All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.
@ 2017-12-06 14:38 David Sugar
  2017-12-06 15:06 ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: David Sugar @ 2017-12-06 14:38 UTC (permalink / raw)
  To: refpolicy

Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e70046db..3a435abf 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`

 ########################################
 ## <summary>
+##     Write to inherited  xsession log
+##     files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_write_inherited_xsession_log',`
+       gen_require(`
+               type xsession_log_t;
+       ')
+
+       allow $1 xsession_log_t:file { append write };
+')
+
+
+########################################
+## <summary>
 ##      Read and write xsession log
 ##      files such as .xsession-errors.
 ## </summary>
@@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`

 ########################################
 ## <summary>
+##     Write to inherited X server log
+##  files like /var/log/lightdm/lightdm.log
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_write_inherited_log',`
+       gen_require(`
+               type xserver_log_t;
+       ')
+
+       allow $1 xserver_log_t:file { append write };
+')
+
+########################################
+## <summary>
 ##      Get the attributes of X server logs.
 ## </summary>
 ## <param name="domain">
--
2.13.6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20171206/370dca14/attachment.html 

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.
  2017-12-06 14:38 [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files David Sugar
@ 2017-12-06 15:06 ` Dominick Grift
  2017-12-06 18:19   ` David Sugar
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2017-12-06 15:06 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 06, 2017 at 02:38:49PM +0000, David Sugar via refpolicy wrote:
> Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>

These are just suggestions, I will leave it up to others to make any final judgement but:

i would probably introduce a "write_inherited_file_perms" object permission set to "policy/support/obj_perm_sets.spt":

define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')

then use that to create:

########################################
## <summary>
##  Write inherited xserver xsession log files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`xserver_write_inherited_xsession_log_files',`
    gen_require(`
        type xsession_log_t;
    ')

    allow $1 xsession_log_t:file write_inherited_file_perms;
')

and:

########################################
## <summary>
##  Write inherited xserver log files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`xserver_write_inherited_log_files',`
    gen_require(`
        type xserver_log_t;
    ')

    allow $1 xserver_log_t:file write_inherited_file_perms;
')

> ---
>  policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
> 
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e70046db..3a435abf 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
> 
>  ########################################
>  ## <summary>
> +##     Write to inherited  xsession log
> +##     files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_xsession_log',`
> +       gen_require(`
> +               type xsession_log_t;
> +       ')
> +
> +       allow $1 xsession_log_t:file { append write };
> +')
> +
> +
> +########################################
> +## <summary>
>  ##      Read and write xsession log
>  ##      files such as .xsession-errors.
>  ## </summary>
> @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
> 
>  ########################################
>  ## <summary>
> +##     Write to inherited X server log
> +##  files like /var/log/lightdm/lightdm.log
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_log',`
> +       gen_require(`
> +               type xserver_log_t;
> +       ')
> +
> +       allow $1 xserver_log_t:file { append write };
> +')
> +
> +########################################
> +## <summary>
>  ##      Get the attributes of X server logs.
>  ## </summary>
>  ## <param name="domain">
> --
> 2.13.6

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171206/8c8335de/attachment.bin 

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.
  2017-12-06 15:06 ` Dominick Grift
@ 2017-12-06 18:19   ` David Sugar
  0 siblings, 0 replies; 3+ messages in thread
From: David Sugar @ 2017-12-06 18:19 UTC (permalink / raw)
  To: refpolicy



> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Wednesday, December 06, 2017 10:06 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1-v2] Create interfaces to write
> xserver log files.
> 
> On Wed, Dec 06, 2017 at 02:38:49PM +0000, David Sugar via refpolicy
> wrote:
> > Add interfaces to grant write only access to inherited xserver_log_t
> and xsession_log_t files.
> >
> > Signed-off-by: Dave Sugar <dsugar@tresys.com>
> 
> These are just suggestions, I will leave it up to others to make any
> final judgement but:
> 
> i would probably introduce a "write_inherited_file_perms" object
> permission set to "policy/support/obj_perm_sets.spt":
> 
> define(`write_inherited_file_perms',`{ getattr write append lock ioctl
> }')
> 
> then use that to create:
> 
> ########################################
> ## <summary>
> ##  Write inherited xserver xsession log files.
> ## </summary>
> ## <param name="domain">
> ##  <summary>
> ##  Domain allowed access.
> ##  </summary>
> ## </param>
> #
> interface(`xserver_write_inherited_xsession_log_files',`
>     gen_require(`
>         type xsession_log_t;
>     ')
> 
>     allow $1 xsession_log_t:file write_inherited_file_perms;
> ')
> 
> and:
> 
> ########################################
> ## <summary>
> ##  Write inherited xserver log files.
> ## </summary>
> ## <param name="domain">
> ##  <summary>
> ##  Domain allowed access.
> ##  </summary>
> ## </param>
> #
> interface(`xserver_write_inherited_log_files',`
>     gen_require(`
>         type xserver_log_t;
>     ')
> 
>     allow $1 xserver_log_t:file write_inherited_file_perms;
> ')

Yes, this seems reasonable.  I will resubmit this patch with that recommendation taken into account.

Thanks for the feedback.

> > ---
> >  policy/modules/services/xserver.if | 39
> > ++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 39 insertions(+)
> >
> > diff --git a/policy/modules/services/xserver.if
> > b/policy/modules/services/xserver.if
> > index e70046db..3a435abf 100644
> > --- a/policy/modules/services/xserver.if
> > +++ b/policy/modules/services/xserver.if
> > @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
> >
> >  ########################################
> >  ## <summary>
> > +##     Write to inherited  xsession log
> > +##     files such as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed access.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`xserver_write_inherited_xsession_log',`
> > +       gen_require(`
> > +               type xsession_log_t;
> > +       ')
> > +
> > +       allow $1 xsession_log_t:file { append write };
> > +')
> > +
> > +
> > +########################################
> > +## <summary>
> >  ##      Read and write xsession log
> >  ##      files such as .xsession-errors.
> >  ## </summary>
> > @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
> >
> >  ########################################
> >  ## <summary>
> > +##     Write to inherited X server log
> > +##  files like /var/log/lightdm/lightdm.log ## </summary> ## <param
> > +name="domain">
> > +##     <summary>
> > +##     Domain allowed access.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`xserver_write_inherited_log',`
> > +       gen_require(`
> > +               type xserver_log_t;
> > +       ')
> > +
> > +       allow $1 xserver_log_t:file { append write };
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##      Get the attributes of X server logs.
> >  ## </summary>
> >  ## <param name="domain">
> > --
> > 2.13.6
> 
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-12-06 18:19 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-06 14:38 [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files David Sugar
2017-12-06 15:06 ` Dominick Grift
2017-12-06 18:19   ` David Sugar

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.