selinux-refpolicy.vger.kernel.org archive mirror
* [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors
@ 2017-11-30 23:04 David Sugar
  2017-12-03 21:34 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: David Sugar @ 2017-11-30 23:04 UTC (permalink / raw)
  To: refpolicy

Currently .xsession-errors is labeled user_home_t when created by xdm_t.  Switch to using the existing interface xserver_user_home_dir_filetrans_user_xsession_log to create the file with label xsession_log_t.  This includes using the interface to manage the type xsession_log_t.

type=AVC msg=audit(1511962175.985:77): avc:  denied  { create } for  pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962175.985:77): avc:  denied  { write open } for  pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962941.991:268): avc:  denied  { rename } for  pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962977.779:419): avc:  denied  { unlink } for  pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/xserver.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f858da33..9cd153c4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -274,7 +274,6 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
-userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")
 
 allow xauth_t xdm_t:process sigchld;
 allow xauth_t xdm_t:fd use;
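Review bot: dropping the userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors") line here leaves this block with no name transition for .xsession-errors at all; its replacement, xserver_user_home_dir_filetrans_user_xsession_log(xdm_t), only appears in the second hunk some 225 lines further down, next to xserver_unconfined(xdm_t). Consider adding the new filetrans call at this spot, directly under the ".Xauthority" transition, so that both home-directory name transitions for xdm_t stay together and a reader of this region can see that .xsession-errors is still handled.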
@@ -500,8 +499,10 @@ userdom_signal_all_users(xdm_t)
 # and it is now obsolete in Gnome3
 xserver_read_user_dmrc(xdm_t)
 
+xserver_manage_xsession_log(xdm_t)
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
+xserver_user_home_dir_filetrans_user_xsession_log(xdm_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
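Review bot: the two added calls are interleaved with the unchanged xserver_rw_session(xdm_t, xdm_tmpfs_t) and xserver_unconfined(xdm_t) lines; placing xserver_manage_xsession_log(xdm_t) and xserver_user_home_dir_filetrans_user_xsession_log(xdm_t) next to each other would make it obvious they belong to one change. On scope: xserver_manage_xsession_log grants the full manage_file_perms set, wider than the create, write, open, rename and unlink in the quoted AVCs, but that matches the granularity already used for xauth_home_t in the first hunk and is needed for the .xsession-errors.old rotation (rename preserves the xsession_log_t label, so the later unlink hits the same type). Worth stating in the commit message that only files created after this policy is loaded get xsession_log_t; a ~/.xsession-errors or .old file already on disk as user_home_t keeps that label until relabeled, and nothing in this hunk grants xdm_t access to it.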
-- 
2.13.6

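As an added example (not part of this thread or of refpolicy), the following Python parses the four AVC lines quoted in the patch description, aggregates the denied permissions per source type, target type and object class, and checks whether an interface granting manage_file_perms would cover them; the membership of manage_file_perms is an assumption copied from refpolicy's obj_perm_sets.spt.

```python
import re
from collections import defaultdict

# Constructed sample input: the four denials quoted in the patch description.
AVC_LINES = [
    'type=AVC msg=audit(1511962175.985:77): avc:  denied  { create } for  pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file',
    'type=AVC msg=audit(1511962175.985:77): avc:  denied  { write open } for  pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file',
    'type=AVC msg=audit(1511962941.991:268): avc:  denied  { rename } for  pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file',
    'type=AVC msg=audit(1511962977.779:419): avc:  denied  { unlink } for  pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file',
]

# Assumption: the file permission set behind refpolicy's manage_* interfaces
# (manage_file_perms in policy/support/obj_perm_sets.spt).
MANAGE_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write",
                     "append", "rename", "link", "unlink", "ioctl", "lock"}

# Pull the denied permission list and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denied perms and the source/target types of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type[:range]; the type is always the third field.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def aggregate(lines):
    """Union the denied perms per (source type, target type, class) across all lines."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            denied[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(denied)


def uncovered_by_manage(lines):
    """For each file-class rule, report the denied perms NOT inside manage_file_perms."""
    return {key: perms - MANAGE_FILE_PERMS
            for key, perms in aggregate(lines).items() if key[2] == "file"}
```

An empty set in the result means a manage_* interface on that target type is sufficient for the observed denials; a non-empty set would point at permissions (for example the dir-class ones) that need a separate rule.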

* [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors
  2017-11-30 23:04 [refpolicy] [PATCH 1/1] Change label for ~/.xsession-errors David Sugar
@ 2017-12-03 21:34 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2017-12-03 21:34 UTC (permalink / raw)
  To: refpolicy

On 11/30/2017 06:04 PM, David Sugar via refpolicy wrote:

Merged.

-- 
Chris PeBenito
