selinux-refpolicy.vger.kernel.org archive mirror
* [refpolicy] [PATCH 1/1] Allow dbus to write to xserver_log_t
@ 2017-12-04 21:34 David Sugar
  2017-12-05  8:09 ` Dominick Grift
  0 siblings, 1 reply; 2+ messages in thread
From: David Sugar @ 2017-12-04 21:34 UTC
  To: refpolicy

Allow dbus to write the xserver log

type=AVC msg=audit(1511920435.381:102): avc:  denied  { write } for pid=904 comm="dbus-daemon" path="/var/log/lightdm/seat0-greeter.log" dev="dm-0" ino=17320832 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
---
 dbus.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dbus.te b/dbus.te
index 5f2199c..015f1e1 100644
--- a/dbus.te
+++ b/dbus.te
@@ -274,6 +274,7 @@ optional_policy(`
 	xserver_rw_xsession_log(session_bus_type)
 	xserver_use_xdm_fds(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
+	xserver_write_log(session_bus_type)
 ')
 
 ########################################
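
Review bot: The added xserver_write_log(session_bus_type) line applies to session_bus_type, while the only denial quoted in the commit message has scontext xdm_dbusd_t writing to /var/log/lightdm/seat0-greeter.log. If only the greeter's bus needs this, consider granting it to that domain alone, or explain in the commit message why every session bus domain should be able to write xserver_log_t files.
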
-- 
2.13.6


* [refpolicy] [PATCH 1/1] Allow dbus to write to xserver_log_t
  2017-12-04 21:34 [refpolicy] [PATCH 1/1] Allow dbus to write to xserver_log_t David Sugar
@ 2017-12-05  8:09 ` Dominick Grift
  0 siblings, 0 replies; 2+ messages in thread
From: Dominick Grift @ 2017-12-05  8:09 UTC
  To: refpolicy

On Mon, Dec 04, 2017 at 09:34:59PM +0000, David Sugar via refpolicy wrote:
> Allow dbus to write the xserver log
> 
> type=AVC msg=audit(1511920435.381:102): avc:  denied  { write } for pid=904 comm="dbus-daemon" path="/var/log/lightdm/seat0-greeter.log" dev="dm-0" ino=17320832 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
> ---
>  dbus.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/dbus.te b/dbus.te
> index 5f2199c..015f1e1 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -274,6 +274,7 @@ optional_policy(`
>  	xserver_rw_xsession_log(session_bus_type)
>  	xserver_use_xdm_fds(session_bus_type)
>  	xserver_rw_xdm_pipes(session_bus_type)
> +	xserver_write_log(session_bus_type)

Assuming this is not a leak. Pity that it doesn't append instead. You could potentially leverage the open permission here and use an xserver_write_inherited_log_files() instead.

>  ')
>  
>  ########################################
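
Review bot: Missing documentation for the new xserver_write_log(session_bus_type) line: the commit message does not say how dbus-daemon obtained the descriptor for seat0-greeter.log. The quoted AVC lists only { write } as denied, so please record whether the file is opened by dbus-daemon itself or handed to it already open, since that determines how narrow the granted access can be.
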
> -- 
> 2.13.6

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift