From: dsugar@tresys.com (David Sugar)
Date: Mon, 4 Dec 2017 21:49:56 +0000
Subject: [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/. These files get removed by systemd_logind.

type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
Signed-off-by: Dave Sugar --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 5051b87c..6606d793 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -481,6 +481,7 @@ optional_policy(` xserver_dbus_chat(systemd_logind_t) xserver_dbus_chat_xdm(systemd_logind_t) xserver_read_xdm_state(systemd_logind_t) + xserver_manage_xdm_tmp_files(systemd_logind_t) ') optional_policy(` -- 2.13.6
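Review bot: the denial list in the description ends with `rmdir` on a `dir` object (/run/user/998/dconf), and `xserver_manage_xdm_tmp_files(systemd_logind_t)` on its own is unlikely to cover that: refpolicy's manage_files_pattern() grants the caller rw_dir_perms (read, write, add_name, remove_name, search and friends) on the containing directory plus manage_file_perms on the files, but not rmdir on the directory itself, so the last AVC in the description would still be denied after this hunk. Either add the matching xdm tmp dirs interface alongside this call, or confirm that the files interface in your tree also grants rmdir. Style point: refpolicy keeps interface calls within an optional_policy block in alphabetical order, so the new line belongs before `xserver_read_xdm_state(systemd_logind_t)` rather than after it.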
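To make the review reasoning above reproducible, here is an added example (not part of the patch or of refpolicy) that parses the AVC lines from the description, aggregates the denied permissions per source type, target type and object class the way audit2allow does, and then checks which directory permissions a files-only pattern macro would leave uncovered. The input lines are copied from the e-mail; the rw_dir_perms set is taken from refpolicy's obj_perm_sets.spt and is assumed to be unchanged in the reader's policy tree.

```python
import re
from collections import defaultdict

# AVC denials copied from the patch description above (constructed test input for this example).
AVC_LINES = """\
type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
"""

# Pulls the permission list and the three fields that identify an access vector out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Directory permissions granted by refpolicy's rw_dir_perms (obj_perm_sets.spt); this is what
# manage_files_pattern() gives the caller on the *containing* directory. Assumed current.
RW_DIR_PERMS = {"open", "getattr", "search", "lock", "ioctl", "read", "write", "add_name", "remove_name"}


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all denials in text."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, skip
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)


def to_allow_rules(needed):
    """Render the aggregated denials as raw allow rules (what audit2allow would print)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


def dir_perms_not_covered_by_file_pattern(needed):
    """Directory permissions in the denials that a manage_*_files style interface would not grant."""
    missing = set()
    for (_src, _tgt, cls), perms in needed.items():
        if cls == "dir":
            missing |= perms - RW_DIR_PERMS
    return missing


if __name__ == "__main__":
    needed = parse_avc(AVC_LINES)
    for rule in to_allow_rules(needed):
        print(rule)
    print("dir perms a files-only interface leaves uncovered:",
          sorted(dir_perms_not_covered_by_file_pattern(needed)))
```

Running it prints one allow rule per (source, target, class) triple and reports `rmdir` as the directory permission a files-only interface does not supply; the same aggregation is a useful first pass on any AVC batch before deciding which refpolicy interface actually fits the denied permissions.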