* [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs
@ 2016-12-20 15:28 Guido Trentalancia
  2016-12-20 15:30 ` [refpolicy] [PATCH 2/2] contrib: support the new " Guido Trentalancia
  2016-12-21 19:17 ` [refpolicy] [PATCH 1/2] xserver: introduce new fc and " Chris PeBenito
  0 siblings, 2 replies; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-20 15:28 UTC
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and a new interface to manage them
(instead of allowing to manage the whole user home content
files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc  |    2 ++
 policy/modules/services/xserver.if  |   23 +++++++++++++++++++++--
 policy/modules/system/userdomain.if |    4 ++++
 3 files changed, 27 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-20 15:57:50.236936839 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
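
Review bot: The added `HOME_DIR/\.xsession-errors` entry labels the file `xsession_log_t`, but the diffstat touches only xserver.fc, xserver.if and userdomain.if, so nothing in this patch declares that type. Unless `xsession_log_t` already exists in xserver.te, add the `type` declaration and its file-type attribute call in the same patch. Also, the neighbouring entries end in `.*` while this one matches the exact name only; say in the commit message whether that is intended.
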
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
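
Review bot: The `/tmp/xses-USER` entry only takes effect when something relabels the file; a file created in /tmp at login gets its type from the type transition rules of the creating domain, and this patch adds none for `xsession_log_t`. State in the commit message which program creates the file and how it ends up with this label, or add the transition. The same question applies to `HOME_DIR/\.xsession-errors` in the hunk above.
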
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if	2016-12-20 15:52:16.985406349 +0100
@@ -308,7 +308,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_manage_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
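
Review bot: In `xserver_user_client`, the removed line was a `dontaudit`, so X clients were previously denied write access to `.xsession-errors` without an audit record; the replacement `xserver_manage_xsession_log($1)` grants `manage_file_perms`, which also covers create, unlink and rename. A client writing to an existing log needs write or append at most, so a narrower interface fits this call site and the identical change in `xserver_user_x_domain_template` in the next hunk.
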
@@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_manage_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
@@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
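
Review bot: `xserver_manage_xsession_log` grants only `xsession_log_t:file manage_file_perms`, with no search permission on the directories that hold the file. The two call sites changed earlier in this file happen to call `userdom_search_user_home_dirs` just before it, but other callers will not, and nothing covers /tmp for `/tmp/xses-USER`. Consider adding the directory search calls inside the interface so it is usable on its own, and say in the `<summary>` that the access includes create, delete and rename.
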
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if	2016-12-20 15:52:17.003406594 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
 	allow userdomain $1:fd use;
 	allow userdomain $1:fifo_file rw_file_perms;
 	allow userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(userdomain)
 ')
 
 ########################################
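
Review bot: The added `xserver_manage_xsession_log(userdomain)` does not use `$1`, so it is not part of what the interface named in the hunk header grants to its caller; every call of that interface just repeats the same rule for the `userdomain` attribute. It belongs in userdomain.te, wrapped in `optional_policy` since it calls into the xserver module, rather than inside an interface body. The next hunk has the same problem with `unpriv_userdomain`.
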
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
 	allow unpriv_userdomain $1:fd use;
 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(unpriv_userdomain)
 ')
 
 #######################################


* [refpolicy] [PATCH 2/2] contrib: support the new interface to manage X session logs
  2016-12-20 15:28 [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs Guido Trentalancia
@ 2016-12-20 15:30 ` Guido Trentalancia
  2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
  2016-12-21 19:17 ` [refpolicy] [PATCH 1/2] xserver: introduce new fc and " Chris PeBenito
  1 sibling, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-20 15:30 UTC
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and a new interface to manage them
(instead of allowing to manage the whole user home content
files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

This second part (tackling the contrib policy) requires the
following recently posted xscreensaver patch:

[PATCH 1/2] xscreensaver: update the module so that it can be
effectively used
http://oss.tresys.com/pipermail/refpolicy/2016-December/008789.html

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/dbus.te         |    1 +
 policy/modules/contrib/gnome.te        |    5 +++++
 policy/modules/contrib/wm.te           |    1 +
 policy/modules/contrib/xscreensaver.te |    6 +++++-
 4 files changed, 12 insertions(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te	2016-12-17 17:29:33.783306242 +0100
+++ b/policy/modules/contrib/dbus.te	2016-12-20 15:58:17.132302476 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
 term_use_all_terms(session_bus_type)
 
 optional_policy(`
+	xserver_manage_xsession_log(session_bus_type)
 	xserver_use_xdm_fds(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
 ')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te	2016-12-07 13:39:50.014910721 +0100
+++ b/policy/modules/contrib/gnome.te	2016-12-20 16:00:46.655335209 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
 userdom_use_user_terminals(gnomedomain)
 
 optional_policy(`
+	xserver_manage_xsession_log(gnomedomain)
 	xserver_rw_xdm_pipes(gnomedomain)
 	xserver_use_xdm_fds(gnomedomain)
 ')
@@ -145,3 +146,7 @@ optional_policy(`
 optional_policy(`
 	telepathy_mission_control_read_state(gkeyringd_domain)
 ')
+
+optional_policy(`
+	xserver_manage_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te	2016-12-17 17:29:33.856307127 +0100
+++ b/policy/modules/contrib/wm.te	2016-12-20 15:53:56.875764348 +0100
@@ -128,4 +128,5 @@ optional_policy(`
 
 optional_policy(`
 	xserver_dbus_chat_xdm(wm_domain)
+	xserver_manage_xsession_log(wm_domain)
 ')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te	2016-12-20 16:03:13.740334792 +0100
+++ b/policy/modules/contrib/xscreensaver.te	2016-12-20 16:03:00.817159110 +0100
@@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
 userdom_use_user_terminals(xscreensaver_t)
 userdom_read_user_home_content_files(xscreensaver_t)
 
-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+	xserver_manage_xsession_log(xscreensaver_t)
+	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
 
 ########################################
 #
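
Review bot: The explicit `xserver_manage_xsession_log(xscreensaver_t)` is redundant: patch 1/2 makes `xserver_user_x_domain_template` call `xserver_manage_xsession_log($2)`, and `$2` is `xscreensaver_t` in the template call on the next line. Drop the added call and keep only the template.
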
@@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper
 miscfiles_read_localization(xscreensaver_helper_t)
 
 optional_policy(`
+	xserver_manage_xsession_log(xscreensaver_helper_t)
 	xserver_stream_connect(xscreensaver_helper_t)
 ')


* [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-20 15:28 [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs Guido Trentalancia
  2016-12-20 15:30 ` [refpolicy] [PATCH 2/2] contrib: support the new " Guido Trentalancia
@ 2016-12-21 19:17 ` Chris PeBenito
  2016-12-21 19:25   ` Guido Trentalancia
  2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
  1 sibling, 2 replies; 22+ messages in thread
From: Chris PeBenito @ 2016-12-21 19:17 UTC
  To: refpolicy

On 12/20/16 10:28, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and a new interface to manage them
> (instead of allowing to manage the whole user home content
> files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc  |    2 ++
>  policy/modules/services/xserver.if  |   23 +++++++++++++++++++++--
>  policy/modules/system/userdomain.if |    4 ++++
>  3 files changed, 27 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-20 15:57:50.236936839 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>
>  #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>  /tmp/\.X11-unix/.*	-s	<<none>>
> +/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
>
>  #
>  # /usr
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if	2016-12-20 15:52:16.985406349 +0100
> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>
>  	userdom_search_user_home_dirs($1)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($1)
> +	xserver_manage_xsession_log($1)
>
>  	xserver_ro_session($1,$2)
>  	xserver_use_user_fonts($1)
> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>
>  	userdom_search_user_home_dirs($2)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($2)
> +	xserver_manage_xsession_log($2)
>
>  	xserver_ro_session($2,$3)
>  	xserver_use_user_fonts($2)

Is the manage access really necessary?  Doesn't it simply write/append? 
I don't think they need to delete the file.  And if the file doesn't 
exist, who is creating it?


> @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
>  ')
>
>  ########################################
> +## <summary>
> +##	Manage xsession log files such
> +##	as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Get the attributes of X server logs.
>  ## </summary>
> diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> --- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
> +++ b/policy/modules/system/userdomain.if	2016-12-20 15:52:17.003406594 +0100
> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
>  	allow userdomain $1:fd use;
>  	allow userdomain $1:fifo_file rw_file_perms;
>  	allow userdomain $1:process sigchld;
> +
> +	xserver_manage_xsession_log(userdomain)
>  ')
>
>  ########################################
> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
>  	allow unpriv_userdomain $1:fd use;
>  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
>  	allow unpriv_userdomain $1:process sigchld;
> +
> +	xserver_manage_xsession_log(unpriv_userdomain)
>  ')
>
>  #######################################



-- 
Chris PeBenito


* [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-21 19:17 ` [refpolicy] [PATCH 1/2] xserver: introduce new fc and " Chris PeBenito
@ 2016-12-21 19:25   ` Guido Trentalancia
  2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
  1 sibling, 0 replies; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-21 19:25 UTC
  To: refpolicy

Hello! 

Yes, you are right, I'll fix the patch as soon as possible. 

It is created by Xsession running as user_t.

Thanks for spotting this. 

How about the other patch for xscreensaver? 

Regards, 

Guido 

On 21 December 2016 20:17:07 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/20/16 10:28, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and a new interface to manage them
>> (instead of allowing to manage the whole user home content
>> files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.fc  |    2 ++
>>  policy/modules/services/xserver.if  |   23 +++++++++++++++++++++--
>>  policy/modules/system/userdomain.if |    4 ++++
>>  3 files changed, 27 insertions(+), 2 deletions(-)
>>
>> diff -pru a/policy/modules/services/xserver.fc
>b/policy/modules/services/xserver.fc
>> --- a/policy/modules/services/xserver.fc	2016-12-04
>16:54:51.229586958 +0100
>> +++ b/policy/modules/services/xserver.fc	2016-12-20
>15:57:50.236936839 +0100
>> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>>  HOME_DIR/\.ICEauthority.*
>--	gen_context(system_u:object_r:iceauth_home_t,s0)
>> 
>HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>
>+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>> 
>HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>
>>  #
>> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>>  /tmp/\.X11-unix/.*	-s	<<none>>
>> +/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
>>
>>  #
>>  # /usr
>> diff -pru a/policy/modules/services/xserver.if
>b/policy/modules/services/xserver.if
>> --- a/policy/modules/services/xserver.if	2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.if	2016-12-20
>15:52:16.985406349 +0100
>> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>>
>>  	userdom_search_user_home_dirs($1)
>>  	# for .xsession-errors
>> -	userdom_dontaudit_write_user_home_content_files($1)
>> +	xserver_manage_xsession_log($1)
>>
>>  	xserver_ro_session($1,$2)
>>  	xserver_use_user_fonts($1)
>> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>>
>>  	userdom_search_user_home_dirs($2)
>>  	# for .xsession-errors
>> -	userdom_dontaudit_write_user_home_content_files($2)
>> +	xserver_manage_xsession_log($2)
>>
>>  	xserver_ro_session($2,$3)
>>  	xserver_use_user_fonts($2)
>
>Is the manage access really necessary?  Doesn't it simply write/append?
>
>I don't think they need to delete the file.  And if the file doesn't 
>exist, who is creating it?
>
>
>> @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
>>  ')
>>
>>  ########################################
>> +## <summary>
>> +##	Manage xsession log files such
>> +##	as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xserver_manage_xsession_log',`
>> +	gen_require(`
>> +		type xsession_log_t;
>> +	')
>> +
>> +	allow $1 xsession_log_t:file manage_file_perms;
>> +')
>> +
>> +########################################
>>  ## <summary>
>>  ##	Get the attributes of X server logs.
>>  ## </summary>
>> diff -pru a/policy/modules/system/userdomain.if
>b/policy/modules/system/userdomain.if
>> --- a/policy/modules/system/userdomain.if	2016-12-17
>17:29:27.030224492 +0100
>> +++ b/policy/modules/system/userdomain.if	2016-12-20
>15:52:17.003406594 +0100
>> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
>>  	allow userdomain $1:fd use;
>>  	allow userdomain $1:fifo_file rw_file_perms;
>>  	allow userdomain $1:process sigchld;
>> +
>> +	xserver_manage_xsession_log(userdomain)
>>  ')
>>
>>  ########################################
>> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
>>  	allow unpriv_userdomain $1:fd use;
>>  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
>>  	allow unpriv_userdomain $1:process sigchld;
>> +
>> +	xserver_manage_xsession_log(unpriv_userdomain)
>>  ')
>>
>>  #######################################


* [refpolicy] [PATCH v2 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-21 19:17 ` [refpolicy] [PATCH 1/2] xserver: introduce new fc and " Chris PeBenito
  2016-12-21 19:25   ` Guido Trentalancia
@ 2016-12-21 23:05   ` Guido Trentalancia
  2016-12-22 21:01     ` Chris PeBenito
  1 sibling, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-21 23:05 UTC
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

This second version of the patch correctly uses file type
transitions and uses more tight permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc  |    2 +
 policy/modules/services/xserver.if  |   61 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/userdomain.if |    4 ++
 policy/modules/system/userdomain.te |    5 ++
 4 files changed, 70 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-21 23:00:47.701952737 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if	2016-12-21 23:38:56.279462999 +0100
@@ -308,7 +308,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
@@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
@@ -567,6 +567,25 @@ interface(`xserver_user_home_dir_filetra
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
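
Review bot: `xserver_user_home_dir_filetrans_user_xsession_log` sets up a named transition for `.xsession-errors` in the home directory only, so the `/tmp/xses-USER` path added in xserver.fc still has no transition, and a named transition cannot express a per-user file name. Say how that file gets `xsession_log_t` at creation time or drop its file context. The `<summary>` should also state that the interface sets up a type transition, since it contains no `allow` rule of its own on `xsession_log_t`.
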
@@ -982,6 +1001,44 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
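
Review bot: `xserver_rw_xsession_log` grants `rw_file_perms`, which includes read and open, so every X client that gets this interface can read what other programs wrote to the session log. For a log sink, append access is enough; consider an append-only interface for the client call sites in `xserver_user_client` and `xserver_user_x_domain_template`, and keep `xserver_manage_xsession_log` for the domain that creates the file.
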
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if	2016-12-21 23:22:29.270461027 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
 	allow userdomain $1:fd use;
 	allow userdomain $1:fifo_file rw_file_perms;
 	allow userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(userdomain)
 ')
 
 ########################################
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
 	allow unpriv_userdomain $1:fd use;
 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(unpriv_userdomain)
 ')
 
 #######################################
diff -pru a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
--- a/policy/modules/system/userdomain.te	2016-12-17 17:29:27.031224504 +0100
+++ b/policy/modules/system/userdomain.te	2016-12-21 23:36:18.826707902 +0100
@@ -128,3 +128,8 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+
+optional_policy(`
+	xserver_user_home_dir_filetrans_user_xsession_log(userdomain)
+	xserver_user_home_dir_filetrans_user_xsession_log(unpriv_userdomain)
+')
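
Review bot: The two added calls sit in `optional_policy` here, while the `xserver_manage_xsession_log(...)` calls this patch adds to userdomain.if are unconditional; both call into the xserver module, so they should be treated the same way. Moving the manage calls from userdomain.if into this block would fix that and keep attribute-wide rules out of an interface body. If `unpriv_userdomain` is a subset of `userdomain`, the second line is redundant.
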


* [refpolicy] [PATCH v2 2/2] contrib: support the new interface to manage X session logs
  2016-12-20 15:30 ` [refpolicy] [PATCH 2/2] contrib: support the new " Guido Trentalancia
@ 2016-12-21 23:05   ` Guido Trentalancia
  2016-12-22 15:15     ` [refpolicy] [PATCH v3 " Guido Trentalancia
  0 siblings, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-21 23:05 UTC
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

This second version of the patch correctly uses file type
transitions and uses more tight permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/dbus.te         |    1 +
 policy/modules/contrib/gnome.te        |    5 +++++
 policy/modules/contrib/wm.te           |    1 +
 policy/modules/contrib/xscreensaver.te |    6 +++++-
 4 files changed, 12 insertions(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te	2016-12-17 17:29:33.783306242 +0100
+++ b/policy/modules/contrib/dbus.te	2016-12-21 23:09:40.905896241 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
 term_use_all_terms(session_bus_type)
 
 optional_policy(`
+	xserver_rw_xsession_log(session_bus_type)
 	xserver_use_xdm_fds(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
 ')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te	2016-12-07 13:39:50.014910721 +0100
+++ b/policy/modules/contrib/gnome.te	2016-12-21 23:09:48.452980365 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
 userdom_use_user_terminals(gnomedomain)
 
 optional_policy(`
+	xserver_rw_xsession_log(gnomedomain)
 	xserver_rw_xdm_pipes(gnomedomain)
 	xserver_use_xdm_fds(gnomedomain)
 ')
@@ -145,3 +146,7 @@ optional_policy(`
 optional_policy(`
 	telepathy_mission_control_read_state(gkeyringd_domain)
 ')
+
+optional_policy(`
+	xserver_rw_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te	2016-12-17 17:29:33.856307127 +0100
+++ b/policy/modules/contrib/wm.te	2016-12-21 23:09:43.970930405 +0100
@@ -128,4 +128,5 @@ optional_policy(`
 
 optional_policy(`
 	xserver_dbus_chat_xdm(wm_domain)
+	xserver_rw_xsession_log(wm_domain)
 ')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te	2016-12-21 23:00:22.415670877 +0100
+++ b/policy/modules/contrib/xscreensaver.te	2016-12-21 23:09:51.201010999 +0100
@@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
 userdom_use_user_terminals(xscreensaver_t)
 userdom_read_user_home_content_files(xscreensaver_t)
 
-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+	xserver_rw_xsession_log(xscreensaver_t)
+	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
 
 ########################################
 #
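
Review bot: Moving `xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)` into `optional_policy` turns a hard dependency on the xserver module into an optional one, which is unrelated to X session logging and is not mentioned in the commit message. Explain it there or split it into its own patch. The added `xserver_rw_xsession_log(xscreensaver_t)` also duplicates what the template grants to `$2` after patch 1/2 of this version.
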
@@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper
 miscfiles_read_localization(xscreensaver_helper_t)
 
 optional_policy(`
+	xserver_rw_xsession_log(xscreensaver_helper_t)
 	xserver_stream_connect(xscreensaver_helper_t)
 ')


* [refpolicy] [PATCH v3 2/2] contrib: support the new interface to manage X session logs
  2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
@ 2016-12-22 15:15     ` Guido Trentalancia
  2016-12-28 18:26       ` Chris PeBenito
  0 siblings, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-22 15:15 UTC
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

This third version adds the logging capability to the
openoffice module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/dbus.te         |    1 +
 policy/modules/contrib/gnome.te        |    5 +++++
 policy/modules/contrib/openoffice.te   |    1 +
 policy/modules/contrib/wm.te           |    1 +
 policy/modules/contrib/xscreensaver.te |    6 +++++-
 5 files changed, 13 insertions(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te	2016-12-17 17:29:33.783306242 +0100
+++ b/policy/modules/contrib/dbus.te	2016-12-22 16:03:21.181221496 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
 term_use_all_terms(session_bus_type)
 
 optional_policy(`
+	xserver_rw_xsession_log(session_bus_type)
 	xserver_use_xdm_fds(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
 ')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te	2016-12-07 13:39:50.014910721 +0100
+++ b/policy/modules/contrib/gnome.te	2016-12-22 16:03:21.181221496 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
 userdom_use_user_terminals(gnomedomain)
 
 optional_policy(`
+	xserver_rw_xsession_log(gnomedomain)
 	xserver_rw_xdm_pipes(gnomedomain)
 	xserver_use_xdm_fds(gnomedomain)
 ')
@@ -145,3 +146,7 @@ optional_policy(`
 optional_policy(`
 	telepathy_mission_control_read_state(gkeyringd_domain)
 ')
+
+optional_policy(`
+	xserver_rw_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
--- a/policy/modules/contrib/openoffice.te	2016-12-17 17:29:33.837306897 +0100
+++ b/policy/modules/contrib/openoffice.te	2016-12-22 16:04:01.945714059 +0100
@@ -113,6 +113,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_rw_xsession_log(ooffice_t)
 	xserver_read_user_iceauth(ooffice_t)
 	xserver_read_user_xauth(ooffice_t)
 	xserver_read_xdm_tmp_files(ooffice_t)
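
Review bot: Style: the new `xserver_rw_xsession_log(ooffice_t)` is inserted at the top of the `optional_policy` block, ahead of the `xserver_read_*` calls that follow in alphabetical order. Place it after `xserver_read_xdm_tmp_files(ooffice_t)`, or wherever it sorts among the rest of the block, which this hunk does not show.
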
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te	2016-12-17 17:29:33.856307127 +0100
+++ b/policy/modules/contrib/wm.te	2016-12-22 16:03:21.182221508 +0100
@@ -128,4 +128,5 @@ optional_policy(`
 
 optional_policy(`
 	xserver_dbus_chat_xdm(wm_domain)
+	xserver_rw_xsession_log(wm_domain)
 ')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te	2016-12-22 16:03:10.938097722 +0100
+++ b/policy/modules/contrib/xscreensaver.te	2016-12-22 16:03:21.182221508 +0100
@@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
 userdom_use_user_terminals(xscreensaver_t)
 userdom_read_user_home_content_files(xscreensaver_t)
 
-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+	xserver_rw_xsession_log(xscreensaver_t)
+	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')
 
 ########################################
 #
@@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper
 miscfiles_read_localization(xscreensaver_helper_t)
 
 optional_policy(`
+	xserver_rw_xsession_log(xscreensaver_helper_t)
 	xserver_stream_connect(xscreensaver_helper_t)
 ')


* [refpolicy] [PATCH v2 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
@ 2016-12-22 21:01     ` Chris PeBenito
  2016-12-22 21:49       ` [refpolicy] [PATCH v3 " Guido Trentalancia
  0 siblings, 1 reply; 22+ messages in thread
From: Chris PeBenito @ 2016-12-22 21:01 UTC (permalink / raw)
  To: refpolicy

On 12/21/16 18:05, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> This second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc  |    2 +
>  policy/modules/services/xserver.if  |   61 ++++++++++++++++++++++++++++++++++--
>  policy/modules/system/userdomain.if |    4 ++
>  policy/modules/system/userdomain.te |    5 ++
>  4 files changed, 70 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-21 23:00:47.701952737 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>
>  #
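
Review bot: The new HOME_DIR/\.xsession-errors entry matches only that exact
file name, while the neighbouring entries (\.xauth.*, \.Xauthority.*) carry a
.* suffix. If rotated or backup copies of the log are meant to carry
xsession_log_t as well, the pattern needs the same suffix; if the exact match
is intentional, say so in the commit message.
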
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>  /tmp/\.X11-unix/.*	-s	<<none>>
> +/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
>
>  #
>  # /usr
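
Review bot: The /tmp/xses-USER entry only takes effect when the file is
relabelled. The series adds a named type transition for the home directory
(xserver_user_home_dir_filetrans_user_xsession_log) but nothing equivalent
for /tmp, so a log created there at login would not get xsession_log_t until
it is relabelled. Either add a matching transition for /tmp or document that
this entry relies on relabelling.
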
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if	2016-12-21 23:38:56.279462999 +0100
> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>
>  	userdom_search_user_home_dirs($1)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($1)
> +	xserver_rw_xsession_log($1)
>
>  	xserver_ro_session($1,$2)
>  	xserver_use_user_fonts($1)
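
Review bot: In xserver_user_client the removed line was a dontaudit on
writes, so this hunk turns a silently denied access into an allow with
rw_file_perms for every caller of the interface, and the commit message
should state that. Since callers only need to add lines to the log, consider
an append-only interface here so that one client cannot read or rewrite what
another one logged.
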
> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>
>  	userdom_search_user_home_dirs($2)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($2)
> +	xserver_rw_xsession_log($2)
>
>  	xserver_ro_session($2,$3)
>  	xserver_use_user_fonts($2)
> @@ -567,6 +567,25 @@ interface(`xserver_user_home_dir_filetra
>
>  ########################################
>  ## <summary>
> +##	Create a .xsession-errors log
> +##	file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
>  ##	Read all users fonts, user font configurations,
>  ##	and manage all users font caches.
>  ## </summary>
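
Review bot: The summary of xserver_user_home_dir_filetrans_user_xsession_log
says "Create a .xsession-errors log file", but the body only calls
userdom_user_home_dir_filetrans() with the name ".xsession-errors", i.e. it
sets up the named type transition. Word the summary as a type transition and
note that the permissions on the resulting file come from
xserver_rw_xsession_log or xserver_manage_xsession_log.
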
> @@ -982,6 +1001,44 @@ interface(`xserver_xsession_spec_domtran
>  ')
>
>  ########################################
> +## <summary>
> +##	Read and write xsession log
> +##	files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage xsession log files such
> +##	as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Get the attributes of X server logs.
>  ## </summary>
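
Review bot: Both new interfaces gen_require type xsession_log_t, yet the
diffstat of this patch lists only xserver.fc, xserver.if, userdomain.if and
userdomain.te. If xsession_log_t is not already declared in xserver.te, the
declaration has to be part of this patch, otherwise these interfaces and the
new .fc entries refer to an undefined type.
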
> diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> --- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
> +++ b/policy/modules/system/userdomain.if	2016-12-21 23:22:29.270461027 +0100
> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
>  	allow userdomain $1:fd use;
>  	allow userdomain $1:fifo_file rw_file_perms;
>  	allow userdomain $1:process sigchld;
> +
> +	xserver_manage_xsession_log(userdomain)
>  ')
>
>  ########################################
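
Review bot: The added xserver_manage_xsession_log(userdomain) in
userdom_spec_domtrans_all_users does not use $1, so the grant is unrelated to
the caller of this interface and is emitted only as a side effect of some
module calling it. It also hands manage permissions to the whole userdomain
attribute. A rule like this should live where the X-using user domain is
passed in as an argument, not in a domain-transition interface.
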
> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
>  	allow unpriv_userdomain $1:fd use;
>  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
>  	allow unpriv_userdomain $1:process sigchld;
> +
> +	xserver_manage_xsession_log(unpriv_userdomain)
>  ')
>
>  #######################################
> diff -pru a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> --- a/policy/modules/system/userdomain.te	2016-12-17 17:29:27.031224504 +0100
> +++ b/policy/modules/system/userdomain.te	2016-12-21 23:36:18.826707902 +0100
> @@ -128,3 +128,8 @@ files_poly(user_runtime_t)
>  files_poly_member(user_runtime_t)
>  files_poly_parent(user_runtime_t)
>  ubac_constrained(user_runtime_t)
> +
> +optional_policy(`
> +	xserver_user_home_dir_filetrans_user_xsession_log(userdomain)
> +	xserver_user_home_dir_filetrans_user_xsession_log(unpriv_userdomain)
> +')

I think this belongs in xserver_role(), so only the specific user 
domains get the access.  If they can't use the X server, they don't need 
the file transition either.


-- 
Chris PeBenito


* [refpolicy] [PATCH v3 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-22 21:01     ` Chris PeBenito
@ 2016-12-22 21:49       ` Guido Trentalancia
  2016-12-23  7:34         ` Jason Zaman
  0 siblings, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-22 21:49 UTC (permalink / raw)
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

This third version simply moves some interface calls.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc  |    2 +
 policy/modules/services/xserver.if  |   64 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/userdomain.if |    4 ++
 3 files changed, 68 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-22 22:32:52.810210037 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if	2016-12-22 22:36:21.456185928 +0100
@@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	# for the .xsession-errors log file
+	xserver_user_home_dir_filetrans_user_xsession_log($2)
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
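
Review bot: Only the named type transition is added to
xserver_restricted_role here, while the matching xserver_manage_xsession_log
grant is still made on userdomain and unpriv_userdomain in userdomain.if.
Putting xserver_manage_xsession_log($2) next to this call would tie both the
transition and the file permissions to the role's own user domain.
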
@@ -308,7 +311,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
@@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
@@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
@@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if	2016-12-22 22:32:52.811210052 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
 	allow userdomain $1:fd use;
 	allow userdomain $1:fifo_file rw_file_perms;
 	allow userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(userdomain)
 ')
 
 ########################################
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
 	allow unpriv_userdomain $1:fd use;
 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(unpriv_userdomain)
 ')
 
 #######################################
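
Review bot: xserver_manage_xsession_log(unpriv_userdomain) is called from
userdomain.if without an optional_policy wrapper, so the userdomain module
now depends unconditionally on the xserver module. The contrib half of the
series wraps its calls to the new interface in optional_policy; the same is
needed here if the call stays in this file.
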


* [refpolicy] [PATCH v3 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-22 21:49       ` [refpolicy] [PATCH v3 " Guido Trentalancia
@ 2016-12-23  7:34         ` Jason Zaman
  2016-12-23 15:44           ` [refpolicy] [PATCH v4 " Guido Trentalancia
  0 siblings, 1 reply; 22+ messages in thread
From: Jason Zaman @ 2016-12-23  7:34 UTC (permalink / raw)
  To: refpolicy

On Thu, Dec 22, 2016 at 10:49:52PM +0100, Guido Trentalancia via refpolicy wrote:
> +/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)

Can this use the new %{USERNAME}, they are less confusing and USER is
deprecated now in favour of those new ones.

-- Jason


* [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-23  7:34         ` Jason Zaman
@ 2016-12-23 15:44           ` Guido Trentalancia
  2016-12-27 15:28             ` Chris PeBenito
  0 siblings, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-23 15:44 UTC (permalink / raw)
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version simply moves some interface calls.

This fourth version introduces the new template for
username-dependent file contexts.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc  |    2 +
 policy/modules/services/xserver.if  |   64 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/userdomain.if |    4 ++
 3 files changed, 68 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-22 22:32:52.810210037 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if	2016-12-22 22:36:21.456185928 +0100
@@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	# for the .xsession-errors log file
+	xserver_user_home_dir_filetrans_user_xsession_log($2)
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
@@ -308,7 +311,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
@@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
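
Review bot: The comment above the changed line in
xserver_user_x_domain_template still reads "# for .xsession-errors", but
xsession_log_t now also covers /tmp/xses-%{USERNAME} per the xserver.fc hunk
of this patch. Update the comment so that it names the type or both paths.
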
@@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
@@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if	2016-12-22 22:32:52.811210052 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
 	allow userdomain $1:fd use;
 	allow userdomain $1:fifo_file rw_file_perms;
 	allow userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(userdomain)
 ')
 
 ########################################
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
 	allow unpriv_userdomain $1:fd use;
 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
+
+	xserver_manage_xsession_log(unpriv_userdomain)
 ')
 
 #######################################


* [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-23 15:44           ` [refpolicy] [PATCH v4 " Guido Trentalancia
@ 2016-12-27 15:28             ` Chris PeBenito
  2016-12-27 20:00               ` Guido Trentalancia
  2016-12-27 20:01               ` [refpolicy] [PATCH v5 " Guido Trentalancia
  0 siblings, 2 replies; 22+ messages in thread
From: Chris PeBenito @ 2016-12-27 15:28 UTC (permalink / raw)
  To: refpolicy

On 12/23/16 10:44, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver, openoffice).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> This fourth version introduces the new template for
> username-dependent file contexts.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc  |    2 +
>  policy/modules/services/xserver.if  |   64 ++++++++++++++++++++++++++++++++++--
>  policy/modules/system/userdomain.if |    4 ++
>  3 files changed, 68 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-22 22:32:52.810210037 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>
>  #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>  /tmp/\.X11-unix/.*	-s	<<none>>
> +/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
>
>  #
>  # /usr
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if	2016-12-22 22:36:21.456185928 +0100
> @@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
>  	# Needed for escd, remove if we get escd policy
>  	xserver_manage_xdm_tmp_files($2)
>
> +	# for the .xsession-errors log file
> +	xserver_user_home_dir_filetrans_user_xsession_log($2)
> +
>  	# Client write xserver shm
>  	tunable_policy(`allow_write_xshm',`
>  		allow $2 xserver_t:shm rw_shm_perms;
> @@ -308,7 +311,7 @@ interface(`xserver_user_client',`
>
>  	userdom_search_user_home_dirs($1)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($1)
> +	xserver_rw_xsession_log($1)
>
>  	xserver_ro_session($1,$2)
>  	xserver_use_user_fonts($1)
> @@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
>
>  	userdom_search_user_home_dirs($2)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($2)
> +	xserver_rw_xsession_log($2)
>
>  	xserver_ro_session($2,$3)
>  	xserver_use_user_fonts($2)
> @@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
>
>  ########################################
>  ## <summary>
> +##	Create a .xsession-errors log
> +##	file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
>  ##	Read all users fonts, user font configurations,
>  ##	and manage all users font caches.
>  ## </summary>
> @@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
>  ')
>
>  ########################################
> +## <summary>
> +##	Read and write xsession log
> +##	files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage xsession log files such
> +##	as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Get the attributes of X server logs.
>  ## </summary>
> diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> --- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492 +0100
> +++ b/policy/modules/system/userdomain.if	2016-12-22 22:32:52.811210052 +0100
> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
>  	allow userdomain $1:fd use;
>  	allow userdomain $1:fifo_file rw_file_perms;
>  	allow userdomain $1:process sigchld;
> +
> +	xserver_manage_xsession_log(userdomain)
>  ')
>
>  ########################################
> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
>  	allow unpriv_userdomain $1:fd use;
>  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
>  	allow unpriv_userdomain $1:process sigchld;
> +
> +	xserver_manage_xsession_log(unpriv_userdomain)
>  ')
>
>  #######################################

I think you misunderstood.  The rule should be in xserver_role() and 
then only apply to $2 so only the specific xserver-using roles have access.

-- 
Chris PeBenito


* [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-27 15:28             ` Chris PeBenito
@ 2016-12-27 20:00               ` Guido Trentalancia
  2016-12-27 20:01               ` [refpolicy] [PATCH v5 " Guido Trentalancia
  1 sibling, 0 replies; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-27 20:00 UTC (permalink / raw)
  To: refpolicy

Hello.

Please find my reply at the bottom of quoted text...

> On the 27th of December 2016 at 16.28 Chris PeBenito <pebenito@ieee.org>
> wrote:
> 
> 
> On 12/23/16 10:44, Guido Trentalancia via refpolicy wrote:
> > The following patch (split in two parts, one for base and
> > another one for contrib) introduces a new file context for
> > the X session log files and two new interfaces to manage
> > them (instead of allowing to manage the whole user home
> > content files).
> >
> > It is required after the recent confinement of graphical
> > desktop components (e.g. wm, xscreensaver, openoffice).
> >
> > The second version of the patch correctly uses file type
> > transitions and uses more tight permissions.
> >
> > The third version simply moves some interface calls.
> >
> > This fourth version introduces the new template for
> > username-dependent file contexts.
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/services/xserver.fc  |    2 +
> >  policy/modules/services/xserver.if  |   64
> > ++++++++++++++++++++++++++++++++++--
> >  policy/modules/system/userdomain.if |    4 ++
> >  3 files changed, 68 insertions(+), 2 deletions(-)
> >
> > diff -pru a/policy/modules/services/xserver.fc
> > b/policy/modules/services/xserver.fc
> > --- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
> > +++ b/policy/modules/services/xserver.fc	2016-12-22 22:32:52.810210037 +0100
> > @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
> >  HOME_DIR/\.ICEauthority.* --
> > gen_context(system_u:object_r:iceauth_home_t,s0)
> >  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> >  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> > +HOME_DIR/\.xsession-errors	--
> > gen_context(system_u:object_r:xsession_log_t,s0)
> >  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> >
> >  #
> > @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
> >  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
> >  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
> >  /tmp/\.X11-unix/.*	-s	<<none>>
> > +/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
> >
> >  #
> >  # /usr
> > diff -pru a/policy/modules/services/xserver.if
> > b/policy/modules/services/xserver.if
> > --- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
> > +++ b/policy/modules/services/xserver.if	2016-12-22 22:36:21.456185928 +0100
> > @@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
> >  	# Needed for escd, remove if we get escd policy
> >  	xserver_manage_xdm_tmp_files($2)
> >
> > +	# for the .xsession-errors log file
> > +	xserver_user_home_dir_filetrans_user_xsession_log($2)
> > +
> >  	# Client write xserver shm
> >  	tunable_policy(`allow_write_xshm',`
> >  		allow $2 xserver_t:shm rw_shm_perms;
> > @@ -308,7 +311,7 @@ interface(`xserver_user_client',`
> >
> >  	userdom_search_user_home_dirs($1)
> >  	# for .xsession-errors
> > -	userdom_dontaudit_write_user_home_content_files($1)
> > +	xserver_rw_xsession_log($1)
> >
> >  	xserver_ro_session($1,$2)
> >  	xserver_use_user_fonts($1)
> > @@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
> >
> >  	userdom_search_user_home_dirs($2)
> >  	# for .xsession-errors
> > -	userdom_dontaudit_write_user_home_content_files($2)
> > +	xserver_rw_xsession_log($2)
> >
> >  	xserver_ro_session($2,$3)
> >  	xserver_use_user_fonts($2)
> > @@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
> >
> >  ########################################
> >  ## <summary>
> > +##	Create a .xsession-errors log
> > +##	file in the user home directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> > +	gen_require(`
> > +		type xsession_log_t;
> > +	')
> > +
> > +	userdom_user_home_dir_filetrans($1, xsession_log_t, file,
> > ".xsession-errors")
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Read all users fonts, user font configurations,
> >  ##	and manage all users font caches.
> >  ## </summary>
> > @@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
> >  ')
> >
> >  ########################################
> > +## <summary>
> > +##	Read and write xsession log
> > +##	files such as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xserver_rw_xsession_log',`
> > +	gen_require(`
> > +		type xsession_log_t;
> > +	')
> > +
> > +	allow $1 xsession_log_t:file rw_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Manage xsession log files such
> > +##	as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xserver_manage_xsession_log',`
> > +	gen_require(`
> > +		type xsession_log_t;
> > +	')
> > +
> > +	allow $1 xsession_log_t:file manage_file_perms;
> > +')
> > +
> > +########################################
> >  ## <summary>
> >  ##	Get the attributes of X server logs.
> >  ## </summary>
> > diff -pru a/policy/modules/system/userdomain.if
> > b/policy/modules/system/userdomain.if
> > --- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492
> > +0100
> > +++ b/policy/modules/system/userdomain.if	2016-12-22 22:32:52.811210052
> > +0100
> > @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
> >  	allow userdomain $1:fd use;
> >  	allow userdomain $1:fifo_file rw_file_perms;
> >  	allow userdomain $1:process sigchld;
> > +
> > +	xserver_manage_xsession_log(userdomain)
> >  ')
> >
> >  ########################################
> > @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
> >  	allow unpriv_userdomain $1:fd use;
> >  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
> >  	allow unpriv_userdomain $1:process sigchld;
> > +
> > +	xserver_manage_xsession_log(unpriv_userdomain)
> >  ')
> >
> >  #######################################
> 
> I think you misunderstood.  The rule should be in xserver_role() and 
> then only apply to $2 so only the specific xserver-using roles have access.

The reason I have moved the file transition to the xserver_role_restricted()
interface instead of to the xserver_role_template() interface is that the
xserver_role_template() interface calls xserver_role_restricted(). Restricted
X users should also be able to rw xsession log files, don't you think so? I am
quite sure you would agree with me on this...

That said, I can only suspect you meant that I should also move the actual log
file management permission interface from userdomain to the xserver role
template... I am preparing a patch which also adds this latter change.

Regards,

Guido


* [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-27 15:28             ` Chris PeBenito
  2016-12-27 20:00               ` Guido Trentalancia
@ 2016-12-27 20:01               ` Guido Trentalancia
  2016-12-28 18:32                 ` Chris PeBenito
  1 sibling, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-27 20:01 UTC (permalink / raw)
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

This fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    2 +
 policy/modules/services/xserver.if |   65 +++++++++++++++++++++++++++++++++++--
 2 files changed, 65 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc
b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-27 20:49:18.146188976 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
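Review bot: the new `HOME_DIR/\.xsession-errors` entry matches only that exact name, while the neighbouring entries (`\.xauth.*`, `\.Xauthority.*`, `\.ICEauthority.*`) carry a `.*` suffix. If a rotated or backup copy such as `.xsession-errors.old` is meant to be labelled xsession_log_t as well, the pattern needs a suffix; if not, a short comment saying the exact match is intentional would help, since the named file transition in xserver.if is also tied to the exact name.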
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
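Review bot: `/tmp/xses-%{USERNAME}` gets an fc entry here, but nothing in the xserver.if changes adds a matching file type transition for /tmp; only the home directory case is covered by xserver_user_home_dir_filetrans_user_xsession_log. A file created at this path at run time would keep whatever type the creating domain's /tmp transition gives it until it is relabelled. Either add a tmp filetrans interface alongside the home one, or note in the commit message that this entry only takes effect on relabel.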
diff -pru a/policy/modules/services/xserver.if
b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if	2016-12-27 20:50:25.904039759 +0100
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	# for the .xsession-errors log file
+	xserver_user_home_dir_filetrans_user_xsession_log($2)
+	xserver_manage_xsession_log($2)
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
@@ -308,7 +312,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
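Review bot: `xserver_rw_xsession_log($1)` gives every X client read and write on the shared session log, where the line it replaces only silenced write denials. rw_file_perms lets one client read or overwrite what another client logged; if clients only need to add lines, an append-only interface would be the tighter grant for this call site.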
@@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
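Review bot: removing `userdom_dontaudit_write_user_home_content_files($2)` from the template also removes the dontaudit for every domain built from it. If any of those domains writes to a log that is still labelled as generic home content (an .xsession-errors created before a relabel, for instance), the denials will now be audited. State in the commit message that this is expected and that existing home directories need a relabel.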
@@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
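Review bot: the summary says the interface creates the .xsession-errors file, but the body only calls userdom_user_home_dir_filetrans() to set up the named type transition; in this patch the file permissions come from the separate `xserver_manage_xsession_log($2)` call in xserver_restricted_role. Reword the summary along the lines of "Create objects in user home directories with the xsession log type" so callers do not assume this interface is sufficient by itself.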
@@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
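Review bot: all three new interfaces gen_require `type xsession_log_t;`, but the diffstat for this version lists only xserver.fc and xserver.if, so nothing in the patch declares the type. Add an xserver.te hunk with the type declaration, otherwise the interfaces and the two fc entries refer to an undefined type.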


* [refpolicy] [PATCH v3 2/2] contrib: support the new interface to manage X session logs
  2016-12-22 15:15     ` [refpolicy] [PATCH v3 " Guido Trentalancia
@ 2016-12-28 18:26       ` Chris PeBenito
  2016-12-28 19:05         ` Guido Trentalancia
  2016-12-28 19:44         ` [refpolicy] [PATCH v4 " Guido Trentalancia
  0 siblings, 2 replies; 22+ messages in thread
From: Chris PeBenito @ 2016-12-28 18:26 UTC (permalink / raw)
  To: refpolicy

On 12/22/16 10:15, Guido Trentalancia via refpolicy wrote:
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te	2016-12-22 16:03:10.938097722 +0100
> +++ b/policy/modules/contrib/xscreensaver.te	2016-12-22 16:03:21.182221508 +0100
> @@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
>  userdom_use_user_terminals(xscreensaver_t)
>  userdom_read_user_home_content_files(xscreensaver_t)
>
> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +optional_policy(`
> +	xserver_rw_xsession_log(xscreensaver_t)
> +	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +')
>
>  ########################################
>  #

I didn't notice this before, but why would xserver be optional for 
xscreensaver?

-- 
Chris PeBenito


* [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-27 20:01               ` [refpolicy] [PATCH v5 " Guido Trentalancia
@ 2016-12-28 18:32                 ` Chris PeBenito
  2016-12-28 19:02                   ` Guido Trentalancia
  2016-12-28 19:43                   ` [refpolicy] [PATCH v6 " Guido Trentalancia
  0 siblings, 2 replies; 22+ messages in thread
From: Chris PeBenito @ 2016-12-28 18:32 UTC (permalink / raw)
  To: refpolicy

On 12/27/16 15:01, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> The fourth version introduces the new template for
> username-dependent file contexts.
>
> This fifth version moves other interface calls thanks to
> further revisions from Christopher PeBenito (the corresponding
> contrib policy part remains unchanged at version 4).

I was going to merge this, but missed previously that xsession_log_t 
isn't ever declared in this patch.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    2 +
>  policy/modules/services/xserver.if |   65 +++++++++++++++++++++++++++++++++++--
>  2 files changed, 65 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc
> b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-27 20:49:18.146188976 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>
>  #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>  /tmp/\.X11-unix/.*	-s	<<none>>
> +/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
>
>  #
>  # /usr
> diff -pru a/policy/modules/services/xserver.if
> b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if	2016-12-27 20:50:25.904039759 +0100
> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
>  	# Needed for escd, remove if we get escd policy
>  	xserver_manage_xdm_tmp_files($2)
>
> +	# for the .xsession-errors log file
> +	xserver_user_home_dir_filetrans_user_xsession_log($2)
> +	xserver_manage_xsession_log($2)
> +
>  	# Client write xserver shm
>  	tunable_policy(`allow_write_xshm',`
>  		allow $2 xserver_t:shm rw_shm_perms;
> @@ -308,7 +312,7 @@ interface(`xserver_user_client',`
>
>  	userdom_search_user_home_dirs($1)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($1)
> +	xserver_rw_xsession_log($1)
>
>  	xserver_ro_session($1,$2)
>  	xserver_use_user_fonts($1)
> @@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template
>
>  	userdom_search_user_home_dirs($2)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($2)
> +	xserver_rw_xsession_log($2)
>
>  	xserver_ro_session($2,$3)
>  	xserver_use_user_fonts($2)
> @@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra
>
>  ########################################
>  ## <summary>
> +##	Create a .xsession-errors log
> +##	file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
>  ##	Read all users fonts, user font configurations,
>  ##	and manage all users font caches.
>  ## </summary>
> @@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran
>  ')
>
>  ########################################
> +## <summary>
> +##	Read and write xsession log
> +##	files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage xsession log files such
> +##	as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Get the attributes of X server logs.
>  ## </summary>
>


-- 
Chris PeBenito


* [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-28 18:32                 ` Chris PeBenito
@ 2016-12-28 19:02                   ` Guido Trentalancia
  2016-12-28 19:43                   ` [refpolicy] [PATCH v6 " Guido Trentalancia
  1 sibling, 0 replies; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-28 19:02 UTC (permalink / raw)
  To: refpolicy

Yes, thanks for telling me. 

Eventually the small diff for xserver.te got lost while working on multiple development trees...

I'll forward a revised patch in a few minutes. 

Regards, 

Guido 

On the 28th of December 2016 19:32:13 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/27/16 15:01, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and two new interfaces to manage
>> them (instead of allowing to manage the whole user home
>> content files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> The second version of the patch correctly uses file type
>> transitions and uses more tight permissions.
>>
>> The third version simply moves some interface calls.
>>
>> The fourth version introduces the new template for
>> username-dependent file contexts.
>>
>> This fifth version moves other interface calls thanks to
>> further revisions from Christopher PeBenito (the corresponding
>> contrib policy part remains unchanged at version 4).
>
>I was going to merge this, but missed previously that xsession_log_t 
>isn't ever declared in this patch.
>
>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.fc |    2 +
>>  policy/modules/services/xserver.if |   65
>+++++++++++++++++++++++++++++++++++--
>>  2 files changed, 65 insertions(+), 2 deletions(-)
>>
>> diff -pru a/policy/modules/services/xserver.fc
>> b/policy/modules/services/xserver.fc
>> --- a/policy/modules/services/xserver.fc	2016-12-04
>16:54:51.229586958 +0100
>> +++ b/policy/modules/services/xserver.fc	2016-12-27
>20:49:18.146188976 +0100
>> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>>  HOME_DIR/\.ICEauthority.*
>--	gen_context(system_u:object_r:iceauth_home_t,s0)
>> 
>HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>
>+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>> 
>HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>
>>  #
>> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>>  /tmp/\.X11-unix/.*	-s	<<none>>
>>
>+/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
>>
>>  #
>>  # /usr
>> diff -pru a/policy/modules/services/xserver.if
>> b/policy/modules/services/xserver.if
>> --- a/policy/modules/services/xserver.if	2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.if	2016-12-27
>20:50:25.904039759 +0100
>> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
>>  	# Needed for escd, remove if we get escd policy
>>  	xserver_manage_xdm_tmp_files($2)
>>
>> +	# for the .xsession-errors log file
>> +	xserver_user_home_dir_filetrans_user_xsession_log($2)
>> +	xserver_manage_xsession_log($2)
>> +
>>  	# Client write xserver shm
>>  	tunable_policy(`allow_write_xshm',`
>>  		allow $2 xserver_t:shm rw_shm_perms;
>> @@ -308,7 +312,7 @@ interface(`xserver_user_client',`
>>
>>  	userdom_search_user_home_dirs($1)
>>  	# for .xsession-errors
>> -	userdom_dontaudit_write_user_home_content_files($1)
>> +	xserver_rw_xsession_log($1)
>>
>>  	xserver_ro_session($1,$2)
>>  	xserver_use_user_fonts($1)
>> @@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template
>>
>>  	userdom_search_user_home_dirs($2)
>>  	# for .xsession-errors
>> -	userdom_dontaudit_write_user_home_content_files($2)
>> +	xserver_rw_xsession_log($2)
>>
>>  	xserver_ro_session($2,$3)
>>  	xserver_use_user_fonts($2)
>> @@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra
>>
>>  ########################################
>>  ## <summary>
>> +##	Create a .xsession-errors log
>> +##	file in the user home directory.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
>> +	gen_require(`
>> +		type xsession_log_t;
>> +	')
>> +
>> +	userdom_user_home_dir_filetrans($1, xsession_log_t, file,
>".xsession-errors")
>> +')
>> +
>> +########################################
>> +## <summary>
>>  ##	Read all users fonts, user font configurations,
>>  ##	and manage all users font caches.
>>  ## </summary>
>> @@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran
>>  ')
>>
>>  ########################################
>> +## <summary>
>> +##	Read and write xsession log
>> +##	files such as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xserver_rw_xsession_log',`
>> +	gen_require(`
>> +		type xsession_log_t;
>> +	')
>> +
>> +	allow $1 xsession_log_t:file rw_file_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Manage xsession log files such
>> +##	as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xserver_manage_xsession_log',`
>> +	gen_require(`
>> +		type xsession_log_t;
>> +	')
>> +
>> +	allow $1 xsession_log_t:file manage_file_perms;
>> +')
>> +
>> +########################################
>>  ## <summary>
>>  ##	Get the attributes of X server logs.
>>  ## </summary>
>>


* [refpolicy] [PATCH v3 2/2] contrib: support the new interface to manage X session logs
  2016-12-28 18:26       ` Chris PeBenito
@ 2016-12-28 19:05         ` Guido Trentalancia
  2016-12-28 19:44         ` [refpolicy] [PATCH v4 " Guido Trentalancia
  1 sibling, 0 replies; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-28 19:05 UTC (permalink / raw)
  To: refpolicy

Hello. 

There isn't a specific reason for not explicitly creating the dependence of xscreensaver on xserver, so it can surely be improved that way.

Regards, 

Guido 

On 28 December 2016 19:26:00 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/22/16 10:15, Guido Trentalancia via refpolicy wrote:
>> diff -pru a/policy/modules/contrib/xscreensaver.te
>b/policy/modules/contrib/xscreensaver.te
>> --- a/policy/modules/contrib/xscreensaver.te	2016-12-22
>16:03:10.938097722 +0100
>> +++ b/policy/modules/contrib/xscreensaver.te	2016-12-22
>16:03:21.182221508 +0100
>> @@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
>>  userdom_use_user_terminals(xscreensaver_t)
>>  userdom_read_user_home_content_files(xscreensaver_t)
>>
>> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t,
>xscreensaver_tmpfs_t)
>> +optional_policy(`
>> +	xserver_rw_xsession_log(xscreensaver_t)
>> +	xserver_user_x_domain_template(xscreensaver, xscreensaver_t,
>xscreensaver_tmpfs_t)
>> +')
>>
>>  ########################################
>>  #
>
>I didn't notice this before, but why would xserver be optional for 
>xscreensaver?


* [refpolicy] [PATCH v6 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-28 18:32                 ` Chris PeBenito
  2016-12-28 19:02                   ` Guido Trentalancia
@ 2016-12-28 19:43                   ` Guido Trentalancia
  2016-12-30 19:15                     ` Chris PeBenito
  1 sibling, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-28 19:43 UTC (permalink / raw)
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

This sixth version adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.

The corresponding base policy patch is at version 4.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    2 +
 policy/modules/services/xserver.if |   65 +++++++++++++++++++++++++++++++++++--
 policy/modules/services/xserver.te |    3 +
 3 files changed, 68 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-28 20:24:50.195390393 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if	2016-12-20 17:14:22.191440529 +0100
+++ b/policy/modules/services/xserver.if	2016-12-28 20:24:50.196390406 +0100
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	# for the .xsession-errors log file
+	xserver_user_home_dir_filetrans_user_xsession_log($2)
+	xserver_manage_xsession_log($2)
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
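Review bot: the comment above the two new calls mentions only the .xsession-errors file, while xserver.fc in this patch also labels /tmp/xses-%{USERNAME} as xsession_log_t, so `xserver_manage_xsession_log($2)` covers both. Update the comment to say so, and consider whether restricted roles need the full manage set (which includes unlink and rename) or only create plus read/write.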
@@ -307,7 +311,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
@@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
@@ -1000,6 +1023,44 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
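Review bot: xserver_rw_xsession_log and xserver_manage_xsession_log allow only `xsession_log_t:file` permissions and say nothing about the containing directory. xserver_user_client and the template pair the call with userdom_search_user_home_dirs(), but a caller that uses these interfaces alone gets no search access to the home directory or to /tmp from them. Either state that requirement in the interface summaries or add the search call inside the interfaces.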
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-28 20:29:17.898062418 +0100
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
 
+type xsession_log_t;
+userdom_user_home_content(xsession_log_t)
+
 # Type for the X server log file.
 type xserver_log_t;
 logging_log_file(xserver_log_t)
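Review bot: the new `type xsession_log_t;` has no comment, unlike the `# Type for the X server log file.` line just below it, and it is marked only with userdom_user_home_content() even though xserver.fc in this patch also assigns it to /tmp/xses-%{USERNAME}. Add a one-line comment describing the type and say whether using a home-content type for a file under /tmp is intended.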


* [refpolicy] [PATCH v4 2/2] contrib: support the new interface to manage X session logs
  2016-12-28 18:26       ` Chris PeBenito
  2016-12-28 19:05         ` Guido Trentalancia
@ 2016-12-28 19:44         ` Guido Trentalancia
  2016-12-30 19:15           ` Chris PeBenito
  1 sibling, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2016-12-28 19:44 UTC (permalink / raw)
  To: refpolicy

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version adds the logging capability to the
openoffice module.

This fourth version explicitly makes xscreensaver dependent
on the xserver module.

The corresponding base policy patch is at version 6.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/dbus.te         |    1 +
 policy/modules/contrib/gnome.te        |    5 +++++
 policy/modules/contrib/openoffice.te   |    1 +
 policy/modules/contrib/wm.te           |    1 +
 policy/modules/contrib/xscreensaver.te |    6 +++---
 5 files changed, 11 insertions(+), 3 deletions(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te	2016-12-22 23:12:59.377081677 +0100
+++ b/policy/modules/contrib/dbus.te	2016-12-28 20:24:54.385446098 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
 term_use_all_terms(session_bus_type)
 
 optional_policy(`
+	xserver_rw_xsession_log(session_bus_type)
 	xserver_use_xdm_fds(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
 ')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te	2016-12-27 22:41:15.522602035 +0100
+++ b/policy/modules/contrib/gnome.te	2016-12-28 20:24:54.386446112 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
 userdom_use_user_terminals(gnomedomain)
 
 optional_policy(`
+	xserver_rw_xsession_log(gnomedomain)
 	xserver_rw_xdm_pipes(gnomedomain)
 	xserver_use_xdm_fds(gnomedomain)
 ')
@@ -145,3 +146,7 @@ optional_policy(`
 optional_policy(`
 	telepathy_mission_control_read_state(gkeyringd_domain)
 ')
+
+optional_policy(`
+	xserver_rw_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
--- a/policy/modules/contrib/openoffice.te	2016-12-27 22:41:15.522602035 +0100
+++ b/policy/modules/contrib/openoffice.te	2016-12-28 20:24:54.386446112 +0100
@@ -131,6 +131,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_rw_xsession_log(ooffice_t)
 	xserver_read_user_iceauth(ooffice_t)
 	xserver_read_user_xauth(ooffice_t)
 	xserver_read_xdm_tmp_files(ooffice_t)
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te	2016-12-27 22:41:15.543602334 +0100
+++ b/policy/modules/contrib/wm.te	2016-12-28 20:24:54.387446125 +0100
@@ -132,4 +132,5 @@ optional_policy(`
 
 optional_policy(`
 	xserver_dbus_chat_xdm(wm_domain)
+	xserver_rw_xsession_log(wm_domain)
 ')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te	2016-12-22 00:49:56.960049501 +0100
+++ b/policy/modules/contrib/xscreensaver.te	2016-12-28 20:32:01.742240850 +0100
@@ -58,6 +58,7 @@ miscfiles_read_localization(xscreensaver
 userdom_use_user_terminals(xscreensaver_t)
 userdom_read_user_home_content_files(xscreensaver_t)
 
+xserver_rw_xsession_log(xscreensaver_t)
 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
 
 ########################################
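Review bot: `xserver_rw_xsession_log(xscreensaver_t)` looks redundant here, because the base patch makes xserver_user_x_domain_template() call xserver_rw_xsession_log($2) and the very next line invokes that template with xscreensaver_t as its second argument. Dropping the explicit call keeps the access defined in one place.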
@@ -86,6 +87,5 @@ fs_dontaudit_getattr_xattr_fs(xscreensav
 miscfiles_read_fonts(xscreensaver_helper_t)
 miscfiles_read_localization(xscreensaver_helper_t)
 
-optional_policy(`
-	xserver_stream_connect(xscreensaver_helper_t)
-')
+xserver_rw_xsession_log(xscreensaver_helper_t)
+xserver_stream_connect(xscreensaver_helper_t)
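Review bot: with the optional_policy wrapper removed, the xserver calls for xscreensaver_helper_t become a hard module dependency, while dbus.te, gnome.te, openoffice.te and wm.te in this same patch keep theirs inside optional_policy. Add a comment above these two lines saying that xscreensaver requires the xserver module, so the asymmetry is not later undone by re-wrapping the calls.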


* [refpolicy] [PATCH v6 1/2] xserver: introduce new fc and interface to manage X session logs
  2016-12-28 19:43                   ` [refpolicy] [PATCH v6 " Guido Trentalancia
@ 2016-12-30 19:15                     ` Chris PeBenito
  0 siblings, 0 replies; 22+ messages in thread
From: Chris PeBenito @ 2016-12-30 19:15 UTC (permalink / raw)
  To: refpolicy

On 12/28/16 14:43, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> The second version of the patch correctly uses file type
> transitions and uses tighter permissions.
>
> The third version simply moves some interface calls.
>
> The fourth version introduces the new template for
> username-dependent file contexts.
>
> The fifth version moves other interface calls thanks to
> further revisions from Christopher PeBenito (the corresponding
> contrib policy part remains unchanged at version 4).
>
> This sixth version adds the missing diff relative to the
> xserver.te policy file to declare the new xsession_log_t type.
>
> The corresponding base policy patch is at version 4.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    2 +
>  policy/modules/services/xserver.if |   65 +++++++++++++++++++++++++++++++++++--
>  policy/modules/services/xserver.te |    3 +
>  3 files changed, 68 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-28 20:24:50.195390393 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>
>  #
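Review bot: The new HOME_DIR/\.xsession-errors entry matches only that exact file name, while the neighbouring entries (\.serverauth.*, \.xauth.*, \.Xauthority.*) all end in .* to cover suffixed variants. If a session script keeps a rotated or backup copy next to the log, that copy keeps the default home content label and falls outside xserver_rw_xsession_log and xserver_manage_xsession_log. If exact matching is intended, a short comment saying so would help; otherwise consider \.xsession-errors.* here and check that the named type transition in xserver.if still covers the names that are actually created.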
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>  /tmp/\.X11-unix/.*	-s	<<none>>
> +/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
>
>  #
>  # /usr
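Review bot: The /tmp/xses-%{USERNAME} entry assigns xsession_log_t to a file in /tmp, but nothing in this patch adds a type transition for /tmp; the only transition interface introduced is xserver_user_home_dir_filetrans_user_xsession_log, which covers the home directory. A file context entry is applied by relabeling tools, not at file creation, so a freshly created /tmp/xses-<user> will get the creating domain's default tmp type and the new rw/manage interfaces will not apply to it. Suggest adding a named tmp transition for the domain that creates this file. Also, xsession_log_t is declared in xserver.te only with userdom_user_home_content(), so please confirm that this declaration is sufficient for a file that lives in /tmp.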
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if	2016-12-20 17:14:22.191440529 +0100
> +++ b/policy/modules/services/xserver.if	2016-12-28 20:24:50.196390406 +0100
> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
>  	# Needed for escd, remove if we get escd policy
>  	xserver_manage_xdm_tmp_files($2)
>
> +	# for the .xsession-errors log file
> +	xserver_user_home_dir_filetrans_user_xsession_log($2)
> +	xserver_manage_xsession_log($2)
> +
>  	# Client write xserver shm
>  	tunable_policy(`allow_write_xshm',`
>  		allow $2 xserver_t:shm rw_shm_perms;
> @@ -307,7 +311,7 @@ interface(`xserver_user_client',`
>
>  	userdom_search_user_home_dirs($1)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($1)
> +	xserver_rw_xsession_log($1)
>
>  	xserver_ro_session($1,$2)
>  	xserver_use_user_fonts($1)
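Review bot: Replacing the dontaudit under the "# for .xsession-errors" comment with xserver_rw_xsession_log($1) assumes the log already carries the xsession_log_t label. On a system updated in place, an existing ~/.xsession-errors keeps its previous home content label until it is relabeled, and with the dontaudit removed each X client write to it will be denied and audited. Suggest stating in the commit message that home directories need relabeling after the update, or keeping the dontaudit next to the new call for a transition period. The same applies to the identical change in the xserver_user_x_domain_template hunk that follows.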
> @@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template
>
>  	userdom_search_user_home_dirs($2)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($2)
> +	xserver_rw_xsession_log($2)
>
>  	xserver_ro_session($2,$3)
>  	xserver_use_user_fonts($2)
> @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
>
>  ########################################
>  ## <summary>
> +##	Create a .xsession-errors log
> +##	file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
>  ##	Read all users fonts, user font configurations,
>  ##	and manage all users font caches.
>  ## </summary>
> @@ -1000,6 +1023,44 @@ interface(`xserver_xsession_spec_domtran
>  ')
>
>  ########################################
> +## <summary>
> +##	Read and write xsession log
> +##	files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage xsession log files such
> +##	as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Get the attributes of X server logs.
>  ## </summary>
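Review bot: In xserver_rw_xsession_log, rw_file_perms grants read and open as well as write and append. This interface is called from xserver_user_client and xserver_user_x_domain_template, so every X client domain becomes able to read what other applications in the session wrote to the log. If clients only need to emit diagnostics, append_file_perms (possibly through a separate append-only interface) would be a tighter fit, with rw kept for the domains that really read the file back. The summary of xserver_manage_xsession_log could also say which callers are expected to need create and unlink.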
> diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-28 20:29:17.898062418 +0100
> @@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
>  type xsession_exec_t;
>  corecmd_executable_file(xsession_exec_t)
>
> +type xsession_log_t;
> +userdom_user_home_content(xsession_log_t)
> +
>  # Type for the X server log file.
>  type xserver_log_t;
>  logging_log_file(xserver_log_t)
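Review bot: The new xsession_log_t declaration has no comment, whereas the xserver_log_t declaration immediately below it in the context is introduced by "# Type for the X server log file." Please add a one-line comment saying this type is for the per-user X session log (.xsession-errors), so the two log types are not confused when reading xserver.te.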

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [refpolicy] [PATCH v4 2/2] contrib: support the new interface to manage X session logs
  2016-12-28 19:44         ` [refpolicy] [PATCH v4 " Guido Trentalancia
@ 2016-12-30 19:15           ` Chris PeBenito
  0 siblings, 0 replies; 22+ messages in thread
From: Chris PeBenito @ 2016-12-30 19:15 UTC (permalink / raw)
  To: refpolicy

On 12/28/16 14:44, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver, openoffice).
>
> The second version of the patch correctly uses file type
> transitions and uses tighter permissions.
>
> The third version adds the logging capability to the
> openoffice module.
>
> This fourth version explicitly makes xscreensaver dependent
> on the xserver module.
>
> The corresponding base policy patch is at version 6.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/dbus.te         |    1 +
>  policy/modules/contrib/gnome.te        |    5 +++++
>  policy/modules/contrib/openoffice.te   |    1 +
>  policy/modules/contrib/wm.te           |    1 +
>  policy/modules/contrib/xscreensaver.te |    6 +++---
>  5 files changed, 11 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
> --- a/policy/modules/contrib/dbus.te	2016-12-22 23:12:59.377081677 +0100
> +++ b/policy/modules/contrib/dbus.te	2016-12-28 20:24:54.385446098 +0100
> @@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
>  term_use_all_terms(session_bus_type)
>
>  optional_policy(`
> +	xserver_rw_xsession_log(session_bus_type)
>  	xserver_use_xdm_fds(session_bus_type)
>  	xserver_rw_xdm_pipes(session_bus_type)
>  ')
> diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
> --- a/policy/modules/contrib/gnome.te	2016-12-27 22:41:15.522602035 +0100
> +++ b/policy/modules/contrib/gnome.te	2016-12-28 20:24:54.386446112 +0100
> @@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
>  userdom_use_user_terminals(gnomedomain)
>
>  optional_policy(`
> +	xserver_rw_xsession_log(gnomedomain)
>  	xserver_rw_xdm_pipes(gnomedomain)
>  	xserver_use_xdm_fds(gnomedomain)
>  ')
> @@ -145,3 +146,7 @@ optional_policy(`
>  optional_policy(`
>  	telepathy_mission_control_read_state(gkeyringd_domain)
>  ')
> +
> +optional_policy(`
> +	xserver_rw_xsession_log(gkeyringd_domain)
> +')
> diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
> --- a/policy/modules/contrib/openoffice.te	2016-12-27 22:41:15.522602035 +0100
> +++ b/policy/modules/contrib/openoffice.te	2016-12-28 20:24:54.386446112 +0100
> @@ -131,6 +131,7 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	xserver_rw_xsession_log(ooffice_t)
>  	xserver_read_user_iceauth(ooffice_t)
>  	xserver_read_user_xauth(ooffice_t)
>  	xserver_read_xdm_tmp_files(ooffice_t)
> diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
> --- a/policy/modules/contrib/wm.te	2016-12-27 22:41:15.543602334 +0100
> +++ b/policy/modules/contrib/wm.te	2016-12-28 20:24:54.387446125 +0100
> @@ -132,4 +132,5 @@ optional_policy(`
>
>  optional_policy(`
>  	xserver_dbus_chat_xdm(wm_domain)
> +	xserver_rw_xsession_log(wm_domain)
>  ')
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te	2016-12-22 00:49:56.960049501 +0100
> +++ b/policy/modules/contrib/xscreensaver.te	2016-12-28 20:32:01.742240850 +0100
> @@ -58,6 +58,7 @@ miscfiles_read_localization(xscreensaver
>  userdom_use_user_terminals(xscreensaver_t)
>  userdom_read_user_home_content_files(xscreensaver_t)
>
> +xserver_rw_xsession_log(xscreensaver_t)
>  xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
>
>  ########################################
> @@ -86,6 +87,5 @@ fs_dontaudit_getattr_xattr_fs(xscreensav
>  miscfiles_read_fonts(xscreensaver_helper_t)
>  miscfiles_read_localization(xscreensaver_helper_t)
>
> -optional_policy(`
> -	xserver_stream_connect(xscreensaver_helper_t)
> -')
> +xserver_rw_xsession_log(xscreensaver_helper_t)
> +xserver_stream_connect(xscreensaver_helper_t)

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2016-12-30 19:15 UTC | newest]

Thread overview: 22+ messages
2016-12-20 15:28 [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs Guido Trentalancia
2016-12-20 15:30 ` [refpolicy] [PATCH 2/2] contrib: support the new " Guido Trentalancia
2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
2016-12-22 15:15     ` [refpolicy] [PATCH v3 " Guido Trentalancia
2016-12-28 18:26       ` Chris PeBenito
2016-12-28 19:05         ` Guido Trentalancia
2016-12-28 19:44         ` [refpolicy] [PATCH v4 " Guido Trentalancia
2016-12-30 19:15           ` Chris PeBenito
2016-12-21 19:17 ` [refpolicy] [PATCH 1/2] xserver: introduce new fc and " Chris PeBenito
2016-12-21 19:25   ` Guido Trentalancia
2016-12-21 23:05   ` [refpolicy] [PATCH v2 " Guido Trentalancia
2016-12-22 21:01     ` Chris PeBenito
2016-12-22 21:49       ` [refpolicy] [PATCH v3 " Guido Trentalancia
2016-12-23  7:34         ` Jason Zaman
2016-12-23 15:44           ` [refpolicy] [PATCH v4 " Guido Trentalancia
2016-12-27 15:28             ` Chris PeBenito
2016-12-27 20:00               ` Guido Trentalancia
2016-12-27 20:01               ` [refpolicy] [PATCH v5 " Guido Trentalancia
2016-12-28 18:32                 ` Chris PeBenito
2016-12-28 19:02                   ` Guido Trentalancia
2016-12-28 19:43                   ` [refpolicy] [PATCH v6 " Guido Trentalancia
2016-12-30 19:15                     ` Chris PeBenito
