From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 21 Dec 2016 20:25:58 +0100
Subject: [refpolicy] [PATCH 1/2] xserver: introduce new fc and interface to manage X session logs
In-Reply-To: <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net> <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello!

Yes, you are right, I'll fix the patch as soon as possible. It is created by Xsession running as user_t.

Thanks for spotting this.

How about the other patch for xscreensaver?

Regards,

Guido

On 21 December 2016 20:17:07 CET, Chris PeBenito wrote:
>On 12/20/16 10:28, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and a new interface to manage them
>> (instead of allowing to manage the whole user home content
>> files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> Signed-off-by: Guido Trentalancia
>> --- >> policy/modules/services/xserver.fc | 2 ++ >> policy/modules/services/xserver.if | 23 +++++++++++++++++++++-- >> policy/modules/system/userdomain.if | 4 ++++ >> 3 files changed, 27 insertions(+), 2 deletions(-) >> >> diff -pru a/policy/modules/services/xserver.fc >b/policy/modules/services/xserver.fc >> --- a/policy/modules/services/xserver.fc 2016-12-04 >16:54:51.229586958 +0100 >> +++ b/policy/modules/services/xserver.fc 2016-12-20 >15:57:50.236936839 +0100 
>> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex >> HOME_DIR/\.ICEauthority.* >-- gen_context(system_u:object_r:iceauth_home_t,s0) >> >HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) >> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) >> >+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) >> >HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) >> >> # >> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s >> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) >> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) >> /tmp/\.X11-unix/.* -s <> >> +/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0) >> >> # >> # /usr >> diff -pru a/policy/modules/services/xserver.if >b/policy/modules/services/xserver.if >> --- a/policy/modules/services/xserver.if 2016-12-07 >13:39:08.670449307 +0100 >> +++ b/policy/modules/services/xserver.if 2016-12-20 >15:52:16.985406349 +0100 >> @@ -308,7 +308,7 @@ interface(`xserver_user_client',` >> >> userdom_search_user_home_dirs($1) >> # for .xsession-errors >> - userdom_dontaudit_write_user_home_content_files($1) >> + xserver_manage_xsession_log($1) >> >> xserver_ro_session($1,$2) >> xserver_use_user_fonts($1) >> @@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template >> >> userdom_search_user_home_dirs($2) >> # for .xsession-errors >> - userdom_dontaudit_write_user_home_content_files($2) >> + xserver_manage_xsession_log($2) >> >> xserver_ro_session($2,$3) >> xserver_use_user_fonts($2) > >Is the manage access really necessary? Doesn't it simply write/append? > >I don't think they need to delete the file. And if the file doesn't >exist, who is creating it? 
> > >> @@ -982,6 +982,25 @@ interface(`xserver_xsession_spec_domtran >> ') >> >> ######################################## >> +## >> +## Manage xsession log files such >> +## as .xsession-errors. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`xserver_manage_xsession_log',` >> + gen_require(` >> + type xsession_log_t; >> + ') >> + >> + allow $1 xsession_log_t:file manage_file_perms; >> +') >> + >> +######################################## >> ## >> ## Get the attributes of X server logs. >> ## >> diff -pru a/policy/modules/system/userdomain.if >b/policy/modules/system/userdomain.if >> --- a/policy/modules/system/userdomain.if 2016-12-17 >17:29:27.030224492 +0100 >> +++ b/policy/modules/system/userdomain.if 2016-12-20 >15:52:17.003406594 +0100 >> @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use >> allow userdomain $1:fd use; >> allow userdomain $1:fifo_file rw_file_perms; >> allow userdomain $1:process sigchld; >> + >> + xserver_manage_xsession_log(userdomain) >> ') >> >> ######################################## >> @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran >> allow unpriv_userdomain $1:fd use; >> allow unpriv_userdomain $1:fifo_file rw_file_perms; >> allow unpriv_userdomain $1:process sigchld; >> + >> + xserver_manage_xsession_log(unpriv_userdomain) >> ') >> >> #######################################
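
Review bot: The two entries added in the xserver.fc hunks label files as xsession_log_t, but the diffstat lists only xserver.fc, xserver.if and userdomain.if, so no declaration of that type is visible in this patch. Confirm that xserver.te already declares xsession_log_t as a file type, or add the declaration here. The home entry `HOME_DIR/\.xsession-errors` also matches only that exact name, while the neighbouring entries end in `.*`; if a rotated or suffixed copy can exist next to it, that copy would keep the generic user home label.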
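
Review bot: In the xserver.if hunks at -308 and -470, a `dontaudit` on write is replaced by `xserver_manage_xsession_log(...)`, which moves every X client domain from a silent denial to full manage access while the comment above the call still only says "for .xsession-errors". If the clients only write or append to the log, call an append-only (or write-only) interface here and keep create, rename and delete out of the client domains.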
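
Review bot: The new xserver_manage_xsession_log interface in the -982 hunk contains only `allow $1 xsession_log_t:file manage_file_perms;`, with no directory permissions and no type transition. The create permission it grants therefore does not make a newly created file under HOME_DIR or /tmp come out labelled xsession_log_t; it would take the default label for that directory until relabelled. Either add the file transition and directory access for the domain that actually creates the file, or reduce the interface to the append/write permissions that are needed and rename it to match.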
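
Review bot: In both userdomain.if hunks the added call passes `userdomain` or `unpriv_userdomain` rather than `$1`, so the rule has nothing to do with the caller of the interface and is emitted again for every caller. It belongs in a place that is expanded once for those attributes, not inside a spec_domtrans interface. Because the call goes from policy/modules/system to an interface in policy/modules/services, it should also sit inside an `optional_policy` block so the system module still builds without xserver.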