59e00c5580
On Arch Linux, /usr/bin/Xorg is only a shell script which executes /usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around /usr/lib/xorg-server/Xorg. Even though Xorg.wrap is not a full X server, it reads X11 configuration files, uses the DRM interface to detect KMS, etc. (cf. http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0 for more details). Therefore label it as xserver_exec_t. This makes the following AVC appear: denied { execute_no_trans } for pid=927 comm="X" path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592 scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:xserver_exec_t tclass=file Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement. |
||
|---|---|---|
| .. | ||
| metadata.xml | ||
| postgresql.fc | ||
| postgresql.if | ||
| postgresql.te | ||
| ssh.fc | ||
| ssh.if | ||
| ssh.te | ||
| xserver.fc | ||
| xserver.if | ||
| xserver.te | ||