From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 3 Dec 2017 16:34:49 -0500
Subject: [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/30/2017 06:04 PM, David Sugar via refpolicy wrote:
> Currently .xsession-errors is labeled user_home_t when created by xdm_t. Switch to using existing interface xserver_user_home_dir_filetrans_user_xsession_log to create file with label xsession_log_t. This includes using the interface to manage the type xsession_log_t.
>
> type=AVC msg=audit(1511962175.985:77): avc: denied { create } for pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
> type=AVC msg=audit(1511962175.985:77): avc: denied { write open } for pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
> type=AVC msg=audit(1511962941.991:268): avc: denied { rename } for pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
> type=AVC msg=audit(1511962977.779:419): avc: denied { unlink } for pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/services/xserver.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f858da33..9cd153c4 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -274,7 +274,6 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) > > allow xdm_t xauth_home_t:file manage_file_perms; > userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority") > -userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors") > > allow xauth_t xdm_t:process sigchld; > allow xauth_t xdm_t:fd use; > @@ -500,8 +499,10 @@ userdom_signal_all_users(xdm_t) > # and it is now obsolete in Gnome3 > xserver_read_user_dmrc(xdm_t) > > +xserver_manage_xsession_log(xdm_t) > xserver_rw_session(xdm_t, xdm_tmpfs_t) > xserver_unconfined(xdm_t) > +xserver_user_home_dir_filetrans_user_xsession_log(xdm_t) > > tunable_policy(`use_nfs_home_dirs',` > fs_manage_nfs_dirs(xdm_t) Merged. -- Chris PeBenito
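Review bot: the first hunk removes the only named transition xdm_t had for `.xsession-errors` without adding a replacement in the same hunk, so on its own it would leave the file falling back to the default home-directory label; the two hunks are only correct when applied together, which is worth stating in the commit message. The removed `userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")` line also sat among the xauth rules (next to the `.Xauthority` transition and the `xauth_t`/`xdm_t` process rules) rather than in the xdm local policy, so moving the transition into the xdm block, as the second hunk does, tidies placement as well. One caveat for existing installs: a filetrans rule labels only newly created files, so `.xsession-errors` files that already exist as user_home_t stay that way until relabeled; since this patch touches only xserver.te, confirm that xserver.fc carries a matching `.xsession-errors` entry so a restorecon of the home directory picks them up.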
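Review bot: in the second hunk both added calls are passed only `xdm_t`, so `xserver_user_home_dir_filetrans_user_xsession_log` must carry the `.xsession-errors` filename inside the interface definition; a name-less transition there would relabel every file xdm_t creates in a user home directory as xsession_log_t, so confirm in xserver.if that the name is fixed before merging. With a name-keyed transition no second rule is needed for `.xsession-errors.old`: the rename and unlink AVCs quoted above show the same inode (ino=17153285) keeping its xsession_log_t label, since rename does not relabel, and `xserver_manage_xsession_log(xdm_t)` covers all four denials (create, write/open, rename, unlink). Placement of the two new lines is alphabetical among the neighbouring `xserver_*` calls, matching the surrounding style.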