From: dsugar@tresys.com (David Sugar) Date: Mon, 4 Dec 2017 21:49:56 +0000 Subject: [refpolicy] [PATCH 1/1] xdm files in /run/user/$(UID) Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add filetrans so that when xdm is creating files in /run/user/$(UID) they get labeled xdm_tmp_t. type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file Signed-off-by: Dave Sugar --- policy/modules/services/xserver.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 0b59b83b..fb996199 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -494,6 +494,7 @@ userdom_create_all_users_keys(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) +userdom_user_runtime_filetrans(xdm_t, xdm_tmp_t, dir) # for .dmrc: this was used by the Gnome Display Manager (gdm) # and it is now obsolete in Gnome3 -- 2.13.6