From a3bf298d2702dfadfb2d9f622262d6cea88692d4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 13 Nov 2023 15:35:05 +0100
Subject: [PATCH] Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on

The xserver_clients_write_xshm boolean allows writing to xserver_tmpfs_t files, this commit also adds the map permission.

The commit addresses the following AVC denial:

type=AVC msg=audit(1699352146.594:3256): avc: denied { map } for pid=481494 comm="Xephyr" path=2F6D656D66643A786F7267202864656C6574656429 dev="tmpfs" ino=92915 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c10,c580 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=1

Resolves: rhbz#2248488
---
 policy/modules/services/xserver.if | 4 ++--
 policy/modules/services/xserver.te | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 76332dffc3..f7da583549 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -255,7 +255,7 @@ interface(`xserver_user_client',`
 # Client write xserver shm
 tunable_policy(`xserver_clients_write_xshm',`
 allow $1 xserver_t:shm rw_shm_perms;
- allow $1 xserver_tmpfs_t:file rw_file_perms;
+ allow $1 xserver_tmpfs_t:file mmap_rw_file_perms;
 ')
 ')
@@ -439,7 +439,7 @@ template(`xserver_user_x_domain_template',`
 # Client write xserver shm
 tunable_policy(`xserver_clients_write_xshm',`
 allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
+ allow $2 xserver_tmpfs_t:file mmap_rw_file_perms;
 ')
 tunable_policy(`selinuxuser_direct_dri_enabled',`
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7fcbb32b3b..41927cef4a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
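Review bot: The boolean's own description in xserver.te (the `gen_tunable(xserver_clients_write_xshm, ...)` block, which is outside these hunks) presumably still speaks only of writing to the X server shared memory, while the new `mmap_rw_file_perms` in this hunk, in the `@@ -439` hunk below and in the `@@ -1824` hunk of xserver.te also grants `map` on xserver_tmpfs_t files; if so, its `<desc>` text should say that clients may also memory-map those files, e.g. "Allow clients to write to and memory-map the X server shared memory files." In the same spirit the hunk-local comment `# Client write xserver shm` could become `# Client write/map xserver shm` in all three places. The widening is confined to mapping a type the client could already open read-write under the same boolean, and `map` on its own does not permit PROT_EXEC mappings, which remain subject to the file's execute permission, so nothing else in the tunable needs to change. The quoted denial comes from sandbox_xserver_t, but all three interface paths gain the permission together, which is consistent with the single boolean gating them.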
@@ -1824,7 +1824,7 @@ term_use_virtio_console(x_userdomain)
 # Client write xserver shm
 tunable_policy(`xserver_clients_write_xshm',`
 allow x_userdomain xserver_t:shm rw_shm_perms;
- allow x_userdomain xserver_tmpfs_t:file rw_file_perms;
+ allow x_userdomain xserver_tmpfs_t:file mmap_rw_file_perms;
 ')
 optional_policy(`