From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1736203738.5d5cd5aa4b27f066010097c1779f96bcaa6fc5d8.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 5d5cd5aa4b27f066010097c1779f96bcaa6fc5d8
X-VCS-Branch: master
Date: Mon, 06 Jan 2025 22:49:33 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 38f2b973-f630-4da5-a2f4-6f823f608c4a
X-Archives-Hash: b4184840055b190aaad820511725c76e

commit:     5d5cd5aa4b27f066010097c1779f96bcaa6fc5d8
Author:     Rahul Sandhu sandhuservices dev>
AuthorDate: Sun Jan  5 14:55:07 2025 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Mon Jan  6 22:48:58 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d5cd5aa

xserver: add xdm user with role access to system_r and xdm_r

Sync with upstream's xserver changes.

Previously reverted in dada9b3defc6c44e73d56adf245a5812c3f08404. The reasoning for the revert:

```
This commit added the sddm user to the xserver module. This caused
problems loading the xserver module if the user did not exist on the
system.
```

no longer applies, as upstream hit this issue here: https://github.com/SELinuxProject/refpolicy/issues/488 and resolved it.

Fixes: https://github.com/gentoo/hardened-refpolicy/issues/7
Signed-off-by: Rahul Sandhu sandhuservices.dev>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/8
Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/xserver.te | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index c5d7a0f03..1b843b466 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -86,6 +86,10 @@ gen_tunable(xserver_object_manager, false) ## gen_tunable(xserver_allow_dri, false) +# for sddm to use pam for greeter +role xdm_r; +allow system_r xdm_r; + attribute x_domain; # X Events @@ -169,6 +173,7 @@ fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) type xdm_t; +role xdm_r types xdm_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -891,6 +896,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +# for sddm to use pam for greeter, sddm greeter needs execmod +allow xdm_t xdm_tmpfs_t:file execmod; + # Run Xorg.wrap can_exec(xserver_t, xserver_exec_t) @@ -1091,3 +1099,6 @@ ifdef(`distro_gentoo',` cgmanager_stream_connect(xdm_t) ') ') + +# for sddm to use pam for greeter +gen_user(xdm,, xdm_r system_r, s0, s0)
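Review bot: In the first hunk (@@ -86,6 +86,10 @@) the comment "for sddm to use pam for greeter" does not say what `allow system_r xdm_r;` actually authorizes, namely a role change from system_r into xdm_r, nor why the greeter's PAM session needs it; the same one-line comment is then repeated verbatim at the other three insertion points. Please expand this first comment to state the concrete transition path (which domain under system_r changes into xdm_r, and for which process), and consider moving `role xdm_r;` next to `type xdm_t;` where the second hunk binds the role to its type, so that the role declaration, its type binding and the role allow rule live together instead of being split between the tunable block and the xdm_t declarations.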
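Review bot: In the second hunk (@@ -169,6 +173,7 @@) `role xdm_r types xdm_t;` authorizes only xdm_t for the new role. Any domain that xdm_t transitions to while a process is in xdm_r (a greeter helper, a PAM helper, anything reached via a domain transition from xdm_t) is not covered and will be denied, and that denial surfaces as a role/type pairing failure that is easy to misread as a plain AVC denial. Please either confirm in the commit message that every greeter process stays in xdm_t, or add the corresponding `role xdm_r types ...;` lines for the other domains the greeter path enters.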
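Review bot: In the third hunk (@@ -891,6 +896,9 @@) `allow xdm_t xdm_tmpfs_t:file execmod;` is granted unconditionally. execmod lets xdm_t make a writable private file mapping executable, i.e. it switches off the W^X check for every file of type xdm_tmpfs_t rather than for the one object the greeter trips over, and the comment only says "sddm greeter needs execmod" without naming the library or mapping that triggers the denial. Please record the actual denial (or the component that performs the text relocation) in the comment, and gate the rule behind a tunable in the style of the `gen_tunable(xserver_allow_dri, false)` shown at the top of the file so that hosts not running sddm keep the protection.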
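Review bot: In the last hunk (@@ -1091,3 +1099,6 @@) `gen_user(xdm,, xdm_r system_r, s0, s0)` gives the new xdm SELinux user system_r in addition to xdm_r, which authorizes the user for every domain reachable under system_r rather than just xdm_t, and leaves the second (prefix) argument empty. Please state in the commit message whether system_r is required for the greeter path or whether xdm_r plus the `allow system_r xdm_r;` transition from the first hunk would suffice, and note that the declaration is appended after the closing `')` of the `ifdef(`distro_gentoo',` block, so it applies to every distro build of the module, not only Gentoo; since the quoted revert reasoning talks about an "sddm user" while this hunk declares "xdm", a sentence tying the two names together would also help future readers of the history.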