This patch adds a role for the xdm program. It's needed by sddm because it uses PAM to run it's own worker process and thus needs to do all the checks for a valid session for it's own UID.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

Index: refpolicy-2.20220216/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20220216/policy/modules/services/xserver.te
@@ -18,6 +18,7 @@ gen_require(`
 	class x_resource all_x_resource_perms;
 	class x_event all_x_event_perms;
 	class x_synthetic_event all_x_synthetic_event_perms;
+	role xdm_r;
 ')
 
 ########################################
@@ -152,6 +153,10 @@ init_daemon_domain(xdm_t, xdm_exec_t)
 xserver_object_types_template(xdm)
 xserver_common_x_domain_template(xdm, xdm_t)
 
+# for sddm to use pam for greeter
+role xdm_r types xdm_t;
+allow system_r xdm_r;
+
 type xdm_lock_t;
 files_lock_file(xdm_lock_t)
 
@@ -843,6 +848,9 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
Index: refpolicy-2.20220216/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20220216.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20220216/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
 root:unconfined_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0-mcs_systemhigh
+sddm:xdm:s0
Index: refpolicy-2.20220216/policy/users
===================================================================
--- refpolicy-2.20220216.orig/policy/users
+++ refpolicy-2.20220216/policy/users
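Review bot: `allow xdm_t xdm_tmpfs_t:file execmod;` in the third xserver.te hunk is an unconditional grant that lets the display-manager domain turn its own tmpfs-backed mappings executable after writing them, which gives up the W^X guarantee the domain otherwise has against a compromised greeter; refpolicy normally puts a grant like this inside a `tunable_policy` block so an administrator can keep it off where the greeter does not need it, and the comment should name which greeter component presumably requires text relocations rather than just "sddm greeter needs execmod". The rule is also filed among the xserver_t rules (the surrounding context is `manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)` and `can_exec(xserver_t, xserver_exec_t)`) while it concerns xdm_t, so it should move up next to the other xdm_t rules, for example beside the new `role xdm_r types xdm_t;` block in the second hunk.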
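Review bot: The `sddm:xdm:s0` seusers mapping is added only under config/appconfig-mcs, so on a build that installs the standard or MLS appconfig directory the sddm Linux account still falls through to `__default__` and never reaches the new xdm role; the same line is needed in the sibling appconfig directories, with the level range adjusted for MLS instead of a bare `s0`. The new xdm_default_contexts file later in this patch has the same gap, since it is also created only under appconfig-mcs.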
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(xdm, user, xdm_r, s0, s0)
 
 # Until order dependence is fixed for users:
 ifdef(`direct_sysadm_daemon',`
Index: refpolicy-2.20220216/config/appconfig-mcs/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220216/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 xdm_r:xdm_t:s0
Index: refpolicy-2.20220216/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20220216/policy/modules/kernel/kernel.te
@@ -32,6 +32,7 @@ role system_r;
 role sysadm_r;
 role staff_r;
 role user_r;
+role xdm_r;
 
 # here until order dependence is fixed:
 role unconfined_r;
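Review bot: `gen_user(xdm, user, xdm_r, s0, s0)` drops the `_u` suffix that every other SELinux user in the surrounding lines carries (`user_u`, `staff_u`, `sysadm_u`, `system_u` in the hunk header), and reusing the bare name `xdm` for the identity makes it easy to confuse with the Linux account, the `xdm_r` role and the `xdm_t` type in audit output; naming it `xdm_u` would keep the convention, with the seusers entry and the xdm_default_contexts file updated to match. The second argument `user` is the home-directory prefix, which presumably is irrelevant for a daemon account that never gets a labelled home directory, so a one-line comment above the entry such as `# SELinux identity for the sddm PAM worker; prefix only affects homedir labelling` would save the next reader from wondering why it shares the user_u prefix.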