LinuxLists.cc - [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.

2017-12-06 14:38:49

Subject: [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.

Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e70046db..3a435abf 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`

########################################
## <summary>
+## Write to inherited xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_write_inherited_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file { append write };
+')
+
+
+########################################
+## <summary>
## Read and write xsession log
## files such as .xsession-errors.
## </summary>
@@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`

########################################
## <summary>
+## Write to inherited X server log
+## files like /var/log/lightdm/lightdm.log
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_write_inherited_log',`
+ gen_require(`
+ type xserver_log_t;
+ ')
+
+ allow $1 xserver_log_t:file { append write };
+')
+
+########################################
+## <summary>
## Get the attributes of X server logs.
## </summary>
## <param name="domain">
--
2.13.6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20171206/370dca14/attachment.html

2017-12-06 15:06:08

by Dac Override

[permalink] [raw]

Subject: [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.

On Wed, Dec 06, 2017 at 02:38:49PM +0000, David Sugar via refpolicy wrote:
> Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.
>
> Signed-off-by: Dave Sugar <[email protected]>

These are just suggestions, I will leave it up to others to make any final judgement but:

i would probably introduce a "write_inherited_file_perms" object permission set to "policy/support/obj_perm_sets.spt":

define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')

then use that to create:

########################################
## <summary>
## Write inherited xserver xsession log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_write_inherited_xsession_log_files',`
gen_require(`
type xsession_log_t;
')

allow $1 xsession_log_t:file write_inherited_file_perms;
')

and:

########################################
## <summary>
## Write inherited xserver log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_write_inherited_log_files',`
gen_require(`
type xserver_log_t;
')

allow $1 xserver_log_t:file write_inherited_file_perms;
')

> ---
> policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e70046db..3a435abf 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
>
> ########################################
> ## <summary>
> +## Write to inherited xsession log
> +## files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file { append write };
> +')
> +
> +
> +########################################
> +## <summary>
> ## Read and write xsession log
> ## files such as .xsession-errors.
> ## </summary>
> @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
>
> ########################################
> ## <summary>
> +## Write to inherited X server log
> +## files like /var/log/lightdm/lightdm.log
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_log',`
> + gen_require(`
> + type xserver_log_t;
> + ')
> +
> + allow $1 xserver_log_t:file { append write };
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
> ## <param name="domain">
> --
> 2.13.6

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171206/8c8335de/attachment.bin

2017-12-06 18:19:43

by Sugar, David

[permalink] [raw]

Subject: [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Wednesday, December 06, 2017 10:06 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1-v2] Create interfaces to write
> xserver log files.
>
> On Wed, Dec 06, 2017 at 02:38:49PM +0000, David Sugar via refpolicy
> wrote:
> > Add interfaces to grant write only access to inherited xserver_log_t
> and xsession_log_t files.
> >
> > Signed-off-by: Dave Sugar <[email protected]>
>
> These are just suggestions, I will leave it up to others to make any
> final judgement but:
>
> i would probably introduce a "write_inherited_file_perms" object
> permission set to "policy/support/obj_perm_sets.spt":
>
> define(`write_inherited_file_perms',`{ getattr write append lock ioctl
> }')
>
> then use that to create:
>
> ########################################
> ## <summary>
> ## Write inherited xserver xsession log files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`xserver_write_inherited_xsession_log_files',`
> gen_require(`
> type xsession_log_t;
> ')
>
> allow $1 xsession_log_t:file write_inherited_file_perms;
> ')
>
> and:
>
> ########################################
> ## <summary>
> ## Write inherited xserver log files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`xserver_write_inherited_log_files',`
> gen_require(`
> type xserver_log_t;
> ')
>
> allow $1 xserver_log_t:file write_inherited_file_perms;
> ')

Yes, this seems reasonable. I will resubmit this patch with that recommendation taken into account.

Thanks for the feedback.

> > ---
> > policy/modules/services/xserver.if | 39
> > ++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 39 insertions(+)
> >
> > diff --git a/policy/modules/services/xserver.if
> > b/policy/modules/services/xserver.if
> > index e70046db..3a435abf 100644
> > --- a/policy/modules/services/xserver.if
> > +++ b/policy/modules/services/xserver.if
> > @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
> >
> > ########################################
> > ## <summary>
> > +## Write to inherited xsession log
> > +## files such as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`xserver_write_inherited_xsession_log',`
> > + gen_require(`
> > + type xsession_log_t;
> > + ')
> > +
> > + allow $1 xsession_log_t:file { append write };
> > +')
> > +
> > +
> > +########################################
> > +## <summary>
> > ## Read and write xsession log
> > ## files such as .xsession-errors.
> > ## </summary>
> > @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
> >
> > ########################################
> > ## <summary>
> > +## Write to inherited X server log
> > +## files like /var/log/lightdm/lightdm.log ## </summary> ## <param
> > +name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`xserver_write_inherited_log',`
> > + gen_require(`
> > + type xserver_log_t;
> > + ')
> > +
> > + allow $1 xserver_log_t:file { append write };
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Get the attributes of X server logs.
> > ## </summary>
> > ## <param name="domain">
> > --
> > 2.13.6
>
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift