Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.
There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server
In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket
Hence, allow postgresql to connect to its own stream socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.
Chris PeBenito
Sven Vermeulen
Luis Ressel
Laurent Bigonville
Chris PeBenito
Dominick Grift
Dominick Grift