Currently xdm_tmp_t is applied to /tmp/.ICE-unix/ which is writable by user_t (e.g. for dcopserver in KDE which creates sockets there). xdm_tmp_t is defined in the xserver module, which currently on Debian is only loaded if you have packages like xdm installed. But if for example you have a blade server or Xen DomU that has no ability to have a local X server (and therefore no need for xdm) then you can still run "ssh -X" and launch KDE programs.

With the current way the Debian policy works, if you don't have the xserver policy module loaded then the <<none>> labelling policy is used and you end up with /tmp/.ICE-unix/ labelled as initrc_tmp_t, which denies access to user_t and prevents running KDE programs.

It seems to me that there are three viable possibilities to deal with this:

1) Load xserver.pp unconditionally (or build it into the policy).
2) Move the xdm_tmp_t definition to something that's in base.
3) Just label the directory in question as tmp_t - it seems that there is little protection if user_t can put whatever they want there.

As an aside, allowing user_t to create files of type xdm_tmp_t seems like it might be a mistake. Is this ever necessary?

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
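The labelling failure described in the post, and the effect of each of the three proposed fixes, as an added model (not code from the post or from the SELinux/refpolicy projects). The file_contexts entries, the type_transition rules and the allow rules below are constructed to follow the shape of refpolicy, not copied from it, and the matching rule is simplified to "longest matching regex wins".

```python
"""Model of how /tmp/.ICE-unix gets its label with and without xserver.pp loaded.

Added example; entries, rules and the module names attached to them are
constructed for illustration and are not taken from the real policy files.
"""
import re

# Constructed file_contexts entries: (regex, type, module that defines the type).
FC_DEBIAN = [
    (r"/tmp(/.*)?", "tmp_t", "base"),
    (r"/tmp/\.ICE-unix(/.*)?", "xdm_tmp_t", "xserver"),
]
# Option 2 from the post: same entry, but xdm_tmp_t now defined in base.
FC_OPTION2 = [(r, t, "base") for r, t, _ in FC_DEBIAN]
# Option 3 from the post: no special entry, the directory is plain tmp_t.
FC_OPTION3 = [FC_DEBIAN[0]]

# Constructed type_transition rules: (creating domain, parent dir type) -> new type.
TYPE_TRANSITIONS = {("initrc_t", "tmp_t"): "initrc_tmp_t"}

# Constructed allow rules: tmp types user_t may write to.
USER_WRITABLE = {"tmp_t", "xdm_tmp_t", "user_tmp_t"}


def file_context_for(path, entries, loaded_modules):
    """Type file_contexts assigns to path, or '<<none>>'.

    Mimics setfiles behaviour: an entry whose type is not defined by a loaded
    module is treated as <<none>>, so restorecon leaves the existing label alone.
    Simplification (assumption): the longest matching regex is the winner.
    """
    best = None
    for regex, ftype, module in entries:
        if re.fullmatch(regex, path) and (best is None or len(regex) > len(best[0])):
            best = (regex, ftype, module)
    if best is None or best[2] not in loaded_modules:
        return "<<none>>"
    return best[1]


def label_after_boot(path, entries, loaded_modules, creator="initrc_t", parent="tmp_t"):
    """Label the directory ends up with after an init script creates it under
    /tmp: the file_contexts type if one applies, otherwise whatever the
    type_transition for the creating domain produced (default: parent type)."""
    ctx = file_context_for(path, entries, loaded_modules)
    if ctx != "<<none>>":
        return ctx
    return TYPE_TRANSITIONS.get((creator, parent), parent)


def user_can_write(label):
    """Whether user_t (e.g. dcopserver) can create its socket under that label."""
    return label in USER_WRITABLE
```

`label_after_boot("/tmp/.ICE-unix", FC_DEBIAN, {"base"})` reproduces the initrc_tmp_t outcome from the post; passing FC_OPTION2 or FC_OPTION3, or adding "xserver" to the loaded set (option 1), each yields a label user_t can write.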