* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
@ 2017-04-20 15:37 Guido Trentalancia
  2017-04-20 15:38 ` [refpolicy] [PATCH 2/2] udev: optionally manage xserver console device Guido Trentalancia
  2017-04-20 16:40 ` [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Russell Coker
  0 siblings, 2 replies; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 15:37 UTC (permalink / raw)
  To: refpolicy

The xserver module contains two interfaces to handle the xconsole
device (usually /dev/xconsole).

Unfortunately, it seems that the above mentioned interfaces use the
wrong file type: fifo (named pipe) instead of character device.

This patch fixes this issue and also introduces a new interface to
manage the xconsole device (so that it can be created, for example,
by a udev rule).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.if |   29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

--- a/policy/modules/services/xserver.if	2017-01-29 18:47:23.000000000 +0100
+++ b/policy/modules/services/xserver.if	2017-04-20 17:14:45.721199079 +0200
@@ -664,7 +695,8 @@ interface(`xserver_read_user_iceauth',`
 
 ########################################
 ## <summary>
-##	Set the attributes of the X windows console named pipes.
+##	Set the attributes of the X
+##	windows console device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
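Review bot: the summary now says "console device" while the interface it documents, `xserver_setattr_console_pipes` (visible in the hunk header), keeps "pipes" in its name; if the object class really changes, rename the interface (with a deprecated alias for existing callers) or keep the summary consistent with the name. The rewrapped summary also splits a sentence that fit on one line, unlike the neighbouring summaries.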
@@ -677,12 +709,13 @@ interface(`xserver_setattr_console_pipes
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:chr_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read and write the X windows console named pipe.
+##	Read and write the X windows
+##	console device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
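Review bot: swapping `fifo_file` for `chr_file` silently removes access for every existing caller on systems where /dev/xconsole is a named pipe (the Debian rsyslog init script quoted later in this thread creates it with `mknod -m 640 $XCONSOLE p`); the commit message should name the distribution or daemon that creates it as a character device, and if both layouts exist the rule should cover both classes rather than replacing one with the other.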
@@ -695,7 +728,26 @@ interface(`xserver_rw_console',`
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
+	allow $1 xconsole_device_t:chr_file rw_chr_file_perms;
+')
+
+#######################################
+## <summary>
+##	Manage the X windows console
+##	device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_console',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:chr_file manage_chr_file_perms;
 ')
 
 ########################################
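Review bot: `xserver_manage_console` only grants `manage_chr_file_perms` on objects already labelled xconsole_device_t, which is not enough for a domain to create the node: creation also needs add_name/write on the /dev directory (device_t) and a type transition so the new node gets xconsole_device_t rather than device_t, and neither this interface nor its caller provides them. Style point: the separator above the new interface is one `#` shorter than the existing `########################################` lines.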


* [refpolicy] [PATCH 2/2] udev: optionally manage xserver console device
  2017-04-20 15:37 [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Guido Trentalancia
@ 2017-04-20 15:38 ` Guido Trentalancia
  2017-04-20 19:32   ` [refpolicy] [PATCH v2 2/2] udev: " Guido Trentalancia
  2017-04-20 16:40 ` [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Russell Coker
  1 sibling, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 15:38 UTC (permalink / raw)
  To: refpolicy

Modify the udev module so that the udev daemon can manage the
xserver console (usually /dev/xconsole).
 
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/udev.te |    1 +
 1 file changed, 1 insertion(+)

--- a/policy/modules/system/udev.te	2017-02-04 19:30:18.000000000 +0100
+++ b/policy/modules/system/udev.te	2017-04-18 19:17:15.057610123 +0200
@@ -338,5 +350,6 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_manage_console(udev_t)
 	xserver_read_xdm_pid(udev_t)
 ')
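Review bot: this only lets udev_t act on objects already labelled xconsole_device_t; a node created by udev under /dev receives device_t unless a filetrans rule to xconsole_device_t exists, so the "created by a udev rule" case from the cover text is not actually covered. The call also depends on the `xserver_manage_console` interface from 1/2, which the author later reports as broken in this thread, so the two patches need to be reviewed together.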


* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
  2017-04-20 15:37 [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Guido Trentalancia
  2017-04-20 15:38 ` [refpolicy] [PATCH 2/2] udev: optionally manage xserver console device Guido Trentalancia
@ 2017-04-20 16:40 ` Russell Coker
  2017-04-20 16:43   ` Guido Trentalancia
  1 sibling, 1 reply; 10+ messages in thread
From: Russell Coker @ 2017-04-20 16:40 UTC (permalink / raw)
  To: refpolicy

On Fri, 21 Apr 2017 01:37:20 AM Guido Trentalancia via refpolicy wrote:
> The xserver module contains two interfaces to handle the xconsole
> device (usually /dev/xconsole).
> 
> Unfortunately, it seems that the above mentioned interfaces use the
> wrong file type: fifo (named pipe) instead of character device.

Which distribution has it as a character device?  I've only ever seen it as a 
named pipe.

Here's a snippet from /etc/init.d/rsyslog on Debian/Unstable:

create_xconsole() {
        XCONSOLE=/dev/xconsole
        if [ "$(uname -s)" != "Linux" ]; then
                XCONSOLE=/run/xconsole
                ln -sf $XCONSOLE /dev/xconsole
        fi
        if [ ! -e $XCONSOLE ]; then
                mknod -m 640 $XCONSOLE p
                chown root:adm $XCONSOLE
                [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
        fi
}

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
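The disagreement above comes down to what kind of object /dev/xconsole actually is on a given system, because an SELinux allow rule names an object class (fifo_file, chr_file, ...) and silently stops matching if the class is wrong. The following script is an added example, not code from the thread or from refpolicy: it maps a path to the object class a rule on it must name using only POSIX test(1) operators, compares that with the class a policy rule expects, and demonstrates the check on a constructed pipe created the same way the quoted rsyslog snippet does it. The SELinux label line uses GNU `stat -c %C`, which prints `?` on hosts without SELinux; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the thread): report which SELinux object class a
# path on the running system needs, so a class change like "xconsole is
# chr_file, not fifo_file" can be checked before the policy is edited.

# Print the SELinux object class matching the file type of $1.
# Returns 1 and prints nothing if the path does not exist.
selinux_class_of() {
    f=$1
    if   [ -L "$f" ]; then echo lnk_file      # the symlink itself (the /run/xconsole layout)
    elif [ ! -e "$f" ]; then return 1
    elif [ -p "$f" ]; then echo fifo_file     # named pipe: mknod ... p / mkfifo
    elif [ -c "$f" ]; then echo chr_file      # character device
    elif [ -b "$f" ]; then echo blk_file      # block device
    elif [ -S "$f" ]; then echo sock_file     # unix socket
    elif [ -d "$f" ]; then echo dir
    else echo file                            # regular file
    fi
}

# Compare the class named in a policy rule with the object on disk.
# Returns 0 on match, 1 on mismatch, 2 if the object is absent.
check_policy_class() {
    path=$1
    expected=$2
    actual=$(selinux_class_of "$path") || return 2
    # Label is informational only; %C is GNU stat and prints '?' without SELinux.
    label=$(stat -c %C "$path" 2>/dev/null || echo unknown)
    if [ "$actual" = "$expected" ]; then
        echo "$path: $actual, context $label (matches policy rule)"
        return 0
    fi
    echo "$path: is $actual, context $label, but the policy rule names $expected" >&2
    return 1
}

# Demonstration on a constructed pipe made the way the quoted rsyslog script
# does it (mkfifo -m 640 is the portable form of 'mknod -m 640 ... p').
demo() {
    tmp=$(mktemp -d) || return 1
    mkfifo -m 640 "$tmp/xconsole"
    check_policy_class "$tmp/xconsole" fifo_file       # matches
    check_policy_class "$tmp/xconsole" chr_file || :   # reports the mismatch
    rm -rf "$tmp"
}

demo
# On a real host, check the node the xserver console rules are about.
if [ -e /dev/xconsole ] || [ -L /dev/xconsole ]; then
    check_policy_class /dev/xconsole fifo_file || :
fi
```

Run it as root or as any user that can stat /dev/xconsole; the exit status of `check_policy_class` is what a packaging or CI check would key on, the printed line is for the human reading the result.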


* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
  2017-04-20 16:40 ` [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Russell Coker
@ 2017-04-20 16:43   ` Guido Trentalancia
  2017-04-20 16:59     ` [refpolicy] [PATCH v2 1/2] xserver: manage the console device (named pipe) (was: [PATCH 1/2] xserver: console device is chr_file and not fifo_file) Guido Trentalancia
  2017-04-20 17:00     ` [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Russell Coker
  0 siblings, 2 replies; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 16:43 UTC (permalink / raw)
  To: refpolicy

Hello Russell.

Yes, I think you might be right...

I was now double-checking it and I think it is probably right as a named pipe as it was.

I think the manage interface can be corrected and kept.

Regards,

Guido

> On the 20th of April 2017 at 18.40 Russell Coker <russell@coker.com.au> wrote
> 
> 
> On Fri, 21 Apr 2017 01:37:20 AM Guido Trentalancia via refpolicy wrote:
> > The xserver module contains two interfaces to handle the xconsole
> > device (usually /dev/xconsole).
> > 
> > Unfortunately, it seems that the above mentioned interfaces use the
> > wrong file type: fifo (named pipe) instead of character device.
> 
> Which distribution has it as a character device?  I've only ever seen it as a 
> named pipe.
> 
> Here's a snippet from /etc/init.d/rsyslog on Debian/Unstable:
> 
> create_xconsole() {
>         XCONSOLE=/dev/xconsole
>         if [ "$(uname -s)" != "Linux" ]; then
>                 XCONSOLE=/run/xconsole
>                 ln -sf $XCONSOLE /dev/xconsole
>         fi
>         if [ ! -e $XCONSOLE ]; then
>                 mknod -m 640 $XCONSOLE p
>                 chown root:adm $XCONSOLE
>                 [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
>         fi
> }
> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH v2 1/2] xserver: manage the console device (named pipe) (was: [PATCH 1/2] xserver: console device is chr_file and not fifo_file)
  2017-04-20 16:43   ` Guido Trentalancia
@ 2017-04-20 16:59     ` Guido Trentalancia
  2017-04-20 17:00     ` [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Russell Coker
  1 sibling, 0 replies; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 16:59 UTC (permalink / raw)
  To: refpolicy

Introduce a new xserver interface to manage the xconsole named
pipe.

Thanks to Russell Coker for pointing out a wrong file type in
the previous version of this patch.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.if |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/policy/modules/services/xserver.if	2017-03-29 17:57:54.554386420 +0200
+++ b/policy/modules/services/xserver.if	2017-04-20 18:51:53.959794517 +0200
@@ -698,6 +698,25 @@ interface(`xserver_rw_console',`
 	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Manage the X windows console
+##	device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_console',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file manage_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      Create the X windows console named pipes.
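Review bot: the trailing context shows an existing interface, "Create the X windows console named pipes", directly below the insertion, so creation is already covered and the new manage interface overlaps it; the change should explain why manage is needed beyond create. The summary still says "console device" although the rule is on `fifo_file`, the separator is one `#` shorter than the surrounding ones, and the v1 labelling gap remains: a bare allow on xconsole_device_t does not let a caller create the pipe in /dev with that label.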


* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
  2017-04-20 16:43   ` Guido Trentalancia
  2017-04-20 16:59     ` [refpolicy] [PATCH v2 1/2] xserver: manage the console device (named pipe) (was: [PATCH 1/2] xserver: console device is chr_file and not fifo_file) Guido Trentalancia
@ 2017-04-20 17:00     ` Russell Coker
  2017-04-20 17:03       ` Guido Trentalancia
  1 sibling, 1 reply; 10+ messages in thread
From: Russell Coker @ 2017-04-20 17:00 UTC (permalink / raw)
  To: refpolicy

On Fri, 21 Apr 2017 02:43:26 AM Guido Trentalancia via refpolicy wrote:
> Yes, I think you might be right...
> 
> I was now double-checking it and I think it is probably right as a named
> pipe as it was.
> 
> I think the manage interface can be corrected and kept.

Why?

Does anyone have udev creating that pipe?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
  2017-04-20 17:00     ` [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file Russell Coker
@ 2017-04-20 17:03       ` Guido Trentalancia
  2017-04-20 17:20         ` Russell Coker
  0 siblings, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 17:03 UTC (permalink / raw)
  To: refpolicy

Hello.

I thought it could be useful. For example, I am creating it through a udev rule, because generally files under /dev are created that way.

I have noticed other people are creating it from rsyslog, but I decided to avoid doing that, because I think it is not a very general solution.

Anyway, if you want to skip the two patches, that's fine, they are not particularly important...

Regards,

Guido

> On the 20th of April 2017 at 19.00 Russell Coker <russell@coker.com.au> wrote:
> 
> 
> On Fri, 21 Apr 2017 02:43:26 AM Guido Trentalancia via refpolicy wrote:
> > Yes, I think you might be right...
> > 
> > I was now double-checking it and I think it is probably right as a named
> > pipe as it was.
> > 
> > I think the manage interface can be corrected and kept.
> 
> Why?
> 
> Does anyone have udev creating that pipe?
> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
  2017-04-20 17:03       ` Guido Trentalancia
@ 2017-04-20 17:20         ` Russell Coker
  2017-04-20 17:46           ` Guido Trentalancia
  0 siblings, 1 reply; 10+ messages in thread
From: Russell Coker @ 2017-04-20 17:20 UTC (permalink / raw)
  To: refpolicy

On Fri, 21 Apr 2017 03:03:16 AM Guido Trentalancia via refpolicy wrote:
> I thought it can be useful. For example, I am creating it through a udev
> rule, because generally files under /dev are created that way.
> 
> I have noticed other people are creating it from rsyslog, but I decided to
> avoid doing that, because I think it is not a very general solution.

The syslogd (whether rsyslog or another) is going to be the only program 
writing to it, so it doesn't make much sense to have anything else create it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file
  2017-04-20 17:20         ` Russell Coker
@ 2017-04-20 17:46           ` Guido Trentalancia
  0 siblings, 0 replies; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 17:46 UTC (permalink / raw)
  To: refpolicy

Hello.

The point is that as it is, this patch is still broken.

The new xserver interface is not needed and it should be replaced by three new devices interfaces to be called from the udev module (one for creating a generic "fifo_file" device and two for relabeling from/to).

I have already submitted several patches and they are still pending; also, I am not sure whether these two patches are really needed for wider, general use. If Christopher says that they might turn out to be useful for wider, general use, then I can fix them. Otherwise we just drop the two patches.

The idea was that the pipe could be created independently of the specific syslog daemon, so that you do not need to patch every syslog daemon you install (in the sense of patching each syslog daemon init script or whatever).

Regards,

Guido

> On the 20th of April 2017 at 19.20 Russell Coker <russell@coker.com.au> wrote:
> 
> 
> On Fri, 21 Apr 2017 03:03:16 AM Guido Trentalancia via refpolicy wrote:
> > I thought it can be useful. For example, I am creating it through a udev
> > rule, because generally files under /dev are created that way.
> > 
> > I have noticed other people are creating it from rsyslog, but I decided to
> > avoid doing that, because I think it is not a very general solution.
> 
> The syslogd (whether rsyslog or another) is going to be the only program 
> writing to it, so it doesn't make much sense to have anything else create it.
> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH v2 2/2] udev: manage xserver console device
  2017-04-20 15:38 ` [refpolicy] [PATCH 2/2] udev: optionally manage xserver console device Guido Trentalancia
@ 2017-04-20 19:32   ` Guido Trentalancia
  0 siblings, 0 replies; 10+ messages in thread
From: Guido Trentalancia @ 2017-04-20 19:32 UTC (permalink / raw)
  To: refpolicy

Modify the udev module so that the udev daemon can manage the
xserver console device (a named pipe, usually /dev/xconsole).

I have posted a new version of this patch for the sake of not
leaving incomplete patches around on the list.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   19 +++++++++++++++++++
 policy/modules/system/udev.te    |    2 ++
 2 files changed, 21 insertions(+)

--- a/policy/modules/kernel/devices.if	2016-12-27 16:37:59.000000000 +0100
+++ b/policy/modules/kernel/devices.if	2017-04-20 21:24:58.110629406 +0200
@@ -406,6 +406,25 @@ interface(`dev_manage_generic_files',`
 	manage_files_pattern($1, device_t, device_t)
 ')
 
+#######################################
+## <summary>
+##	Create a fifo file in the device
+##	directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_fifo_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	manage_fifo_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit getattr on generic pipes.
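Review bot: the summary says "Create a fifo file" but the interface name and `manage_fifo_files_pattern` grant full manage (read, write, setattr, rename, unlink) on every fifo labelled device_t, far more than creation; either narrow the rule to a create pattern or make the summary say "Manage" so callers know what they are granting. The separator above the new interface is again one `#` shorter than the existing lines.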
--- a/policy/modules/system/udev.te	2017-02-04 19:30:18.000000000 +0100
+++ b/policy/modules/system/udev.te	2017-04-20 21:24:39.203629483 +0200
@@ -104,6 +104,8 @@ corecmd_exec_all_executables(udev_t)
 
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
+# create /dev/xconsole
+dev_manage_generic_fifo_files(udev_t)
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 dev_search_usbfs(udev_t)
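Review bot: nothing in this version references xconsole_device_t, so the pipe udev creates stays labelled device_t and the syslog daemon's existing `xserver_rw_console` rule (fifo_file on xconsole_device_t) will not match it until something relabels it; the relabelfrom/relabelto interfaces the author mentions earlier in this thread are not in the patch, and the `# create /dev/xconsole` comment should state that the node is created with the generic device label.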
