RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Change label for ~/.xsession-errors 

Currently .xsession-errors is labeled user_home_t when created by xdm_t.  Switch to using existing interface xserver_user_home_dir_filetrans_user_xsession_log to create file with label xsession_log_t.  This includes using the interface manage the type xsession_log_t.

type=AVC msg=audit(1511962175.985:77): avc:  denied  { create } for  pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962175.985:77): avc:  denied  { write open } for  pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962941.991:268): avc:  denied  { rename } for  pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962977.779:419): avc:  denied  { unlink } for  pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
David Sugar 2017-11-30 23:04:44 +00:00 committed by Chris PeBenito
parent 26de5aca83
commit e6f28c51a2
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
policy/modules/services/xserver.te
View File

@ -274,7 +274,6 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
allow xdm_t xauth_home_t:file manage_file_perms; allow xdm_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority") userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")
allow xauth_t xdm_t:process sigchld; allow xauth_t xdm_t:process sigchld;
allow xauth_t xdm_t:fd use; allow xauth_t xdm_t:fd use;
@ -498,8 +497,10 @@ userdom_signal_all_users(xdm_t)
# and it is now obsolete in Gnome3 # and it is now obsolete in Gnome3
xserver_read_user_dmrc(xdm_t) xserver_read_user_dmrc(xdm_t)
xserver_manage_xsession_log(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t) xserver_unconfined(xdm_t)
xserver_user_home_dir_filetrans_user_xsession_log(xdm_t)
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t) fs_manage_nfs_dirs(xdm_t)