[refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information

From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information
Date: Mon, 14 Feb 2011 16:35:24 +0100	[thread overview]
Message-ID: <4D594BBC.5000003@gmail.com> (raw)
In-Reply-To: <4D594099.9040507@tresys.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/14/2011 03:47 PM, Christopher J. PeBenito wrote:
> On 2/6/2011 10:14 AM, Sven Vermeulen wrote:
>> On my system, I use XFCE and start X from the commandline (using "startx")
>> rather than through a graphical DM. During the start-up, XFCE4 creates
>> temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later
>> read in by iceauth and at some point X.
>>
>> I'm not that good at the entire ICE stuff, but without this, I was unable to
>> shut down my session ("log off").
> 
> What specific process was creating the files?  Do you still have the 
> logs?  I'm interested in seeing them, as user processes creating ICE 
> files seems wrong.

You'd be surprised who all maintained these:

	manage_dirs_pattern($1_gsession_t, gsession_ice_tmp_t, gsession_ice_tmp_t)
	manage_sock_files_pattern($1_gsession_t, gsession_ice_tmp_t,
gsession_ice_tmp_t)
	files_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, dir)
	# for when /tmp/.ICE is created with initrc_tmp_t
	init_script_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, sock_file)
	# for when /tmp/.ICE is created with xdm_tmp_t
	xserver_xdm_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, sock_file)

>> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be>
>> ---
>>   policy/modules/services/xserver.te |    3 +++
>>   1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
>> index 33b91be..34ed5a7 100644
>> --- a/policy/modules/services/xserver.te
>> +++ b/policy/modules/services/xserver.te
>> @@ -234,9 +234,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
>>
>>   allow xdm_t iceauth_home_t:file read_file_perms;
>>
>> +files_search_tmp(iceauth_t)
>>   fs_search_auto_mountpoints(iceauth_t)
>>
>>   userdom_use_user_terminals(iceauth_t)
>> +userdom_read_user_tmp_files(iceauth_t)
>>
>>   tunable_policy(`use_nfs_home_dirs',`
>>   	fs_manage_nfs_files(iceauth_t)
>> @@ -726,6 +728,7 @@ seutil_read_default_contexts(xserver_t)
>>   userdom_search_user_home_dirs(xserver_t)
>>   userdom_use_user_ttys(xserver_t)
>>   userdom_setattr_user_ttys(xserver_t)
>> +userdom_read_user_tmp_files(xserver_t)
>>   userdom_rw_user_tmpfs_files(xserver_t)
>>
>>   xserver_use_user_fonts(xserver_t)
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1ZS7wACgkQMlxVo39jgT+2CwCfQInjHtvGMJ1mfitDGTqoWd14
dOMAn00xGceE12MhrM1V6mDjXMTvxn6O
=j9VA
-----END PGP SIGNATURE-----