2017-04-20 15:37:20

by guido

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

The xserver module contains two interfaces to handle the xconsole
device (usually /dev/xconsole).

Unfortunately, it seems that the above-mentioned interfaces use the
wrong file type: fifo (named pipe) instead of character device.

This patch fixes this issue and also introduces a new interface to
manage the xconsole device (so that it can be created, for example,
by a udev rule).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.if | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)

--- a/policy/modules/services/xserver.if 2017-01-29 18:47:23.000000000 +0100
+++ b/policy/modules/services/xserver.if 2017-04-20 17:14:45.721199079 +0200
@@ -664,7 +695,8 @@ interface(`xserver_read_user_iceauth',`

########################################
## <summary>
-## Set the attributes of the X windows console named pipes.
+## Set the attributes of the X
+## windows console device.
## </summary>
## <param name="domain">
## <summary>
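Review bot: the hunk header (-664 vs +695, a 31-line offset before any change in this file) shows the diff was generated against a tree that already carries other unmerged changes to xserver.if, so it is unlikely to apply cleanly on upstream and should be rebased. Separately, the reworded summary drops the file type entirely ("console device") while the interface it documents is still named xserver_setattr_console_pipes (see the next hunk's header), so name and summary now disagree; settle what the object is before committing the wording.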
@@ -677,12 +709,13 @@ interface(`xserver_setattr_console_pipes
type xconsole_device_t;
')

- allow $1 xconsole_device_t:fifo_file setattr;
+ allow $1 xconsole_device_t:chr_file setattr;
')

########################################
## <summary>
-## Read and write the X windows console named pipe.
+## Read and write the X windows
+## console device.
## </summary>
## <param name="domain">
## <summary>
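Review bot: replacing `allow $1 xconsole_device_t:fifo_file setattr;` with the chr_file rule removes the FIFO permission rather than adding the character-device one, so on any system where /dev/xconsole is a named pipe every caller of xserver_setattr_console_pipes loses setattr. If both layouts are to be supported, keep the fifo_file line alongside the chr_file line; if the claim is that it is never a FIFO, the commit message should say which distribution or tool creates it as a character device.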
@@ -695,7 +728,26 @@ interface(`xserver_rw_console',`
type xconsole_device_t;
')

- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
+ allow $1 xconsole_device_t:chr_file rw_chr_file_perms;
+')
+
+#######################################
+## <summary>
+## Manage the X windows console
+## device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_console',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:chr_file manage_chr_file_perms;
')

########################################
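Review bot: `manage_chr_file_perms` on xconsole_device_t alone does not let a caller create or unlink the node, since create and unlink also need add_name/remove_name on the /dev directory type, which this interface does not grant; callers such as udev must already hold a dev_* directory permission for the interface to deliver what its summary promises, and that dependency should be stated. Two smaller points: the new banner line is 39 `#` characters while the surrounding banners (for instance the one just after the closing `')`) use 40, and the new summary "Manage the X windows console device" omits the file type that the existing pair of summaries used to carry.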


2017-04-20 15:38:40

by guido

Subject: [refpolicy] [PATCH 2/2] udev: optionally manage xserver console device

Modify the udev module so that the udev daemon can manage the
xserver console (usually /dev/xconsole).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)

--- a/policy/modules/system/udev.te 2017-02-04 19:30:18.000000000 +0100
+++ b/policy/modules/system/udev.te 2017-04-18 19:17:15.057610123 +0200
@@ -338,5 +350,6 @@ optional_policy(`
')

optional_policy(`
+ xserver_manage_console(udev_t)
xserver_read_xdm_pid(udev_t)
')
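Review bot: this call gives udev_t manage permissions on xconsole_device_t, but nothing here ensures a node that udev creates in /dev receives that label: without a file type transition the new object inherits the directory's type (device_t) and none of the xserver_* console interfaces match it. A filetrans rule to xconsole_device_t, or a call to the existing console-creation interface in xserver.if, is needed next to this line. Note also that the build of this optional_policy block depends on patch 1/2 providing xserver_manage_console.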

2017-04-20 16:40:43

by Russell Coker

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

On Fri, 21 Apr 2017 01:37:20 AM Guido Trentalancia via refpolicy wrote:
> The xserver module contains two interfaces to handle the xconsole
> device (usually /dev/xconsole).
>
> Unfortunately, it seems that the above mentioned interfaces use the
> wrong file type: fifo (named pipe) instead of character device.

Which distribution has it as a character device? I've only ever seen it as a
named pipe.

Here's a snippet from /etc/init.d/rsyslog on Debian/Unstable:

create_xconsole() {
    XCONSOLE=/dev/xconsole
    if [ "$(uname -s)" != "Linux" ]; then
        XCONSOLE=/run/xconsole
        ln -sf $XCONSOLE /dev/xconsole
    fi
    if [ ! -e $XCONSOLE ]; then
        mknod -m 640 $XCONSOLE p
        chown root:adm $XCONSOLE
        [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
    fi
}

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
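The question Russell raises above turns on whether /dev/xconsole is a FIFO or a character device, because that decides which SELinux object class (fifo_file or chr_file) a policy rule must name. The helper below is an added example, not code from the thread or from refpolicy: it maps a path's file type to the object class name using only POSIX test(1) operators, and the named pipe it creates in a temporary directory is constructed sample input made the same way the Debian script's `mknod ... p` does.

```shell
#!/bin/sh
# Added example (not part of the refpolicy patches): map a filesystem
# object's type to the SELinux object class a policy rule must use.

# Print the SELinux object class corresponding to the file type of $1.
# The symlink test comes first because every other test follows symlinks.
selinux_class_of() {
    if   [ -L "$1" ]; then echo lnk_file
    elif [ -p "$1" ]; then echo fifo_file
    elif [ -c "$1" ]; then echo chr_file
    elif [ -b "$1" ]; then echo blk_file
    elif [ -S "$1" ]; then echo sock_file
    elif [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo unknown
    fi
}

# Constructed sample: create an xconsole-style named pipe in a scratch
# directory (mkfifo -m 640 is equivalent to mknod -m 640 ... p), classify
# it, and clean up. Prints the class name on stdout.
demo_xconsole_class() {
    tmp=$(mktemp -d) || return 1
    mkfifo -m 640 "$tmp/xconsole" || { rm -rf "$tmp"; return 1; }
    selinux_class_of "$tmp/xconsole"
    rm -rf "$tmp"
}

# Usage on a real system:   selinux_class_of /dev/xconsole
# A result of fifo_file means the policy rules must use the fifo_file
# class (and manage_fifo_file_perms), not chr_file.
```

Running `selinux_class_of /dev/xconsole` on a Debian system provisioned by the rsyslog init script above prints fifo_file, which is the class the unmodified xserver interfaces already use.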

2017-04-20 16:43:26

by guido

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

Hello Russell.

Yes, I think you might be right...

I was now double-checking it and I think it is probably right as a named pipe as it was.

I think the manage interface can be corrected and kept.

Regards,

Guido

> On the 20th of April 2017 at 18.40 Russell Coker <[email protected]> wrote
>
>
> On Fri, 21 Apr 2017 01:37:20 AM Guido Trentalancia via refpolicy wrote:
> > The xserver module contains two interfaces to handle the xconsole
> > device (usually /dev/xconsole).
> >
> > Unfortunately, it seems that the above mentioned interfaces use the
> > wrong file type: fifo (named pipe) instead of character device.
>
> Which distribution has it as a character device? I've only ever seen it as a
> named pipe.
>
> Here's a snippet from /etc/init.d/rsyslog on Debian/Unstable:
>
> create_xconsole() {
>     XCONSOLE=/dev/xconsole
>     if [ "$(uname -s)" != "Linux" ]; then
>         XCONSOLE=/run/xconsole
>         ln -sf $XCONSOLE /dev/xconsole
>     fi
>     if [ ! -e $XCONSOLE ]; then
>         mknod -m 640 $XCONSOLE p
>         chown root:adm $XCONSOLE
>         [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
>     fi
> }
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

2017-04-20 17:00:13

by Russell Coker

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

On Fri, 21 Apr 2017 02:43:26 AM Guido Trentalancia via refpolicy wrote:
> Yes, I think you might be right...
>
> I was now double-checking it and I think it is probably right as a named
> pipe as it was.
>
> I think the manage interface can be corrected and kept.

Why?

Does anyone have udev creating that pipe?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-20 16:59:13

by guido

Subject: [refpolicy] [PATCH v2 1/2] xserver: manage the console device (named pipe) (was: [PATCH 1/2] xserver: console device is chr_file and not fifo_file)

Introduce a new xserver interface to manage the xconsole named
pipe.

Thanks to Russell Coker for pointing out a wrong file type in
the previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

--- a/policy/modules/services/xserver.if 2017-03-29 17:57:54.554386420 +0200
+++ b/policy/modules/services/xserver.if 2017-04-20 18:51:53.959794517 +0200
@@ -698,6 +698,25 @@ interface(`xserver_rw_console',`
allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
')

+#######################################
+## <summary>
+## Manage the X windows console
+## device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_console',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file manage_fifo_file_perms;
+')
+
########################################
## <summary>
## Create the X windows console named pipes.
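Review bot: the summary says "Manage the X windows console device" while the rule and the commit title say named pipe; the trailing context shows an existing interface documented as "Create the X windows console named pipes", so the patch should say what xserver_manage_console adds over that one, or extend it instead of adding a near-duplicate. As in v1, manage_fifo_file_perms on the object class does not include the add_name/remove_name needed on the parent directory for create and unlink, so callers still need a directory permission from elsewhere. The banner line above the new summary is 39 `#` characters versus the 40 used by the surrounding banners.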

2017-04-20 17:03:16

by guido

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

Hello.

I thought it could be useful. For example, I am creating it through a udev rule, because generally files under /dev are created that way.

I have noticed other people are creating it from rsyslog, but I decided to avoid doing that, because I think it is not a very general solution.

Anyway, if you want to skip the two patches, that's fine, they are not particularly important...

Regards,

Guido

> On the 20th of April 2017 at 19.00 Russell Coker <[email protected]> wrote:
>
>
> On Fri, 21 Apr 2017 02:43:26 AM Guido Trentalancia via refpolicy wrote:
> > Yes, I think you might be right...
> >
> > I was now double-checking it and I think it is probably right as a named
> > pipe as it was.
> >
> > I think the manage interface can be corrected and kept.
>
> Why?
>
> Does anyone have udev creating that pipe?
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

2017-04-20 17:20:09

by Russell Coker

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

On Fri, 21 Apr 2017 03:03:16 AM Guido Trentalancia via refpolicy wrote:
> I thought it can be useful. For example, I am creating it through a udev
> rule, because generally files under /dev are created that way.
>
> I have noticed other people are creating it from rsyslog, but I decided to
> avoid doing that, because I think it is not a very general solution.

The syslogd (whether rsyslog or another) is going to be the only program
writing to it, so it doesn't make much sense to have anything else create it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-20 17:46:02

by guido

Subject: [refpolicy] [PATCH 1/2] xserver: console device is chr_file and not fifo_file

Hello.

The point is that as it is, this patch is still broken.

The new xserver interface is not needed and it should be replaced by three new devices interfaces to be called from the udev module (one for creating a generic "fifo_file" device and two for relabeling from/to).

I have already submitted several patches and they are still pending; also, I am not sure if these two patches are really needed for wider, general use. If Christopher says that they might turn out to be useful for wider, general use, then I can fix them. Otherwise we just drop the two patches.

The idea was that the pipe could be created independently of the specific syslog daemon, so that you do not need to patch every syslog daemon you install (in the sense of patching each syslog daemon init script or whatever).

Regards,

Guido

> On the 20th of April 2017 at 19.20 Russell Coker <[email protected]> wrote:
>
>
> On Fri, 21 Apr 2017 03:03:16 AM Guido Trentalancia via refpolicy wrote:
> > I thought it can be useful. For example, I am creating it through a udev
> > rule, because generally files under /dev are created that way.
> >
> > I have noticed other people are creating it from rsyslog, but I decided to
> > avoid doing that, because I think it is not a very general solution.
>
> The syslogd (whether rsyslog or another) is going to be the only program
> writing to it, so it doesn't make much sense to have anything else create it.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

2017-04-20 19:32:57

by guido

Subject: [refpolicy] [PATCH v2 2/2] udev: manage xserver console device

Modify the udev module so that the udev daemon can manage the
xserver console device (a named pipe, usually /dev/xconsole).

I have posted a new version of this patch for the sake of not
leaving incomplete patches around on the list.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
policy/modules/system/udev.te | 2 ++
2 files changed, 21 insertions(+)

--- a/policy/modules/kernel/devices.if 2016-12-27 16:37:59.000000000 +0100
+++ b/policy/modules/kernel/devices.if 2017-04-20 21:24:58.110629406 +0200
@@ -406,6 +406,25 @@ interface(`dev_manage_generic_files',`
manage_files_pattern($1, device_t, device_t)
')

+#######################################
+## <summary>
+## Create a fifo file in the device
+## directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_fifo_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_fifo_files_pattern($1, device_t, device_t)
+')
+
########################################
## <summary>
## Dontaudit getattr on generic pipes.
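Review bot: the summary "Create a fifo file in the device directory" understates what `manage_fifo_files_pattern($1, device_t, device_t)` grants (create, read, write, setattr, rename and unlink on FIFOs labelled device_t in device_t directories); the refpolicy wording for manage interfaces is "Create, read, write, and delete ...", and the name dev_manage_generic_fifo_files already says as much. More importantly, the pattern acts on FIFOs of type device_t, so a /dev/xconsole created through it would carry device_t rather than xconsole_device_t and the xserver console interfaces would not apply to it; a file type transition to xconsole_device_t (the relabel interfaces mentioned earlier in the thread) is needed for this to produce a usable console pipe. The banner line is again 39 `#` characters versus the 40 used by the block below.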
--- a/policy/modules/system/udev.te 2017-02-04 19:30:18.000000000 +0100
+++ b/policy/modules/system/udev.te 2017-04-20 21:24:39.203629483 +0200
@@ -104,6 +104,8 @@ corecmd_exec_all_executables(udev_t)

dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
+# create /dev/xconsole
+dev_manage_generic_fifo_files(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
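Review bot: the comment `# create /dev/xconsole` promises one node, but the call grants udev_t manage rights on every device_t FIFO under /dev; scoping it to the console pipe needs a type transition to xconsole_device_t rather than a generic-FIFO grant. Since `dev_manage_all_dev_nodes(udev_t)` on the line above covers device nodes but not the fifo_file class, the comment should say that this is why a separate call is needed, so a later reader does not fold it back into the existing line.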