From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 22 Dec 2016 00:05:11 +0100
Subject: [refpolicy] [PATCH v2 1/2] xserver: introduce new fc and interface to manage X session logs
In-Reply-To: <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net> <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
Message-ID: <1482361511.9387.2.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch (split in two parts, one for base and another one for contrib) introduces a new file context for the X session log files and two new interface to manage them (instead of allowing to manage the whole user home content files). It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver). This second version of the patch correctly uses file type transitions and uses more tight permissions.

Signed-off-by: Guido Trentalancia
---
 policy/modules/services/xserver.fc | 2 +
 policy/modules/services/xserver.if | 61 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/userdomain.if | 4 ++
 policy/modules/system/userdomain.te | 5 ++
 4 files changed, 70 insertions(+), 2 deletions(-)
diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
--- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100
+++ b/policy/modules/services/xserver.fc 2016-12-21 23:00:47.701952737 +0100
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex
 HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
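Review bot: `xsession_log_t` is labelled here and required by every `gen_require` in this series, but none of the four files in the diffstat declares the type, and the cover letter says part 2 touches only contrib; unless xserver.te already carries `type xsession_log_t;` together with `userdom_user_home_content(xsession_log_t)` (and `files_tmp_file(xsession_log_t)` for the /tmp entry), the base policy will not build and the home-dir transition added later in the series will not land on a type that is treated as user home content. A declaration hunk for xserver.te belongs in this base part of the series. Because the one type will carry every user's ~/.xsession-errors and /tmp/xses-* file, it should also be `ubac_constrained` like the user types in userdomain.te so that separation between users does not rest on DAC alone.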
@@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
 /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.* -s <>
+/tmp/xses-USER -- gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
--- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.if 2016-12-21 23:38:56.279462999 +0100
@@ -308,7 +308,7 @@ interface(`xserver_user_client',`
 userdom_search_user_home_dirs($1)
 
 # for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)
 
 xserver_ro_session($1,$2)
 xserver_use_user_fonts($1)
@@ -470,7 +470,7 @@ template(`xserver_user_x_domain_template
 userdom_search_user_home_dirs($2)
 
 # for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)
 
 xserver_ro_session($2,$3)
 xserver_use_user_fonts($2)
@@ -567,6 +567,25 @@ interface(`xserver_user_home_dir_filetra
 
 ########################################
 ##
+## Create a .xsession-errors log
+## file in the user home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+##
 ## Read all users fonts, user font configurations,
 ## and manage all users font caches.
 ##
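Review bot: The `/tmp/xses-USER` entry only takes effect on a relabel: the series adds a type transition for the home-dir file (`xserver_user_home_dir_filetrans_user_xsession_log`) but none for /tmp, so a freshly created xses-* file would keep whatever tmp type the creating domain already transitions to, and the `xserver_rw_xsession_log` access substituted into `xserver_user_client` and `xserver_user_x_domain_template` would not reach it. A per-user filename cannot be matched by a named file transition, so either the creating domain (presumably the display manager's session wrapper) needs its own transition to `xsession_log_t`, or this entry should be dropped or documented as relabel-only. In the two xserver.if hunks, `rw_file_perms` deliberately omits `create`, so the retained comment `# for .xsession-errors` would be more useful as `# rw .xsession-errors; the user domain creates it via its home dir filetrans`. The new interface's doc block has lost its summary/param markup in this copy; make sure the committed version keeps the standard `<summary>` and `<param name="domain">` tags so the generated documentation stays consistent.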
@@ -982,6 +1001,44 @@ interface(`xserver_xsession_spec_domtran
 ')
 
 ########################################
+##
+## Read and write xsession log
+## files such as .xsession-errors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+##
+## Manage xsession log files such
+## as .xsession-errors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
 ##
 ## Get the attributes of X server logs.
 ##
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 +0100
+++ b/policy/modules/system/userdomain.if 2016-12-21 23:22:29.270461027 +0100
@@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
 allow userdomain $1:fd use;
 allow userdomain $1:fifo_file rw_file_perms;
 allow userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(userdomain)
 ')
 
 ########################################
@@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
 allow unpriv_userdomain $1:fd use;
 allow unpriv_userdomain $1:fifo_file rw_file_perms;
 allow unpriv_userdomain $1:process sigchld;
+
+ xserver_manage_xsession_log(unpriv_userdomain)
 ')
 
 #######################################
diff -pru a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
--- a/policy/modules/system/userdomain.te 2016-12-17 17:29:27.031224504 +0100
+++ b/policy/modules/system/userdomain.te 2016-12-21 23:36:18.826707902 +0100
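Review bot: `xserver_manage_xsession_log(userdomain)` inside `userdom_spec_domtrans_all_users`, and `xserver_manage_xsession_log(unpriv_userdomain)` inside `userdom_xsession_spec_domtrans` in the following hunk, grant a permission to an attribute as a side effect of interfaces whose contract is a domain transition for `$1`; every caller of these interfaces, not only the display manager, then pulls in the xserver module, and unlike userdomain.te the .if has no `optional_policy` guard around the call. The grant belongs with the file transition in userdomain.te's new `optional_policy` block, e.g. `xserver_manage_xsession_log(userdomain)` next to `xserver_user_home_dir_filetrans_user_xsession_log(userdomain)`, leaving these two interfaces unchanged. Both enclosing interfaces begin outside the hunk. In the xserver.if hunk, the two new interfaces are fine as written, but the `manage_file_perms` one should say in its summary that it covers every user's log files of this type, since nothing in the rule itself scopes it to the caller's own files.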
@@ -128,3 +128,8 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+
+optional_policy(`
+ xserver_user_home_dir_filetrans_user_xsession_log(userdomain)
+ xserver_user_home_dir_filetrans_user_xsession_log(unpriv_userdomain)
+')
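Review bot: The second call, `xserver_user_home_dir_filetrans_user_xsession_log(unpriv_userdomain)`, looks redundant: if, as elsewhere in refpolicy, every domain carrying `unpriv_userdomain` also carries `userdomain`, the first call already covers it, and the pair invites a reader to look for a difference that does not exist. Keep only the `userdomain` call, or add a one-line comment saying why both attributes are named. This block also adds the transition without the `create` permission on `xsession_log_t`; that arrives only through the domtrans interfaces changed in userdomain.if, so a user domain reached without those interfaces would have a transition it cannot exercise, which is another reason to put the manage grant in this same `optional_policy` block.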