* [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information
@ 2011-02-06 15:14 Sven Vermeulen
2011-02-14 14:47 ` Christopher J. PeBenito
2011-02-18 13:54 ` Christopher J. PeBenito
0 siblings, 2 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-02-06 15:14 UTC (permalink / raw)
To: refpolicy
On my system, I use XFCE and start X from the commandline (using "startx")
rather than through a graphical DM. During the start-up, XFCE4 creates
temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later
read in by iceauth and at some point X.
I'm not that good at the entire ICE stuff, but without this, I was unable to
shut down my session ("log off").
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/xserver.te | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 33b91be..34ed5a7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -234,9 +234,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
+files_search_tmp(iceauth_t)
fs_search_auto_mountpoints(iceauth_t)
userdom_use_user_terminals(iceauth_t)
+userdom_read_user_tmp_files(iceauth_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
@@ -726,6 +728,7 @@ seutil_read_default_contexts(xserver_t)
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
userdom_setattr_user_ttys(xserver_t)
+userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
xserver_use_user_fonts(xserver_t)
--
1.7.3.4
^ permalink raw reply related [flat|nested] 5+ messages in thread* [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information 2011-02-06 15:14 [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information Sven Vermeulen @ 2011-02-14 14:47 ` Christopher J. PeBenito 2011-02-14 15:35 ` Dominick Grift 2011-02-14 18:44 ` Sven Vermeulen 2011-02-18 13:54 ` Christopher J. PeBenito 1 sibling, 2 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2011-02-14 14:47 UTC (permalink / raw) To: refpolicy On 2/6/2011 10:14 AM, Sven Vermeulen wrote: > On my system, I use XFCE and start X from the commandline (using "startx") > rather than through a graphical DM. During the start-up, XFCE4 creates > temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later > read in by iceauth and at some point X. > > I'm not that good at the entire ICE stuff, but without this, I was unable to > shut down my session ("log off"). What specific process was creating the files? Do you still have the logs? I'm interested in seeing them, as user processes creating ICE files seems wrong. > Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be> > --- > policy/modules/services/xserver.te | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index 33b91be..34ed5a7 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -234,9 +234,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) > > allow xdm_t iceauth_home_t:file read_file_perms; > > +files_search_tmp(iceauth_t) > fs_search_auto_mountpoints(iceauth_t) > > userdom_use_user_terminals(iceauth_t) > +userdom_read_user_tmp_files(iceauth_t) > > tunable_policy(`use_nfs_home_dirs',` > fs_manage_nfs_files(iceauth_t) > @@ -726,6 +728,7 @@ seutil_read_default_contexts(xserver_t) > userdom_search_user_home_dirs(xserver_t) > userdom_use_user_ttys(xserver_t) > userdom_setattr_user_ttys(xserver_t) > +userdom_read_user_tmp_files(xserver_t) > userdom_rw_user_tmpfs_files(xserver_t) > > xserver_use_user_fonts(xserver_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information 2011-02-14 14:47 ` Christopher J. PeBenito @ 2011-02-14 15:35 ` Dominick Grift 2011-02-14 18:44 ` Sven Vermeulen 1 sibling, 0 replies; 5+ messages in thread From: Dominick Grift @ 2011-02-14 15:35 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/14/2011 03:47 PM, Christopher J. PeBenito wrote: > On 2/6/2011 10:14 AM, Sven Vermeulen wrote: >> On my system, I use XFCE and start X from the commandline (using "startx") >> rather than through a graphical DM. During the start-up, XFCE4 creates >> temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later >> read in by iceauth and at some point X. >> >> I'm not that good at the entire ICE stuff, but without this, I was unable to >> shut down my session ("log off"). > > What specific process was creating the files? Do you still have the > logs? I'm interested in seeing them, as user processes creating ICE > files seems wrong. You'd be surprised who all maintained these: manage_dirs_pattern($1_gsession_t, gsession_ice_tmp_t, gsession_ice_tmp_t) manage_sock_files_pattern($1_gsession_t, gsession_ice_tmp_t, gsession_ice_tmp_t) files_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, dir) # for when /tmp/.ICE is created with initrc_tmp_t init_script_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, sock_file) # for when /tmp/.ICE is created with xdm_tmp_t xserver_xdm_tmp_filetrans($1_gsession_t, gsession_ice_tmp_t, sock_file) >> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be> >> --- >> policy/modules/services/xserver.te | 3 +++ >> 1 files changed, 3 insertions(+), 0 deletions(-) >> >> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te >> index 33b91be..34ed5a7 100644 >> --- a/policy/modules/services/xserver.te >> +++ b/policy/modules/services/xserver.te >> @@ -234,9 +234,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) >> >> allow xdm_t iceauth_home_t:file read_file_perms; >> >> +files_search_tmp(iceauth_t) >> fs_search_auto_mountpoints(iceauth_t) >> >> userdom_use_user_terminals(iceauth_t) >> +userdom_read_user_tmp_files(iceauth_t) >> >> tunable_policy(`use_nfs_home_dirs',` >> fs_manage_nfs_files(iceauth_t) >> @@ -726,6 +728,7 @@ seutil_read_default_contexts(xserver_t) >> userdom_search_user_home_dirs(xserver_t) >> userdom_use_user_ttys(xserver_t) >> userdom_setattr_user_ttys(xserver_t) >> +userdom_read_user_tmp_files(xserver_t) >> userdom_rw_user_tmpfs_files(xserver_t) >> >> xserver_use_user_fonts(xserver_t) > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1ZS7wACgkQMlxVo39jgT+2CwCfQInjHtvGMJ1mfitDGTqoWd14 dOMAn00xGceE12MhrM1V6mDjXMTvxn6O =j9VA -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information 2011-02-14 14:47 ` Christopher J. PeBenito 2011-02-14 15:35 ` Dominick Grift @ 2011-02-14 18:44 ` Sven Vermeulen 1 sibling, 0 replies; 5+ messages in thread From: Sven Vermeulen @ 2011-02-14 18:44 UTC (permalink / raw) To: refpolicy On Mon, Feb 14, 2011 at 09:47:53AM -0500, Christopher J. PeBenito wrote: > On 2/6/2011 10:14 AM, Sven Vermeulen wrote: > > On my system, I use XFCE and start X from the commandline (using "startx") > > rather than through a graphical DM. During the start-up, XFCE4 creates > > temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later > > read in by iceauth and at some point X. > > > > I'm not that good at the entire ICE stuff, but without this, I was unable to > > shut down my session ("log off"). > > What specific process was creating the files? Do you still have the > logs? I'm interested in seeing them, as user processes creating ICE > files seems wrong. Sure, easily reconstructed, it's xfce4-session (as per the following auditallow granted log lines): Feb 14 19:40:29 hpl kernel: [ 7182.399817] type=1400 audit(1297708829.027:209): avc: granted { create } for pid=13133 comm="xfce4-session" name=".xfsm-ICE-IU6VQV" scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:user_tmp_t tclass=file Feb 14 19:40:29 hpl kernel: [ 7182.399848] type=1400 audit(1297708829.027:210): avc: granted { create } for pid=13133 comm="xfce4-session" name=".xfsm-ICE-4U6VQV" scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:user_tmp_t tclass=file Wkr, Sven Vermeulen ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information 2011-02-06 15:14 [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information Sven Vermeulen 2011-02-14 14:47 ` Christopher J. PeBenito @ 2011-02-18 13:54 ` Christopher J. PeBenito 1 sibling, 0 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2011-02-18 13:54 UTC (permalink / raw) To: refpolicy On 02/06/11 10:14, Sven Vermeulen wrote: > On my system, I use XFCE and start X from the commandline (using "startx") > rather than through a graphical DM. During the start-up, XFCE4 creates > temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later > read in by iceauth and at some point X. > > I'm not that good at the entire ICE stuff, but without this, I was unable to > shut down my session ("log off"). > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> Merged. > --- > policy/modules/services/xserver.te | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index 33b91be..34ed5a7 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -234,9 +234,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) > > allow xdm_t iceauth_home_t:file read_file_perms; > > +files_search_tmp(iceauth_t) > fs_search_auto_mountpoints(iceauth_t) > > userdom_use_user_terminals(iceauth_t) > +userdom_read_user_tmp_files(iceauth_t) > > tunable_policy(`use_nfs_home_dirs',` > fs_manage_nfs_files(iceauth_t) > @@ -726,6 +728,7 @@ seutil_read_default_contexts(xserver_t) > userdom_search_user_home_dirs(xserver_t) > userdom_use_user_ttys(xserver_t) > userdom_setattr_user_ttys(xserver_t) > +userdom_read_user_tmp_files(xserver_t) > userdom_rw_user_tmpfs_files(xserver_t) > > xserver_use_user_fonts(xserver_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-02-18 13:54 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2011-02-06 15:14 [refpolicy] [PATCH 1/1] Allow xfce (and most likely other DEs) to properly work with the authorization information Sven Vermeulen 2011-02-14 14:47 ` Christopher J. PeBenito 2011-02-14 15:35 ` Dominick Grift 2011-02-14 18:44 ` Sven Vermeulen 2011-02-18 13:54 ` Christopher J. PeBenito
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.