From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 21 Dec 2016 20:25:58 +0100
Subject: [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface
	to manage X session logs
In-Reply-To: <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net>
	<4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
Message-ID: <E7E7D87E-3867-41B3-A071-6746EF53FA2D@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello! 

Yes, you are right, I'll fix the patch as soon as possible. 

It is created by Xsession running as user_t.

Thanks for spotting this. 

How about the other patch for xscreensaver? 

Regards, 

Guido 

Il 21 dicembre 2016 20:17:07 CET, Chris PeBenito <pebenito@ieee.org> ha scritto:
>On 12/20/16 10:28, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and a new interface to manage them
>> (instead of allowing to manage the whole user home content
>> files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.fc  |    2 ++
>>  policy/modules/services/xserver.if  |   23 +++++++++++++++++++++--
>>  policy/modules/system/userdomain.if |    4 ++++
>>  3 files changed, 27 insertions(+), 2 deletions(-)
>>
>> diff -pru a/policy/modules/services/xserver.fc
>b/policy/modules/services/xserver.fc
>> --- a/policy/modules/services/xserver.fc	2016-12-04
>16:54:51.229586958 +0100
>> +++ b/policy/modules/services/xserver.fc	2016-12-20
>15:57:50.236936839 +0100
>> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>>  HOME_DIR/\.ICEauthority.*
>--	gen_context(system_u:object_r:iceauth_home_t,s0)
>> 
>HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>
>+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>> 
>HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>>
>>  #
>> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>>  /tmp/\.X11-unix/.*	-s	<<none>>
>> +/tmp/xses-USER		--	gen_context(system_u:object_r:xsession_log_t,s0)
>>
>>  #
>>  # /usr
>> diff -pru a/policy/modules/services/xserver.if
>b/policy/modules/services/xserver.if
>> --- a/policy/modules/services/xserver.if	2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.if	2016-12-20
>15:52:16.985406349 +0100
>> @@ -308,7 +308,7 @@ interface(`xserver_user_client',`
>>
>>  	userdom_search_user_home_dirs($1)
>>  	# for .xsession-errors
>> -	userdom_dontaudit_write_user_home_content_files($1)
>> +	xserver_manage_xsession_log($1)
>>
>>  	xserver_ro_session($1,$2)
>>  	xserver_use_user_fonts($1)
>> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
>>
>>  	userdom_search_user_home_dirs($2)
>>  	# for .xsession-errors
>> -	userdom_dontaudit_write_user_home_content_files($2)
>> +	xserver_manage_xsession_log($2)
>>
>>  	xserver_ro_session($2,$3)
>>  	xserver_use_user_fonts($2)
>
>Is the manage access really necessary?  Doesn't it simply write/append?
>
>I don't think they need to delete the file.  And if the file doesn't 
>exist, who is creating it?
>
>
>> @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran
>>  ')
>>
>>  ########################################
>> +## <summary>
>> +##	Manage xsession log files such
>> +##	as .xsession-errors.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xserver_manage_xsession_log',`
>> +	gen_require(`
>> +		type xsession_log_t;
>> +	')
>> +
>> +	allow $1 xsession_log_t:file manage_file_perms;
>> +')
>> +
>> +########################################
>>  ## <summary>
>>  ##	Get the attributes of X server logs.
>>  ## </summary>
>> diff -pru a/policy/modules/system/userdomain.if
>b/policy/modules/system/userdomain.if
>> --- a/policy/modules/system/userdomain.if	2016-12-17
>17:29:27.030224492 +0100
>> +++ b/policy/modules/system/userdomain.if	2016-12-20
>15:52:17.003406594 +0100
>> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
>>  	allow userdomain $1:fd use;
>>  	allow userdomain $1:fifo_file rw_file_perms;
>>  	allow userdomain $1:process sigchld;
>> +
>> +	xserver_manage_xsession_log(userdomain)
>>  ')
>>
>>  ########################################
>> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
>>  	allow unpriv_userdomain $1:fd use;
>>  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
>>  	allow unpriv_userdomain $1:process sigchld;
>> +
>> +	xserver_manage_xsession_log(unpriv_userdomain)
>>  ')
>>
>>  #######################################