From: guido@trentalancia.com (Guido Trentalancia) Date: Mon, 28 Feb 2011 20:38:01 +0100 Subject: [refpolicy] [PATCH]: xauth label and module request Message-ID: <1298921881.3123.22.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When starting the X server from the console (using the startx script that is being shipped with package xinit from X.Org), a few more permissions are needed from the reference policy. The label is for a file created by the startx script (from X.Org) and the module being requested is ipv6 (which can be disabled by other means). --- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.te 2011-02-20 06:35:17.092746837 +0100 +++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.te 2011-02-28 20:34:42.602106786 +0100 @@ -269,6 +269,8 @@ domain_use_interactive_fds(xauth_t) files_read_etc_files(xauth_t) files_search_pids(xauth_t) +kernel_request_load_module(xauth_t) + fs_getattr_xattr_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) --- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.fc 2011-01-08 19:07:21.343757306 +0100 +++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.fc 2011-02-27 21:11:12.475768819 +0100 @@ -8,6 +8,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev
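Review bot: The added kernel_request_load_module(xauth_t) line in the xserver.te hunk (after files_search_pids(xauth_t)) allows the module request unconditionally and carries no comment saying why xauth needs it. The description names ipv6 as the module and notes it can be disabled by other means. If xauth works without the module being loaded, a dontaudit rule would keep xauth_t narrower than an allow. If the allow stays, a one-line comment above it naming ipv6 as the trigger would let the permission be revisited later.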
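Review bot: The new HOME_DIR/\.serverauth.* entry in the xserver.fc hunk only takes effect when the file is relabeled, and the description says the file is created at run time by the startx script. The patch adds no matching rule in xserver.te, so please confirm that the file already receives xauth_home_t when it is created and is not left with the default home directory type until the next restorecon. A short note in the description on which domain creates the file would make that easy to check.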