From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 28 May 2014 17:25:49 +0200
Subject: [refpolicy] [PATCH 1/1] xserver_t needs to ender dirs labeled
	xdm_var_run_t
Message-ID: <1401290749-23156-1-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.

With this setup, X is run as follows:
  /usr/bin/X :0 -auth /var/run/lightdm/root/:0

Changes since v1:
- Use read_files_pattern instead of separate allow rules

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f81fcac..d57d09f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -820,7 +820,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
-allow xserver_t xdm_var_run_t:file read_file_perms;
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-- 
1.8.5.5