From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 21 Dec 2016 14:30:26 -0500
Subject: [refpolicy] [PATCH 1/2] xscreensaver: update the module so that
 it can be effectively used
In-Reply-To: <1482191278.21205.0.camel@trentalancia.net>
References: <1482191278.21205.0.camel@trentalancia.net>
Message-ID: <fad25439-d6eb-58ad-28ea-90d8b9a067a5@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/19/16 18:47, Guido Trentalancia via refpolicy wrote:
> This patch updates the xscreensaver module so that it can be
> effectively used.
>
> It should support most "hacks", in particular those that do
> not require the execution of external programs.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/xscreensaver.fc |    8 ++++-
>  policy/modules/contrib/xscreensaver.if |   10 +++++-
>  policy/modules/contrib/xscreensaver.te |   50 ++++++++++++++++++++++++++++++++-
>  3 files changed, 65 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
> --- a/policy/modules/contrib/xscreensaver.fc	2016-12-19 23:57:46.532943113 +0100
> +++ b/policy/modules/contrib/xscreensaver.fc	2016-12-20 00:05:58.587459582 +0100
> @@ -1 +1,7 @@
> -/usr/bin/xscreensaver	--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
> +HOME_DIR/\.xscreensaver		--	gen_context(system_u:object_r:xscreensaver_config_t,s0)
> +
> +/usr/bin/xscreensaver		--	gen_context(system_u:object_r:xscreensaver_exec_t,s0)
> +/usr/bin/xscreensaver-getimage.*	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> +/usr/bin/xscreensaver-gl-helper	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> +
> +/usr/libexec/xscreensaver(/.*)?	--	gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> diff -pru a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
> --- a/policy/modules/contrib/xscreensaver.if	2016-12-19 23:57:46.532943113 +0100
> +++ b/policy/modules/contrib/xscreensaver.if	2016-12-20 00:06:49.115214837 +0100
> @@ -18,16 +18,24 @@
>  interface(`xscreensaver_role',`
>  	gen_require(`
>  		attribute_role xscreensaver_roles;
> -		type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
> +		attribute_role xscreensaver_helper_roles;
> +		type xscreensaver_t, xscreensaver_exec_t;
> +		type xscreensaver_helper_t;
> +		type xscreensaver_config_t, xscreensaver_tmpfs_t;
>  	')
>
>  	roleattribute $1 xscreensaver_roles;
> +	roleattribute $1 xscreensaver_helper_roles;
>
>  	domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
>
>  	allow $2 xscreensaver_t:process { ptrace signal_perms };
>  	ps_process_pattern($2, xscreensaver_t)
>
> +	allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms };
> +
>  	allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
>  	allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
> +
> +	allow xscreensaver_helper_t $2:fd use;
>  ')
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te	2016-12-19 23:57:46.533943132 +0100
> +++ b/policy/modules/contrib/xscreensaver.te	2016-12-20 00:22:00.872463504 +0100
> @@ -6,12 +6,21 @@ policy_module(xscreensaver, 1.2.0)
>  #
>
>  attribute_role xscreensaver_roles;
> +attribute_role xscreensaver_helper_roles;
>
>  type xscreensaver_t;
>  type xscreensaver_exec_t;
>  userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
>  role xscreensaver_roles types xscreensaver_t;
>
> +type xscreensaver_helper_t;
> +type xscreensaver_helper_exec_t;
> +userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t)
> +role xscreensaver_helper_roles types xscreensaver_helper_t;
> +
> +type xscreensaver_config_t;
> +userdom_user_home_content(xscreensaver_config_t)
> +
>  type xscreensaver_tmpfs_t;
>  userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
>
> @@ -20,16 +29,25 @@ userdom_user_tmpfs_file(xscreensaver_tmp
>  # Local policy
>  #
>
> -allow xscreensaver_t self:process signal;
> +allow xscreensaver_t self:capability { setgid setuid };
> +allow xscreensaver_t self:process { setsched signal sigstop };
>  allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
>
> +allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
> +
> +allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
> +
>  kernel_read_system_state(xscreensaver_t)
>
>  files_read_usr_files(xscreensaver_t)
>
> +fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
> +
>  auth_use_nsswitch(xscreensaver_t)
>  auth_domtrans_chk_passwd(xscreensaver_t)
>
> +domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)
> +
>  init_read_utmp(xscreensaver_t)
>
>  logging_send_audit_msgs(xscreensaver_t)
> @@ -41,3 +59,33 @@ userdom_use_user_terminals(xscreensaver_
>  userdom_read_user_home_content_files(xscreensaver_t)
>
>  xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +
> +########################################
> +#
> +# Helper local policy
> +#
> +
> +allow xscreensaver_helper_t self:process { execmem signal };
> +allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
> +
> +allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
> +
> +dev_read_sysfs(xscreensaver_helper_t)
> +
> +kernel_read_system_state(xscreensaver_helper_t)
> +
> +files_dontaudit_search_home(xscreensaver_helper_t)
> +
> +# /etc/drirc
> +files_read_etc_files(xscreensaver_helper_t)
> +
> +files_read_usr_files(xscreensaver_helper_t)
> +
> +fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
> +
> +miscfiles_read_fonts(xscreensaver_helper_t)
> +miscfiles_read_localization(xscreensaver_helper_t)
> +
> +optional_policy(`
> +	xserver_stream_connect(xscreensaver_helper_t)
> +')

Merged.

-- 
Chris PeBenito