Users using slim or lxdm will not have a working system when running SELinux in enforcing mode with the current policy. Attached patch provides a (huge) list of changes needed (courtesy of Fedora).

Reproducible: Always
Created attachment 294891
Fedora provided patch on refpolicy for xserver
For feedback/testing => Anarchy
Created attachment 294903
slim/lxdm support

Patch only implements support for slim/lxdm. It will require that lxdm for sure has 'session optional pam_selinux.so' added to /etc/pam.d/lxdm
On the following snippet:

 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

What file(s) do you want to match with that? The rule you added also already matches .Xauthority so if that context is needed, the other one can be removed.

On the following:

+/var/log/slim\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/(l)?xdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)

Are the trailing regular expressions needed? As far as I know, slim.log is the log file, all slim.log.* matches are then rotated log files and do not need to use the same context.
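
Review bot: In the two added /var/log lines the trailing ".*" is not preceded by an escaped dot, so "slim\.log.*" and "(l)?xdm\.log.*" assign xserver_log_t to any regular file whose path merely begins with /var/log/slim.log, /var/log/xdm.log or /var/log/lxdm.log, which is wider than the live log plus its rotations. If only the live log needs the type, end the pattern at "\.log"; if rotations need it too, make the separator explicit, for example "\.log(\.[^/]*)?". The group in "(l)?xdm" wraps a single character and can be written "l?xdm".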
Patch will be partially included. The Xauth.* won't be, nor will slim.log.*.
In hardened-dev overlay
~arch'ed since 2011-12-17
Stabilized