Bug 155798 - Proper labeling for .ICEauthority and .ICE-unix
Summary: Proper labeling for .ICEauthority and .ICE-unix
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Blocks: 155800
Reported: 2005-04-23 12:53 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-07-13 11:36:59 UTC


Description Ivan Gyurdiev 2005-04-23 12:53:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
My version of the policy restricts various desktop applications from
access to ROLE_home_t, which results in denials.

I think .ICEauthority (and/or) .ICE-unix need to be labeled with more
specific types, but I'm not familiar with how those files are used yet.

Example denials:

audit(1114184601.178:0): avc:  denied  { read } for  pid=338 exe=/usr/bin/gataxx name=.ICEauthority dev=dm-2 ino=324496 scontext=phantom:staff_r:staff_games_t tcontext=phantom:object_r:staff_home_t tclass=file

audit(1114184601.178:0): avc:  denied  { getattr } for  pid=338 exe=/usr/bin/gataxx path=/home/phantom/.ICEauthority dev=dm-2 ino=324496 scontext=phantom:staff_r:staff_games_t tcontext=phantom:object_r:staff_home_t tclass=file

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:
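The two AVC records above are the whole evidence in this report, so an added example of how a policy maintainer would triage them follows. This is example code written for this page, not code from the bug, from selinux-policy-strict or from Fedora; the function names and the "hidden file in $HOME still carrying the generic ROLE_home_t type" heuristic are my own choices. It parses the audit lines into structured fields, normalises the name=/path= difference between the two records, and flags denials that point at a home-directory dotfile with a generic home type, which is exactly the case where a dedicated file type (rather than a broad allow on ROLE_home_t) is the fix being asked for.

```python
import os
import re

# Constructed sample input: the two AVC denials quoted in the bug description.
SAMPLE_DENIALS = """\
audit(1114184601.178:0): avc:  denied  { read } for  pid=338 exe=/usr/bin/gataxx name=.ICEauthority dev=dm-2 ino=324496 scontext=phantom:staff_r:staff_games_t tcontext=phantom:object_r:staff_home_t tclass=file
audit(1114184601.178:0): avc:  denied  { getattr } for  pid=338 exe=/usr/bin/gataxx path=/home/phantom/.ICEauthority dev=dm-2 ino=324496 scontext=phantom:staff_r:staff_games_t tcontext=phantom:object_r:staff_home_t tclass=file
"""

# Header, result, permission set in braces, then free-form key=value fields.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type component of a context written as user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(FIELD_RE.findall(m.group("fields")))  # pid, exe, name/path, dev, ino, ...
    rec["source_type"] = context_type(rec.get("scontext", ""))
    rec["target_type"] = context_type(rec.get("tcontext", ""))
    # The kernel reports either name= (basename only) or path= (full path);
    # keep a basename in "name" so both records can be compared.
    if "path" in rec and "name" not in rec:
        rec["name"] = os.path.basename(rec["path"])
    return rec


def parse_log(text):
    """Parse every AVC record found in a block of audit log text."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def generic_home_dotfile_denials(records):
    """Flag file denials whose target is a dotfile still labelled with a generic
    ROLE_home_t type. Each finding is (name, source_type, target_type, perms)."""
    findings = []
    for r in records:
        if r["result"] != "denied" or r.get("tclass") != "file":
            continue
        name = r.get("name", "")
        if r["target_type"].endswith("_home_t") and name.startswith("."):
            findings.append((name, r["source_type"], r["target_type"], tuple(r["perms"])))
    return findings


def summarise(findings):
    """Group findings by file and source domain so the needed labeling is obvious."""
    summary = {}
    for name, src, tgt, perms in findings:
        summary.setdefault((name, src, tgt), set()).update(perms)
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DENIALS)
    for (name, src, tgt), perms in summarise(generic_home_dotfile_denials(recs)).items():
        print(f"{name}: {src} wants {perms} on a file labelled {tgt}; "
              f"consider a dedicated type instead of allowing {tgt}")
```

Running it on the quoted records groups both denials into a single line: .ICEauthority, domain staff_games_t, permissions getattr and read, target still staff_home_t. The heuristic only looks at the type suffix and the leading dot, so it will also surface other home-directory dotfiles that later need their own types; it deliberately does not generate allow rules, since the point of the report is that the label, not the domain's permissions, is what should change.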

Comment 1 Ivan Gyurdiev 2005-06-18 07:17:49 UTC
Status after untrusted patch:

.ICE-unix needs to be pre-created somehow.
.ICEauthority stuff needs to be moved into a subfolder that is precreated
(since things use libICE instead of the iceauth program).

Comment 2 Ivan Gyurdiev 2005-11-10 16:29:44 UTC
In general, ice_* in the current policy is incomplete.
I'm not sure what shape those rules will have after the reference policy is merged.

Comment 4 Daniel Walsh 2006-06-15 19:17:14 UTC
We are working on eliminating /tmp usage from ice and X Windows.
