* [refpolicy] [PATCH] xserver: only run in confined mode and restrict execmem permissions
@ 2016-12-28 17:20 Guido Trentalancia
  2016-12-28 19:56 ` [refpolicy] [PATCH v2] xserver: restrict executable memory permissions (was "only run in confined mode and restrict execmem permissions") Guido Trentalancia
  0 siblings, 1 reply; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-28 17:20 UTC (permalink / raw)
  To: refpolicy

Update the xserver module so that both the xserver_t and xdm_t
domains always run in confined mode and never run in unconfined
mode.

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location, adds the ability to read udev pid files and
finally adds a couple of permissions so that xconsole can use
the terminals it needs.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    2 ++
 policy/modules/services/xserver.te |   32 ++++++++++++++++++--------------
 2 files changed, 20 insertions(+), 14 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-28 18:06:07.926688845 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-28 17:55:56.182177747 +0100
@@ -81,6 +81,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-28 17:43:34.097311192 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
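Review bot: The gnome_xdm description says what the boolean is for but not what it grants, so an administrator listing booleans cannot tell that turning it on gives xdm_t — a root domain which, judging from the capability rule elsewhere in xserver.te, runs with dac_override and sys_rawio — permission to create writable-and-executable anonymous mappings. Tunable descriptions are the only documentation most users ever see, so the `<p>` text should name the permission, e.g. `## Allow xdm_t the execmem permission needed by gnome-shell running in gdm mode.` The rest of the tunable declarations lie outside this hunk.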
@@ -450,6 +458,10 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +519,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
@@ -584,15 +600,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain(xdm_t)
-	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
-')
-
-optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
 ')
 
@@ -754,6 +761,8 @@ modutils_domtrans_insmod(xserver_t)
 # read x_contexts
 seutil_read_default_contexts(xserver_t)
 
+udev_read_pid_files(xserver_t)
+
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
 userdom_setattr_user_ttys(xserver_t)
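Review bot: `udev_read_pid_files(xserver_t)` is added as a bare call rather than inside an `optional_policy()` block, which makes the xserver module fail to link whenever the udev module is not built. The file's existing udev call, `udev_read_db(xserver_t)` (not visible in this hunk), appears to be wrapped in optional_policy, and the new call belongs next to it. The xserver_t rule block continues on both sides of the hunk.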
@@ -806,11 +815,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain_noaudit(xserver_t)
-	unconfined_domtrans(xserver_t)
-')
-
-optional_policy(`
 	userhelper_search_config(xserver_t)
 ')
 


* [refpolicy] [PATCH v2] xserver: restrict executable memory permissions (was "only run in confined mode and restrict execmem permissions")
  2016-12-28 17:20 [refpolicy] [PATCH] xserver: only run in confined mode and restrict execmem permissions Guido Trentalancia
@ 2016-12-28 19:56 ` Guido Trentalancia
  2016-12-30  0:36   ` [refpolicy] [PATCH v3] xserver: restrict executable memory permissions Guido Trentalancia
  0 siblings, 1 reply; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-28 19:56 UTC (permalink / raw)
  To: refpolicy

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location, adds the ability to read udev pid files and
finally adds a couple of permissions so that xconsole can use
the terminals it needs.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    2 ++
 policy/modules/services/xserver.te |   21 +++++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-28 20:47:28.677416395 +0100
@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-28 20:50:53.138823311 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
@@ -450,6 +458,10 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +519,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
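Review bot: The new tunable_policy block carries no comment saying why a display manager needs execmem, and execmem is exactly the permission a later reader will be tempted to drop or widen without knowing the reason. Presumably gnome-shell's JavaScript engine needs it for JIT compilation, but that should be confirmed and recorded, e.g. `# gnome-shell in gdm mode needs execmem (presumably for its JavaScript JIT)` above the allow rule. Whether execmem is also reachable through the `unconfined_domain(xdm_t)` call kept further down in this file cannot be seen from this hunk.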
@@ -586,10 +602,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -803,6 +815,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-28 19:56 ` [refpolicy] [PATCH v2] xserver: restrict executable memory permissions (was "only run in confined mode and restrict execmem permissions") Guido Trentalancia
@ 2016-12-30  0:36   ` Guido Trentalancia
  2016-12-30  1:06     ` cgzones
  2016-12-30 19:32     ` Chris PeBenito
  0 siblings, 2 replies; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-30  0:36 UTC (permalink / raw)
  To: refpolicy

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location, adds the ability to read udev pid files and
finally adds a few permissions so that xconsole can run smoothly.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    2 ++
 policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-30 01:25:51.383728583 +0100
@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-30 01:30:43.634289624 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
@@ -304,6 +312,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
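Review bot: `dontaudit xdm_t self:capability sys_admin;` silences every CAP_SYS_ADMIN denial for xdm_t without a comment saying which program triggers it, and the commit message does not mention the rule at all. A dontaudit on the broadest capability is acceptable only while it is known to be a harmless probe, so the rule should carry a why-comment naming the process and the call, e.g. `# <program> probes for CAP_SYS_ADMIN but works without it; silence the noise`, and the commit message should list the rule. The xdm_t rule block continues outside the hunk.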
@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
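Review bot: The commit message's claim that execmem is now only enabled through gnome_xdm holds only if `unconfined_domain(xdm_t)`, which the unconfined optional_policy block further down in this file still calls, does not itself grant execmem; from this hunk alone that cannot be confirmed. If unconfined_domain() grants it, directly or through its own boolean, the message should say the tunable only matters when xdm_t is confined; if it does not, dropping the former non-Red Hat `{ execheap execmem }` rule is a behaviour change for those setups that the message should state, e.g. `On non-Red Hat builds with the unconfined module, xdm_t loses execmem unless gnome_xdm is enabled.` The unconfined block itself is outside this hunk.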
@@ -586,10 +603,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -803,6 +816,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30  0:36   ` [refpolicy] [PATCH v3] xserver: restrict executable memory permissions Guido Trentalancia
@ 2016-12-30  1:06     ` cgzones
  2016-12-30  1:19       ` Guido Trentalancia
  2016-12-30  1:42       ` Guido Trentalancia
  2016-12-30 19:32     ` Chris PeBenito
  1 sibling, 2 replies; 18+ messages in thread
From: cgzones @ 2016-12-30  1:06 UTC (permalink / raw)
  To: refpolicy

On 30 Dec 2016 1:37 am, "Guido Trentalancia via refpolicy" <
refpolicy@oss.tresys.com> wrote:

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location, adds the ability to read udev pid files and
finally adds a few permissions so that xconsole can run smoothly.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    2 ++
 policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/
xserver.fc
--- a/policy/modules/services/xserver.fc        2016-12-22
23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc        2016-12-30
01:25:51.383728583 +0100
@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*       --      gen_context(s

 /usr/sbin/lightdm      --      gen_context(system_u:object_r:xdm_exec_t,s0)

+/usr/share/X11/xkb(/.*)?       gen_context(system_u:object_r:
xkb_var_lib_t,s0)
+

I am not familiar with xkb nor xdm, but the /usr directory should from my
point of view be able to be mounted as read-only, so the files laying here
should be static. Why does xkb has library files over here?

 /usr/X11R6/bin/[xgkw]dm        --      gen_context(system_u:object_r:
xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth --      gen_context(system_u:object_r:
iceauth_exec_t,s0)
 /usr/X11R6/bin/X       --      gen_context(system_u:object_r:
xserver_exec_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/
xserver.te
--- a/policy/modules/services/xserver.te        2016-12-22
23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te        2016-12-30
01:30:43.634289624 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)

 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
@@ -304,6 +312,7 @@ optional_policy(`
 #

 allow xdm_t self:capability { setgid setuid sys_resource kill
sys_tty_config mknod chown dac_override dac_read_search fowner fsetid
ipc_owner sys_nice sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };

-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;

 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)

+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
 #      allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')

+tunable_policy(`gnome_xdm',`
+       allow xdm_t self:process execmem;
+')
+
 optional_policy(`
        alsa_domtrans(xdm_t)
 ')
@@ -586,10 +603,6 @@ optional_policy(`
 optional_policy(`
        unconfined_domain(xdm_t)
        unconfined_domtrans(xdm_t)
-
-       ifndef(`distro_redhat',`
-               allow xdm_t self:process { execheap execmem };
-       ')
 ')

 optional_policy(`
@@ -803,6 +816,7 @@ optional_policy(`

 optional_policy(`
        udev_read_db(xserver_t)
+       udev_read_pid_files(xserver_t)
 ')

 optional_policy(`


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30  1:06     ` cgzones
@ 2016-12-30  1:19       ` Guido Trentalancia
  2016-12-30  1:42       ` Guido Trentalancia
  1 sibling, 0 replies; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-30  1:19 UTC (permalink / raw)
  To: refpolicy

Hello. 

You should ask Xorg developers... 

I don't know why they install dynamic stuff there. 

It's not tragic though. And there are other existing file contexts (possibly obsolete) similar to that, so Reference Policy is already coexisting with that... 

Regards, 

Guido 

On the 30th of December 2016 02:06:35 CET, cgzones <cgzones@googlemail.com> wrote:
>On 30 Dec 2016 1:37 am, "Guido Trentalancia via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>The dangerous execheap permission is removed from xdm and the
>dangerous execmem permission is only enabled for the Gnome
>Display Manager (gnome-shell running in gdm mode) through a
>new "gnome_xdm" boolean.
>
>This patch also updates the XKB libs file context with their
>default location, adds the ability to read udev pid files and
>finally adds a few permissions so that xconsole can run smoothly.
>
>Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>---
> policy/modules/services/xserver.fc |    2 ++
> policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
> 2 files changed, 21 insertions(+), 5 deletions(-)
>
>diff -pru a/policy/modules/services/xserver.fc
>b/policy/modules/services/
>xserver.fc
>--- a/policy/modules/services/xserver.fc        2016-12-22
>23:12:47.782929703 +0100
>+++ b/policy/modules/services/xserver.fc        2016-12-30
>01:25:51.383728583 +0100
>@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*       --      gen_context(s
>
>/usr/sbin/lightdm      --     
>gen_context(system_u:object_r:xdm_exec_t,s0)
>
>+/usr/share/X11/xkb(/.*)?       gen_context(system_u:object_r:
>xkb_var_lib_t,s0)
>+
>
>I am not familiar with xkb nor xdm, but the /usr directory should from
>my
>point of view be able to be mounted as read-only, so the files laying
>here
>should be static. Why does xkb has library files over here?
>
> /usr/X11R6/bin/[xgkw]dm        --      gen_context(system_u:object_r:
>xdm_exec_t,s0)
> /usr/X11R6/bin/iceauth --      gen_context(system_u:object_r:
>iceauth_exec_t,s0)
> /usr/X11R6/bin/X       --      gen_context(system_u:object_r:
>xserver_exec_t,s0)
>diff -pru a/policy/modules/services/xserver.te
>b/policy/modules/services/
>xserver.te
>--- a/policy/modules/services/xserver.te        2016-12-22
>23:12:47.782929703 +0100
>+++ b/policy/modules/services/xserver.te        2016-12-30
>01:30:43.634289624 +0100
>@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
> ## <desc>
> ## <p>
>+## Use gnome-shell in gdm mode as the
>+## X Display Manager (XDM)
>+## </p>
>+## </desc>
>+gen_tunable(gnome_xdm, false)
>+
>+## <desc>
>+## <p>
> ## Support X userspace object manager
> ## </p>
> ## </desc>
>@@ -304,6 +312,7 @@ optional_policy(`
> #
>
> allow xdm_t self:capability { setgid setuid sys_resource kill
>sys_tty_config mknod chown dac_override dac_read_search fowner fsetid
>ipc_owner sys_nice sys_rawio net_bind_service };
>+dontaudit xdm_t self:capability sys_admin;
> allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
>signal_perms };
> allow xdm_t self:fifo_file rw_fifo_file_perms;
> allow xdm_t self:shm create_shm_perms;
>@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
> allow xdm_t self:appletalk_socket create_socket_perms;
> allow xdm_t self:key { search link write };
>
>-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
>+allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;
>
> # Allow gdm to run gdm-binary
> can_exec(xdm_t, xdm_exec_t)
>@@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
> term_use_unallocated_ttys(xdm_t)
> term_setattr_unallocated_ttys(xdm_t)
>
>+# for xconsole
>+term_use_ptmx(xdm_t)
>+term_use_generic_ptys(xdm_t)
>+
> auth_domtrans_pam_console(xdm_t)
> auth_manage_pam_pid(xdm_t)
> auth_manage_pam_console_data(xdm_t)
>@@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
> #      allow xserver_t xdm_tmpfs_t:file rw_file_perms;
> ')
>
>+tunable_policy(`gnome_xdm',`
>+       allow xdm_t self:process execmem;
>+')
>+
> optional_policy(`
>        alsa_domtrans(xdm_t)
> ')
>@@ -586,10 +603,6 @@ optional_policy(`
> optional_policy(`
>        unconfined_domain(xdm_t)
>        unconfined_domtrans(xdm_t)
>-
>-       ifndef(`distro_redhat',`
>-               allow xdm_t self:process { execheap execmem };
>-       ')
> ')
>
> optional_policy(`
>@@ -803,6 +816,7 @@ optional_policy(`
>
> optional_policy(`
>        udev_read_db(xserver_t)
>+       udev_read_pid_files(xserver_t)
> ')
>
> optional_policy(`


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30  1:06     ` cgzones
  2016-12-30  1:19       ` Guido Trentalancia
@ 2016-12-30  1:42       ` Guido Trentalancia
  2016-12-30 16:07         ` cgzones
  1 sibling, 1 reply; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-30  1:42 UTC (permalink / raw)
  To: refpolicy

Hello again. 

I have double-checked and the difference between /usr/share and /var/lib is between architecture-independent and single-machine data, not between read-only and writable. 

I hope it helps. 

Regards, 

Guido 

On the 30th of December 2016 02:06:35 CET, cgzones <cgzones@googlemail.com> wrote:
>On 30 Dec 2016 1:37 am, "Guido Trentalancia via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>The dangerous execheap permission is removed from xdm and the
>dangerous execmem permission is only enabled for the Gnome
>Display Manager (gnome-shell running in gdm mode) through a
>new "gnome_xdm" boolean.
>
>This patch also updates the XKB libs file context with their
>default location, adds the ability to read udev pid files and
>finally adds a few permissions so that xconsole can run smoothly.
>
>Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>---
> policy/modules/services/xserver.fc |    2 ++
> policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
> 2 files changed, 21 insertions(+), 5 deletions(-)
>
>diff -pru a/policy/modules/services/xserver.fc
>b/policy/modules/services/
>xserver.fc
>--- a/policy/modules/services/xserver.fc        2016-12-22
>23:12:47.782929703 +0100
>+++ b/policy/modules/services/xserver.fc        2016-12-30
>01:25:51.383728583 +0100
>@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*       --      gen_context(s
>
>/usr/sbin/lightdm      --     
>gen_context(system_u:object_r:xdm_exec_t,s0)
>
>+/usr/share/X11/xkb(/.*)?       gen_context(system_u:object_r:
>xkb_var_lib_t,s0)
>+
>
>I am not familiar with xkb nor xdm, but the /usr directory should from
>my
>point of view be able to be mounted as read-only, so the files laying
>here
>should be static. Why does xkb has library files over here?
>
> /usr/X11R6/bin/[xgkw]dm        --      gen_context(system_u:object_r:
>xdm_exec_t,s0)
> /usr/X11R6/bin/iceauth --      gen_context(system_u:object_r:
>iceauth_exec_t,s0)
> /usr/X11R6/bin/X       --      gen_context(system_u:object_r:
>xserver_exec_t,s0)
>diff -pru a/policy/modules/services/xserver.te
>b/policy/modules/services/
>xserver.te
>--- a/policy/modules/services/xserver.te        2016-12-22
>23:12:47.782929703 +0100
>+++ b/policy/modules/services/xserver.te        2016-12-30
>01:30:43.634289624 +0100
>@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
> ## <desc>
> ## <p>
>+## Use gnome-shell in gdm mode as the
>+## X Display Manager (XDM)
>+## </p>
>+## </desc>
>+gen_tunable(gnome_xdm, false)
>+
>+## <desc>
>+## <p>
> ## Support X userspace object manager
> ## </p>
> ## </desc>
>@@ -304,6 +312,7 @@ optional_policy(`
> #
>
> allow xdm_t self:capability { setgid setuid sys_resource kill
>sys_tty_config mknod chown dac_override dac_read_search fowner fsetid
>ipc_owner sys_nice sys_rawio net_bind_service };
>+dontaudit xdm_t self:capability sys_admin;
> allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
>signal_perms };
> allow xdm_t self:fifo_file rw_fifo_file_perms;
> allow xdm_t self:shm create_shm_perms;
>@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
> allow xdm_t self:appletalk_socket create_socket_perms;
> allow xdm_t self:key { search link write };
>
>-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
>+allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;
>
> # Allow gdm to run gdm-binary
> can_exec(xdm_t, xdm_exec_t)
>@@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
> term_use_unallocated_ttys(xdm_t)
> term_setattr_unallocated_ttys(xdm_t)
>
>+# for xconsole
>+term_use_ptmx(xdm_t)
>+term_use_generic_ptys(xdm_t)
>+
> auth_domtrans_pam_console(xdm_t)
> auth_manage_pam_pid(xdm_t)
> auth_manage_pam_console_data(xdm_t)
>@@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
> #      allow xserver_t xdm_tmpfs_t:file rw_file_perms;
> ')
>
>+tunable_policy(`gnome_xdm',`
>+       allow xdm_t self:process execmem;
>+')
>+
> optional_policy(`
>        alsa_domtrans(xdm_t)
> ')
>@@ -586,10 +603,6 @@ optional_policy(`
> optional_policy(`
>        unconfined_domain(xdm_t)
>        unconfined_domtrans(xdm_t)
>-
>-       ifndef(`distro_redhat',`
>-               allow xdm_t self:process { execheap execmem };
>-       ')
> ')
>
> optional_policy(`
>@@ -803,6 +816,7 @@ optional_policy(`
>
> optional_policy(`
>        udev_read_db(xserver_t)
>+       udev_read_pid_files(xserver_t)
> ')
>
> optional_policy(`


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30  1:42       ` Guido Trentalancia
@ 2016-12-30 16:07         ` cgzones
  2016-12-30 17:04           ` Guido Trentalancia
  0 siblings, 1 reply; 18+ messages in thread
From: cgzones @ 2016-12-30 16:07 UTC (permalink / raw)
  To: refpolicy

Hi,

2016-12-30 2:42 GMT+01:00 Guido Trentalancia via refpolicy
<refpolicy@oss.tresys.com>:
> Hello again.
>
> I have double-checked and the difference between /usr/share and /var/lib is between architetture-independent and single-machine data, not between read-only and writable.

Quoting FHS 3.0:

/usr/share
"The /usr/share hierarchy is for all read-only architecture
independent data files."
(http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html)

/var/lib
"This hierarchy holds state information pertaining to an application
or the system. State information is data that programs modify while
they run, and that pertains to one specific host."
(http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html)

> I hope it helps.
>
> Regards,
>
> Guido
>

Btw, I am not against this patch, just wanted to make sure this
specific change was intentional and note that it's a bit unhandsome.

Kindly Regards,
     Christian Göttsche


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30 16:07         ` cgzones
@ 2016-12-30 17:04           ` Guido Trentalancia
  0 siblings, 0 replies; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-30 17:04 UTC (permalink / raw)
  To: refpolicy

On Fri, 30/12/2016 at 17.07 +0100, cgzones wrote:
> Hi,
> 
> 2016-12-30 2:42 GMT+01:00 Guido Trentalancia via refpolicy
> <refpolicy@oss.tresys.com>:
> > 
> > Hello again.
> > 
> > I have double-checked and the difference between /usr/share and
> > /var/lib is between architetture-independent and single-machine
> > data, not between read-only and writable.

I correct myself. The former also implies read-only files.

> Quoting FHS 3.0:
> 
> /usr/share
> "The /usr/share hierarchy is for all read-only architecture
> independent data files."
> (http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html)
> 
> /var/lib
> "This hierarchy holds state information pertaining to an application
> or the system. State information is data that programs modify while
> they run, and that pertains to one specific host."
> (http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html)
> 
> > 
> > I hope it helps.
> > 
> > Regards,
> > 
> > Guido
> > 
> 
> Btw, I am not against this patch, just wanted to make sure this
> specific change was intentional and note that it's a bit unhandsome.

I confirm, it is a sort of bug in xserver (the actual package, not the
policy module).

Regards,

Guido


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30  0:36   ` [refpolicy] [PATCH v3] xserver: restrict executable memory permissions Guido Trentalancia
  2016-12-30  1:06     ` cgzones
@ 2016-12-30 19:32     ` Chris PeBenito
  2016-12-30 22:06       ` Guido Trentalancia
  2016-12-30 22:07       ` [refpolicy] [PATCH v4] " Guido Trentalancia
  1 sibling, 2 replies; 18+ messages in thread
From: Chris PeBenito @ 2016-12-30 19:32 UTC (permalink / raw)
  To: refpolicy

On 12/29/16 19:36, Guido Trentalancia via refpolicy wrote:
> The dangerous execheap permission is removed from xdm and the
> dangerous execmem permission is only enabled for the Gnome
> Display Manager (gnome-shell running in gdm mode) through a
> new "gnome_xdm" boolean.
>
> This patch also updates the XKB libs file context with their
> default location, adds the ability to read udev pid files and
> finally adds a few permissions so that xconsole can run smoothly.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    2 ++
>  policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
>  2 files changed, 21 insertions(+), 5 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-30 01:25:51.383728583 +0100
> @@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>
> +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +
>  /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-30 01:30:43.634289624 +0100
> @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
>  ## <desc>
>  ## <p>
> +## Use gnome-shell in gdm mode as the
> +## X Display Manager (XDM)
> +## </p>
> +## </desc>
> +gen_tunable(gnome_xdm, false)

The tunable name should start with xserver.


> +## <desc>
> +## <p>
>  ## Support X userspace object manager
>  ## </p>
>  ## </desc>
> @@ -304,6 +312,7 @@ optional_policy(`
>  #
>
>  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
> +dontaudit xdm_t self:capability sys_admin;
>  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
>  allow xdm_t self:fifo_file rw_fifo_file_perms;
>  allow xdm_t self:shm create_shm_perms;
> @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
>  allow xdm_t self:appletalk_socket create_socket_perms;
>  allow xdm_t self:key { search link write };
>
> -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> +allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;

The setattr permission is lost.

>  # Allow gdm to run gdm-binary
>  can_exec(xdm_t, xdm_exec_t)
> @@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
>  term_use_unallocated_ttys(xdm_t)
>  term_setattr_unallocated_ttys(xdm_t)
>
> +# for xconsole
> +term_use_ptmx(xdm_t)
> +term_use_generic_ptys(xdm_t)

Looks like a pty needs to be properly labeled.


>  auth_domtrans_pam_console(xdm_t)
>  auth_manage_pam_pid(xdm_t)
>  auth_manage_pam_console_data(xdm_t)
> @@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
>  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
>  ')
>
> +tunable_policy(`gnome_xdm',`
> +	allow xdm_t self:process execmem;
> +')
> +
>  optional_policy(`
>  	alsa_domtrans(xdm_t)
>  ')
> @@ -586,10 +603,6 @@ optional_policy(`
>  optional_policy(`
>  	unconfined_domain(xdm_t)
>  	unconfined_domtrans(xdm_t)
> -
> -	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> -	')
>  ')
>
>  optional_policy(`
> @@ -803,6 +816,7 @@ optional_policy(`
>
>  optional_policy(`
>  	udev_read_db(xserver_t)
> +	udev_read_pid_files(xserver_t)
>  ')
>
>  optional_policy(`



-- 
Chris PeBenito


* [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
  2016-12-30 19:32     ` Chris PeBenito
@ 2016-12-30 22:06       ` Guido Trentalancia
  2016-12-30 22:07       ` [refpolicy] [PATCH v4] " Guido Trentalancia
  1 sibling, 0 replies; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-30 22:06 UTC (permalink / raw)
  To: refpolicy

Hello Christopher,

thanks very much for the review.

I am now going to create a new revised version...

Regards,

Guido

> On the 30th of December 2016 at 20.32 Chris PeBenito <pebenito@ieee.org>
> wrote:
> 
> 
> On 12/29/16 19:36, Guido Trentalancia via refpolicy wrote:
> > The dangerous execheap permission is removed from xdm and the
> > dangerous execmem permission is only enabled for the Gnome
> > Display Manager (gnome-shell running in gdm mode) through a
> > new "gnome_xdm" boolean.
> >
> > This patch also updates the XKB libs file context with their
> > default location, adds the ability to read udev pid files and
> > finally adds a few permissions so that xconsole can run smoothly.
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/services/xserver.fc |    2 ++
> >  policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
> >  2 files changed, 21 insertions(+), 5 deletions(-)
> >
> > diff -pru a/policy/modules/services/xserver.fc
> > b/policy/modules/services/xserver.fc
> > --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> > +++ b/policy/modules/services/xserver.fc	2016-12-30 01:25:51.383728583 +0100
> > @@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
> >
> >  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> >
> > +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> > +
> >  /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> >  /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
> >  /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> > diff -pru a/policy/modules/services/xserver.te
> > b/policy/modules/services/xserver.te
> > --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> > +++ b/policy/modules/services/xserver.te	2016-12-30 01:30:43.634289624 +0100
> > @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
> >
> >  ## <desc>
> >  ## <p>
> > +## Use gnome-shell in gdm mode as the
> > +## X Display Manager (XDM)
> > +## </p>
> > +## </desc>
> > +gen_tunable(gnome_xdm, false)
> 
> The tunable name should start with xserver.
> 
> 
> > +## <desc>
> > +## <p>
> >  ## Support X userspace object manager
> >  ## </p>
> >  ## </desc>
> > @@ -304,6 +312,7 @@ optional_policy(`
> >  #
> >
> >  allow xdm_t self:capability { setgid setuid sys_resource kill
> > sys_tty_config mknod chown dac_override dac_read_search fowner fsetid
> > ipc_owner sys_nice sys_rawio net_bind_service };
> > +dontaudit xdm_t self:capability sys_admin;
> >  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
> > signal_perms };
> >  allow xdm_t self:fifo_file rw_fifo_file_perms;
> >  allow xdm_t self:shm create_shm_perms;
> > @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
> >  allow xdm_t self:appletalk_socket create_socket_perms;
> >  allow xdm_t self:key { search link write };
> >
> > -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> > +allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;
> 
> The setattr permission is lost.
> 
> >  # Allow gdm to run gdm-binary
> >  can_exec(xdm_t, xdm_exec_t)
> > @@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
> >  term_use_unallocated_ttys(xdm_t)
> >  term_setattr_unallocated_ttys(xdm_t)
> >
> > +# for xconsole
> > +term_use_ptmx(xdm_t)
> > +term_use_generic_ptys(xdm_t)
> 
> Looks like a pty needs to be properly labeled.
> 
> 
> >  auth_domtrans_pam_console(xdm_t)
> >  auth_manage_pam_pid(xdm_t)
> >  auth_manage_pam_console_data(xdm_t)
> > @@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
> >  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
> >  ')
> >
> > +tunable_policy(`gnome_xdm',`
> > +	allow xdm_t self:process execmem;
> > +')
> > +
> >  optional_policy(`
> >  	alsa_domtrans(xdm_t)
> >  ')
> > @@ -586,10 +603,6 @@ optional_policy(`
> >  optional_policy(`
> >  	unconfined_domain(xdm_t)
> >  	unconfined_domtrans(xdm_t)
> > -
> > -	ifndef(`distro_redhat',`
> > -		allow xdm_t self:process { execheap execmem };
> > -	')
> >  ')
> >
> >  optional_policy(`
> > @@ -803,6 +816,7 @@ optional_policy(`
> >
> >  optional_policy(`
> >  	udev_read_db(xserver_t)
> > +	udev_read_pid_files(xserver_t)
> >  ')
> >
> >  optional_policy(`
> 
> 
> 
> -- 
> Chris PeBenito


* [refpolicy] [PATCH v4] xserver: restrict executable memory permissions
  2016-12-30 19:32     ` Chris PeBenito
  2016-12-30 22:06       ` Guido Trentalancia
@ 2016-12-30 22:07       ` Guido Trentalancia
  2016-12-31 15:56         ` Chris PeBenito
  1 sibling, 1 reply; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-30 22:07 UTC (permalink / raw)
  To: refpolicy

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which is currently not FHS3-compliant, because
by default the output of xkbcomp is written there), adds the
ability to read udev pid files and finally adds a few permissions
so that xconsole can run smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements as kindly suggested
in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    6 ++++--
 policy/modules/services/xserver.te |   30 +++++++++++++++++++++---------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff -pru a/policy/modules/services/xserver.fc
b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-30 23:02:21.384800112 +0100
@@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+# xserver default configure bug: not FHS-compliant because not read-only !
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
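Review bot: The comment `# xserver default configure bug: not FHS-compliant because not read-only !` does not say what the label implies for policy: xserver_t is given `manage_files_pattern` on `xkb_var_lib_t` elsewhere in this patch, so this line makes a directory tree under /usr/share writable by the X server, which is the consequence a reader of the .fc file needs to see; the same line appears in the v5 and v6 hunks. A wording such as `# xkbcomp writes its output here by default (not FHS-compliant), so the tree must be writable by xserver_t` would make that explicit.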
@@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb(/.*)?	--	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 ifndef(`distro_debian',`
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
diff -pru a/policy/modules/services/xserver.te
b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-30 22:51:16.080848623 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(xserver_gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
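Review bot: The `<desc>` for `xserver_gnome_xdm` says when to enable the boolean but not what it grants, so an administrator listing booleans cannot see that turning it on hands `execmem` to xdm_t; the v5 and v6 hunks carry the same text. Since the commit message itself calls execmem dangerous, the description should state the grant, e.g. `## Allow the X Display Manager (xdm_t) to map executable memory (execmem), needed by gnome-shell running in gdm mode.` The `gen_tunable` lines sit outside any block, so the hunk is self-contained.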
@@ -304,6 +312,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config
mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice
sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
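Review bot: `dontaudit xdm_t self:capability sys_admin;` is added with no comment naming which xdm operation requests CAP_SYS_ADMIN, and the commit message does not mention it either; the same line appears in the v5 and v6 hunks. A dontaudit permanently hides that denial, so a later reader cannot tell a harmless capability probe from a real need being masked; a one-line comment such as `# <operation that requests CAP_SYS_ADMIN - fill in>; the denial is harmless` would keep the reason visible. If the trigger is not known, leaving the denial audited until it is identified is the safer order.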
@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms
setattr_fifo_file_perms };
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+term_relabel_all_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +521,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`xserver_gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
@@ -586,10 +604,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -655,6 +669,7 @@ manage_fifo_files_pattern(xserver_t, xse
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file
fifo_file })
 
+# Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
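Review bot: The new comment `# Run xkbcomp` sits above `manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)`, but those rules grant create, write and delete on the compiled keymap tree rather than execution, and the real `can_exec(xserver_t, xkb_var_lib_t)` is removed further down in this patch; the same comment appears in the v5 and v6 hunks. A wording that matches the rules, e.g. `# Write compiled keymaps produced by xkbcomp`, avoids suggesting that execute access on xkb_var_lib_t was kept.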
@@ -803,6 +818,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`
@@ -840,10 +856,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
-# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xserver_t, xkb_var_lib_t)
-
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)


* [refpolicy] [PATCH v4] xserver: restrict executable memory permissions
  2016-12-30 22:07       ` [refpolicy] [PATCH v4] " Guido Trentalancia
@ 2016-12-31 15:56         ` Chris PeBenito
  2016-12-31 16:00           ` Guido Trentalancia
  2016-12-31 16:02           ` [refpolicy] [PATCH v5] " Guido Trentalancia
  0 siblings, 2 replies; 18+ messages in thread
From: Chris PeBenito @ 2016-12-31 15:56 UTC (permalink / raw)
  To: refpolicy

On 12/30/16 17:07, Guido Trentalancia via refpolicy wrote:
> The dangerous execheap permission is removed from xdm and the
> dangerous execmem permission is only enabled for the Gnome
> Display Manager (gnome-shell running in gdm mode) through a
> new "xserver_gnome_xdm" boolean.
>
> This patch also updates the XKB libs file context with their
> default location (which at the moment is not compliant with
> FHS3 due to the fact that it allows by default to write the
> output from xkbcomp), adds the ability to read udev pid files
> and finally adds a few permissions so that xconsole can run
> smoothly.
>
> The anomalous permission to execute XKB var library files has
> been removed and the old X11R6 library location has been
> updated so that subdirectories are also labeled as xkb_var_lib.
>
> This patch includes various improvements as kindly suggested
> in reviews made by Christopher PeBenito.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    6 ++++--
>  policy/modules/services/xserver.te |   30 +++++++++++++++++++++---------
>  2 files changed, 25 insertions(+), 11 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc
> b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-30 23:02:21.384800112 +0100
> @@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>
> +# xserver default configure bug: not FHS-compliant because not read-only !
> +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +
>  /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> @@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> -/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> -/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/usr/X11R6/lib/X11/xkb(/.*)?	--	gen_context(system_u:object_r:xkb_var_lib_t,s0)

I doubt that anyone still uses /usr/X11R6, but this does not have the 
desired effect since you kept the --.  The xkb directory will be mislabeled.


>  ifndef(`distro_debian',`
>  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
> diff -pru a/policy/modules/services/xserver.te
> b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-30 22:51:16.080848623 +0100
> @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
>  ## <desc>
>  ## <p>
> +## Use gnome-shell in gdm mode as the
> +## X Display Manager (XDM)
> +## </p>
> +## </desc>
> +gen_tunable(xserver_gnome_xdm, false)
> +
> +## <desc>
> +## <p>
>  ## Support X userspace object manager
>  ## </p>
>  ## </desc>
> @@ -304,6 +312,7 @@ optional_policy(`
>  #
>
>  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config
> mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice
> sys_rawio net_bind_service };
> +dontaudit xdm_t self:capability sys_admin;
>  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
> signal_perms };
>  allow xdm_t self:fifo_file rw_fifo_file_perms;
>  allow xdm_t self:shm create_shm_perms;
> @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
>  allow xdm_t self:appletalk_socket create_socket_perms;
>  allow xdm_t self:key { search link write };
>
> -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> +allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms
> setattr_fifo_file_perms };
>
>  # Allow gdm to run gdm-binary
>  can_exec(xdm_t, xdm_exec_t)
> @@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
>  term_use_unallocated_ttys(xdm_t)
>  term_setattr_unallocated_ttys(xdm_t)
>
> +# for xconsole
> +term_use_ptmx(xdm_t)
> +term_use_generic_ptys(xdm_t)
> +term_relabel_all_ptys(xdm_t)

Which domain is creating the pty?  Using generic ptys should be avoided 
if possible.


>  auth_domtrans_pam_console(xdm_t)
>  auth_manage_pam_pid(xdm_t)
>  auth_manage_pam_console_data(xdm_t)
> @@ -507,6 +521,10 @@ tunable_policy(`xdm_sysadm_login',`
>  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
>  ')
>
> +tunable_policy(`xserver_gnome_xdm',`
> +	allow xdm_t self:process execmem;
> +')
> +
>  optional_policy(`
>  	alsa_domtrans(xdm_t)
>  ')
> @@ -586,10 +604,6 @@ optional_policy(`
>  optional_policy(`
>  	unconfined_domain(xdm_t)
>  	unconfined_domtrans(xdm_t)
> -
> -	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> -	')
>  ')
>
>  optional_policy(`
> @@ -655,6 +669,7 @@ manage_fifo_files_pattern(xserver_t, xse
>  manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
>  fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file
> fifo_file })
>
> +# Run xkbcomp
>  manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
>  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
>  files_search_var_lib(xserver_t)
> @@ -803,6 +818,7 @@ optional_policy(`
>
>  optional_policy(`
>  	udev_read_db(xserver_t)
> +	udev_read_pid_files(xserver_t)
>  ')
>
>  optional_policy(`
> @@ -840,10 +856,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
>  manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>
> -# Run xkbcomp.
> -allow xserver_t xkb_var_lib_t:lnk_file read;
> -can_exec(xserver_t, xkb_var_lib_t)
> -
>  # Run Xorg.wrap
>  can_exec(xserver_t, xserver_exec_t)


-- 
Chris PeBenito


* [refpolicy] [PATCH v4] xserver: restrict executable memory permissions
  2016-12-31 15:56         ` Chris PeBenito
@ 2016-12-31 16:00           ` Guido Trentalancia
  2016-12-31 16:02           ` [refpolicy] [PATCH v5] " Guido Trentalancia
  1 sibling, 0 replies; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-31 16:00 UTC (permalink / raw)
  To: refpolicy

I'll fix that immediately. It's a mistake.

On Sat, 31/12/2016 at 10.56 -0500, Chris PeBenito wrote:
> On 12/30/16 17:07, Guido Trentalancia via refpolicy wrote:
> > 
> > The dangerous execheap permission is removed from xdm and the
> > dangerous execmem permission is only enabled for the Gnome
> > Display Manager (gnome-shell running in gdm mode) through a
> > new "xserver_gnome_xdm" boolean.
> > 
> > This patch also updates the XKB libs file context with their
> > default location (which at the moment is not compliant with
> > FHS3 due to the fact that it allows by default to write the
> > output from xkbcomp), adds the ability to read udev pid files
> > and finally adds a few permissions so that xconsole can run
> > smoothly.
> > 
> > The anomalous permission to execute XKB var library files has
> > been removed and the old X11R6 library location has been
> > updated so that subdirectories are also labeled as xkb_var_lib.
> > 
> > This patch includes various improvements as kindly suggested
> > in reviews made by Christopher PeBenito.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/services/xserver.fc |????6 ++++--
> > ?policy/modules/services/xserver.te |???30 +++++++++++++++++++++---
> > ------
> > ?2 files changed, 25 insertions(+), 11 deletions(-)
> > 
> > diff -pru a/policy/modules/services/xserver.fc
> > b/policy/modules/services/xserver.fc
> > --- a/policy/modules/services/xserver.fc	2016-12-22
> > 23:12:47.782929703 +0100
> > +++ b/policy/modules/services/xserver.fc	2016-12-30
> > 23:02:21.384800112 +0100
> > @@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_cont
> > ext(s
> > 
> > ?/usr/sbin/lightdm	--	gen_context(system_u:object_r:x
> > dm_exec_t,s0)
> > 
> > +# xserver default configure bug: not FHS-compliant because not
> > read-only !
> > +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_
> > var_lib_t,s0)
> > +
> > ?/usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:obje
> > ct_r:xdm_exec_t,s0)
> > ?/usr/X11R6/bin/iceauth	--	gen_context(system_u:objec
> > t_r:iceauth_exec_t,s0)
> > ?/usr/X11R6/bin/X	--	gen_context(system_u:object_r:xs
> > erver_exec_t,s0)
> > @@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_cont
> > ext(s
> > ?/usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_
> > r:xserver_exec_t,s0)
> > ?/usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r
> > :xserver_exec_t,s0)
> > ?/usr/X11R6/bin/Xwrapper	--	gen_context(system_u:obje
> > ct_r:xserver_exec_t,s0)
> > -/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:objec
> > t_r:xkb_var_lib_t,s0)
> > -/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:
> > xkb_var_lib_t,s0)
> > +/usr/X11R6/lib/X11/xkb(/.*)?	--	gen_context(system_u
> > :object_r:xkb_var_lib_t,s0)
> 
> I doubt that anyone still uses /usr/X11R6, but this does not have
> the desired effect since you kept the --.  The xkb directory will be
> mislabeled.

Regards,

Guido


* [refpolicy] [PATCH v5] xserver: restrict executable memory permissions
  2016-12-31 15:56         ` Chris PeBenito
  2016-12-31 16:00           ` Guido Trentalancia
@ 2016-12-31 16:02           ` Guido Trentalancia
  2016-12-31 16:27             ` Chris PeBenito
  1 sibling, 1 reply; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-31 16:02 UTC (permalink / raw)
  To: refpolicy

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which is currently not FHS3-compliant, because
by default the output of xkbcomp is written there), adds the
ability to read udev pid files and finally adds a few permissions
so that xconsole can run smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements as kindly suggested
in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    6 ++++--
 policy/modules/services/xserver.te |   30 +++++++++++++++++++++---------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-30 23:02:21.384800112 +0100
@@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+# xserver default configure bug: not FHS-compliant because not read-only !
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 ifndef(`distro_debian',`
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-30 22:51:16.080848623 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(xserver_gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
@@ -304,6 +312,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms };
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+term_relabel_all_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +521,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`xserver_gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
@@ -586,10 +604,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -655,6 +669,7 @@ manage_fifo_files_pattern(xserver_t, xse
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+# Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@@ -803,6 +818,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`
@@ -840,10 +856,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
-# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xserver_t, xkb_var_lib_t)
-
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 


* [refpolicy] [PATCH v5] xserver: restrict executable memory permissions
  2016-12-31 16:02           ` [refpolicy] [PATCH v5] " Guido Trentalancia
@ 2016-12-31 16:27             ` Chris PeBenito
  2016-12-31 16:38               ` Guido Trentalancia
  2016-12-31 16:43               ` [refpolicy] [PATCH v6] " Guido Trentalancia
  0 siblings, 2 replies; 18+ messages in thread
From: Chris PeBenito @ 2016-12-31 16:27 UTC (permalink / raw)
  To: refpolicy

On 12/31/16 11:02, Guido Trentalancia via refpolicy wrote:
> @@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
>  term_use_unallocated_ttys(xdm_t)
>  term_setattr_unallocated_ttys(xdm_t)
>
> +# for xconsole
> +term_use_ptmx(xdm_t)
> +term_use_generic_ptys(xdm_t)
> +term_relabel_all_ptys(xdm_t)
> +
>  auth_domtrans_pam_console(xdm_t)
>  auth_manage_pam_pid(xdm_t)
>  auth_manage_pam_console_data(xdm_t)

I've asked a couple times.  What creates this pty?  It should be 
properly labeled.  Generic pty use should be avoided if possible.



-- 
Chris PeBenito


* [refpolicy] [PATCH v5] xserver: restrict executable memory permissions
  2016-12-31 16:27             ` Chris PeBenito
@ 2016-12-31 16:38               ` Guido Trentalancia
  2016-12-31 16:43               ` [refpolicy] [PATCH v6] " Guido Trentalancia
  1 sibling, 0 replies; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-31 16:38 UTC (permalink / raw)
  To: refpolicy

On Sat, 31/12/2016 at 11.27 -0500, Chris PeBenito wrote:
> On 12/31/16 11:02, Guido Trentalancia via refpolicy wrote:
> > 
> > @@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
> > ?term_use_unallocated_ttys(xdm_t)
> > ?term_setattr_unallocated_ttys(xdm_t)
> > 
> > +# for xconsole
> > +term_use_ptmx(xdm_t)
> > +term_use_generic_ptys(xdm_t)
> > +term_relabel_all_ptys(xdm_t)
> > +
> > ?auth_domtrans_pam_console(xdm_t)
> > ?auth_manage_pam_pid(xdm_t)
> > ?auth_manage_pam_console_data(xdm_t)
> 
> I've asked a couple times.  What creates this pty?  It should be
> properly labeled.  Generic pty use should be avoided if possible.

Perhaps I misunderstood your question; I am sorry about that!

I think it is a bug in the patch. It shouldn't need those term
interfaces.

I am now testing an improved patch, it should be ready shortly...

Regards,

Guido


* [refpolicy] [PATCH v6] xserver: restrict executable memory permissions
  2016-12-31 16:27             ` Chris PeBenito
  2016-12-31 16:38               ` Guido Trentalancia
@ 2016-12-31 16:43               ` Guido Trentalancia
  2017-01-02 18:38                 ` Chris PeBenito
  1 sibling, 1 reply; 18+ messages in thread
From: Guido Trentalancia @ 2016-12-31 16:43 UTC (permalink / raw)
  To: refpolicy

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which is currently not FHS3-compliant, because
by default the output of xkbcomp is written there), adds the
ability to read udev pid files and finally adds a few permissions
so that xconsole can run smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    6 ++++--
 policy/modules/services/xserver.te |   25 ++++++++++++++++---------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-31 17:36:01.820113851 +0100
@@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+# xserver default configure bug: not FHS-compliant because not read-only !
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 ifndef(`distro_debian',`
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-31 17:40:29.468208088 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(xserver_gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
@@ -304,6 +312,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
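Review bot: The new `dontaudit xdm_t self:capability sys_admin;` has no comment saying which xdm operation trips CAP_SYS_ADMIN, so a later maintainer cannot tell whether the probe still exists or whether a real denial is now being hidden; a dontaudit on the broadest capability deserves that line. I would add above it `# <operation> probes CAP_SYS_ADMIN but works without it; silence the denial`, with the placeholder filled from the audit record that motivated the rule. The allow rule on the preceding line correctly leaves sys_admin out, so this is about documentation only.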
@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms };
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
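Review bot: The xconsole pipe rule grows from `{ getattr setattr }` to `{ read_fifo_file_perms setattr_fifo_file_perms }`, which adds open, read, lock and ioctl on the fifo, but the hunk gives no reason and the commit message's "so that xconsole can run smoothly" does not say what xdm itself reads from the pipe. A one-line comment such as `# xdm opens and reads the xconsole pipe (TODO: name the operation that needs this)` would keep the justification next to the rule. The `# Allow gdm to run gdm-binary` comment two lines below belongs to the can_exec rule and should not be read as covering this one.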
@@ -507,6 +516,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`xserver_gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
@@ -586,10 +599,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -655,6 +664,7 @@ manage_fifo_files_pattern(xserver_t, xse
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+# Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@@ -803,6 +813,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`
@@ -840,10 +851,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
-# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xserver_t, xkb_var_lib_t)
-
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 


* [refpolicy] [PATCH v6] xserver: restrict executable memory permissions
  2016-12-31 16:43               ` [refpolicy] [PATCH v6] " Guido Trentalancia
@ 2017-01-02 18:38                 ` Chris PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Chris PeBenito @ 2017-01-02 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/31/16 11:43, Guido Trentalancia via refpolicy wrote:
> The dangerous execheap permission is removed from xdm and the
> dangerous execmem permission is only enabled for the Gnome
> Display Manager (gnome-shell running in gdm mode) through a
> new "xserver_gnome_xdm" boolean.
>
> This patch also updates the XKB libs file context with their
> default location (which at the moment is not compliant with
> FHS3 due to the fact that it allows by default to write the
> output from xkbcomp), adds the ability to read udev pid files
> and finally adds a few permissions so that xconsole can run
> smoothly.
>
> The anomalous permission to execute XKB var library files has
> been removed and the old X11R6 library location has been
> updated so that subdirectories are also labeled as xkb_var_lib.
>
> This patch includes various improvements and bug fixes as
> kindly suggested in reviews made by Christopher PeBenito.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    6 ++++--
>  policy/modules/services/xserver.te |   25 ++++++++++++++++---------
>  2 files changed, 20 insertions(+), 11 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-31 17:36:01.820113851 +0100
> @@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>
> +# xserver default configure bug: not FHS-compliant because not read-only !
> +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +
>  /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> @@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> -/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> -/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/usr/X11R6/lib/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
>
>  ifndef(`distro_debian',`
>  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
> diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-31 17:40:29.468208088 +0100
> @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
>  ## <desc>
>  ## <p>
> +## Use gnome-shell in gdm mode as the
> +## X Display Manager (XDM)
> +## </p>
> +## </desc>
> +gen_tunable(xserver_gnome_xdm, false)
> +
> +## <desc>
> +## <p>
>  ## Support X userspace object manager
>  ## </p>
>  ## </desc>
> @@ -304,6 +312,7 @@ optional_policy(`
>  #
>
>  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
> +dontaudit xdm_t self:capability sys_admin;
>  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
>  allow xdm_t self:fifo_file rw_fifo_file_perms;
>  allow xdm_t self:shm create_shm_perms;
> @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
>  allow xdm_t self:appletalk_socket create_socket_perms;
>  allow xdm_t self:key { search link write };
>
> -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> +allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms };
>
>  # Allow gdm to run gdm-binary
>  can_exec(xdm_t, xdm_exec_t)
> @@ -507,6 +516,10 @@ tunable_policy(`xdm_sysadm_login',`
>  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
>  ')
>
> +tunable_policy(`xserver_gnome_xdm',`
> +	allow xdm_t self:process execmem;
> +')
> +
>  optional_policy(`
>  	alsa_domtrans(xdm_t)
>  ')
> @@ -586,10 +599,6 @@ optional_policy(`
>  optional_policy(`
>  	unconfined_domain(xdm_t)
>  	unconfined_domtrans(xdm_t)
> -
> -	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> -	')
>  ')
>
>  optional_policy(`
> @@ -655,6 +664,7 @@ manage_fifo_files_pattern(xserver_t, xse
>  manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
>  fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> +# Run xkbcomp
>  manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
>  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
>  files_search_var_lib(xserver_t)
> @@ -803,6 +813,7 @@ optional_policy(`
>
>  optional_policy(`
>  	udev_read_db(xserver_t)
> +	udev_read_pid_files(xserver_t)
>  ')
>
>  optional_policy(`
> @@ -840,10 +851,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
>  manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>
> -# Run xkbcomp.
> -allow xserver_t xkb_var_lib_t:lnk_file read;
> -can_exec(xserver_t, xkb_var_lib_t)
> -
>  # Run Xorg.wrap
>  can_exec(xserver_t, xserver_exec_t)

Merged.


-- 
Chris PeBenito

