From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 22 Dec 2016 00:05:19 +0100
Subject: [refpolicy] [PATCH v2 2/2] contrib: support the new interface to manage X session logs
In-Reply-To: <1482247816.12013.3.camel@trentalancia.net>
References: <1482247723.12013.1.camel@trentalancia.net> <1482247816.12013.3.camel@trentalancia.net>
Message-ID: <1482361519.9387.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch (split in two parts, one for base and another one for contrib) introduces a new file context for the X session log files and two new interfaces to manage them (instead of allowing to manage the whole user home content files).

It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver).

This second version of the patch correctly uses file type transitions and uses tighter permissions.

Signed-off-by: Guido Trentalancia
--- policy/modules/contrib/dbus.te | 1 + policy/modules/contrib/gnome.te | 5 +++++ policy/modules/contrib/wm.te | 1 + policy/modules/contrib/xscreensaver.te | 6 +++++- 4 files changed, 12 insertions(+), 1 deletion(-) diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te --- a/policy/modules/contrib/dbus.te 2016-12-17 17:29:33.783306242 +0100 +++ b/policy/modules/contrib/dbus.te 2016-12-21 23:09:40.905896241 +0100 @@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus term_use_all_terms(session_bus_type) optional_policy(` + xserver_rw_xsession_log(session_bus_type) xserver_use_xdm_fds(session_bus_type) xserver_rw_xdm_pipes(session_bus_type) ') diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te --- a/policy/modules/contrib/gnome.te 2016-12-07 13:39:50.014910721 +0100 +++ b/policy/modules/contrib/gnome.te 2016-12-21 23:09:48.452980365 +0100 
@@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain) userdom_use_user_terminals(gnomedomain) optional_policy(` + xserver_rw_xsession_log(gnomedomain) xserver_rw_xdm_pipes(gnomedomain) xserver_use_xdm_fds(gnomedomain) ') @@ -145,3 +146,7 @@ optional_policy(` optional_policy(` telepathy_mission_control_read_state(gkeyringd_domain) ') + +optional_policy(` + xserver_rw_xsession_log(gkeyringd_domain) +') diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te --- a/policy/modules/contrib/wm.te 2016-12-17 17:29:33.856307127 +0100 +++ b/policy/modules/contrib/wm.te 2016-12-21 23:09:43.970930405 +0100 @@ -128,4 +128,5 @@ optional_policy(` optional_policy(` xserver_dbus_chat_xdm(wm_domain) + xserver_rw_xsession_log(wm_domain) ') diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te --- a/policy/modules/contrib/xscreensaver.te 2016-12-21 23:00:22.415670877 +0100 +++ b/policy/modules/contrib/xscreensaver.te 2016-12-21 23:09:51.201010999 +0100 @@ -58,7 +58,10 @@ miscfiles_read_localization(xscreensaver userdom_use_user_terminals(xscreensaver_t) userdom_read_user_home_content_files(xscreensaver_t) -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) +optional_policy(` + xserver_rw_xsession_log(xscreensaver_t) + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) +') ######################################## # @@ -87,5 +90,6 @@ miscfiles_read_fonts(xscreensaver_helper miscfiles_read_localization(xscreensaver_helper_t) optional_policy(` + xserver_rw_xsession_log(xscreensaver_helper_t) xserver_stream_connect(xscreensaver_helper_t) ')
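
Review bot: In the first xscreensaver.te hunk (@@ -58,7 +58,10 @@), the existing xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) call is moved inside the new optional_policy block, so a call that was unconditional becomes optional, and the commit message says nothing about that. Either leave the template call where it was and wrap only xserver_rw_xsession_log(xscreensaver_t) in the optional block, or state in the message why the X domain template should become optional for xscreensaver_t.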
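
Review bot: The second gnome.te hunk (@@ -145,3 +146,7 @@) appends a new optional_policy block giving gkeyringd_domain read/write access to the X session log, but the description justifies the patch only by the confinement of desktop components such as wm and xscreensaver. Please state in the commit message which denial made this rule necessary for gkeyringd_domain, so it is clear the access was observed rather than added for symmetry with the gnomedomain rule in the previous hunk.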
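
Review bot: In the dbus.te hunk (@@ -244,6 +244,7 @@), xserver_rw_xsession_log() is applied to session_bus_type, so every domain covered by that name receives both read and write access to the X session log. Since the description presents this version as tightening permissions, it should say why read access is needed here in addition to write; if these domains only emit messages to the log, a write-only grant would match the stated goal better.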