Re: [PATCH 3/9] xserver: ICEauthority can be in /run/user

[Chris PeBenito <pebenito@xxxxxxxx>]

On 12/24/19 5:10 AM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@xxxxxxxxxx>
>
> Signed-off-by: Jason Zaman <jason@xxxxxxxxxxxxx>
> ---
>   policy/modules/services/xserver.fc | 2 ++
>   policy/modules/services/xserver.te | 2 ++
>   2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index fa8db862..df06151e 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -143,6 +143,8 @@ ifndef(`distro_debian',`
>   /run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>   /run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>   
> +/run/user/%{USERID}/ICEauthority.*	--	gen_context(system_u:object_r:iceauth_home_t,s0)
> +
>   ifdef(`distro_suse',`
>   /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
>   ')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f016d429..499f03a6 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -117,6 +117,7 @@ userdom_user_application_domain(iceauth_t, iceauth_exec_t)
>   
>   type iceauth_home_t;
>   userdom_user_home_content(iceauth_home_t)
> +userdom_user_runtime_content(iceauth_home_t)
>   
>   type xauth_t;
>   type xauth_exec_t;
> @@ -211,6 +212,7 @@ optional_policy(`
>   
>   allow iceauth_t iceauth_home_t:file manage_file_perms;
>   userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
> +userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file)
>   
>   allow xdm_t iceauth_home_t:file read_file_perms;

Merged.

--
Chris PeBenito