From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 20 Dec 2016 16:28:43 +0100 Subject: [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs Message-ID: <1482247723.12013.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch (split in two parts, one for base and another one for contrib) introduces a new file context for the X session log files and a new interface to manage them (instead of allowing to manage the whole user home content files). It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver). Signed-off-by: Guido Trentalancia --- policy/modules/services/xserver.fc | 2 ++ policy/modules/services/xserver.if | 23 +++++++++++++++++++++-- policy/modules/system/userdomain.if | 4 ++++ 3 files changed, 27 insertions(+), 2 deletions(-) diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100 +++ b/policy/modules/services/xserver.fc 2016-12-20 15:57:50.236936839 +0100 @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> +/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0) # # /usr diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if 
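Review bot: The type `xsession_log_t` assigned by both new file-context entries is not declared anywhere in this patch; the diffstat touches only the .fc and .if files, so unless the module's .te file already declares it, the policy will not build. File contexts also take effect only on relabel. If `~/.xsession-errors` and `/tmp/xses-USER` are recreated at login, the domain that creates them needs a type transition (for example through `userdom_user_home_dir_filetrans` and `files_tmp_filetrans`); otherwise the new file keeps the default home or tmp label and the allow rules added in the .if files never match. This applies equally to the `/tmp/xses-USER` entry in the second hunk, where the file lives in a directory shared by all users.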
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 +++ b/policy/modules/services/xserver.if 2016-12-20 15:52:16.985406349 +0100 @@ -308,7 +308,7 @@ interface(`xserver_user_client',` userdom_search_user_home_dirs($1) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1) + xserver_manage_xsession_log($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template userdom_search_user_home_dirs($2) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) + xserver_manage_xsession_log($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran ') ######################################## +## +## Manage xsession log files such +## as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file manage_file_perms; +') + +######################################## ## ## Get the attributes of X server logs. ## diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100 +++ b/policy/modules/system/userdomain.if 2016-12-20 15:52:17.003406594 +0100 @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use allow userdomain $1:fd use; allow userdomain $1:fifo_file rw_file_perms; allow userdomain $1:process sigchld; + + xserver_manage_xsession_log(userdomain) ') ######################################## @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; + + xserver_manage_xsession_log(unpriv_userdomain) ') #######################################
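Review bot: `xserver_manage_xsession_log($1)` in `xserver_user_client` moves every X client domain from a silently denied write to `manage_file_perms` on the session log, as defined by the interface added further down in this file, which covers create, unlink, rename and setattr as well as write. A client that only sends its stderr to an already existing log needs much less, and with manage any confined X client can truncate or delete a log that other session components rely on. Consider a narrower client interface built on `allow $1 xsession_log_t:file append_file_perms;`, leaving manage to the domain that starts the session. The same substitution is made in `xserver_user_x_domain_template` in the next hunk; both bodies extend beyond the hunks shown.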
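Review bot: The summary of the new `xserver_manage_xsession_log` interface names only `.xsession-errors`, although the file contexts in this patch give `/tmp/xses-USER` the same type, and it does not say that the grant covers the `file` class only. I would word it as `Create, read, write and delete X session log files (~/.xsession-errors, /tmp/xses-USER).` and add a line stating that callers need their own access to the containing directory. As rendered here the comment block shows no summary or param markup, which may only be an artefact of how the mail was archived.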
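Review bot: `xserver_manage_xsession_log(userdomain)` does not reference `$1`, yet it is added inside the body of the interface the hunk header shows as `userdom_spec_domtrans_all_use…` (the interface opens above the hunk). The rule is therefore re-emitted for every caller and grants all user domains manage access to the session log as a side effect of an unrelated domain-transition interface. It also makes userdomain call into the xserver module unconditionally. A rule on the attribute belongs in a .te file, wrapped in `optional_policy` if it stays on the userdomain side, where the grant is visible to someone auditing what user domains can do. The last hunk does the same with `xserver_manage_xsession_log(unpriv_userdomain)`, which looks redundant if `unpriv_userdomain` is a subset of `userdomain`.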