* xauth type
From: Russell Coker @ 2025-07-19 11:36 UTC (permalink / raw)
To: SELinux Reference Policy mailing list

# sesearch -T -D xauth_home_t
type_transition auditadm_su_t user_home_dir_t:file xauth_home_t;
type_transition secadm_su_t user_home_dir_t:file xauth_home_t;
type_transition staff_su_t user_home_dir_t:file xauth_home_t;
type_transition sysadm_su_t user_home_dir_t:file xauth_home_t;
type_transition user_su_t user_home_dir_t:file xauth_home_t;
type_transition xauth_t user_home_dir_t:file xauth_home_t;
type_transition xauth_t user_tmp_t:file xauth_home_t;
type_transition xdm_t user_home_dir_t:file xauth_home_t .Xauthority;

The above are the transition rules to label xauth files with X11 (xdm, su,
etc).

When running Wayland the window manager does this: kwin uses
/run/user/$UID/xauth_$RAND and GNOME uses
/run/user/$UID/.mutter.XWaylandauth-$RAND, and they get labeled as either
user_tmp_t or user_runtime_t, neither of which is good, and as the filename is
random we can't have a domain transition rule.

The window manager does many things, so having it create all files as
xauth_home_t isn't going to work.

Any suggestions?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: xauth type
From: Chris PeBenito @ 2025-07-22 13:03 UTC (permalink / raw)
To: russell, SELinux Reference Policy mailing list
On 7/19/2025 7:36 AM, Russell Coker wrote:
> # sesearch -T -D xauth_home_t
> type_transition auditadm_su_t user_home_dir_t:file xauth_home_t;
> type_transition secadm_su_t user_home_dir_t:file xauth_home_t;
> type_transition staff_su_t user_home_dir_t:file xauth_home_t;
> type_transition sysadm_su_t user_home_dir_t:file xauth_home_t;
> type_transition user_su_t user_home_dir_t:file xauth_home_t;
> type_transition xauth_t user_home_dir_t:file xauth_home_t;
> type_transition xauth_t user_tmp_t:file xauth_home_t;
> type_transition xdm_t user_home_dir_t:file xauth_home_t .Xauthority;
>
> The above are the transition rules to label xauth files with X11 (xdm, su,
> etc).
>
> When running Wayland the window manager does this, kwin uses
> /run/user/$UID/xauth_$RAND and GNOME uses
> /run/user/$UID/.mutter.XWaylandauth-$RAND and they get labeled as either
> user_tmp_t or user_runtime_t neither of which is good and as the filename is
> random we can't have a domain transition rule.
>
> The Window manager does many things so having it create all files as
> xauth_home_t isn't going to work.
>
> Any suggestions?

This sounds like a perfect use for type_transition prefix matching.[1]
I'm told it hasn't yet been merged because of performance problems.

My only idea is to write file contexts for the paths and try to
precreate the dirs, e.g. by systemd-tmpfiles, before they're needed.

[1] https://lore.kernel.org/all/20231108103345.4014148-1-juraj@jurajmarcin.com/

--
Chris PeBenito
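
An added example, not part of either message and not code from the reference policy or the kernel: a simplified Python model of how a new file's type is chosen, showing why exact-name rules miss the randomly named XWayland auth files and how a prefix rule would label only those files. The domain wm_t, the use of user_runtime_t as the parent directory label, the prefix rules, the lookup precedence and the sample file names are assumptions made for the illustration.

```python
# Simplified model of file type_transition lookup, not the kernel's code.
# Key: (source domain, parent dir type, class, name); name None = unnamed rule.
RULES = {
    # Two rules taken from the sesearch output in the thread.
    ("xdm_t", "user_home_dir_t", "file", ".Xauthority"): "xauth_home_t",
    ("xauth_t", "user_tmp_t", "file", None): "xauth_home_t",
}

# Hypothetical prefix rules. wm_t is an assumed window manager domain and
# user_runtime_t an assumed label for the directory the file is created in.
PREFIX_RULES = {
    ("wm_t", "user_runtime_t", "file", "xauth_"): "xauth_home_t",
    ("wm_t", "user_runtime_t", "file", ".mutter.XWaylandauth-"): "xauth_home_t",
}


def new_file_type(source, parent, tclass, name, prefix_rules=None):
    """Return the type a newly created object gets in this model."""
    # 1. A rule naming the exact file wins.
    hit = RULES.get((source, parent, tclass, name))
    if hit:
        return hit
    # 2. Longest matching prefix (precedence is an assumption of the model).
    for cut in range(len(name), 0, -1):
        hit = (prefix_rules or {}).get((source, parent, tclass, name[:cut]))
        if hit:
            return hit
    # 3. Unnamed rule for this source/parent/class.
    hit = RULES.get((source, parent, tclass, None))
    if hit:
        return hit
    # 4. No rule: the object inherits the parent directory's type.
    return parent


if __name__ == "__main__":
    # Constructed file names standing in for $RAND suffixes.
    for name in ("xauth_aB3xQ9", ".mutter.XWaylandauth-7K2P1Z", "pipewire-0"):
        before = new_file_type("wm_t", "user_runtime_t", "file", name)
        after = new_file_type("wm_t", "user_runtime_t", "file", name, PREFIX_RULES)
        print(f"{name}: exact-name rules -> {before}, prefix rules -> {after}")
```
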