From: dominick.grift@gmail.com (grift)
Date: Thu, 29 Nov 2012 15:48:55 +0100
Subject: [refpolicy] [PATCH 3/3] Implement X Desktop Group
In-Reply-To: <1354198592.20999.5.camel@localhost>
References: <1352116515-21046-1-git-send-email-dominick.grift@gmail.com>
 <1352116515-21046-4-git-send-email-dominick.grift@gmail.com>
 <1354194543.20999.3.camel@localhost>
 <50B76876.3010305@tresys.com>
 <1354198592.20999.5.camel@localhost>
Message-ID: <1354200535.20999.7.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2012-11-29 at 15:16 +0100, grift wrote:
> On Thu, 2012-11-29 at 08:51 -0500, Christopher J. PeBenito wrote:
> > On 11/29/12 08:09, grift wrote:
> > > Are we ready to make a decision yet with regard to the two outstanding
> > > issues?
> > >
> > > - best type names? (my preference user_data_home_t, user_config_home_t,
> > > user_cache_home_t)
> >
> > replace user with xdg, e.g. xdg_config_home_t.
> >
> > > - should we label ~/.local/share with the xdg data home type or ~/.local
> > > (my preference ~/.local/share)
> > >
> > > But I will go with whatever in the end
> >
> > Here's another option to consider:
> >
> > $HOME/.local -d gen_context(system_u:object_r:xdg_local_home_t,s0)
> > $HOME/.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
> >
> > and then treat xdg_local_home_t similar to user_home_dir_t and filetrans
> > everything under it. Then the named filetrans for ~/.local/share will work
> > right on top of any of the other random dirs that pop up under there.
>
> I understand your reasoning but I am not confident about the type name
> "xdg_local_home_t" and I am also not confident that this type should be
> declared in the xserver policy module
>
> how about we use local_home_t and declare it in the userdomain module?

Anyways I am fine with your solution.
It's not such a big deal. I will rewrite this patch with the improvements.

> > > On Mon, 2012-11-05 at 12:55 +0100, Dominick Grift wrote:
> > >> Creates 3 type attributes for xdg cache (~/.cache), config (~/.config)
> > >> and data (~/.local/share) user home content and assigns to
> > >> xserver_user_cache_home_content(), xserver_user_config_home_content()
> > >> and xserver_user_data_home_content() respectively
> > >>
> > >> Creates 3 types for generic xdg user cache, config and data home
> > >> content, assigns to them their respective type attributes and
> > >> classifies them user_home_content_type by calling xserver_user_cache,
> > >> config, data_home_content
> > >>
> > >> Create the various basic interfaces that will be needed:
> > >>
> > >> 1. xserver_create_generic_user_cache, config, data, home_dirs:
> > >> This will be used together with
> > >> xserver_user_home_(content|dir)_filetrans_cache, config,
> > >> data_home_content and allows the caller to create ~/.cache, ~/.config
> > >> and ~/.local/share directories. Each XDG aware program needs to be
> > >> able to create these.
> > >>
> > >> 2. xserver_read|manage_generic_user_cache, config, data_home_content:
> > >> By default content is created with a generic type and these broad
> > >> interfaces allow the caller to read or manage content with these
> > >> generic types
> > >>
> > >> 3. xserver_user_cache, config, data_home_content_filetrans:
> > >> Allows callers to create specified objects in these locations with a
> > >> private type
> > >>
> > >> Add file context specifications for ~/.cache(/.*)? (user_cache_home_t),
> > >> ~/.config(/.*)? (user_config_home_t) and ~/.local/share(/.*)?
> > >> (user_data_home_t)
> > >>
> > >> There is a little issue with user_data_home, this is content for
> > >> ~/.local/share and as per xdg specification "share" is the user data
> > >> root dir instead of ~/.local, that means that the type transition
> > >> happens on user home content instead of user home dir.
this makes it a > > >> bit more prone to error since all directories named share created by > > >> xserver_restricted_role callers in generic user home content > > >> directories will be created with user_data_home_t. We could consider > > >> using ~/.local instead > > >> > > >> Signed-off-by: Dominick Grift > > >> --- > > >> policy/modules/services/xserver.fc | 4 + > > >> policy/modules/services/xserver.if | 533 +++++++++++++++++++++++++++++++++++++ > > >> policy/modules/services/xserver.te | 14 + > > >> 3 files changed, 551 insertions(+) > > >> > > >> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc > > >> index 9393f65..e64ecb2 100644 > > >> --- a/policy/modules/services/xserver.fc > > >> +++ b/policy/modules/services/xserver.fc > > >> @@ -1,6 +1,10 @@ > > >> # > > >> # HOME_DIR > > >> # > > >> + > > >> +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:user_cache_home_t,s0) > > >> +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:user_config_home_t,s0) > > >> +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:user_data_home_t,s0) > > >> HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) > > >> HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) > > >> HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) > > >> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > > >> index 6bf0ecc..c4f7cb4 100644 > > >> --- a/policy/modules/services/xserver.if > > >> +++ b/policy/modules/services/xserver.if > > >> @@ -22,6 +22,7 @@ interface(`xserver_restricted_role',` > > >> type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > > >> type iceauth_t, iceauth_exec_t, iceauth_home_t; > > >> type xauth_t, xauth_exec_t, xauth_home_t; > > >> + type user_cache_home_t, user_config_home_t, user_data_home_t; > > >> ') > > >> > > >> role $1 types { xserver_t xauth_t iceauth_t }; 
> > >> @@ -34,6 +35,16 @@ interface(`xserver_restricted_role',` > > >> > > >> allow xserver_t $2:shm rw_shm_perms; > > >> > > >> + allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; > > >> + allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; > > >> + allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:file { manage_file_perms relabel_file_perms }; > > >> + allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; > > >> + allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; > > >> + > > >> + userdom_user_home_dir_filetrans($2, user_cache_home_t, dir, ".cache") > > >> + userdom_user_home_dir_filetrans($2, user_config_home_t, dir, ".config") > > >> + userdom_user_home_content_filetrans($2, user_data_home_t, dir, "share") > > >> + > > >> allow $2 user_fonts_t:dir list_dir_perms; > > >> allow $2 user_fonts_t:file read_file_perms; 
> > >> > > >> @@ -531,6 +542,72 @@ interface(`xserver_use_user_fonts',` > > >> > > >> ######################################## > > >> ## > > >> +## Make the specified type usable in a > > >> +## user cache home directory. > > >> +## > > >> +## > > >> +## > > >> +## Type to be used as a file in the > > >> +## user cache home directory. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_cache_home_content',` > > >> + gen_require(` > > >> + attribute xserver_user_cache_home_content_type; > > >> + ') > > >> + > > >> + typeattribute $1 xserver_user_cache_home_content_type; > > >> + > > >> + userdom_user_home_content($1) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Make the specified type usable in a > > >> +## user config home directory. > > >> +## > > >> +## > > >> +## > > >> +## Type to be used as a file in the > > >> +## user config home directory. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_config_home_content',` > > >> + gen_require(` > > >> + attribute xserver_user_config_home_content_type; > > >> + ') > > >> + > > >> + typeattribute $1 xserver_user_config_home_content_type; > > >> + > > >> + userdom_user_home_content($1) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Make the specified type usable in a > > >> +## user data home directory. > > >> +## > > >> +## > > >> +## > > >> +## Type to be used as a file in the > > >> +## user data home directory. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_data_home_content',` > > >> + gen_require(` > > >> + attribute xserver_user_data_home_content_type; > > >> + ') > > >> + > > >> + typeattribute $1 xserver_user_data_home_content_type; > > >> + > > >> + userdom_user_home_content($1) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> ## Transition to the Xauthority domain. > > >> ## > > >> ## 
> > >> @@ -1272,6 +1349,462 @@ interface(`xserver_manage_core_devices',` > > >> > > >> ######################################## > > >> ## > > >> +## Create generic user cache home > > >> +## content directories. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_create_generic_user_cache_home_content_dirs',` > > >> + gen_require(` > > >> + type user_cache_home_t; > > >> + ') > > >> + > > >> + allow $1 user_cache_home_t:dir create_dir_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Read generic user cache home content. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_read_generic_user_cache_home_content',` > > >> + gen_require(` > > >> + type user_cache_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + allow $1 user_cache_home_t:dir list_dir_perms; > > >> + allow $1 user_cache_home_t:file read_file_perms; > > >> + allow $1 user_cache_home_t:fifo_file read_fifo_file_perms; > > >> + allow $1 user_cache_home_t:lnk_file read_lnk_file_perms; > > >> + allow $1 user_cache_home_t:sock_file read_sock_file_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create, read, write, and delete > > >> +## generic user cache home content. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. 
> > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_manage_generic_user_cache_home_content',` > > >> + gen_require(` > > >> + type user_cache_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + allow $1 user_cache_home_t:dir manage_dir_perms; > > >> + allow $1 user_cache_home_t:file manage_file_perms; > > >> + allow $1 user_cache_home_t:fifo_file manage_fifo_file_perms; > > >> + allow $1 user_cache_home_t:lnk_file manage_lnk_file_perms; > > >> + allow $1 user_cache_home_t:sock_file manage_sock_file_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Search generic user cache home > > >> +## content directories. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_search_generic_user_cache_home_content',` > > >> + gen_require(` > > >> + type user_cache_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + allow $1 user_cache_home_t:dir search_dir_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create specified objects in generic > > >> +## user cache home content directories > > >> +## with a private type. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Private file type. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Class of the object being created. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## The name of the object being created. 
> > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_cache_home_content_filetrans',` > > >> + gen_require(` > > >> + type user_cache_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + filetrans_pattern($1, user_cache_home_t, $2, $3, $4) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create specified objects in user home > > >> +## directories with the generic user > > >> +## cache home content type. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Class of the object being created. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## The name of the object being created. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_home_dir_filetrans_user_cache_home_content',` > > >> + gen_require(` > > >> + type user_cache_home_t; > > >> + ') > > >> + > > >> + userdom_user_home_dir_filetrans($1, user_cache_home_t, $2, $3) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create generic user config home > > >> +## content directories. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_create_generic_user_config_home_content_dirs',` > > >> + gen_require(` > > >> + type user_config_home_t; > > >> + ') > > >> + > > >> + allow $1 user_config_home_t:dir create_dir_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Read generic user config home content. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. 
> > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_read_generic_user_config_home_content',` > > >> + gen_require(` > > >> + type user_config_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + allow $1 user_config_home_t:dir list_dir_perms; > > >> + allow $1 user_config_home_t:file read_file_perms; > > >> + allow $1 user_config_home_t:fifo_file read_fifo_file_perms; > > >> + allow $1 user_config_home_t:lnk_file read_lnk_file_perms; > > >> + allow $1 user_config_home_t:sock_file read_sock_file_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create, read, write, and delete > > >> +## generic user config home content. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_manage_generic_user_config_home_content',` > > >> + gen_require(` > > >> + type user_config_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + allow $1 user_config_home_t:dir manage_dir_perms; > > >> + allow $1 user_config_home_t:file manage_file_perms; > > >> + allow $1 user_config_home_t:fifo_file manage_fifo_file_perms; > > >> + allow $1 user_config_home_t:lnk_file manage_lnk_file_perms; > > >> + allow $1 user_config_home_t:sock_file manage_sock_file_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Search generic user config home > > >> +## content directories. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. 
> > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_search_generic_user_config_home_content',` > > >> + gen_require(` > > >> + type user_config_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + allow $1 user_config_home_t:dir search_dir_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create specified objects in generic > > >> +## user config home content directories > > >> +## with a private type. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Private file type. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Class of the object being created. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## The name of the object being created. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_config_home_content_filetrans',` > > >> + gen_require(` > > >> + type user_config_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_dirs($1) > > >> + filetrans_pattern($1, user_config_home_t, $2, $3, $4) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create specified objects in user home > > >> +## directories with the generic user > > >> +## config home content type. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Class of the object being created. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## The name of the object being created. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_home_dir_filetrans_user_config_home_content',` > > >> + gen_require(` > > >> + type user_config_home_t; > > >> + ') > > >> + > > >> + userdom_user_home_dir_filetrans($1, user_config_home_t, $2, $3) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create generic user data home > > >> +## content directories. 
> > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_create_generic_user_data_home_content_dirs',` > > >> + gen_require(` > > >> + type user_data_home_t; > > >> + ') > > >> + > > >> + allow $1 user_data_home_t:dir create_dir_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Read generic user data home content. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_read_generic_user_data_home_content',` > > >> + gen_require(` > > >> + type user_data_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_content($1) > > >> + allow $1 user_data_home_t:dir list_dir_perms; > > >> + allow $1 user_data_home_t:file read_file_perms; > > >> + allow $1 user_data_home_t:fifo_file read_fifo_file_perms; > > >> + allow $1 user_data_home_t:lnk_file read_lnk_file_perms; > > >> + allow $1 user_data_home_t:sock_file read_sock_file_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create, read, write, and delete > > >> +## generic user data home content. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_manage_generic_user_data_home_content',` > > >> + gen_require(` > > >> + type user_data_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_content($1) > > >> + allow $1 user_data_home_t:dir manage_dir_perms; > > >> + allow $1 user_data_home_t:file manage_file_perms; > > >> + allow $1 user_data_home_t:fifo_file manage_fifo_file_perms; > > >> + allow $1 user_data_home_t:lnk_file manage_lnk_file_perms; > > >> + allow $1 user_data_home_t:sock_file manage_sock_file_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Search generic user data home > > >> +## content directories. 
> > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_search_generic_user_data_home_content',` > > >> + gen_require(` > > >> + type user_data_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_content($1) > > >> + allow $1 user_data_home_t:dir search_dir_perms; > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create specified objects in generic > > >> +## user data home content directories > > >> +## with a private type. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Private file type. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Class of the object being created. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## The name of the object being created. > > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_data_home_content_filetrans',` > > >> + gen_require(` > > >> + type user_data_home_t; > > >> + ') > > >> + > > >> + userdom_search_user_home_content($1) > > >> + filetrans_pattern($1, user_data_home_t, $2, $3, $4) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> +## Create specified objects in user home > > >> +## content directories with the generic > > >> +## user data home content type. > > >> +## > > >> +## > > >> +## > > >> +## Domain allowed access. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## Class of the object being created. > > >> +## > > >> +## > > >> +## > > >> +## > > >> +## The name of the object being created. 
> > >> +## > > >> +## > > >> +# > > >> +interface(`xserver_user_home_content_filetrans_user_data_home_content',` > > >> + gen_require(` > > >> + type user_data_home_t; > > >> + ') > > >> + > > >> + userdom_user_home_content_filetrans($1, user_data_home_t, $2, $3) > > >> +') > > >> + > > >> +######################################## > > >> +## > > >> ## Interface to provide X object permissions on a given X server to > > >> ## an X client domain. Gives the domain complete control over the > > >> ## display. > > >> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > > >> index 9bc86a0..a42f9bc 100644 > > >> --- a/policy/modules/services/xserver.te > > >> +++ b/policy/modules/services/xserver.te > > >> @@ -49,6 +49,11 @@ gen_tunable(xserver_object_manager, false) > > >> > > >> attribute x_domain; > > >> > > >> +# X Desktop Group > > >> +attribute xserver_user_cache_home_content_type; > > >> +attribute xserver_user_config_home_content_type; > > >> +attribute xserver_user_data_home_content_type; > > >> + > > >> # X Events > > >> attribute xevent_type; > > >> attribute input_xevent_type; > > >> @@ -106,6 +111,15 @@ type remote_t; > > >> xserver_object_types_template(remote) > > >> xserver_common_x_domain_template(remote, remote_t) > > >> > > >> +type user_cache_home_t; > > >> +xserver_user_cache_home_content(user_cache_home_t) > > >> + > > >> +type user_config_home_t; > > >> +xserver_user_config_home_content(user_config_home_t) > > >> + > > >> +type user_data_home_t; > > >> +xserver_user_data_home_content(user_data_home_t) > > >> + > > >> type user_fonts_t; > > >> typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; > > >> typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; > > > > > > > > > _______________________________________________ > > > refpolicy mailing list > > > refpolicy at oss.tresys.com > > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > > > > >
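Review bot: In the xserver.fc hunk, nothing labels HOME_DIR/\.local itself, only HOME_DIR/\.local/share(/.*)?, so ~/.local stays generic user home content and the data type can only be reached by a name-based transition on "share" from that generic type, which is exactly the error-prone case the commit message describes. The $HOME/.local -d gen_context(system_u:object_r:xdg_local_home_t,s0) entry proposed earlier in the thread gives ~/.local its own type so the share transition can key on it; adding that entry (and, since the thread settled on the xdg prefix, renaming the other three specs to match) would close the gap.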
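Review bot: In the xserver_restricted_role hunk, userdom_user_home_content_filetrans($2, user_data_home_t, dir, "share") fires for every directory named share that the role's user domain creates under any generic user home content directory, not only under ~/.local, so an unpacked source tree or a plain mkdir ~/projects/share ends up labeled user_data_home_t. Keying the transition on a dedicated ~/.local type, as the $HOME/.local -d suggestion above does, instead of on generic home content avoids that. Separately, the manage and relabel allow rules are open-coded here while the new xserver_manage_generic_*_home_content interfaces grant the same manage permissions a few hundred lines later; calling those interfaces (plus a matching relabel interface, which the patch does not add) keeps the role in step with what other domains will use.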
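Review bot: In the hunk adding xserver_user_cache_home_content() and its config and data siblings, the parameter summaries say "Type to be used as a file in the user cache home directory", but the types passed in label whole subtrees (the generic types are applied with (/.*)? and the read and manage interfaces cover dir, file, fifo_file, lnk_file and sock_file), so "as home content" would describe the contract better; the interfaces also make no use of the attribute they populate beyond the typeattribute statement, which is worth stating in the summary so callers know what they gain over userdom_user_home_content($1) alone.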
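Review bot: In the hunk adding the read, manage, search and filetrans interfaces, the user_data_home_t variants call userdom_search_user_home_content($1) where the cache and config ones call userdom_search_user_home_dirs($1). That is forced by ~/.local being generic home content, but it means every domain that only needs to read ~/.local/share gets search on every user_home_t directory in the home tree, a wider grant than the cache and config readers receive; with a dedicated ~/.local type the data interfaces could grant search on that type only. Also, xserver_create_generic_user_*_home_content_dirs grant only dir create_dir_perms with no home search; the commit message says they are meant to be paired with the filetrans interfaces, so say so in the interface summary (or fold the two together) so a caller does not use them alone and hit a denial on the home directory.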
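Review bot: In the first xserver.te hunk, the three xserver_user_*_home_content_type attributes are declared and populated by the new interfaces, but no allow rule, filetrans_pattern or other statement in the patch references them, so they currently have no effect; either add the consumer (for example the role's manage rules or the read and manage interfaces written over the attribute, so private types declared through xserver_user_*_home_content() are covered) or leave the attributes out until one exists.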
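Review bot: In the second xserver.te hunk, the types are still named user_cache_home_t, user_config_home_t and user_data_home_t although the thread settled on the xdg prefix (e.g. xdg_config_home_t), and the doubt raised about declaring a ~/.local type in the xserver module applies to all three: ~/.cache, ~/.config and ~/.local/share are XDG base directories used by any program that honours the spec, not only X clients, so declaring them in userdomain (as suggested for local_home_t) keeps non-X modules from pulling in a dependency on xserver.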
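The labeling and transition behaviour the thread argues about, modelled in Python as an added example (this is not refpolicy code and not from the patch author): the three file-context specs from the patch beside the $HOME/.local -d alternative quoted in the thread, resolved with the anchored, last-match-wins lookup and the -d class filter that file-context lookups use, plus the named directory transitions each design would install. The HOME_DIR expansion /home/[^/]+, the user_home_t fallback for unmatched home content, the user_home_dir_t and user_home_t parent types behind the userdom filetrans interfaces, and the xdg_cache_home_t and xdg_config_home_t names in the alternative are assumptions made for the example.

```python
"""Added example: model of SELinux file-context labeling and named directory
transitions for the XDG home directories discussed in the thread.  Not
refpolicy code.  Assumptions are marked in comments."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the HOME_DIR / $HOME placeholder expands to this regex (real
# refpolicy builds generate it from the configured home directory roots).
HOME_RE = r"/home/[^/]+"
# Assumption: home content matched by no more specific spec is user_home_t.
FALLBACK = "user_home_t"

# The three specs the patch adds to xserver.fc, as written in the hunk.
PATCH_FC = r"""
HOME_DIR/\.cache(/.*)?        gen_context(system_u:object_r:user_cache_home_t,s0)
HOME_DIR/\.config(/.*)?       gen_context(system_u:object_r:user_config_home_t,s0)
HOME_DIR/\.local/share(/.*)?  gen_context(system_u:object_r:user_data_home_t,s0)
"""
# The alternative quoted in the thread (-d: directories only).  The dot in
# .local is unescaped there too; it still matches the literal name.
ALT_FC = r"""
$HOME/.local             -d  gen_context(system_u:object_r:xdg_local_home_t,s0)
$HOME/.local/share(/.*)?     gen_context(system_u:object_r:xdg_data_home_t,s0)
"""


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]  # "-d" dirs only, "--" regular files only, None: any
    type_: str


def parse_fc(text: str) -> list[Spec]:
    """Parse lines of the form PATH_REGEX [-d|--] gen_context(...)."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        path, ftype, ctx = (parts[0], None, parts[1]) if len(parts) == 2 else parts[:3]
        m = re.fullmatch(r"gen_context\(system_u:object_r:(\w+),s0\)", ctx)
        if m is None:
            raise ValueError(f"unrecognised context in: {line!r}")
        path = path.replace("HOME_DIR", HOME_RE).replace("$HOME", HOME_RE)
        specs.append(Spec(re.compile(path), ftype, m.group(1)))
    return specs


def label(specs: list[Spec], path: str, is_dir: bool) -> str:
    """Resolve a path as a file-context lookup does: regexes are anchored at
    both ends, specs restricted to another object class are skipped, and the
    last matching spec wins."""
    for spec in reversed(specs):
        if (spec.ftype == "-d" and not is_dir) or (spec.ftype == "--" and is_dir):
            continue
        if spec.regex.fullmatch(path):
            return spec.type_
    return FALLBACK


# Named dir transitions each design installs: (parent type, new name) -> type.
# Assumptions: userdom_user_home_dir_filetrans() keys on user_home_dir_t and
# userdom_user_home_content_filetrans() on user_home_t; the xdg_cache/config
# names in the alternative follow the thread's "replace user with xdg".
PATCH_RULES = {
    ("user_home_dir_t", ".cache"): "user_cache_home_t",
    ("user_home_dir_t", ".config"): "user_config_home_t",
    ("user_home_t", "share"): "user_data_home_t",
}
ALT_RULES = {
    ("user_home_dir_t", ".cache"): "xdg_cache_home_t",
    ("user_home_dir_t", ".config"): "xdg_config_home_t",
    ("user_home_dir_t", ".local"): "xdg_local_home_t",
    ("xdg_local_home_t", "share"): "xdg_data_home_t",
}


def created_dir_type(rules: dict, parent_type: str, name: str) -> str:
    """Type a new directory gets: the named transition if one matches, else
    the unnamed $HOME default (assumed user_home_t), else the parent's type."""
    if (parent_type, name) in rules:
        return rules[(parent_type, name)]
    return FALLBACK if parent_type == "user_home_dir_t" else parent_type


def mkdir_p(rules: dict, components: list[str]) -> list[str]:
    """Types assigned along `mkdir -p ~/a/b/...` starting from the home dir."""
    parent, types = "user_home_dir_t", []
    for name in components:
        parent = created_dir_type(rules, parent, name)
        types.append(parent)
    return types


if __name__ == "__main__":
    patch, alt = parse_fc(PATCH_FC), parse_fc(ALT_FC)
    for path, is_dir in [("/home/alice/.local", True),
                         ("/home/alice/.local/share/app/db", False)]:
        print(f"{path:34} patch={label(patch, path, is_dir):18} alt={label(alt, path, is_dir)}")
    for comps in (["projects", "share"], [".local", "share"]):
        print("mkdir -p ~/" + "/".join(comps), "patch:", mkdir_p(PATCH_RULES, comps),
              "alt:", mkdir_p(ALT_RULES, comps))
```

Under the patch's specs /home/alice/.local resolves to the fallback while /home/alice/.local/share/app/db gets user_data_home_t, and mkdir -p ~/projects/share lands the share directory on user_data_home_t because the transition keys on generic user_home_t; under the alternative the same mkdir stays user_home_t and only ~/.local/share, created beneath xdg_local_home_t, becomes xdg_data_home_t. The -d filter also shows why a regular file named .local would not pick up the directory type.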