From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 9 Jun 2014 11:05:14 -0400 Subject: [refpolicy] [PATCH 1/1] xserver_t needs to ender dirs labeled xdm_var_run_t In-Reply-To: <1401290749-23156-1-git-send-email-sven.vermeulen@siphos.be> References: <1401290749-23156-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <5395CD2A.1060500@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/28/2014 11:25 AM, Sven Vermeulen wrote: > The LightDM application stores its xauth file in a subdirectory > (/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result, > X11 (xserver_t) needs search rights to this location. > > With this setup, X is run as follows: > /usr/bin/X :0 -auth /var/run/lightdm/root/:0 > > Changes since v1: > - Use read_files_pattern instead of separate allow rules > > Signed-off-by: Jason Zaman > Signed-off-by: Sven Vermeulen > --- > policy/modules/services/xserver.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index f81fcac..d57d09f 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -820,7 +820,7 @@ allow xserver_t xdm_t:shm rw_shm_perms; > allow xserver_t xdm_var_lib_t:file { getattr read }; > dontaudit xserver_t xdm_var_lib_t:dir search; > > -allow xserver_t xdm_var_run_t:file read_file_perms; > +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) > > # Label pid and temporary files with derived types. > manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com