systemd_logind links /run/user/$USER/X11/display to /tmp/.X11-unix/X*
authorDominick Grift <domg472@gmail.com>
Fri, 15 Jul 2011 13:16:22 +0000 (15:16 +0200)
committerDominick Grift <domg472@gmail.com>
Fri, 15 Jul 2011 13:16:22 +0000 (15:16 +0200)
sock_file

policy/modules/services/xserver.if
policy/modules/system/systemd.te

index 3afa206c08dad37c7ac3399718a769929384045d..10b57e0a438734ef69e2f87ba6547596e6568fc1 100644 (file)
@@ -864,6 +864,25 @@ interface(`xserver_read_xdm_rw_config',`
        allow $1 xdm_rw_etc_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     Search XDM temporary directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_search_xdm_tmp_dirs',`
+       gen_require(`
+               type xdm_tmp_t;
+       ')
+
+       files_search_tmp($1)
+       allow $1 xdm_tmp_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Set the attributes of XDM temporary directories.
index a884be6750408ecbea65582b3af128bcb515ad5f..fdc509dbc5cd44047ae82db7e8f5039c298c0bf1 100644 (file)
@@ -114,8 +114,8 @@ optional_policy(`
 optional_policy(`
        xserver_dbus_chat_xdm(systemd_logind_t)
        xserver_read_state_xdm(systemd_logind_t)
-       # Only search is confirmed (/tmp/$USER/X11-unix)
-       xserver_read_xdm_tmp_files(systemd_logind_t)
+       # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+       xserver_search_xdm_tmp_dirs(systemd_logind_t)
 ')
 
 #######################################
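Review bot: The new comment above `xserver_search_xdm_tmp_dirs(systemd_logind_t)` says what logind does but no longer records why directory search is the whole grant, which the removed "Only search is confirmed" wording did. Narrowing from `xserver_read_xdm_tmp_files` to search-only is the right least-privilege direction, so the comment should keep that scope explicit, for example `# logind links /run/user/$USER/X11/display to the /tmp/.X11-unix/X* sock_file; only dir search on xdm_tmp_t is confirmed, no access to the socket itself is granted`. The socket's own label and any permission logind might need on it (such as getattr when it checks the target) are not visible here. If such a denial appears in the audit log later, a narrowly scoped sock_file interface would be preferable to restoring the broader read interface.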