From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1402423969.ee22b88958f80507f38476c8036ee1b9d24bd423.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: ee22b88958f80507f38476c8036ee1b9d24bd423
X-VCS-Branch: master
Date: Tue, 10 Jun 2014 18:17:07 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     ee22b88958f80507f38476c8036ee1b9d24bd423
Author:     Sven Vermeulen siphos be>
AuthorDate: Wed May 28 15:25:49 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Tue Jun 10 18:12:49 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee22b889

xserver_t needs to enter dirs labeled xdm_var_run_t

The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.

With this setup, X is run as follows:

/usr/bin/X :0 -auth /var/run/lightdm/root/:0

Changes since v1:
- Use read_files_pattern instead of separate allow rules

Signed-off-by: Jason Zaman perfinion.com>
Signed-off-by: Sven Vermeulen siphos.be>
---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e8c8c01..c096bba 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -824,7 +824,7 @@ allow xserver_t xdm_t:shm rw_shm_perms; allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; -allow xserver_t xdm_var_run_t:file read_file_perms; +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
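Review bot: the replacement `read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` grants more than the "search rights" the commit message names, and the message should say so: the refpolicy pattern expands to `allow xserver_t xdm_var_run_t:dir search_dir_perms;` (getattr, search and open on the directory) plus the `file read_file_perms` that the removed `allow xserver_t xdm_var_run_t:file read_file_perms;` line already carried, so the net change is the added directory access, not a rename. Using the pattern is the idiomatic way to reach files under a directory type, so the change itself is fine; the scope is the point to watch. The new rule lets xserver_t search every directory labeled xdm_var_run_t, not only /var/run/lightdm/root, which sits oddly next to the `dontaudit xserver_t xdm_var_lib_t:dir search;` two lines above, where the same kind of access was deliberately silenced rather than allowed. If the display manager's own pid directory should stay out of reach of the X server, a dedicated type for the auth-file subdirectory, in the spirit of the "derived types" comment that follows this hunk, would be the tighter fix and would leave xdm_var_run_t untouched.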