From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 21:00:18 +0100 (CET)
Subject: [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and interface to manage X session logs
In-Reply-To: <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net> <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org> <1482361511.9387.2.camel@trentalancia.net> <6eab2b57-a862-9868-0899-0b737b1be300@ieee.org> <1482443392.20547.16.camel@trentalancia.net> <20161223073419.GA8282@meriadoc.perfinion.com> <1482507864.10020.14.camel@trentalancia.net> <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org>
Message-ID: <1584276649.17630.1482868818884.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello. Please find my reply at the bottom of the quoted text...

> On the 27th of December 2016 at 16.28 Chris PeBenito wrote:
>
> > On 12/23/16 10:44, Guido Trentalancia via refpolicy wrote:
> > The following patch (split in two parts, one for base and
> > another one for contrib) introduces a new file context for
> > the X session log files and two new interfaces to manage
> > them (instead of allowing them to manage all user home
> > content files).
> >
> > It is required after the recent confinement of graphical
> > desktop components (e.g. wm, xscreensaver, openoffice).
> >
> > The second version of the patch correctly uses file type
> > transitions and uses tighter permissions.
> >
> > The third version simply moves some interface calls.
> >
> > This fourth version introduces the new template for
> > username-dependent file contexts.
> > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/services/xserver.fc | 2 + > > policy/modules/services/xserver.if | 64 > > ++++++++++++++++++++++++++++++++++-- > > policy/modules/system/userdomain.if | 4 ++ > > 3 files changed, 68 insertions(+), 2 deletions(-) > > > > diff -pru a/policy/modules/services/xserver.fc > > b/policy/modules/services/xserver.fc > > --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100 > > +++ b/policy/modules/services/xserver.fc 2016-12-22 22:32:52.810210037 +0100 > > @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex > > HOME_DIR/\.ICEauthority.* -- > > gen_context(system_u:object_r:iceauth_home_t,s0) > > HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) > > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) > > +HOME_DIR/\.xsession-errors -- > > gen_context(system_u:object_r:xsession_log_t,s0) > > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) > > > > # > > @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > > /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) > > /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) > > /tmp/\.X11-unix/.* -s <> > > +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) > > > > # > > # /usr > > diff -pru a/policy/modules/services/xserver.if > > b/policy/modules/services/xserver.if > > --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 > > +++ b/policy/modules/services/xserver.if 2016-12-22 22:36:21.456185928 +0100 > > @@ -107,6 +107,9 @@ interface(`xserver_restricted_role',` > > # Needed for escd, remove if we get escd policy > > xserver_manage_xdm_tmp_files($2) > > > > + # for the .xsession-errors log file > > + xserver_user_home_dir_filetrans_user_xsession_log($2) > > + > > # Client write xserver shm > > tunable_policy(`allow_write_xshm',` > > allow $2 xserver_t:shm rw_shm_perms; 
> > @@ -308,7 +311,7 @@ interface(`xserver_user_client',` > > > > userdom_search_user_home_dirs($1) > > # for .xsession-errors > > - userdom_dontaudit_write_user_home_content_files($1) > > + xserver_rw_xsession_log($1) > > > > xserver_ro_session($1,$2) > > xserver_use_user_fonts($1) > > @@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template > > > > userdom_search_user_home_dirs($2) > > # for .xsession-errors > > - userdom_dontaudit_write_user_home_content_files($2) > > + xserver_rw_xsession_log($2) > > > > xserver_ro_session($2,$3) > > xserver_use_user_fonts($2) > > @@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra > > > > ######################################## > > ## > > +## Create a .xsession-errors log > > +## file in the user home directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` > > + gen_require(` > > + type xsession_log_t; > > + ') > > + > > + userdom_user_home_dir_filetrans($1, xsession_log_t, file, > > ".xsession-errors") > > +') > > + > > +######################################## > > +## > > ## Read all users fonts, user font configurations, > > ## and manage all users font caches. > > ## 
> > @@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran > > ') > > > > ######################################## > > +## > > +## Read and write xsession log > > +## files such as .xsession-errors. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_rw_xsession_log',` > > + gen_require(` > > + type xsession_log_t; > > + ') > > + > > + allow $1 xsession_log_t:file rw_file_perms; > > +') > > + > > +######################################## > > +## > > +## Manage xsession log files such > > +## as .xsession-errors. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_manage_xsession_log',` > > + gen_require(` > > + type xsession_log_t; > > + ') > > + > > + allow $1 xsession_log_t:file manage_file_perms; > > +') > > + > > +######################################## > > ## > > ## Get the attributes of X server logs. > > ## > > diff -pru a/policy/modules/system/userdomain.if > > b/policy/modules/system/userdomain.if > > --- a/policy/modules/system/userdomain.if 2016-12-17 17:29:27.030224492 > > +0100 > > +++ b/policy/modules/system/userdomain.if 2016-12-22 22:32:52.811210052 > > +0100 > > @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use > > allow userdomain $1:fd use; > > allow userdomain $1:fifo_file rw_file_perms; > > allow userdomain $1:process sigchld; > > + > > + xserver_manage_xsession_log(userdomain) > > ') > > > > ######################################## 
> > @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran > > allow unpriv_userdomain $1:fd use; > > allow unpriv_userdomain $1:fifo_file rw_file_perms; > > allow unpriv_userdomain $1:process sigchld; > > + > > + xserver_manage_xsession_log(unpriv_userdomain) > > ') > > > > #######################################
>
> I think you misunderstood. The rule should be in xserver_role() and
> then only apply to $2 so only the specific xserver-using roles have access.

The reason I have moved the file transition to the xserver_role_restricted() interface instead of to the xserver_role_template() interface is that the xserver_role_template() interface calls xserver_role_restricted().

Restricted X users should also be able to rw xsession log files, don't you think so? I am quite sure you would agree with me on this...

That said, I can only suspect you meant that I should also move the actual log file management permission interface from userdomain to the xserver role template... I am preparing a patch which also adds this latter change.

Regards,

Guido
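Review bot: the xserver.fc hunk at @@ -9 (HOME_DIR/\.xsession-errors) and every gen_require(` type xsession_log_t; ') in the xserver.if hunks reference a type that no hunk declares; the diffstat lists only xserver.fc, xserver.if and userdomain.if, with no xserver.te change, and the contrib half of the series cannot declare a base xserver type. Unless the declaration arrives in a separate patch, the base policy will not build. Please add to xserver.te, next to the other home content types, `type xsession_log_t;` followed by `userdom_user_home_content(xsession_log_t)` so the new type also carries the home-content attribute that the existing userdom home interfaces key on.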
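Review bot: the /tmp/xses-%{USERNAME} entry in the xserver.fc hunk at @@ -54 depends on %{USERNAME} being expanded per user when file contexts are generated; the cover letter says this version introduces a template for username-dependent contexts, but no build or template change is in this patch, so a reviewer cannot confirm the keyword is honoured, and without expansion the pattern matches no real path. Independently of that, nothing here adds a files_tmp_filetrans() for xsession_log_t, so the line only takes effect on relabel and a freshly created /tmp/xses-<user> keeps whatever tmp type its creator transitions to. Name the domain that creates the file and give it a matching tmp filetrans, or hold this line back until that is in place.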
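Review bot: the xserver.if hunk at @@ -107 installs the name transition for $2 but not the access that goes with it; the rw/manage permission the role's domain needs in order to write the file is granted elsewhere in this series through the userdomain attribute. Keeping transition and permission together, e.g. `xserver_manage_xsession_log($2)` directly after `xserver_user_home_dir_filetrans_user_xsession_log($2)`, would scope both to xserver-using roles, which is what the review reply asks for.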
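Review bot: replacing userdom_dontaudit_write_user_home_content_files() with xserver_rw_xsession_log() in the hunks at @@ -308 (xserver_user_client, $1) and @@ -470 (xserver_user_x_domain_template, $2) is a sound tightening, with one upgrade caveat worth a line in the commit message: an ~/.xsession-errors that already exists keeps its old label (typically user_home_t) until the home directory is relabelled, and because the dontaudit is gone, X clients' failed writes to it now surface as AVC denials until restorecon has run. Also note that rw_file_perms carries no create permission, so clients rely on the session domain having created the file; that matches the filetrans split and is fine as long as the manage permission lands with the creator.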
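Review bot: in the hunk at @@ -567 the summary of xserver_user_home_dir_filetrans_user_xsession_log() says it creates a .xsession-errors log file, while the body only installs a name-based transition via userdom_user_home_dir_filetrans(); the caller still needs create permission on xsession_log_t. Reword the summary along the lines of "Transition a .xsession-errors file created in the user home directory to xsession_log_t" so callers do not assume the interface grants access.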
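Review bot: the two interfaces added in the hunk at @@ -982 grant file-class permissions on xsession_log_t but no search on the user home directory. The two call sites in this patch already call userdom_search_user_home_dirs(), so they work, but any later caller (a log viewer, a backup tool) will hit a search denial on the home directory before reaching the file; consider bundling `userdom_search_user_home_dirs($1)` inside both interfaces so they are usable on their own. The "Manage xsession log files" summary should also mention /tmp/xses-* if that path is meant to be covered by the same type, since manage_file_perms includes create and unlink.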
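Review bot: the userdomain.if hunks at @@ -3302 and @@ -3371 grant xserver_manage_xsession_log() to the userdomain and unpriv_userdomain attributes from inside userdom_spec_domtrans_all_users() and userdom_xsession_spec_domtrans(), interfaces whose parameter $1 the new line does not even use. The effect is that any module calling either domtrans interface silently switches on write access to xsession_log_t for every user domain, X-using or not, and the system-layer userdomain module now depends on the xserver module. This is the misplacement the reply points at: grant the permission to the role's domain in the xserver role interface beside the filetrans added at @@ -107 and drop these two hunks.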