When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.
The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /dev
files_read_etc_files(xauth_t)
files_search_pids(xauth_t)
+kernel_request_load_module(xauth_t)
+
fs_getattr_xattr_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)