From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 15 Sep 2009 09:23:25 -0400 Subject: [refpolicy] SELinux xscreensaver policy support In-Reply-To: <4AAA40E7.3000505@geomatys.fr> References: <4AAA40E7.3000505@geomatys.fr> Message-ID: <1253021005.7425.129.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2009-09-11 at 14:21 +0200, corentin.labbe wrote: > This a patch for adding xscreensaver policy. > > I think it need a specific policy because of the > auth_domtrans_chk_passwd. Merged. > > > > > > differences > between files > attachment > (0001-xscreensaver.patch) > > >From 26d2dab058753557ea6c61f4f837c8df1a07ea5e Mon Sep 17 00:00:00 2001 > From: LABBE Corentin > Date: Fri, 11 Sep 2009 14:08:47 +0200 > Subject: [PATCH] xscreensaver > > > Signed-off-by: LABBE Corentin > --- > policy/modules/apps/xscreensaver.fc | 1 + > policy/modules/apps/xscreensaver.if | 34 +++++++++++++++++++++++ > policy/modules/apps/xscreensaver.te | 52 +++++++++++++++++++++++++++++++++++ > 3 files changed, 87 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/apps/xscreensaver.fc > create mode 100644 policy/modules/apps/xscreensaver.if > create mode 100644 policy/modules/apps/xscreensaver.te > > diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc > new file mode 100644 > index 0000000..64cd5fc > --- /dev/null > +++ b/policy/modules/apps/xscreensaver.fc > @@ -0,0 +1 @@ > +/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) > diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if > new file mode 100644 > index 0000000..5a1c63c > --- /dev/null > +++ b/policy/modules/apps/xscreensaver.if 
> @@ -0,0 +1,34 @@ > +## xscreensaver policy interface > + > +######################################## > +## > +## Role access for xscreensaver > +## > +## > +## > +## Role allowed access > +## > +## > +## > +## > +## User domain for the role > +## > +## > +# > +interface(`xscreensaver_role',` > + gen_require(` > + type xscreensaver_t, xscreensaver_exec_t; > + ') > + > + role $1 types xscreensaver_t; > + > + domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) > + > + allow xscreensaver_t $2:fd use; > + > + # Allow the user domain to signal/ps. > + ps_process_pattern($2, xscreensaver_t) > + allow $2 xscreensaver_t:process signal_perms; > + allow xscreensaver_t $2:process sigchld; > + > +') > diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te > new file mode 100644 > index 0000000..f4f8b00 > --- /dev/null > +++ b/policy/modules/apps/xscreensaver.te 
> @@ -0,0 +1,52 @@ > +policy_module(xscreensaver, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type xscreensaver_t; > +type xscreensaver_exec_t; > +application_domain(xscreensaver_t, xscreensaver_exec_t) > + > +type xscreensaver_tmpfs_t; > +files_tmpfs_file(xscreensaver_tmpfs_t) > +ubac_constrained(xscreensaver_tmpfs_t) > + > +######################################## > +# > +# Local policy > +# > +auth_use_nsswitch(xscreensaver_t) > + > +logging_send_audit_msgs(xscreensaver_t) > +logging_send_syslog_msg(xscreensaver_t) > +miscfiles_read_localization(xscreensaver_t) > + > +allow xscreensaver_t self:fifo_file rw_fifo_file_perms; > +allow xscreensaver_t self:process signal; > + > +#access to .icons and ~/.xscreensaver > +userdom_read_user_home_content_files(xscreensaver_t) > + > +userdom_use_user_ptys(xscreensaver_t) > + > +files_read_usr_files(xscreensaver_t) > + > +auth_domtrans_chk_passwd(xscreensaver_t) > + > +#/var/run/utmp > +init_read_utmp(xscreensaver_t) > + > +######################################## > +# > +# X Serveur and co > +# > +xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) > + > +######################################## > +# > +# process, kernel and /proc /dev /sys > +# > + > +kernel_read_system_state(xscreensaver_t) > -- > 1.6.3.3 -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
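Review bot: in the xscreensaver.fc hunk only `/usr/bin/xscreensaver` is labeled `xscreensaver_exec_t`, so `xscreensaver-command` and `xscreensaver-demo` (if installed) keep running in the caller's user domain. That is the right split, since only the daemon needs the `auth_domtrans_chk_passwd` transition to verify the unlock password, but a one-line comment in the .fc stating that the helpers are deliberately left unlabeled would stop a later contributor from "completing" the file and handing the configuration tools the password-check path.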
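Review bot: in the xscreensaver.if hunk the documentation block above `interface(`xscreensaver_role',`` is a run of bare `##` lines around "Role access for xscreensaver", "Role allowed access" and "User domain for the role", with none of the `<summary>` / `<param name="...">` elements refpolicy's doc tooling parses. Either the tags were lost in transit or the file ships without them; in the latter case the generated interface documentation will carry no parameter descriptions. Suggested shape: `## <summary>Role access for xscreensaver</summary>`, `## <param name="role">` ... `## </param>`, and likewise for `domain`. The interface body itself looks right for a user application: `domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)`, `fd use` back to the user domain, and `signal_perms` plus `ps_process_pattern` so the user can still see and stop the locker.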
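Review bot: in the xscreensaver.te hunk the comment `#access to .icons and ~/.xscreensaver` sits over `userdom_read_user_home_content_files(xscreensaver_t)`, which grants read on every file of user home content type, not just those two paths; the comment should say what is actually granted, and if the maintainers want the locker kept away from the rest of the home directory a dedicated home content type is the way to narrow it. Two smaller points in the same hunk: the section header `# X Serveur and co` should read `# X Server and co`, and nothing here grants execute access to the screensaver hack programs the daemon launches once the saver activates, so unless that comes in through `xserver_user_x_domain_template` or another interface, expect execute denials for `xscreensaver_t` in the audit log and a blank screen rather than the configured hack. The `auth_domtrans_chk_passwd` and `logging_send_audit_msgs` pair is consistent with the commit message's reason for a separate domain: the unlock check runs in the password-checking domain and its PAM result is audited, rather than the whole user domain being allowed to do that.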