2016-12-20 15:28:43

by guido

Subject: [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and a new interface to manage them
(instead of allowing to manage the whole user home content
files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 2 ++
policy/modules/services/xserver.if | 23 +++++++++++++++++++++--
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 27 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-20 15:57:50.236936839 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
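Review bot: Nothing in this patch declares `xsession_log_t`: the diffstat covers only xserver.fc, xserver.if and userdomain.if, yet this file-context entry and the `gen_require` in the new `xserver_manage_xsession_log` interface both depend on the type. Unless xserver.te already declares it, the policy will presumably fail to build. The patch should then add a declaration to xserver.te, along the lines of `type xsession_log_t;` followed by `userdom_user_home_content(xsession_log_t)`. The `/tmp/xses-USER` entry in the next hunk relies on the same type.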
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)

#
# /usr
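Review bot: The `/tmp/xses-USER` entry only takes effect when the file is relabelled; nothing in the patch adds a type transition for files created in /tmp. A log created there at runtime would presumably keep the creating domain's default tmp type rather than `xsession_log_t`, so the new interface would not match it. Because /tmp is shared between users, a comment above the entry should state which domain creates this file, and a matching named transition should sit next to that domain's rules. The rest of the /tmp section lies outside the hunk.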
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if 2016-12-20 15:52:16.985406349 +0100
@@ -308,7 +308,7 @@ interface(`xserver_user_client',`

userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_manage_xsession_log($1)

xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template

userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_manage_xsession_log($2)

xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
')

########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
## <summary>
## Get the attributes of X server logs.
## </summary>
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if 2016-12-20 15:52:17.003406594 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(userdomain)
')

########################################
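Review bot: The added `xserver_manage_xsession_log(userdomain)` does not involve `$1`, so every user domain gets access to the log as a side effect of some module calling `userdom_spec_domtrans_all_users`, and the rule is emitted again for each caller. A rule about `userdomain` itself belongs in userdomain.te, inside an optional_policy block so that the base module does not hard-depend on xserver. The same applies to `xserver_manage_xsession_log(unpriv_userdomain)` in the following hunk (`userdom_xsession_spec_domtrans_unpriv_users`) and to both hunks as reposted in v2. Both interface bodies start outside the hunks.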
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(unpriv_userdomain)
')

#######################################


2016-12-20 15:30:16

by guido

Subject: [refpolicy] [PATCH 2/2] contrib: support the new interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and a new interface to manage them
(instead of allowing to manage the whole user home content
files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

This second part (tackling the contrib policy) requires the
following recently posted xscreensaver patch:

[PATCH 1/2] xscreensaver: update the module so that it can be
effectively used
http://oss.tresys.com/pipermail/refpolicy/2016-December/008789.html

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/gnome.te | 5 +++++
policy/modules/contrib/wm.te | 1 +
policy/modules/contrib/xscreensaver.te | 6 +++++-
4 files changed, 12 insertions(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2016-12-17 17:29:33.783306242 +0100
+++ b/policy/modules/contrib/dbus.te 2016-12-20 15:58:17.132302476 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
term_use_all_terms(session_bus_type)

optional_policy(`
+ xserver_manage_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te 2016-12-07 13:39:50.014910721 +0100
+++ b/policy/modules/contrib/gnome.te 2016-12-20 16:00:46.655335209 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
userdom_use_user_terminals(gnomedomain)

optional_policy(`
+ xserver_manage_xsession_log(gnomedomain)
xserver_rw_xdm_pipes(gnomedomain)
xserver_use_xdm_fds(gnomedomain)
')
@@ -145,3 +146,7 @@ optional_policy(`
optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
')
+
+optional_policy(`
+ xserver_manage_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2016-12-17 17:29:33.856307127 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-20 15:53:56.875764348 +0100
@@ -128,4 +128,5 @@ optional_policy(`

optional_policy(`
xserver_dbus_chat_xdm(wm_domain)
+ xserver_manage_xsession_log(wm_domain)
')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te 2016-12-20 16:03:13.740334792 +0100
+++ b/policy/modules/contrib/xscreensaver.te 2016-12-20 16:03:00.817159110 +0100
@@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
userdom_use_user_terminals(xscreensaver_t)
userdom_read_user_home_content_files(xscreensaver_t)

-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+ xserver_manage_xsession_log(xscreensaver_t)
+ xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')

########################################
#
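Review bot: The explicit `xserver_manage_xsession_log(xscreensaver_t)` duplicates what the template call on the next line already grants, because part 1/2 makes `xserver_user_x_domain_template` call `xserver_manage_xsession_log($2)`. Dropping the extra line leaves one place where the access is granted, which makes later tightening of the template easier to audit. The v2 and v3 postings of this hunk carry the same duplication with `xserver_rw_xsession_log(xscreensaver_t)`.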
@@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper
miscfiles_read_localization(xscreensaver_helper_t)

optional_policy(`
+ xserver_manage_xsession_log(xscreensaver_helper_t)
xserver_stream_connect(xscreensaver_helper_t)
')

2016-12-21 19:17:07

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs

On 12/20/16 10:28, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and a new interface to manage them
> (instead of allowing to manage the whole user home content
> files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.fc | 2 ++
> policy/modules/services/xserver.if | 23 +++++++++++++++++++++--
> policy/modules/system/userdomain.if | 4 ++++
> 3 files changed, 27 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc 2016-12-20 15:57:50.236936839 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
> HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
> /tmp/\.X11-unix/.* -s <<none>>
> +/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)
>
> #
> # /usr
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if 2016-12-20 15:52:16.985406349 +0100
> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>
> userdom_search_user_home_dirs($1)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($1)
> + xserver_manage_xsession_log($1)
>
> xserver_ro_session($1,$2)
> xserver_use_user_fonts($1)
> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>
> userdom_search_user_home_dirs($2)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($2)
> + xserver_manage_xsession_log($2)
>
> xserver_ro_session($2,$3)
> xserver_use_user_fonts($2)

Is the manage access really necessary? Doesn't it simply write/append?
I don't think they need to delete the file. And if the file doesn't
exist, who is creating it?


> @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
> ')
>
> ########################################
> +## <summary>
> +## Manage xsession log files such
> +## as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
> diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> --- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
> +++ b/policy/modules/system/userdomain.if 2016-12-20 15:52:17.003406594 +0100
> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
> allow userdomain $1:fd use;
> allow userdomain $1:fifo_file rw_file_perms;
> allow userdomain $1:process sigchld;
> +
> + xserver_manage_xsession_log(userdomain)
> ')
>
> ########################################
> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
> allow unpriv_userdomain $1:fd use;
> allow unpriv_userdomain $1:fifo_file rw_file_perms;
> allow unpriv_userdomain $1:process sigchld;
> +
> + xserver_manage_xsession_log(unpriv_userdomain)
> ')
>
> #######################################



--
Chris PeBenito

2016-12-21 19:25:58

by guido

Subject: [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs

Hello!

Yes, you are right, I'll fix the patch as soon as possible.

It is created by Xsession running as user_t.

Thanks for spotting this.

How about the other patch for xscreensaver?

Regards,

Guido

Il 21 dicembre 2016 20:17:07 CET, Chris PeBenito <[email protected]> ha scritto:
>On 12/20/16 10:28, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and a new interface to manage them
>> (instead of allowing to manage the whole user home content
>> files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/services/xserver.fc | 2 ++
>> policy/modules/services/xserver.if | 23 +++++++++++++++++++++--
>> policy/modules/system/userdomain.if | 4 ++++
>> 3 files changed, 27 insertions(+), 2 deletions(-)
>>
>> diff -pru a/policy/modules/services/xserver.fc
>b/policy/modules/services/xserver.fc
>> --- a/policy/modules/services/xserver.fc 2016-12-04
>16:54:51.229586958 +0100
>> +++ b/policy/modules/services/xserver.fc 2016-12-20
>15:57:50.236936839 +0100
>> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
>> HOME_DIR/\.ICEauthority.*
>-- gen_context(system_u:object_r:iceauth_home_t,s0)
>>
>HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>>
>+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
>>
>HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>>
>> #
>> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
>> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
>> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
>> /tmp/\.X11-unix/.* -s <<none>>
>> +/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)
>>
>> #
>> # /usr
>> diff -pru a/policy/modules/services/xserver.if
>b/policy/modules/services/xserver.if
>> --- a/policy/modules/services/xserver.if 2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.if 2016-12-20
>15:52:16.985406349 +0100
>> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>>
>> userdom_search_user_home_dirs($1)
>> # for .xsession-errors
>> - userdom_dontaudit_write_user_home_content_files($1)
>> + xserver_manage_xsession_log($1)
>>
>> xserver_ro_session($1,$2)
>> xserver_use_user_fonts($1)
>> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>>
>> userdom_search_user_home_dirs($2)
>> # for .xsession-errors
>> - userdom_dontaudit_write_user_home_content_files($2)
>> + xserver_manage_xsession_log($2)
>>
>> xserver_ro_session($2,$3)
>> xserver_use_user_fonts($2)
>
>Is the manage access really necessary? Doesn't it simply write/append?
>
>I don't think they need to delete the file. And if the file doesn't
>exist, who is creating it?
>
>
>> @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
>> ')
>>
>> ########################################
>> +## <summary>
>> +## Manage xsession log files such
>> +## as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`xserver_manage_xsession_log',`
>> + gen_require(`
>> + type xsession_log_t;
>> + ')
>> +
>> + allow $1 xsession_log_t:file manage_file_perms;
>> +')
>> +
>> +########################################
>> ## <summary>
>> ## Get the attributes of X server logs.
>> ## </summary>
>> diff -pru a/policy/modules/system/userdomain.if
>b/policy/modules/system/userdomain.if
>> --- a/policy/modules/system/userdomain.if 2016-12-17
>17:29:27.030224492 +0100
>> +++ b/policy/modules/system/userdomain.if 2016-12-20
>15:52:17.003406594 +0100
>> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
>> allow userdomain $1:fd use;
>> allow userdomain $1:fifo_file rw_file_perms;
>> allow userdomain $1:process sigchld;
>> +
>> + xserver_manage_xsession_log(userdomain)
>> ')
>>
>> ########################################
>> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
>> allow unpriv_userdomain $1:fd use;
>> allow unpriv_userdomain $1:fifo_file rw_file_perms;
>> allow unpriv_userdomain $1:process sigchld;
>> +
>> + xserver_manage_xsession_log(unpriv_userdomain)
>> ')
>>
>> #######################################

2016-12-21 23:05:11

by guido

Subject: [refpolicy] [PATCH v2 1/2] xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

This second version of the patch correctly uses file type
transitions and uses more tight permissions.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 2 +
policy/modules/services/xserver.if | 61 ++++++++++++++++++++++++++++++++++--
policy/modules/system/userdomain.if | 4 ++
policy/modules/system/userdomain.te | 5 ++
4 files changed, 70 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-21 23:00:47.701952737 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)

#
# /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if 2016-12-21 23:38:56.279462999 +0100
@@ -308,7 +308,7 @@ interface(`xserver_user_client',`

userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)

xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template

userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)

xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -567,6 +567,25 @@ interface(`xserver_user_home_dir_filetra

########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
@@ -982,6 +1001,44 @@ interface(`xserver_xsession_spec_domtran
')

########################################
+## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
## <summary>
## Get the attributes of X server logs.
## </summary>
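Review bot: `rw_file_perms` in `xserver_rw_xsession_log` still lets every caller read the whole log and rewrite existing content, which is more than a client that only emits diagnostics needs. Since `xserver_user_client` and `xserver_user_x_domain_template` now hand this to every X client, one confined client can read or alter what another one logged. Consider an append-only variant, for example an `xserver_append_xsession_log` interface whose rule is `allow $1 xsession_log_t:file append_file_perms;`, and reserve the rw and manage interfaces for the session itself. Its summary would read "Append to xsession log files such as .xsession-errors."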
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if 2016-12-21 23:22:29.270461027 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(userdomain)
')

########################################
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(unpriv_userdomain)
')

#######################################
diff -pru a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
--- a/policy/modules/system/userdomain.te 2016-12-17 17:29:27.031224504 +0100
+++ b/policy/modules/system/userdomain.te 2016-12-21 23:36:18.826707902 +0100
@@ -128,3 +128,8 @@ files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
+
+optional_policy(`
+ xserver_user_home_dir_filetrans_user_xsession_log(userdomain)
+ xserver_user_home_dir_filetrans_user_xsession_log(unpriv_userdomain)
+')

2016-12-21 23:05:19

by guido

Subject: [refpolicy] [PATCH v2 2/2] contrib: support the new interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

This second version of the patch correctly uses file type
transitions and uses tighter permissions.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/gnome.te | 5 +++++
policy/modules/contrib/wm.te | 1 +
policy/modules/contrib/xscreensaver.te | 6 +++++-
4 files changed, 12 insertions(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2016-12-17 17:29:33.783306242 +0100
+++ b/policy/modules/contrib/dbus.te 2016-12-21 23:09:40.905896241 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
term_use_all_terms(session_bus_type)

optional_policy(`
+ xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te 2016-12-07 13:39:50.014910721 +0100
+++ b/policy/modules/contrib/gnome.te 2016-12-21 23:09:48.452980365 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
userdom_use_user_terminals(gnomedomain)

optional_policy(`
+ xserver_rw_xsession_log(gnomedomain)
xserver_rw_xdm_pipes(gnomedomain)
xserver_use_xdm_fds(gnomedomain)
')
@@ -145,3 +146,7 @@ optional_policy(`
optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
')
+
+optional_policy(`
+ xserver_rw_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2016-12-17 17:29:33.856307127 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-21 23:09:43.970930405 +0100
@@ -128,4 +128,5 @@ optional_policy(`

optional_policy(`
xserver_dbus_chat_xdm(wm_domain)
+ xserver_rw_xsession_log(wm_domain)
')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te 2016-12-21 23:00:22.415670877 +0100
+++ b/policy/modules/contrib/xscreensaver.te 2016-12-21 23:09:51.201010999 +0100
@@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
userdom_use_user_terminals(xscreensaver_t)
userdom_read_user_home_content_files(xscreensaver_t)

-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+ xserver_rw_xsession_log(xscreensaver_t)
+ xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')

########################################
#
@@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper
miscfiles_read_localization(xscreensaver_helper_t)

optional_policy(`
+ xserver_rw_xsession_log(xscreensaver_helper_t)
xserver_stream_connect(xscreensaver_helper_t)
')

2016-12-22 15:15:54

by guido

Subject: [refpolicy] [PATCH v3 2/2] contrib: support the new interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type
transitions and uses tighter permissions.

This third version adds the logging capability to the
openoffice module.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/gnome.te | 5 +++++
policy/modules/contrib/openoffice.te | 1 +
policy/modules/contrib/wm.te | 1 +
policy/modules/contrib/xscreensaver.te | 6 +++++-
5 files changed, 13 insertions(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2016-12-17 17:29:33.783306242 +0100
+++ b/policy/modules/contrib/dbus.te 2016-12-22 16:03:21.181221496 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
term_use_all_terms(session_bus_type)

optional_policy(`
+ xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te 2016-12-07 13:39:50.014910721 +0100
+++ b/policy/modules/contrib/gnome.te 2016-12-22 16:03:21.181221496 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
userdom_use_user_terminals(gnomedomain)

optional_policy(`
+ xserver_rw_xsession_log(gnomedomain)
xserver_rw_xdm_pipes(gnomedomain)
xserver_use_xdm_fds(gnomedomain)
')
@@ -145,3 +146,7 @@ optional_policy(`
optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
')
+
+optional_policy(`
+ xserver_rw_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
--- a/policy/modules/contrib/openoffice.te 2016-12-17 17:29:33.837306897 +0100
+++ b/policy/modules/contrib/openoffice.te 2016-12-22 16:04:01.945714059 +0100
@@ -113,6 +113,7 @@ optional_policy(`
')

optional_policy(`
+ xserver_rw_xsession_log(ooffice_t)
xserver_read_user_iceauth(ooffice_t)
xserver_read_user_xauth(ooffice_t)
xserver_read_xdm_tmp_files(ooffice_t)
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2016-12-17 17:29:33.856307127 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-22 16:03:21.182221508 +0100
@@ -128,4 +128,5 @@ optional_policy(`

optional_policy(`
xserver_dbus_chat_xdm(wm_domain)
+ xserver_rw_xsession_log(wm_domain)
')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te 2016-12-22 16:03:10.938097722 +0100
+++ b/policy/modules/contrib/xscreensaver.te 2016-12-22 16:03:21.182221508 +0100
@@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
userdom_use_user_terminals(xscreensaver_t)
userdom_read_user_home_content_files(xscreensaver_t)

-xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+optional_policy(`
+ xserver_rw_xsession_log(xscreensaver_t)
+ xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+')

########################################
#
@@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper
miscfiles_read_localization(xscreensaver_helper_t)

optional_policy(`
+ xserver_rw_xsession_log(xscreensaver_helper_t)
xserver_stream_connect(xscreensaver_helper_t)
')

2016-12-22 21:01:52

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 1/2] xserver: introduce new fc and interface to manage X session logs

On 12/21/16 18:05, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interface to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> This second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.fc | 2 +
> policy/modules/services/xserver.if | 61 ++++++++++++++++++++++++++++++++++--
> policy/modules/system/userdomain.if | 4 ++
> policy/modules/system/userdomain.te | 5 ++
> 4 files changed, 70 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc 2016-12-21 23:00:47.701952737 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
> HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
> /tmp/\.X11-unix/.* -s <<none>>
> +/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)
>
> #
> # /usr
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if 2016-12-21 23:38:56.279462999 +0100
> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>
> userdom_search_user_home_dirs($1)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($1)
> + xserver_rw_xsession_log($1)
>
> xserver_ro_session($1,$2)
> xserver_use_user_fonts($1)
> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>
> userdom_search_user_home_dirs($2)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($2)
> + xserver_rw_xsession_log($2)
>
> xserver_ro_session($2,$3)
> xserver_use_user_fonts($2)
> @@ -567,6 +567,25 @@ interface(`xserver_user_home_dir_filetra
>
> ########################################
> ## <summary>
> +## Create a .xsession-errors log
> +## file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
> ## Read all users fonts, user font configurations,
> ## and manage all users font caches.
> ## </summary>
> @@ -982,6 +1001,44 @@ interface(`xserver_xsession_spec_domtran
> ')
>
> ########################################
> +## <summary>
> +## Read and write xsession log
> +## files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage xsession log files such
> +## as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
> diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> --- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
> +++ b/policy/modules/system/userdomain.if 2016-12-21 23:22:29.270461027 +0100
> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
> allow userdomain $1:fd use;
> allow userdomain $1:fifo_file rw_file_perms;
> allow userdomain $1:process sigchld;
> +
> + xserver_manage_xsession_log(userdomain)
> ')
>
> ########################################
> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
> allow unpriv_userdomain $1:fd use;
> allow unpriv_userdomain $1:fifo_file rw_file_perms;
> allow unpriv_userdomain $1:process sigchld;
> +
> + xserver_manage_xsession_log(unpriv_userdomain)
> ')
>
> #######################################
> diff -pru a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> --- a/policy/modules/system/userdomain.te 2016-12-17 17:29:27.031224504 +0100
> +++ b/policy/modules/system/userdomain.te 2016-12-21 23:36:18.826707902 +0100
> @@ -128,3 +128,8 @@ files_poly(user_runtime_t)
> files_poly_member(user_runtime_t)
> files_poly_parent(user_runtime_t)
> ubac_constrained(user_runtime_t)
> +
> +optional_policy(`
> + xserver_user_home_dir_filetrans_user_xsession_log(userdomain)
> + xserver_user_home_dir_filetrans_user_xsession_log(unpriv_userdomain)
> +')

I think this belongs in xserver_role(), so only the specific user
domains get the access. If they can't use the X server, they don't need
the file transition either.


--
Chris PeBenito

2016-12-22 21:49:52

by guido

Subject: [refpolicy] [PATCH v3 1/2] xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing management of the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses tighter permissions.

This third version simply moves some interface calls.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 2 +
policy/modules/services/xserver.if | 64 ++++++++++++++++++++++++++++++++++--
policy/modules/system/userdomain.if | 4 ++
3 files changed, 68 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-22 22:32:52.810210037 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
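Review bot: The new `HOME_DIR/\.xsession-errors` pattern matches only the exact file name, whereas the neighbouring entries end in `.*`. Some session scripts rotate the log to `.xsession-errors.old`; if that applies to the display managers targeted here, a relabel would reset the rotated copy to the generic home content type. Consider `HOME_DIR/\.xsession-errors.*` if rotated copies are meant to keep `xsession_log_t`.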
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)

#
# /usr
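Review bot: The `/tmp/xses-USER` entry only takes effect when something relabels the file. The series adds a named transition for `~/.xsession-errors` but nothing equivalent for the `/tmp` fallback, so a log created there at run time would presumably get the creating domain's default tmp type and the new `xsession_log_t` rules would not apply to it. Because the file name carries the user name, a name-based transition cannot match it, so this likely needs either the creating domain to set the context explicitly or a comment in the .fc saying the label is applied by relabelling only. Worth confirming which process creates this file before relying on the entry.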
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if 2016-12-22 22:36:21.456185928 +0100
@@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)

+ # for the .xsession-errors log file
+ xserver_user_home_dir_filetrans_user_xsession_log($2)
+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
@@ -308,7 +311,7 @@ interface(`xserver_user_client',`

userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)

xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template

userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)

xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra

########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
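Review bot: The summary of `xserver_user_home_dir_filetrans_user_xsession_log` says it creates the log file, but the body shown only sets up a name-based type transition through `userdom_user_home_dir_filetrans`; whether that also grants create permission on `xsession_log_t` files is not visible here. I would say so in the doc block, e.g. `## Create objects named .xsession-errors in user home directories with the xsession log type.`, and note which interface callers need for the file permissions themselves. The name also uses `user_xsession_log` where the two sibling interfaces added further down use plain `xsession_log`.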
@@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
')

########################################
+## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
## <summary>
## Get the attributes of X server logs.
## </summary>
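Review bot: `xserver_rw_xsession_log` grants `rw_file_perms`, so every caller can read the shared session log and overwrite earlier content, while the client domains it is handed to in the `xserver_user_client` and `xserver_user_x_domain_template` hunks above previously only had the write dontaudited. If those domains just emit diagnostics on an inherited descriptor, an append-only rule would keep one confined client from reading or rewriting what another logged: `allow $1 xsession_log_t:file append_file_perms;`. I would add that as a separate append interface for the client templates and keep read/write for callers that demonstrably need it. The same definition is repeated in the later postings in this thread.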
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if 2016-12-22 22:32:52.811210052 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(userdomain)
')

########################################
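Review bot: `xserver_manage_xsession_log(userdomain)` is called unconditionally from userdomain.if, so every caller of `userdom_spec_domtrans_all_users` now depends on the xserver module being present; I would expect the call to sit in an `optional_policy` block, as the contrib half of this series does for its xserver calls. The grant is also a side effect on the whole `userdomain` attribute that is unrelated to `$1`, and the interface's doc block (outside this hunk) would need to mention it. The `@@ -3371` hunk below has the same pattern with `unpriv_userdomain`.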
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(unpriv_userdomain)
')

#######################################

2016-12-23 07:34:19

by Jason Zaman

Subject: [refpolicy] [PATCH v3 1/2] xserver: introduce new fc and interface to manage X session logs

On Thu, Dec 22, 2016 at 10:49:52PM +0100, Guido Trentalancia via refpolicy wrote:
> +/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)

Can this use the new %{USERNAME}, they are less confusing and USER is
deprecated now in favour of those new ones.

-- Jason

2016-12-23 15:44:24

by guido

Subject: [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing management of the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type
transitions and uses tighter permissions.

The third version simply moves some interface calls.

This fourth version introduces the new template for
username-dependent file contexts.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 2 +
policy/modules/services/xserver.if | 64 ++++++++++++++++++++++++++++++++++--
policy/modules/system/userdomain.if | 4 ++
3 files changed, 68 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-22 22:32:52.810210037 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)

#
# /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if 2016-12-22 22:36:21.456185928 +0100
@@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)

+ # for the .xsession-errors log file
+ xserver_user_home_dir_filetrans_user_xsession_log($2)
+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
@@ -308,7 +311,7 @@ interface(`xserver_user_client',`

userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)

xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template

userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)

xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra

########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
@@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
')

########################################
+## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
## <summary>
## Get the attributes of X server logs.
## </summary>
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if 2016-12-22 22:32:52.811210052 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(userdomain)
')

########################################
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(unpriv_userdomain)
')

#######################################

2016-12-27 15:28:57

by Chris PeBenito

Subject: [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs

On 12/23/16 10:44, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interface to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver, openoffice).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> This fourth version introduces the new template for
> username-dependent file contexts.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.fc | 2 +
> policy/modules/services/xserver.if | 64 ++++++++++++++++++++++++++++++++++--
> policy/modules/system/userdomain.if | 4 ++
> 3 files changed, 68 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc 2016-12-22 22:32:52.810210037 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
> HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
> /tmp/\.X11-unix/.* -s <<none>>
> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
>
> #
> # /usr
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if 2016-12-22 22:36:21.456185928 +0100
> @@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
> # Needed for escd, remove if we get escd policy
> xserver_manage_xdm_tmp_files($2)
>
> + # for the .xsession-errors log file
> + xserver_user_home_dir_filetrans_user_xsession_log($2)
> +
> # Client write xserver shm
> tunable_policy(`allow_write_xshm',`
> allow $2 xserver_t:shm rw_shm_perms;
> @@ -308,7 +311,7 @@ interface(`xserver_user_client',`
>
> userdom_search_user_home_dirs($1)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($1)
> + xserver_rw_xsession_log($1)
>
> xserver_ro_session($1,$2)
> xserver_use_user_fonts($1)
> @@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
>
> userdom_search_user_home_dirs($2)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($2)
> + xserver_rw_xsession_log($2)
>
> xserver_ro_session($2,$3)
> xserver_use_user_fonts($2)
> @@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
>
> ########################################
> ## <summary>
> +## Create a .xsession-errors log
> +## file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
> ## Read all users fonts, user font configurations,
> ## and manage all users font caches.
> ## </summary>
> @@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
> ')
>
> ########################################
> +## <summary>
> +## Read and write xsession log
> +## files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage xsession log files such
> +## as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
> diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> --- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
> +++ b/policy/modules/system/userdomain.if 2016-12-22 22:32:52.811210052 +0100
> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
> allow userdomain $1:fd use;
> allow userdomain $1:fifo_file rw_file_perms;
> allow userdomain $1:process sigchld;
> +
> + xserver_manage_xsession_log(userdomain)
> ')
>
> ########################################
> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
> allow unpriv_userdomain $1:fd use;
> allow unpriv_userdomain $1:fifo_file rw_file_perms;
> allow unpriv_userdomain $1:process sigchld;
> +
> + xserver_manage_xsession_log(unpriv_userdomain)
> ')
>
> #######################################

I think you misunderstood. The rule should be in xserver_role() and
then only apply to $2 so only the specific xserver-using roles have access.

--
Chris PeBenito

2016-12-27 20:00:18

by guido

Subject: [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs

Hello.

Please find my reply at the bottom of quoted text...

> On the 27th of December 2016 at 16.28 Chris PeBenito <[email protected]>
> wrote:
>
>
> On 12/23/16 10:44, Guido Trentalancia via refpolicy wrote:
> > The following patch (split in two parts, one for base and
> > another one for contrib) introduces a new file context for
> > the X session log files and two new interface to manage
> > them (instead of allowing to manage the whole user home
> > content files).
> >
> > It is required after the recent confinement of graphical
> > desktop components (e.g. wm, xscreensaver, openoffice).
> >
> > The second version of the patch correctly uses file type
> > transitions and uses more tight permissions.
> >
> > The third version simply moves some interface calls.
> >
> > This fourth version introduces the new template for
> > username-dependent file contexts.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/services/xserver.fc | 2 +
> > policy/modules/services/xserver.if | 64
> > ++++++++++++++++++++++++++++++++++--
> > policy/modules/system/userdomain.if | 4 ++
> > 3 files changed, 68 insertions(+), 2 deletions(-)
> >
> > diff -pru a/policy/modules/services/xserver.fc
> > b/policy/modules/services/xserver.fc
> > --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
> > +++ b/policy/modules/services/xserver.fc 2016-12-22 22:32:52.810210037 +0100
> > @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
> > HOME_DIR/\.ICEauthority.* --
> > gen_context(system_u:object_r:iceauth_home_t,s0)
> > HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > +HOME_DIR/\.xsession-errors --
> > gen_context(system_u:object_r:xsession_log_t,s0)
> > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> >
> > #
> > @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> > /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
> > /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
> > /tmp/\.X11-unix/.* -s <<none>>
> > +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
> >
> > #
> > # /usr
> > diff -pru a/policy/modules/services/xserver.if
> > b/policy/modules/services/xserver.if
> > --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> > +++ b/policy/modules/services/xserver.if 2016-12-22 22:36:21.456185928 +0100
> > @@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
> > # Needed for escd, remove if we get escd policy
> > xserver_manage_xdm_tmp_files($2)
> >
> > + # for the .xsession-errors log file
> > + xserver_user_home_dir_filetrans_user_xsession_log($2)
> > +
> > # Client write xserver shm
> > tunable_policy(`allow_write_xshm',`
> > allow $2 xserver_t:shm rw_shm_perms;
> > @@ -308,7 +311,7 @@ interface(`xserver_user_client',`
> >
> > userdom_search_user_home_dirs($1)
> > # for .xsession-errors
> > - userdom_dontaudit_write_user_home_content_files($1)
> > + xserver_rw_xsession_log($1)
> >
> > xserver_ro_session($1,$2)
> > xserver_use_user_fonts($1)
> > @@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
> >
> > userdom_search_user_home_dirs($2)
> > # for .xsession-errors
> > - userdom_dontaudit_write_user_home_content_files($2)
> > + xserver_rw_xsession_log($2)
> >
> > xserver_ro_session($2,$3)
> > xserver_use_user_fonts($2)
> > @@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
> >
> > ########################################
> > ## <summary>
> > +## Create a .xsession-errors log
> > +## file in the user home directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> > + gen_require(`
> > + type xsession_log_t;
> > + ')
> > +
> > + userdom_user_home_dir_filetrans($1, xsession_log_t, file,
> > ".xsession-errors")
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Read all users fonts, user font configurations,
> > ## and manage all users font caches.
> > ## </summary>
> > @@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
> > ')
> >
> > ########################################
> > +## <summary>
> > +## Read and write xsession log
> > +## files such as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`xserver_rw_xsession_log',`
> > + gen_require(`
> > + type xsession_log_t;
> > + ')
> > +
> > + allow $1 xsession_log_t:file rw_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage xsession log files such
> > +## as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`xserver_manage_xsession_log',`
> > + gen_require(`
> > + type xsession_log_t;
> > + ')
> > +
> > + allow $1 xsession_log_t:file manage_file_perms;
> > +')
> > +
> > +########################################
> > ## <summary>
> > ## Get the attributes of X server logs.
> > ## </summary>
> > diff -pru a/policy/modules/system/userdomain.if
> > b/policy/modules/system/userdomain.if
> > --- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492
> > +0100
> > +++ b/policy/modules/system/userdomain.if 2016-12-22 22:32:52.811210052
> > +0100
> > @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
> > allow userdomain $1:fd use;
> > allow userdomain $1:fifo_file rw_file_perms;
> > allow userdomain $1:process sigchld;
> > +
> > + xserver_manage_xsession_log(userdomain)
> > ')
> >
> > ########################################
> > @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
> > allow unpriv_userdomain $1:fd use;
> > allow unpriv_userdomain $1:fifo_file rw_file_perms;
> > allow unpriv_userdomain $1:process sigchld;
> > +
> > + xserver_manage_xsession_log(unpriv_userdomain)
> > ')
> >
> > #######################################
>
> I think you misunderstood. The rule should be in xserver_role() and
> then only apply to $2 so only the specific xserver-using roles have access.

The reason I have moved the file transition to the xserver_role_restricted()
interface instead of to the xserver_role_template() interface is that the
xserver_role_template() interface calls xserver_role_restricted(). Restricted
X users should also be able to rw xsession log files, don't you think? I am
quite sure you would agree with me on this...

That said, I can only suspect you meant that I should also move the actual log
file management permission interface from userdomain to the xserver role
template... I am preparing a patch which also adds this latter change.

Regards,

Guido

2016-12-27 20:01:39

by guido

Subject: [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing management of the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses tighter permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

This fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 2 +
policy/modules/services/xserver.if | 65 +++++++++++++++++++++++++++++++++++--
2 files changed, 65 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc
b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-27 20:49:18.146188976 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
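Review bot: The added `HOME_DIR/\.xsession-errors` entry matches only that exact file name, while the neighbouring `\.xauth.*`, `\.serverauth.*` and `\.Xauthority.*` entries all take a `.*` suffix. If the session startup script rotates or suffixes the log (an assumption; the patch does not say), those copies would keep the generic user home content type and fall outside the new interfaces. Either use a suffix pattern such as `HOME_DIR/\.xsession-errors.*`, or state in the description that only the single file is meant to be covered. The named transition in `xserver_user_home_dir_filetrans_user_xsession_log` further down has the same exact-name scope.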
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)

#
# /usr
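Review bot: The `/tmp/xses-%{USERNAME}` entry only takes effect when the file is relabelled; nothing in the visible hunks adds a type transition for files created in /tmp, whereas the home-directory case gets `xserver_user_home_dir_filetrans_user_xsession_log`. A fallback log created at session start would therefore presumably receive the creating domain's default tmp type, and the `xsession_log_t` rules in `xserver_rw_xsession_log` and `xserver_manage_xsession_log` would not apply to it. Because /tmp is shared and the name is predictable from the user name, a comment next to the entry should say who creates this file and how it gets its label, e.g. `# fallback session log; labelled on relabel only, no tmp transition`.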
diff -pru a/policy/modules/services/xserver.if
b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if 2016-12-27 20:50:25.904039759 +0100
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)

+ # for the .xsession-errors log file
+ xserver_user_home_dir_filetrans_user_xsession_log($2)
+ xserver_manage_xsession_log($2)
+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
@@ -308,7 +312,7 @@ interface(`xserver_user_client',`

userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)

xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template

userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)

xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra

########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
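Review bot: The summary of `xserver_user_home_dir_filetrans_user_xsession_log` says "Create a .xsession-errors log file", but the body only calls `userdom_user_home_dir_filetrans`, so as far as the hunk shows it sets the type a newly created `.xsession-errors` receives. Permission to create a file of type `xsession_log_t` comes from `xserver_manage_xsession_log`, which `xserver_restricted_role` calls separately. I would word the summary as `## Create objects named .xsession-errors in the user home directory with the xsession log type.` so callers do not assume the interface is sufficient on its own. The hunk ends inside the doc header of the following interface.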
@@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran
')

########################################
+## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
## <summary>
## Get the attributes of X server logs.
## </summary>
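Review bot: `xserver_rw_xsession_log` grants `rw_file_perms`, and the earlier hunks call it from `xserver_user_client` and `xserver_user_x_domain_template`, so every domain using those interfaces can read what other clients wrote to the session log and overwrite existing content, where the replaced line was only a `dontaudit` on writes. For a log that clients normally reach through an inherited stderr descriptor, append access is likely enough. Consider an append-only variant for the client call sites, `allow $1 xsession_log_t:file append_file_perms;`, and keep `manage_file_perms` for the role that owns the file. The same definitions are reposted unchanged in the v6 patch further down.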

2016-12-28 18:26:00

by Chris PeBenito

Subject: [refpolicy] [PATCH v3 2/2] contrib: support the new interface to manage X session logs

On 12/22/16 10:15, Guido Trentalancia via refpolicy wrote:
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te 2016-12-22 16:03:10.938097722 +0100
> +++ b/policy/modules/contrib/xscreensaver.te 2016-12-22 16:03:21.182221508 +0100
> @@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
> userdom_use_user_terminals(xscreensaver_t)
> userdom_read_user_home_content_files(xscreensaver_t)
>
> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +optional_policy(`
> + xserver_rw_xsession_log(xscreensaver_t)
> + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +')
>
> ########################################
> #

I didn't notice this before, but why would xserver be optional for
xscreensaver?

--
Chris PeBenito

2016-12-28 18:32:13

by Chris PeBenito

Subject: [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs

On 12/27/16 15:01, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interface to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> The fourth version introduces the new template for
> username-dependent file contexts.
>
> This fifth version moves other interface calls thanks to
> further revisions from Christopher PeBenito (the corresponding
> contrib policy part remains unchanged at version 4).

I was going to merge this, but missed previously that xsession_log_t
isn't ever declared in this patch.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.fc | 2 +
> policy/modules/services/xserver.if | 65 +++++++++++++++++++++++++++++++++++--
> 2 files changed, 65 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc
> b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
> +++ b/policy/modules/services/xserver.fc 2016-12-27 20:49:18.146188976 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
> HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
> /tmp/\.X11-unix/.* -s <<none>>
> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
>
> #
> # /usr
> diff -pru a/policy/modules/services/xserver.if
> b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.if 2016-12-27 20:50:25.904039759 +0100
> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
> # Needed for escd, remove if we get escd policy
> xserver_manage_xdm_tmp_files($2)
>
> + # for the .xsession-errors log file
> + xserver_user_home_dir_filetrans_user_xsession_log($2)
> + xserver_manage_xsession_log($2)
> +
> # Client write xserver shm
> tunable_policy(`allow_write_xshm',`
> allow $2 xserver_t:shm rw_shm_perms;
> @@ -308,7 +312,7 @@ interface(`xserver_user_client',`
>
> userdom_search_user_home_dirs($1)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($1)
> + xserver_rw_xsession_log($1)
>
> xserver_ro_session($1,$2)
> xserver_use_user_fonts($1)
> @@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template
>
> userdom_search_user_home_dirs($2)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($2)
> + xserver_rw_xsession_log($2)
>
> xserver_ro_session($2,$3)
> xserver_use_user_fonts($2)
> @@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra
>
> ########################################
> ## <summary>
> +## Create a .xsession-errors log
> +## file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
> ## Read all users fonts, user font configurations,
> ## and manage all users font caches.
> ## </summary>
> @@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran
> ')
>
> ########################################
> +## <summary>
> +## Read and write xsession log
> +## files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage xsession log files such
> +## as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-28 19:02:20

by guido

Subject: [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs

Yes, thanks for telling me.

Apparently the small diff for xserver.te got lost while I was working on multiple development trees...

I'll forward a revised patch in a few minutes.

Regards,

Guido

On the 28th of December 2016 19:32:13 CET, Chris PeBenito <[email protected]> wrote:
>On 12/27/16 15:01, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and two new interface to manage
>> them (instead of allowing to manage the whole user home
>> content files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> The second version of the patch correctly uses file type
>> transitions and uses more tight permissions.
>>
>> The third version simply moves some interface calls.
>>
>> The fourth version introduces the new template for
>> username-dependent file contexts.
>>
>> This fifth version moves other interface calls thanks to
>> further revisions from Christopher PeBenito (the corresponding
>> contrib policy part remains unchanged at version 4).
>
>I was going to merge this, but missed previously that xsession_log_t
>isn't ever declared in this patch.
>
>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/services/xserver.fc | 2 +
>> policy/modules/services/xserver.if | 65
>+++++++++++++++++++++++++++++++++++--
>> 2 files changed, 65 insertions(+), 2 deletions(-)
>>
>> diff -pru a/policy/modules/services/xserver.fc
>> b/policy/modules/services/xserver.fc
>> --- a/policy/modules/services/xserver.fc 2016-12-04
>16:54:51.229586958 +0100
>> +++ b/policy/modules/services/xserver.fc 2016-12-27
>20:49:18.146188976 +0100
>> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
>> HOME_DIR/\.ICEauthority.*
>-- gen_context(system_u:object_r:iceauth_home_t,s0)
>>
>HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>>
>+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
>>
>HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>>
>> #
>> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
>> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
>> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
>> /tmp/\.X11-unix/.* -s <<none>>
>>
>+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
>>
>> #
>> # /usr
>> diff -pru a/policy/modules/services/xserver.if
>> b/policy/modules/services/xserver.if
>> --- a/policy/modules/services/xserver.if 2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.if 2016-12-27
>20:50:25.904039759 +0100
>> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
>> # Needed for escd, remove if we get escd policy
>> xserver_manage_xdm_tmp_files($2)
>>
>> + # for the .xsession-errors log file
>> + xserver_user_home_dir_filetrans_user_xsession_log($2)
>> + xserver_manage_xsession_log($2)
>> +
>> # Client write xserver shm
>> tunable_policy(`allow_write_xshm',`
>> allow $2 xserver_t:shm rw_shm_perms;
>> @@ -308,7 +312,7 @@ interface(`xserver_user_client',`
>>
>> userdom_search_user_home_dirs($1)
>> # for .xsession-errors
>> - userdom_dontaudit_write_user_home_content_files($1)
>> + xserver_rw_xsession_log($1)
>>
>> xserver_ro_session($1,$2)
>> xserver_use_user_fonts($1)
>> @@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template
>>
>> userdom_search_user_home_dirs($2)
>> # for .xsession-errors
>> - userdom_dontaudit_write_user_home_content_files($2)
>> + xserver_rw_xsession_log($2)
>>
>> xserver_ro_session($2,$3)
>> xserver_use_user_fonts($2)
>> @@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra
>>
>> ########################################
>> ## <summary>
>> +## Create a .xsession-errors log
>> +## file in the user home directory.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
>> + gen_require(`
>> + type xsession_log_t;
>> + ')
>> +
>> + userdom_user_home_dir_filetrans($1, xsession_log_t, file,
>".xsession-errors")
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Read all users fonts, user font configurations,
>> ## and manage all users font caches.
>> ## </summary>
>> @@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran
>> ')
>>
>> ########################################
>> +## <summary>
>> +## Read and write xsession log
>> +## files such as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`xserver_rw_xsession_log',`
>> + gen_require(`
>> + type xsession_log_t;
>> + ')
>> +
>> + allow $1 xsession_log_t:file rw_file_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Manage xsession log files such
>> +## as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`xserver_manage_xsession_log',`
>> + gen_require(`
>> + type xsession_log_t;
>> + ')
>> +
>> + allow $1 xsession_log_t:file manage_file_perms;
>> +')
>> +
>> +########################################
>> ## <summary>
>> ## Get the attributes of X server logs.
>> ## </summary>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>

2016-12-28 19:05:59

by guido

Subject: [refpolicy] [PATCH v3 2/2] contrib: support the new interface to manage X session logs

Hello.

There is no specific reason for not making xscreensaver explicitly depend on xserver, so it can surely be improved that way.

Regards,

Guido

Il 28 dicembre 2016 19:26:00 CET, Chris PeBenito <[email protected]> ha scritto:
>On 12/22/16 10:15, Guido Trentalancia via refpolicy wrote:
>> diff -pru a/policy/modules/contrib/xscreensaver.te
>b/policy/modules/contrib/xscreensaver.te
>> --- a/policy/modules/contrib/xscreensaver.te 2016-12-22
>16:03:10.938097722 +0100
>> +++ b/policy/modules/contrib/xscreensaver.te 2016-12-22
>16:03:21.182221508 +0100
>> @@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver
>> userdom_use_user_terminals(xscreensaver_t)
>> userdom_read_user_home_content_files(xscreensaver_t)
>>
>> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t,
>xscreensaver_tmpfs_t)
>> +optional_policy(`
>> + xserver_rw_xsession_log(xscreensaver_t)
>> + xserver_user_x_domain_template(xscreensaver, xscreensaver_t,
>xscreensaver_tmpfs_t)
>> +')
>>
>> ########################################
>> #
>
>I didn't notice this before, but why would xserver be optional for
>xscreensaver?

2016-12-28 19:43:23

by guido

Subject: [refpolicy] [PATCH v6 1/2] xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.

The corresponding base policy patch is at version 4.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 2 +
policy/modules/services/xserver.if | 65 +++++++++++++++++++++++++++++++++++--
policy/modules/services/xserver.te | 3 +
3 files changed, 68 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-28 20:24:50.195390393 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)

#
# /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-20 17:14:22.191440529 +0100
+++ b/policy/modules/services/xserver.if 2016-12-28 20:24:50.196390406 +0100
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)

+ # for the .xsession-errors log file
+ xserver_user_home_dir_filetrans_user_xsession_log($2)
+ xserver_manage_xsession_log($2)
+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
@@ -307,7 +311,7 @@ interface(`xserver_user_client',`

userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)

xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template

userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)

xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetra

########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
@@ -1000,6 +1023,44 @@ interface(`xserver_xsession_spec_domtran
')

########################################
+## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
## <summary>
## Get the attributes of X server logs.
## </summary>
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te 2016-12-28 20:29:17.898062418 +0100
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)

+type xsession_log_t;
+userdom_user_home_content(xsession_log_t)
+
# Type for the X server log file.
type xserver_log_t;
logging_log_file(xserver_log_t)
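Review bot: `xsession_log_t` is declared with `userdom_user_home_content` only, yet the xserver.fc part of this patch also assigns it to `/tmp/xses-%{USERNAME}`. If the /tmp fallback is meant to be supported, the type presumably also needs to be marked as a user temporary file, e.g. `userdom_user_tmp_file(xsession_log_t)`; otherwise that file context entry labels a /tmp object with a home-content-only type. The declaration that follows carries a comment (`# Type for the X server log file.`); a matching `# Type for the X session log file (.xsession-errors).` above the new type would keep the file consistent.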

2016-12-28 19:44:08

by guido

Subject: [refpolicy] [PATCH v4 2/2] contrib: support the new interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version adds the logging capability to the
openoffice module.

This fourth version explicitly makes xscreensaver dependent
on the xserver module.

The corresponding base policy patch is at version 6.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/gnome.te | 5 +++++
policy/modules/contrib/openoffice.te | 1 +
policy/modules/contrib/wm.te | 1 +
policy/modules/contrib/xscreensaver.te | 6 +++---
5 files changed, 11 insertions(+), 3 deletions(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2016-12-22 23:12:59.377081677 +0100
+++ b/policy/modules/contrib/dbus.te 2016-12-28 20:24:54.385446098 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
term_use_all_terms(session_bus_type)

optional_policy(`
+ xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
')
diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
--- a/policy/modules/contrib/gnome.te 2016-12-27 22:41:15.522602035 +0100
+++ b/policy/modules/contrib/gnome.te 2016-12-28 20:24:54.386446112 +0100
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
userdom_use_user_terminals(gnomedomain)

optional_policy(`
+ xserver_rw_xsession_log(gnomedomain)
xserver_rw_xdm_pipes(gnomedomain)
xserver_use_xdm_fds(gnomedomain)
')
@@ -145,3 +146,7 @@ optional_policy(`
optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
')
+
+optional_policy(`
+ xserver_rw_xsession_log(gkeyringd_domain)
+')
diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
--- a/policy/modules/contrib/openoffice.te 2016-12-27 22:41:15.522602035 +0100
+++ b/policy/modules/contrib/openoffice.te 2016-12-28 20:24:54.386446112 +0100
@@ -131,6 +131,7 @@ optional_policy(`
')

optional_policy(`
+ xserver_rw_xsession_log(ooffice_t)
xserver_read_user_iceauth(ooffice_t)
xserver_read_user_xauth(ooffice_t)
xserver_read_xdm_tmp_files(ooffice_t)
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2016-12-27 22:41:15.543602334 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-28 20:24:54.387446125 +0100
@@ -132,4 +132,5 @@ optional_policy(`

optional_policy(`
xserver_dbus_chat_xdm(wm_domain)
+ xserver_rw_xsession_log(wm_domain)
')
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te 2016-12-22 00:49:56.960049501 +0100
+++ b/policy/modules/contrib/xscreensaver.te 2016-12-28 20:32:01.742240850 +0100
@@ -58,6 +58,7 @@ miscfiles_read_localization(xscreensaver
userdom_use_user_terminals(xscreensaver_t)
userdom_read_user_home_content_files(xscreensaver_t)

+xserver_rw_xsession_log(xscreensaver_t)
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)

########################################
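Review bot: The added `xserver_rw_xsession_log(xscreensaver_t)` duplicates what the next line already provides: in the base patch (v6 1/2) `xserver_user_x_domain_template` calls `xserver_rw_xsession_log($2)`, and `xscreensaver_t` is passed as `$2` here. The explicit call can be dropped, leaving `xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)` as the single source of that access. Keeping the grant in one place makes it easier to tighten later for all X clients at once.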
@@ -86,6 +87,5 @@ fs_dontaudit_getattr_xattr_fs(xscreensav
miscfiles_read_fonts(xscreensaver_helper_t)
miscfiles_read_localization(xscreensaver_helper_t)

-optional_policy(`
- xserver_stream_connect(xscreensaver_helper_t)
-')
+xserver_rw_xsession_log(xscreensaver_helper_t)
+xserver_stream_connect(xscreensaver_helper_t)

2016-12-30 19:15:32

by Chris PeBenito

Subject: [refpolicy] [PATCH v6 1/2] xserver: introduce new fc and interface to manage X session logs

On 12/28/16 14:43, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> The fourth version introduces the new template for
> username-dependent file contexts.
>
> The fifth version moves other interface calls thanks to
> further revisions from Christopher PeBenito (the corresponding
> contrib policy part remains unchanged at version 4).
>
> This sixth version, adds the missing diff relative to the
> xserver.te policy file to declare the new xsession_log_t type.
>
> The corresponding base policy patch is at version 4.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.fc | 2 +
> policy/modules/services/xserver.if | 65 +++++++++++++++++++++++++++++++++++--
> policy/modules/services/xserver.te | 3 +
> 3 files changed, 68 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc 2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc 2016-12-28 20:24:50.195390393 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
> HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
> /tmp/\.X11-unix/.* -s <<none>>
> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
>
> #
> # /usr
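Review bot: The `/tmp/xses-%{USERNAME}` entry only labels the file when it is relabeled; the interfaces added in this patch define a named type transition for `.xsession-errors` in the home directory but none for the temporary directory. A log created in /tmp at session start would therefore presumably keep the creating domain's default tmp type, and domains that only hold `xserver_rw_xsession_log` would not reach it. Either a tmp-directory counterpart to `xserver_user_home_dir_filetrans_user_xsession_log` or a comment above the entry, e.g. `# labeled on relabel only; no type transition exists for this path`, would make the coverage explicit.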
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if 2016-12-20 17:14:22.191440529 +0100
> +++ b/policy/modules/services/xserver.if 2016-12-28 20:24:50.196390406 +0100
> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
> # Needed for escd, remove if we get escd policy
> xserver_manage_xdm_tmp_files($2)
>
> + # for the .xsession-errors log file
> + xserver_user_home_dir_filetrans_user_xsession_log($2)
> + xserver_manage_xsession_log($2)
> +
> # Client write xserver shm
> tunable_policy(`allow_write_xshm',`
> allow $2 xserver_t:shm rw_shm_perms;
> @@ -307,7 +311,7 @@ interface(`xserver_user_client',`
>
> userdom_search_user_home_dirs($1)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($1)
> + xserver_rw_xsession_log($1)
>
> xserver_ro_session($1,$2)
> xserver_use_user_fonts($1)
> @@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template
>
> userdom_search_user_home_dirs($2)
> # for .xsession-errors
> - userdom_dontaudit_write_user_home_content_files($2)
> + xserver_rw_xsession_log($2)
>
> xserver_ro_session($2,$3)
> xserver_use_user_fonts($2)
> @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
>
> ########################################
> ## <summary>
> +## Create a .xsession-errors log
> +## file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
> ## Read all users fonts, user font configurations,
> ## and manage all users font caches.
> ## </summary>
> @@ -1000,6 +1023,44 @@ interface(`xserver_xsession_spec_domtran
> ')
>
> ########################################
> +## <summary>
> +## Read and write xsession log
> +## files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage xsession log files such
> +## as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
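Review bot: `xserver_rw_xsession_log` grants `rw_file_perms`, so every caller can read and overwrite the session log, and the hunks at -307 and -469 hand that to every X client domain in place of the former dontaudit rule. Domains that only emit diagnostics do not need read access, and with read plus write one confined domain can see or alter what another logged. If the session script opens the log in append mode (not visible here), `allow $1 xsession_log_t:file append_file_perms;` would be enough; otherwise `write_file_perms` still drops read. The `<summary>` could also state that the file is shared by all X clients of the session.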
> diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te 2016-12-28 20:29:17.898062418 +0100
> @@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
> type xsession_exec_t;
> corecmd_executable_file(xsession_exec_t)
>
> +type xsession_log_t;
> +userdom_user_home_content(xsession_log_t)
> +
> # Type for the X server log file.
> type xserver_log_t;
> logging_log_file(xserver_log_t)
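Review bot: The new `type xsession_log_t;` declaration has no comment, unlike `xserver_log_t` right below it; a line such as `# Type for the per-user X session log (~/.xsession-errors, /tmp/xses-USER).` would match the file's style. It is also declared with `userdom_user_home_content`, while the xserver.fc hunk assigns the same type to a path under /tmp, so the comment should say that the attribute is applied to a file that may live outside the home directory.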

Merged.

--
Chris PeBenito

2016-12-30 19:15:44

by Chris PeBenito

Subject: [refpolicy] [PATCH v4 2/2] contrib: support the new interface to manage X session logs

On 12/28/16 14:44, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver, openoffice).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version adds the logging capability to the
> openoffice module.
>
> This fourth version explicitly makes xscreensaver dependent
> on the xserver module.
>
> The corresponding base policy patch is at version 6.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.te | 1 +
> policy/modules/contrib/gnome.te | 5 +++++
> policy/modules/contrib/openoffice.te | 1 +
> policy/modules/contrib/wm.te | 1 +
> policy/modules/contrib/xscreensaver.te | 6 +++---
> 5 files changed, 11 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
> --- a/policy/modules/contrib/dbus.te 2016-12-22 23:12:59.377081677 +0100
> +++ b/policy/modules/contrib/dbus.te 2016-12-28 20:24:54.385446098 +0100
> @@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus
> term_use_all_terms(session_bus_type)
>
> optional_policy(`
> + xserver_rw_xsession_log(session_bus_type)
> xserver_use_xdm_fds(session_bus_type)
> xserver_rw_xdm_pipes(session_bus_type)
> ')
> diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
> --- a/policy/modules/contrib/gnome.te 2016-12-27 22:41:15.522602035 +0100
> +++ b/policy/modules/contrib/gnome.te 2016-12-28 20:24:54.386446112 +0100
> @@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain)
> userdom_use_user_terminals(gnomedomain)
>
> optional_policy(`
> + xserver_rw_xsession_log(gnomedomain)
> xserver_rw_xdm_pipes(gnomedomain)
> xserver_use_xdm_fds(gnomedomain)
> ')
> @@ -145,3 +146,7 @@ optional_policy(`
> optional_policy(`
> telepathy_mission_control_read_state(gkeyringd_domain)
> ')
> +
> +optional_policy(`
> + xserver_rw_xsession_log(gkeyringd_domain)
> +')
> diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
> --- a/policy/modules/contrib/openoffice.te 2016-12-27 22:41:15.522602035 +0100
> +++ b/policy/modules/contrib/openoffice.te 2016-12-28 20:24:54.386446112 +0100
> @@ -131,6 +131,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xserver_rw_xsession_log(ooffice_t)
> xserver_read_user_iceauth(ooffice_t)
> xserver_read_user_xauth(ooffice_t)
> xserver_read_xdm_tmp_files(ooffice_t)
> diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
> --- a/policy/modules/contrib/wm.te 2016-12-27 22:41:15.543602334 +0100
> +++ b/policy/modules/contrib/wm.te 2016-12-28 20:24:54.387446125 +0100
> @@ -132,4 +132,5 @@ optional_policy(`
>
> optional_policy(`
> xserver_dbus_chat_xdm(wm_domain)
> + xserver_rw_xsession_log(wm_domain)
> ')
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te 2016-12-22 00:49:56.960049501 +0100
> +++ b/policy/modules/contrib/xscreensaver.te 2016-12-28 20:32:01.742240850 +0100
> @@ -58,6 +58,7 @@ miscfiles_read_localization(xscreensaver
> userdom_use_user_terminals(xscreensaver_t)
> userdom_read_user_home_content_files(xscreensaver_t)
>
> +xserver_rw_xsession_log(xscreensaver_t)
> xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
>
> ########################################
> @@ -86,6 +87,5 @@ fs_dontaudit_getattr_xattr_fs(xscreensav
> miscfiles_read_fonts(xscreensaver_helper_t)
> miscfiles_read_localization(xscreensaver_helper_t)
>
> -optional_policy(`
> - xserver_stream_connect(xscreensaver_helper_t)
> -')
> +xserver_rw_xsession_log(xscreensaver_helper_t)
> +xserver_stream_connect(xscreensaver_helper_t)

Merged.

--
Chris PeBenito