From mboxrd@z Thu Jan  1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 9 Jun 2014 11:05:14 -0400
Subject: [refpolicy] [PATCH 1/1] xserver_t needs to ender dirs labeled
 xdm_var_run_t
In-Reply-To: <1401290749-23156-1-git-send-email-sven.vermeulen@siphos.be>
References: <1401290749-23156-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <5395CD2A.1060500@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/28/2014 11:25 AM, Sven Vermeulen wrote:
> The LightDM application stores its xauth file in a subdirectory
> (/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
> X11 (xserver_t) needs search rights to this location.
> 
> With this setup, X is run as follows:
>   /usr/bin/X :0 -auth /var/run/lightdm/root/:0
> 
> Changes since v1:
> - Use read_files_pattern instead of separate allow rules
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/services/xserver.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f81fcac..d57d09f 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -820,7 +820,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
>  allow xserver_t xdm_var_lib_t:file { getattr read };
>  dontaudit xserver_t xdm_var_lib_t:dir search;
>  
> -allow xserver_t xdm_var_run_t:file read_file_perms;
> +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
>  
>  # Label pid and temporary files with derived types.
>  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com