Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on

The xserver_clients_write_xshm boolean allows writing to xserver_tmpfs_t files, this commit also adds the map permission. The commit addresses the following AVC denial: type=AVC msg=audit(1699352146.594:3256): avc: denied { map } for pid=481494 comm="Xephyr" path=2F6D656D66643A786F7267202864656C6574656429 dev="tmpfs" ino=92915 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c10,c580 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=1 Resolves: rhbz#2248488
zpytela · Nov 14, 2023 · a3bf298 · a3bf298
1 parent 42b74e4
commit a3bf298
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
@@ -255,7 +255,7 @@ interface(`xserver_user_client',`
 	# Client write xserver shm
 	tunable_policy(`xserver_clients_write_xshm',`
 		allow $1 xserver_t:shm rw_shm_perms;
-		allow $1 xserver_tmpfs_t:file rw_file_perms;
+		allow $1 xserver_tmpfs_t:file mmap_rw_file_perms;
 	')
 ')
 
@@ -439,7 +439,7 @@ template(`xserver_user_x_domain_template',`
 	# Client write xserver shm
 	tunable_policy(`xserver_clients_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
-		allow $2 xserver_tmpfs_t:file rw_file_perms;
+		allow $2 xserver_tmpfs_t:file mmap_rw_file_perms;
 	')
 
 	tunable_policy(`selinuxuser_direct_dri_enabled',`

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
@@ -1824,7 +1824,7 @@ term_use_virtio_console(x_userdomain)
 # Client write xserver shm
 tunable_policy(`xserver_clients_write_xshm',`
 	allow x_userdomain xserver_t:shm rw_shm_perms;
-	allow x_userdomain xserver_tmpfs_t:file rw_file_perms;
+	allow x_userdomain xserver_tmpfs_t:file mmap_rw_file_perms;
 ')
 
 optional_policy(`