allow xserver_t xdm_var_lib_t:file { getattr read };
> dontaudit xserver_t xdm_var_lib_t:dir search;
>
> -allow xserver_t xdm_var_run_t:file read_file_perms;
> +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
>
> # Label pid and temporary files with derived types.
> manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com