From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 4 Dec 2016 10:52:22 -0500 Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions In-Reply-To: <1480686247.12925.1.camel@trentalancia.net> References: <1480604438.3101.0.camel@trentalancia.net> <1480686247.12925.1.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote: > Remove unneeded permissions to read user content from the > xserver module (xserver and xdm domains). Merged, though I had to mangle the patch a little, as v1 of this patch was already merged. > Signed-off-by: Guido Trentalancia > --- > policy/modules/services/xserver.fc | 1 + > policy/modules/services/xserver.if | 19 +++++++++++++++++++ > policy/modules/services/xserver.te | 15 +++++++-------- > 3 files changed, 27 insertions(+), 8 deletions(-) > > diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.fc refpolicy-git-25112016/policy/modules/services/xserver.fc > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.fc 2016-08-14 22:10:42.751848845 +0200 > +++ refpolicy-git-25112016/policy/modules/services/xserver.fc 2016-12-02 13:51:29.831384654 +0100 > @@ -1,6 +1,7 @@ > # > # HOME_DIR > # > +HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0) > HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) > HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) > HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) > diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-02 14:16:59.538175791 +0100 > +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-02 13:52:42.491965282 +0100 
> @@ -621,6 +621,25 @@ interface(`xserver_read_user_iceauth',` > > ######################################## > ## > +## Read all users .dmrc. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_read_user_dmrc',` > + gen_require(` > + type dmrc_home_t; > + ') > + > + allow $1 dmrc_home_t:file read_file_perms; > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > ## Set the attributes of the X windows console named pipes. > ## > ## > diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.te refpolicy-git-25112016/policy/modules/services/xserver.te > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29 16:29:13.454156211 +0200 > +++ refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02 14:38:12.002579001 +0100 > @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t) > type xserver_log_t; > logging_log_file(xserver_log_t) > > +type dmrc_home_t; > +userdom_user_home_content(dmrc_home_t) > + > ifdef(`enable_mcs',` > init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) > init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) > @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t) > > userdom_dontaudit_use_unpriv_user_fds(xdm_t) > userdom_create_all_users_keys(xdm_t) > -# for .dmrc > -userdom_read_user_home_content_files(xdm_t) > # Search /proc for any user domain processes. > userdom_read_all_users_state(xdm_t) > userdom_signal_all_users(xdm_t) > > +# for .dmrc: this was used by the Gnome Display Manager (gdm) > +# and it is now obsolete in Gnome3 > +xserver_read_user_dmrc(xdm_t) > + > xserver_rw_session(xdm_t, xdm_tmpfs_t) > xserver_unconfined(xdm_t) 
> > @@ -843,12 +848,6 @@ corenet_tcp_bind_vnc_port(xserver_t) > > init_use_fds(xserver_t) > > -# FIXME: After per user fonts are properly working > -# xserver_t may no longer have any reason > -# to read ROLE_home_t - examine this in more detail > -# (xauth?) > -userdom_read_user_home_content_files(xserver_t) > - > tunable_policy(`use_nfs_home_dirs',` > fs_manage_nfs_dirs(xserver_t) > fs_manage_nfs_files(xserver_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
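Review bot: the new HOME_DIR/\.dmrc entry in the xserver.fc hunk only takes effect once home directories are relabeled; an existing .dmrc keeps its old user home content label until restorecon is run, and because the xserver.te hunk at -467 drops userdom_read_user_home_content_files(xdm_t) in the same patch, xdm_t loses the read access it had on such systems. Worth stating the relabel requirement in the commit message or changelog so the regression on upgrade is expected rather than surprising.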
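Review bot: the summary line of the new xserver_read_user_dmrc interface in the xserver.if hunk reads "Read all users .dmrc." and is missing the possessive; "Read all users' .dmrc files." matches the wording style used for the rest of the interface summaries. The body itself is consistent with the other read interfaces in this file (read_file_perms on the type plus userdom_search_user_home_dirs($1) so the caller can traverse to the file), so no change needed there.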
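Review bot: the comment added above xserver_read_user_dmrc(xdm_t) in the -467 hunk of xserver.te says the .dmrc access was used by gdm and is now obsolete in Gnome3, yet the patch still grants it; either drop the call or reword the comment to say why the access is kept (other display managers, older gdm). Two follow-ups on the same hunk: the interface grants read_file_perms only, so a display manager that still records the chosen session in ~/.dmrc will be denied the write under the new label, and the commit message should say whether write was checked; and refpolicy style is to write direct rules for a module's own types in its .te rather than calling the module's own interface, so
    allow xdm_t dmrc_home_t:file read_file_perms;
next to the existing userdom calls would avoid the self-call while keeping xserver_read_user_dmrc() available for other modules.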
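Review bot: the removed FIXME in the -843 hunk of xserver.te left open whether xserver_t still needs user home content for xauth, and the hunk drops userdom_read_user_home_content_files(xserver_t) without recording how that question was settled. Add a sentence to the commit message stating whether Xauthority files under home directories now carry their own type and are reached through a dedicated interface (the xserver_read_user_iceauth context line in the xserver.if hunk shows that pattern for ICE authority files), so that a later xauth denial is recognisable as a regression of this change rather than a pre-existing gap.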