From 27f53bd2d61e6c0686dcd8d7df5edfe7a4d0d5b3 Mon Sep 17 00:00:00 2001
From: Rahul Sandhu
Date: Sun, 5 Jan 2025 14:55:07 +0000
Subject: [PATCH] xserver: add xdm user with role access to system_r and xdm_r

Signed-off-by: Rahul Sandhu
---
 policy/modules/services/xserver.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c5d7a0f03..7f5256139 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -86,6 +86,10 @@ gen_tunable(xserver_object_manager, false)
 ##
 gen_tunable(xserver_allow_dri, false)
 
+# for sddm to use pam for greeter
+role xdm_r;
+allow system_r xdm_r;
+
 attribute x_domain;
 
 # X Events
@@ -169,6 +173,7 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
 type xdm_t;
+role xdm_r types xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
@@ -891,6 +896,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
@@ -1091,3 +1099,7 @@ ifdef(`distro_gentoo',`
 cgmanager_stream_connect(xdm_t)
 ')
 ')
+
+
+# for sddm to use pam for greeter
+gen_user(xdm,, xdm_r system_r, s0, s0)
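Review bot: The comment `# for sddm to use pam for greeter` above `role xdm_r;` and `allow system_r xdm_r;` (hunk at +86) does not say what the role-allow rule permits or why a separate role is needed, and the same sentence is reused on the execmod and gen_user hunks. `allow system_r xdm_r;` lets a process running in system_r change role to xdm_r, and `role xdm_r types xdm_t;` in the next hunk makes xdm_t the only type authorised for that role in this patch. I would state that here, for example `# sddm starts in system_r; the PAM-opened greeter session runs as xdm_r:xdm_t, so system_r must be allowed to change role to xdm_r`. That wording is inferred from the commit subject and should be checked against the actual sddm flow, which this patch does not show.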
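Review bot: `allow xdm_t xdm_tmpfs_t:file execmod;` (hunk at +896) is granted unconditionally, so every display manager that runs in xdm_t receives it, not only sddm. The earlier hunk shows xdm_t is an `auth_login_pgm_domain`. execmod lets a file mapping that has been modified be made executable, which loosens write-xor-execute for a domain that handles credentials; if xdm_t can also write xdm_tmpfs_t files (not visible in this hunk), that includes content the domain produced itself. I would put the rule behind a tunable that defaults to false, as `gen_tunable(xserver_allow_dri, false)` does earlier in the file, and have the comment name the object that triggers the denial. The commit subject mentions only the user and roles, so the execmod grant should be called out there too. The tunable name below is a placeholder.

```selinux
## <desc>
## <p>
## Allow xdm_t to make modified xdm tmpfs files executable (execmod).
## </p>
## </desc>
gen_tunable(PLACEHOLDER_xdm_tmpfs_execmod, false)

# ... unchanged: xserver_t / xdm_tmp_t manage_*_pattern rules ...

# sddm greeter needs execmod on xdm_tmpfs_t; off by default because it weakens W^X for xdm_t
tunable_policy(`PLACEHOLDER_xdm_tmpfs_execmod',`
	allow xdm_t xdm_tmpfs_t:file execmod;
')
```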
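Review bot: `gen_user(xdm,, xdm_r system_r, s0, s0)` (last hunk, end of file) authorises the new SELinux user for `system_r` as well as `xdm_r`, so a login mapped to it may hold a context in the system role rather than only the greeter role. If the greeter only ever runs as xdm_r:xdm_t, the least-privilege form would be `gen_user(xdm,, xdm_r, s0, s0)`; if system_r is genuinely required, the comment should say why instead of repeating the sentence used on the other hunks. Two smaller things to confirm: the user is declared in the module's .te file, whereas as far as I know the base users live in the policy-wide users file, and the name lacks the `_u` suffix those users carry. The range is fixed at `s0` with no categories, which looks deliberate for a greeter but deserves a word in the comment.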