From: dsugar@tresys.com (David Sugar)
Date: Tue, 5 Dec 2017 13:25:58 +0000
Subject: [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
In-Reply-To: <20171205080134.GA19951@julius.enp8s0.d30>
References: <20171205080134.GA19951@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Tuesday, December 05, 2017 3:02 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
>
> On Mon, Dec 04, 2017 at 09:49:56PM +0000, David Sugar via refpolicy wrote:
> > Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/.
> > These files get removed by systemd_logind.
> >
> > type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
> > type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> >
> > Signed-off-by: Dave Sugar
> > ---
> >  policy/modules/system/systemd.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > index 5051b87c..6606d793 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -481,6 +481,7 @@ optional_policy(`
> > xserver_dbus_chat(systemd_logind_t)
> > xserver_dbus_chat_xdm(systemd_logind_t)
> > xserver_read_xdm_state(systemd_logind_t)
> > + xserver_manage_xdm_tmp_files(systemd_logind_t)
>
> It only needs to be able to delete it. plus this applies for all of
> XDG_RUNTIME_DIR and so you might be able to use a higher-level solution
> for this

Are you suggesting something like creating an attribute 'user_runtime_type' then assigning that attribute to xdm_tmp_t? Then create an interface to allow deletion of files 'user_runtime_type' rather than using the xserver_manage_xdm_tmp_file interface? I think that is what you are saying.

There is already the interface 'userdom_delete_user_runtime_files' but I didn't see a way for xserver to create/write user_runtime_t files thus the filetrans commit.

> > ')
> >
> > optional_policy(`
> > --
> > 2.13.6
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

Dave Sugar
dsugar at tresys.com
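Review bot: the added `xserver_manage_xdm_tmp_files(systemd_logind_t)` line grants more than the denials in the commit message justify. The seven AVCs show logind walking and removing a leftover `dconf` tree under /run/user/998 (read/open/getattr/write on the directory, remove_name and rmdir on dirs, unlink on one file); none of them is a create or a file write, so a delete-scoped rule is the least-privilege fit, as the reply already notes. Two things to check before reworking it: four of the denied objects are tclass=dir (including the final `{ rmdir }`), so confirm that whichever interface replaces this one covers directories and not only files, and since the same cleanup applies to everything in XDG_RUNTIME_DIR, the existing userdom_delete_user_runtime_files path mentioned in the thread would avoid a per-type xserver interface if xdm_tmp_t can be made a user-runtime type.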