From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 5 Dec 2017 09:01:34 +0100
Subject: [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
In-Reply-To:
References:
Message-ID: <20171205080134.GA19951@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Dec 04, 2017 at 09:49:56PM +0000, David Sugar via refpolicy wrote:
> Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/. These files get removed by systemd_logind.
>
> type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
> type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
>
> Signed-off-by: Dave Sugar
> ---
>  policy/modules/system/systemd.te | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 5051b87c..6606d793 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -481,6 +481,7 @@ optional_policy(`
>  	xserver_dbus_chat(systemd_logind_t)
>  	xserver_dbus_chat_xdm(systemd_logind_t)
>  	xserver_read_xdm_state(systemd_logind_t)
> +	xserver_manage_xdm_tmp_files(systemd_logind_t)

It only needs to be able to delete it. Plus this applies for all of XDG_RUNTIME_DIR and so you might be able to use a higher-level solution for this.

>  ')
>
>  optional_policy(`
> --
> 2.13.6
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
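Review bot: The single added line `+	xserver_manage_xdm_tmp_files(systemd_logind_t)` grants far more than the quoted denials justify. Every AVC in the description is part of a recursive delete of /run/user/998/dconf: read, open, getattr, write, remove_name and rmdir on the directory, and unlink on the file. A "manage" interface also adds create, setattr, rename, link, append and add_name, none of which systemd-logind was denied, so the patch would let logind create and rewrite content under the display manager's runtime directory rather than only remove it. Suggest a delete-only interface for xdm_tmp_t (add one to xserver.if if none is available, built from the delete_dir_perms and delete_file_perms sets) and a commit subject that says "delete" rather than "manage". Since the cleanup is of the whole XDG_RUNTIME_DIR, also consider whether this belongs in a more general rule rather than one per type that happens to show up under /run/user/$(UID)/.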
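The point of the objection above is that the AVC denials in the patch description call for a delete-only permission set, not a manage set. The following script is an added example, not part of this thread or of refpolicy: it parses the seven AVC lines quoted in the patch, aggregates the permissions per (source context, target context, class), and reports the smallest refpolicy permission set that covers them. The permission-set contents are written from memory of policy/support/obj_perm_sets.spt and are an assumption to verify against the tree being patched; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The AVC denials quoted in the patch description (copied from the page).
AVC_LINES = """\
type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
"""

# refpolicy permission sets as remembered from obj_perm_sets.spt.  This is an
# assumption: check the macro definitions in the tree you are patching.
PERM_SETS = {
    "dir": {
        "delete_dir_perms": {"getattr", "search", "open", "read", "write",
                             "remove_name", "rmdir"},
        "manage_dir_perms": {"create", "open", "getattr", "setattr", "read",
                             "write", "link", "unlink", "rename", "search",
                             "add_name", "remove_name", "reparent", "rmdir",
                             "lock", "ioctl"},
    },
    "file": {
        "delete_file_perms": {"getattr", "unlink"},
        "manage_file_perms": {"create", "open", "getattr", "setattr", "read",
                              "write", "append", "rename", "link", "unlink",
                              "ioctl", "lock"},
    },
}

# One AVC record: the permission list in braces, then the three contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def aggregate(text):
    """Collect the denied permissions per (scontext, tcontext, tclass)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; ignore
        key = (m.group("s"), m.group("t"), m.group("c"))
        needed[key].update(m.group("perms").split())
    return dict(needed)


def smallest_covering_set(tclass, perms):
    """Name of the smallest known set for tclass that contains perms, or None."""
    candidates = [(name, s) for name, s in PERM_SETS.get(tclass, {}).items()
                  if perms <= s]
    if not candidates:
        return None
    return min(candidates, key=lambda ns: len(ns[1]))[0]


def review(text):
    """Map each (scontext, tcontext, tclass) to (needed perms, covering set)."""
    return {
        key: (frozenset(perms), smallest_covering_set(key[2], perms))
        for key, perms in aggregate(text).items()
    }


if __name__ == "__main__":
    for (s, t, c), (perms, cover) in sorted(review(AVC_LINES).items()):
        print(f"{s} -> {t} ({c}): {{ {' '.join(sorted(perms))} }}  => {cover}")
```

Run against the quoted denials, the directory class resolves to delete_dir_perms and the file class to delete_file_perms; a manage set is only selected when a permission such as create or add_name shows up, which none of the AVCs do. That is the check to run before picking an interface name: the interface should be the smallest one whose permission set covers what was actually denied.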