From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 20 Apr 2017 19:20:13 -0400 Subject: [refpolicy] [PATCH] xserver: fix iceauth_home_t file context creation In-Reply-To: <1492616142.5407.1.camel@trentalancia.net> References: <1492616142.5407.1.camel@trentalancia.net> Message-ID: <377ee080-0475-64ac-7b71-266a52f09cd6@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/19/2017 11:35 AM, Guido Trentalancia via refpolicy wrote: > This patch fixes the xserver module so that the hidden .ICEauthority > file is created with the proper context (file transition). > > It also optimizes a similar interface used for xauth home files. Merged. > Signed-off-by: Guido Trentalancia > --- > policy/modules/services/xserver.if | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > > --- refpolicy-2.20170204-orig/policy/modules/services/xserver.if 2017-01-29 18:47:23.000000000 +0100 > +++ refpolicy-2.20170204/policy/modules/services/xserver.if 2017-04-19 17:07:06.659759701 +0200 > @@ -167,6 +167,8 @@ interface(`xserver_role',` > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > > + xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority") > + > xserver_read_xkb_libs($2) > ') 
> > @@ -561,13 +563,42 @@ interface(`xserver_domtrans_xauth',` > ## Domain allowed access. > ## > ## > +## > +## > +## The name of the object being created. > +## > +## > # > interface(`xserver_user_home_dir_filetrans_user_xauth',` > gen_require(` > type xauth_home_t; > ') > > - userdom_user_home_dir_filetrans($1, xauth_home_t, file) > + userdom_user_home_dir_filetrans($1, xauth_home_t, file, $2) > +') > + > +####################################### > +## > +## Create a ICEauthority file in > +## the user home directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`xserver_user_home_dir_filetrans_user_iceauth',` > + gen_require(` > + type iceauth_home_t; > + ') > + > + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, $2) > ') -- Chris PeBenito
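Review bot: In the xserver_role hunk, the added call passes the literal name ".ICEauthority", so the transition to iceauth_home_t fires only when $2 creates a file with exactly that name directly in the user home directory. A file created there under any other name by the same domain gets no type from this rule. A short comment above the call saying that the exact-name match is intended would make that clear to later readers.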
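Review bot: In the second hunk, xserver_user_home_dir_filetrans_user_xauth now forwards $2 as the object name, but the diffstat lists only xserver.if, so any caller outside this file that still passes a single argument will expand with an empty name. Please either confirm that no such caller exists or document the new name parameter as optional, so the one-argument form stays a supported use. A smaller point in the same hunk: the summary of the new interface should read "Create an ICEauthority file" rather than "Create a ICEauthority file".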