From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 20 Dec 2016 00:47:58 +0100
Subject: [refpolicy] [PATCH 1/2] xscreensaver: update the module so that it can be effectively used
Message-ID: <1482191278.21205.0.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch updates the xscreensaver module so that it can be effectively used. It should support most "hacks", in particular those that do not require the execution of external programs.

Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/xscreensaver.fc | 8 ++++-
policy/modules/contrib/xscreensaver.if | 10 +++++-
policy/modules/contrib/xscreensaver.te | 50 ++++++++++++++++++++++++++++++++-
3 files changed, 65 insertions(+), 3 deletions(-)
diff -pru a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
--- a/policy/modules/contrib/xscreensaver.fc 2016-12-19 23:57:46.532943113 +0100
+++ b/policy/modules/contrib/xscreensaver.fc 2016-12-20 00:05:58.587459582 +0100
@@ -1 +1,7 @@
-/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+HOME_DIR/\.xscreensaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0)
+
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+
+/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
diff -pru a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
--- a/policy/modules/contrib/xscreensaver.if 2016-12-19 23:57:46.532943113 +0100
+++ b/policy/modules/contrib/xscreensaver.if 2016-12-20 00:06:49.115214837 +0100
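Review bot: Only `/usr/libexec/xscreensaver(/.*)?` is labelled xscreensaver_helper_exec_t, so on distributions that install the hacks elsewhere (Debian uses /usr/lib/xscreensaver, if I recall correctly) they would stay bin_t and either be denied or run inside xscreensaver_t itself, bypassing the helper domain transition this patch introduces. Consider adding `/usr/lib/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)` next to the libexec entry. A short comment above the helper entries saying that these are the display "hacks" and their image/GL helpers would also help the next reader of the .fc file.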
@@ -18,16 +18,24 @@ interface(`xscreensaver_role',` gen_require(` attribute_role xscreensaver_roles; - type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t; + attribute_role xscreensaver_helper_roles; + type xscreensaver_t, xscreensaver_exec_t; + type xscreensaver_helper_t; + type xscreensaver_config_t, xscreensaver_tmpfs_t; ') roleattribute $1 xscreensaver_roles; + roleattribute $1 xscreensaver_helper_roles; domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) allow $2 xscreensaver_t:process { ptrace signal_perms }; ps_process_pattern($2, xscreensaver_t) + allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms }; + allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms }; + + allow xscreensaver_helper_t $2:fd use; ') diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te --- a/policy/modules/contrib/xscreensaver.te 2016-12-19 23:57:46.533943132 +0100 +++ b/policy/modules/contrib/xscreensaver.te 2016-12-20 00:22:00.872463504 +0100 @@ -6,12 +6,21 @@ policy_module(xscreensaver, 1.2.0) # attribute_role xscreensaver_roles; +attribute_role xscreensaver_helper_roles; type xscreensaver_t; type xscreensaver_exec_t; userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t) role xscreensaver_roles types xscreensaver_t; +type xscreensaver_helper_t; +type xscreensaver_helper_exec_t; +userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t) +role xscreensaver_helper_roles types xscreensaver_helper_t; + +type xscreensaver_config_t; +userdom_user_home_content(xscreensaver_config_t) + type xscreensaver_tmpfs_t; userdom_user_tmpfs_file(xscreensaver_tmpfs_t) 
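Review bot: The role interface lets the caller's domain signal, ptrace and ps the xscreensaver_t process but grants nothing equivalent for the new xscreensaver_helper_t, so a user cannot inspect or kill a misbehaving hack running in their own session; the only helper rule added here is `allow xscreensaver_helper_t $2:fd use;`. Consider adding `allow $2 xscreensaver_helper_t:process { ptrace signal_perms };` and `ps_process_pattern($2, xscreensaver_helper_t)` after the existing ps_process_pattern line. The interface's opening line and its summary comment lie above the hunk and should mention that the role now also covers the helper domain.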
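Review bot: The module gains new types, a new role attribute and an extended interface, yet the version shown in the hunk context, `policy_module(xscreensaver, 1.2.0)`, is not bumped; as far as I know refpolicy convention is to increment it on every change so downstream builds can detect the update, and something like `policy_module(xscreensaver, 1.3.0)` seems appropriate for an interface change. The helper domain is declared with userdom_user_application_domain exactly like the main domain, so it inherits the same user-application attributes; a one-line comment above `type xscreensaver_helper_t;` saying that this domain confines the display "hacks" and their helpers would let a reader who sees only this file understand why a second domain exists.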
@@ -20,16 +29,25 @@ userdom_user_tmpfs_file(xscreensaver_tmp # Local policy # -allow xscreensaver_t self:process signal; +allow xscreensaver_t self:capability { setgid setuid }; +allow xscreensaver_t self:process { setsched signal sigstop }; allow xscreensaver_t self:fifo_file rw_fifo_file_perms; +allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop }; + +allow xscreensaver_t xscreensaver_config_t:file manage_file_perms; + kernel_read_system_state(xscreensaver_t) files_read_usr_files(xscreensaver_t) +fs_dontaudit_getattr_xattr_fs(xscreensaver_t) + auth_use_nsswitch(xscreensaver_t) auth_domtrans_chk_passwd(xscreensaver_t) +domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t) + init_read_utmp(xscreensaver_t) logging_send_audit_msgs(xscreensaver_t) @@ -41,3 +59,33 @@ userdom_use_user_terminals(xscreensaver_ userdom_read_user_home_content_files(xscreensaver_t) xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) + +######################################## +# +# Helper local policy +# + +allow xscreensaver_helper_t self:process { execmem signal }; +allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms; + +allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms; + +dev_read_sysfs(xscreensaver_helper_t) + +kernel_read_system_state(xscreensaver_helper_t) + +files_dontaudit_search_home(xscreensaver_helper_t) + +# /etc/drirc +files_read_etc_files(xscreensaver_helper_t) + +files_read_usr_files(xscreensaver_helper_t) + +fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t) + +miscfiles_read_fonts(xscreensaver_helper_t) +miscfiles_read_localization(xscreensaver_helper_t) + +optional_policy(` + xserver_stream_connect(xscreensaver_helper_t) +')
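Review bot: `allow xscreensaver_t self:capability { setgid setuid };` grants privilege-changing capabilities to a user application domain without a comment saying why they are needed; they only matter if the xscreensaver binary is installed setuid (presumably to drop root after reading shadow data, confirm), and since the domain already uses `auth_domtrans_chk_passwd` for password checks it may be possible to dontaudit them instead. Add a why-comment above the line, e.g. `# privilege drop when installed setuid root`, or replace the allow with `dontaudit xscreensaver_t self:capability { setgid setuid };` if the supported installation does not use setuid. The `setsched` added to the process rule looks like niceness adjustment of the hacks and deserves the same one-line explanation.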
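Review bot: `allow xscreensaver_helper_t self:process { execmem signal };` hands writable-and-executable memory to the domain that runs every installed hack, and it arrives without a comment explaining which component needs it (a GL driver, presumably — confirm); execmem weakens the W^X guarantee for the largest surface this module confines, so it deserves a why-comment and, if only some helpers need it, a narrower grant. Likewise `allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;` lets the hacks rewrite the user's ~/.xscreensaver, whereas reading the settings should need only `read_file_perms`, unless a specific helper is known to write that file. The `optional_policy` block grants only `xserver_stream_connect`, so if the X server's SELinux object manager is enforcing the hacks may still be denied access to the screensaver window's drawables; the main domain uses xserver_user_x_domain_template for this, and it is worth checking whether the helper needs the same.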