From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 21 Dec 2016 14:30:26 -0500
Subject: [refpolicy] [PATCH 1/2] xscreensaver: update the module so that it can be effectively used
In-Reply-To: <1482191278.21205.0.camel@trentalancia.net>
References: <1482191278.21205.0.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/19/16 18:47, Guido Trentalancia via refpolicy wrote:
> This patch updates the xscreensaver module so that it can be
> effectively used.
>
> It should support most "hacks", in particular those that do
> not require the execution of external programs.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/xscreensaver.fc | 8 ++++-
> policy/modules/contrib/xscreensaver.if | 10 +++++-
> policy/modules/contrib/xscreensaver.te | 50 ++++++++++++++++++++++++++++++++-
> 3 files changed, 65 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
> --- a/policy/modules/contrib/xscreensaver.fc 2016-12-19 23:57:46.532943113 +0100
> +++ b/policy/modules/contrib/xscreensaver.fc 2016-12-20 00:05:58.587459582 +0100
> @@ -1 +1,7 @@
> -/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
> +HOME_DIR/\.xscreensaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0)
> +
> +/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
> +/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> +/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> +
> +/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> diff -pru a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
> --- a/policy/modules/contrib/xscreensaver.if 2016-12-19 23:57:46.532943113 +0100
> +++ b/policy/modules/contrib/xscreensaver.if 2016-12-20 00:06:49.115214837 +0100
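Review bot: The helper entries at the end of the fc hunk cover `/usr/libexec/xscreensaver(/.*)?` only, so on a distribution that installs the hacks under `/usr/lib/xscreensaver` they would keep that tree's default label, the daemon's `domtrans_pattern` into `xscreensaver_helper_t` would never apply to them, and the hacks would simply fail to start. If that layout is meant to be supported, add `/usr/lib/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)` next to the libexec line. The `xscreensaver-getimage.*` entry is a prefix match; presumably that is intended so the getimage helper variants are covered too, and a short comment saying so would stop a later reader from tightening it.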
> @@ -18,16 +18,24 @@
> interface(`xscreensaver_role',`
> gen_require(`
> attribute_role xscreensaver_roles;
> - type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
> + attribute_role xscreensaver_helper_roles;
> + type xscreensaver_t, xscreensaver_exec_t;
> + type xscreensaver_helper_t;
> + type xscreensaver_config_t, xscreensaver_tmpfs_t;
> ')
>
> roleattribute $1 xscreensaver_roles;
> + roleattribute $1 xscreensaver_helper_roles;
>
> domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
>
> allow $2 xscreensaver_t:process { ptrace signal_perms };
> ps_process_pattern($2, xscreensaver_t)
>
> + allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms };
> +
> allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
> allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
> +
> + allow xscreensaver_helper_t $2:fd use;
> ')
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te 2016-12-19 23:57:46.533943132 +0100
> +++ b/policy/modules/contrib/xscreensaver.te 2016-12-20 00:22:00.872463504 +0100
> @@ -6,12 +6,21 @@ policy_module(xscreensaver, 1.2.0)
> #
>
> attribute_role xscreensaver_roles;
> +attribute_role xscreensaver_helper_roles;
>
> type xscreensaver_t;
> type xscreensaver_exec_t;
> userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
> role xscreensaver_roles types xscreensaver_t;
>
> +type xscreensaver_helper_t;
> +type xscreensaver_helper_exec_t;
> +userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t)
> +role xscreensaver_helper_roles types xscreensaver_helper_t;
> +
> +type xscreensaver_config_t;
> +userdom_user_home_content(xscreensaver_config_t)
> +
> type xscreensaver_tmpfs_t;
> userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
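Review bot: `xscreensaver_role` keeps `ptrace`/`signal_perms` and `ps_process_pattern` for `$2` on `xscreensaver_t` but adds nothing equivalent for the new `xscreensaver_helper_t`, even though the role is now attached to `xscreensaver_helper_roles`; the user can inspect and stop the daemon but not a hung hack the daemon spawned. If that asymmetry is not deliberate, the minimal fix is `allow $2 xscreensaver_helper_t:process signal_perms;` and `ps_process_pattern($2, xscreensaver_helper_t)` beside the existing `xscreensaver_t` lines, leaving `ptrace` out unless debugging hacks from the user role is actually wanted. The closing `allow xscreensaver_helper_t $2:fd use;` lets the hack domain use any descriptor inherited from the user domain; a one-line comment naming what is presumably inherited (the session's standard descriptors — confirm) would let the next reviewer judge whether it can be narrowed.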
>
> @@ -20,16 +29,25 @@ userdom_user_tmpfs_file(xscreensaver_tmp
> # Local policy
> #
>
> -allow xscreensaver_t self:process signal;
> +allow xscreensaver_t self:capability { setgid setuid };
> +allow xscreensaver_t self:process { setsched signal sigstop };
> allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
>
> +allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
> +
> +allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
> +
> kernel_read_system_state(xscreensaver_t)
>
> files_read_usr_files(xscreensaver_t)
>
> +fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
> +
> auth_use_nsswitch(xscreensaver_t)
> auth_domtrans_chk_passwd(xscreensaver_t)
>
> +domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)
> +
> init_read_utmp(xscreensaver_t)
>
> logging_send_audit_msgs(xscreensaver_t)
> @@ -41,3 +59,33 @@ userdom_use_user_terminals(xscreensaver_
> userdom_read_user_home_content_files(xscreensaver_t)
>
> xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +
> +########################################
> +#
> +# Helper local policy
> +#
> +
> +allow xscreensaver_helper_t self:process { execmem signal };
> +allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
> +
> +allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
> +
> +dev_read_sysfs(xscreensaver_helper_t)
> +
> +kernel_read_system_state(xscreensaver_helper_t)
> +
> +files_dontaudit_search_home(xscreensaver_helper_t)
> +
> +# /etc/drirc
> +files_read_etc_files(xscreensaver_helper_t)
> +
> +files_read_usr_files(xscreensaver_helper_t)
> +
> +fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
> +
> +miscfiles_read_fonts(xscreensaver_helper_t)
> +miscfiles_read_localization(xscreensaver_helper_t)
> +
> +optional_policy(`
> + xserver_stream_connect(xscreensaver_helper_t)
> +')

Merged.

-- 
Chris PeBenito
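Review bot: `allow xscreensaver_t self:capability { setgid setuid };` is the one rule in this hunk that takes the daemon beyond an ordinary user application, and it carries no explanation of which code path needs it; a domain holding these capabilities can change its own uid and gid, so the reason has to be visible to whoever audits the module later. Add a why-comment above the line, along the lines of `# setuid/setgid: [reason placeholder — e.g. privilege drop when installed setuid; confirm against the AVC that prompted it]`, and consider whether the grant can be dropped on builds that never run setuid. The new `sigstop` in `self:process` on the daemon also looks like it may be an audit2allow artifact: with hacks now in `xscreensaver_helper_t`, the next added line already grants `signal sigstop` on the helper domain, so it is worth confirming that the daemon really stops itself.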
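Review bot: `allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;` lets every screen hack create, write and delete the user's `~/.xscreensaver`, the file the daemon itself reads to decide what to run; the hacks are the part of this module that handle the least trusted input, so write access to the daemon's configuration runs against least privilege. Unless a specific helper is known to write that file, `read_file_perms` should be enough, and a helper that needs its own writable state would be better served by a separate type than by the daemon's config type. As far as I can see the rule is also hard to reach by path: the helper only gets `files_dontaudit_search_home`, with no `userdom_search_user_home_dirs(xscreensaver_helper_t)`, so it can only touch the file through an inherited descriptor — worth confirming which route is intended before keeping the rule. `self:process execmem` in the first allow line deserves a why-comment too, e.g. `# execmem: [reason placeholder — e.g. GL/Mesa JIT; confirm]`, since it disables the no-writable-executable-memory protection for the domain running the most exposed code.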