From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 28 Feb 2011 20:38:01 +0100
Subject: [refpolicy] [PATCH]: xauth label and module request
Message-ID: <1298921881.3123.22.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.

The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).

--- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.te	2011-02-20 06:35:17.092746837 +0100
+++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.te	2011-02-28 20:34:42.602106786 +0100
@@ -269,6 +269,8 @@ domain_use_interactive_fds(xauth_t)
 files_read_etc_files(xauth_t)
 files_search_pids(xauth_t)
 
+kernel_request_load_module(xauth_t)
+
 fs_getattr_xattr_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
 
--- refpolicy-git-15022011-under-test-and-use/policy/modules/services/xserver.fc	2011-01-08 19:07:21.343757306 +0100
+++ refpolicy-git-15022011-xauth-insmod/policy/modules/services/xserver.fc	2011-02-27 21:11:12.475768819 +0100
@@ -8,6 +8,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
 # /dev