From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1513166611.fe73a7e41325536c918f4da90cf251b731d37824.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: fe73a7e41325536c918f4da90cf251b731d37824
X-VCS-Branch: master
Date: Thu, 14 Dec 2017 05:15:31 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     fe73a7e41325536c918f4da90cf251b731d37824
Author:     David Sugar tresys com>
AuthorDate: Tue Dec 12 02:15:24 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe73a7e4

Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type)

Set up type xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and
use filetrans to transition from user_runtime_t to our private type.
type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun"
path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file Signed-off-by: Dave Sugar tresys.com> policy/modules/services/xserver.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index efd965a7..6564c7f4 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -186,6 +186,10 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) +# type for /run/user/%{USERID}/* +type xdm_runtime_t; +userdom_user_runtime_content(xdm_runtime_t) + type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; @@ -345,6 +349,10 @@ files_lock_filetrans(xdm_t, xdm_lock_t, file) # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) +# files in /run/user/%{USERID}/* +manage_dirs_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t) +manage_files_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t) + manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) 
@@ -493,6 +501,7 @@ userdom_create_all_users_keys(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) +userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir) # for .dmrc: this was used by the Gnome Display Manager (gdm) # and it is now obsolete in Gnome3
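Review bot: the comment `# type for /run/user/%{USERID}/*` in the first hunk (@@ -186,6 +186,10 @@) overstates the type's scope. xdm_runtime_t is only applied to objects that xdm_t itself creates inside a user runtime directory, through the filetrans added in the last hunk; everything else under /run/user/%{USERID}/ stays user_runtime_t, and no file_contexts entry is involved. Suggest wording it as `# type for xdm-created content in /run/user/%{USERID}/` so the declaration does not read as if the whole directory were covered.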
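Review bot: in the second hunk (@@ -345,6 +349,10 @@) the manage_dirs_pattern/manage_files_pattern lines are the only access anyone gets on xdm_runtime_t, and the only subject is xdm_t. That matches the quoted denials, which all come from xdm_t, but the new type is declared without any accompanying interface in xserver.if, so a domain that later needs to read or search these directories cannot be granted access from its own module and will surface as a fresh denial. Worth deciding now whether a read/search interface for xdm_runtime_t belongs in this change.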
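Review bot: in the third hunk (@@ -493,6 +501,7 @@) `userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir)` is limited to the dir class and carries no name filter. Two effects follow from the visible lines: a file that xdm_t creates directly in /run/user/%{USERID}/ (rather than inside a directory it created there first, which is the logged dconf/user case) would still be labelled user_runtime_t and reproduce the denials in the message, so either add a file transition or confirm that only directories are created at that level; and every directory xdm_t creates in any user runtime directory becomes xdm_runtime_t, not only the `dconf` one the log shows. If dconf is the only expected case and the interface accepts the optional filename argument that refpolicy filetrans interfaces usually take, `userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir, "dconf")` would narrow it.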
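The AVC denials quoted in the commit message are the raw material a policy author starts from, and the interesting part of this commit is what it does *not* do with them. As an added example, not code from this commit or from the refpolicy tree, the following Python script parses a constructed copy of the first five denials above, aggregates them per (source type, target type, object class) and emits the audit2allow-style rules they would naively translate to. The function names `parse_avc` and `to_allow_rules` are this example's own, and the sample is a verbatim subset of the log lines in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the first five AVC records quoted in the commit message,
# copied as they appear there. The auditd AVC line format is what the parser targets.
SAMPLE_AVC = """\
type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
"""

# Pull out the permission set, the two security contexts and the object class.
# The contexts are user:role:type[:range]; only the type field matters for a TE rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Aggregate denials into {(source_type, target_type, tclass): set(permissions)}.

    Lines that are not AVC denials (or are truncated) are skipped rather than
    raising, since real audit logs interleave many record types.
    """
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        needed[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(needed)


def to_allow_rules(needed):
    """Render the aggregated denials as the allow rules audit2allow would suggest."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

The two rules the script prints both have user_runtime_t as the target, which is the type shared by everything in every user's runtime directory; granting xdm_t write and create on it would let the display manager touch any user's runtime content, not just its own. That over-grant is the reason the commit declares a private xdm_runtime_t, gives xdm_t manage rights on that type only, and relies on a type transition so that what xdm_t creates lands in its own type instead of the shared one.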