From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 5 Dec 2017 09:09:34 +0100
Subject: [refpolicy] [PATCH 1/1] Allow dbus to write to xserver_log_t
In-Reply-To:
References:
Message-ID: <20171205080934.GC19951@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Dec 04, 2017 at 09:34:59PM +0000, David Sugar via refpolicy wrote:
> Allow dbus to write to the xserver log
>
> type=AVC msg=audit(1511920435.381:102): avc: denied { write } for pid=904 comm="dbus-daemon" path="/var/log/lightdm/seat0-greeter.log" dev="dm-0" ino=17320832 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
> ---
> dbus.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/dbus.te b/dbus.te
> index 5f2199c..015f1e1 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -274,6 +274,7 @@ optional_policy(`
> xserver_rw_xsession_log(session_bus_type)
> xserver_use_xdm_fds(session_bus_type)
> xserver_rw_xdm_pipes(session_bus_type)
> + xserver_write_log(session_bus_type)

Assuming this is not a leak. Pity that it doesn't append instead. You could potentially leverage the open permission here and use a xserver_write_inherited_log_files() instead.

> ')
>
> ########################################
> --
> 2.13.6

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
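
Review bot: The added xserver_write_log(session_bus_type) line in the xserver optional_policy block of dbus.te grants write on xserver_log_t to every session_bus_type domain, while the quoted AVC shows only a write denial (no open) for xdm_dbusd_t on /var/log/lightdm/seat0-greeter.log, which is consistent with dbus-daemon holding a descriptor it inherited rather than opening the log itself. The commit message should say whether that descriptor is passed on purpose or leaked. If it is intended, a rule limited to already-open log files would cover the denial without letting session buses open and overwrite X server logs; the reply proposes xserver_write_inherited_log_files() for this, an interface that is not visible in this patch and may need to be added.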