* [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors
@ 2017-11-30 23:04 David Sugar
2017-12-03 21:34 ` Chris PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: David Sugar @ 2017-11-30 23:04 UTC (permalink / raw)
To: refpolicy
Currently .xsession-errors is labeled user_home_t when created by xdm_t. Switch to using existing interface xserver_user_home_dir_filetrans_user_xsession_log to create file with label xsession_log_t. This includes using the interface manage the type xsession_log_t.
type=AVC msg=audit(1511962175.985:77): avc: denied { create } for pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962175.985:77): avc: denied { write open } for pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962941.991:268): avc: denied { rename } for pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962977.779:419): avc: denied { unlink } for pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/services/xserver.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f858da33..9cd153c4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -274,7 +274,6 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
allow xdm_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
-userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")
allow xauth_t xdm_t:process sigchld;
allow xauth_t xdm_t:fd use;
@@ -500,8 +499,10 @@ userdom_signal_all_users(xdm_t)
# and it is now obsolete in Gnome3
xserver_read_user_dmrc(xdm_t)
+xserver_manage_xsession_log(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
+xserver_user_home_dir_filetrans_user_xsession_log(xdm_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
--
2.13.6
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors
2017-11-30 23:04 [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors David Sugar
@ 2017-12-03 21:34 ` Chris PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2017-12-03 21:34 UTC (permalink / raw)
To: refpolicy
On 11/30/2017 06:04 PM, David Sugar via refpolicy wrote:
> Currently .xsession-errors is labeled user_home_t when created by xdm_t. Switch to using existing interface xserver_user_home_dir_filetrans_user_xsession_log to create file with label xsession_log_t. This includes using the interface manage the type xsession_log_t.
>
> type=AVC msg=audit(1511962175.985:77): avc: denied { create } for pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
> type=AVC msg=audit(1511962175.985:77): avc: denied { write open } for pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
> type=AVC msg=audit(1511962941.991:268): avc: denied { rename } for pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
> type=AVC msg=audit(1511962977.779:419): avc: denied { unlink } for pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/xserver.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f858da33..9cd153c4 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -274,7 +274,6 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>
> allow xdm_t xauth_home_t:file manage_file_perms;
> userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
> -userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")
>
> allow xauth_t xdm_t:process sigchld;
> allow xauth_t xdm_t:fd use;
> @@ -500,8 +499,10 @@ userdom_signal_all_users(xdm_t)
> # and it is now obsolete in Gnome3
> xserver_read_user_dmrc(xdm_t)
>
> +xserver_manage_xsession_log(xdm_t)
> xserver_rw_session(xdm_t, xdm_tmpfs_t)
> xserver_unconfined(xdm_t)
> +xserver_user_home_dir_filetrans_user_xsession_log(xdm_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(xdm_t)
Merged.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-12-03 21:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-30 23:04 [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors David Sugar
2017-12-03 21:34 ` Chris PeBenito
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).