commit:     5d5cd5aa4b27f066010097c1779f96bcaa6fc5d8
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Sun Jan  5 14:55:07 2025 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jan  6 22:48:58 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d5cd5aa

xserver: add xdm user with role access to system_r and xdm_r

Sync with upstream's xserver changes.

Previously reverted in dada9b3defc6c44e73d56adf245a5812c3f08404. The
reasoning for the revert:
```
This commit added the sddm user to the xserver module.
This caused problems loading the xserver module if the user did not
exist on the system.
```
no longer applies: upstream hit the same issue
(https://github.com/SELinuxProject/refpolicy/issues/488) and resolved it.

Fixes: https://github.com/gentoo/hardened-refpolicy/issues/7

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/8
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/xserver.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index c5d7a0f03..1b843b466 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -86,6 +86,10 @@ gen_tunable(xserver_object_manager, false)
 ## </desc>
 gen_tunable(xserver_allow_dri, false)
 
+# for sddm to use pam for greeter
+role xdm_r;
+allow system_r xdm_r;
+
 attribute x_domain;
 
 # X Events
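Review bot: The comment above `role xdm_r;` says what sddm wants but not what the two statements grant, and `allow system_r xdm_r;` is a role-allow rule that lets any domain in system_r change to xdm_r, so it deserves its own sentence rather than sharing a one-liner. Something like `# xdm_r: role for the xdm SELinux user; system_r may change to it so the display manager (presumably started in system_r - confirm) can enter the greeter role` would let a reader judge the rule without the commit history. The same comment text is reused verbatim at the execmod rule and at the gen_user line later in this patch; each site should name its own specific purpose.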
@@ -169,6 +173,7 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
 type xdm_t;
+role xdm_r types xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
@@ -891,6 +896,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
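Review bot: `allow xdm_t xdm_tmpfs_t:file execmod;` unconditionally lets xdm_t execute modified (written-then-executed) mappings of its tmpfs files, a W^X relaxation, and the comment does not say why `execute` alone is insufficient. The rule also sits among xserver_t rules (`manage_*_pattern(xserver_t, xdm_tmp_t, ...)` above it and `can_exec(xserver_t, xserver_exec_t)` below), so it appears to be in the xserver_t section; moving it next to the other xdm_t rules with a comment such as `# sddm greeter (xdm_t) needs execmod on its tmpfs mappings; execute alone is insufficient - <component that triggers the denial>` would keep the file navigable. If the need is sddm-specific, gating it behind a tunable in the style of `gen_tunable(xserver_allow_dri, false)` near the top of the file would keep the default policy tighter; whether upstream did so is not visible here.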
@@ -1091,3 +1099,6 @@ ifdef(`distro_gentoo',`
                cgmanager_stream_connect(xdm_t)
        ')
 ')
+
+# for sddm to use pam for greeter
+gen_user(xdm,, xdm_r system_r, s0, s0)
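Review bot: `gen_user(xdm,, xdm_r system_r, s0, s0)` gives the xdm SELinux user both xdm_r and system_r, but the comment repeats `# for sddm to use pam for greeter` without saying why system_r is required in addition to the dedicated role, so a reader cannot tell whether system_r is needed or a leftover. Suggest `# xdm SELinux user for the display manager's PAM greeter session; system_r is listed because <reason>` with the reason filled in (presumably the context the login program itself runs in - confirm). The commit message explains that the earlier revert concern (module failing to load when the user did not exist) was resolved upstream in refpolicy issue 488; a one-line pointer to that in the comment would save the next maintainer a trip through the history.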
