From: domg472@gmail.com (Dominick Grift)
Date: Mon, 14 Feb 2011 16:35:24 +0100
Subject: [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information
In-Reply-To: <4D594099.9040507@tresys.com>
References: <20110206151446.GA13019@siphos.be> <4D594099.9040507@tresys.com>
Message-ID: <4D594BBC.5000003@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/14/2011 03:47 PM, Christopher J. PeBenito wrote:
> On 2/6/2011 10:14 AM, Sven Vermeulen wrote:
>> On my system, I use XFCE and start X from the commandline (using "startx")
>> rather than through a graphical DM. During the start-up, XFCE4 creates
>> temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later
>> read in by iceauth and at some point X.
>>
>> I'm not that good at the entire ICE stuff, but without this, I was unable to
>> shut down my session ("log off").
>
> What specific process was creating the files? Do you still have the
> logs? I'm interested in seeing them, as user processes creating ICE
> files seems wrong.

You'd be surprised who all maintained these:

manage_dirs_pattern($1_gsession_t, gsession_ice_tmp_t, gsession_ice_tmp_t)
manage_sock_files_pattern($1_gsession_t, gsession_ice_tmp_t, gsession_ice_tmp_t)
files_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, dir)
# for when /tmp/.ICE is created with initrc_tmp_t
init_script_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, sock_file)
# for when /tmp/.ICE is created with xdm_tmp_t
xserver_xdm_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, sock_file)

>> Signed-off-by: Sven Vermeulen
>> ---
>> policy/modules/services/xserver.te | 3 +++
>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
>> index 33b91be..34ed5a7 100644
>> --- a/policy/modules/services/xserver.te
>> +++ b/policy/modules/services/xserver.te
>> @@ -234,9 +234,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) >> >> allow xdm_t iceauth_home_t:file read_file_perms; >> >> +files_search_tmp(iceauth_t) >> fs_search_auto_mountpoints(iceauth_t) >> >> userdom_use_user_terminals(iceauth_t) >> +userdom_read_user_tmp_files(iceauth_t) >> >> tunable_policy(`use_nfs_home_dirs',` >> fs_manage_nfs_files(iceauth_t) >> @@ -726,6 +728,7 @@ seutil_read_default_contexts(xserver_t) >> userdom_search_user_home_dirs(xserver_t) >> userdom_use_user_ttys(xserver_t) >> userdom_setattr_user_ttys(xserver_t) >> +userdom_read_user_tmp_files(xserver_t) >> userdom_rw_user_tmpfs_files(xserver_t) >> >> xserver_use_user_fonts(xserver_t) > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1ZS7wACgkQMlxVo39jgT+2CwCfQInjHtvGMJ1mfitDGTqoWd14 dOMAn00xGceE12MhrM1V6mDjXMTvxn6O =j9VA -----END PGP SIGNATURE-----
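
Review bot: In the first hunk (iceauth_t, at -234), userdom_read_user_tmp_files(iceauth_t) gives iceauth read access to user tmp files in general, while the description only calls for the session manager's ICE authority files (/tmp/.xfsm-ICE-*). Consider giving those files a dedicated type through a tmp filetrans, along the lines of the gsession_ice_tmp_t rules quoted in the reply, and granting iceauth_t read access to that type only. If the broad interface stays, add a comment above it naming the XFCE ICE files, since nothing in the hunk says why iceauth needs to look in /tmp.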
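
Review bot: In the second hunk (xserver_t, at -726), userdom_read_user_tmp_files(xserver_t) is justified in the description only by "at some point X", and the logs the maintainer asks for are not part of the submission. Include the AVC denials that show xserver_t reading the ICE files before widening the X server's access to user tmp files, and put a short comment on the new line, as the neighbouring userdom_ calls give no hint of the reason.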