From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 21:00:18 +0100 (CET)
Subject: [refpolicy] [PATCH v4 1/2] xserver: introduce new fc and
 interface to manage X session logs
In-Reply-To: <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net>
	<4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
	<1482361511.9387.2.camel@trentalancia.net>
	<6eab2b57-a862-9868-0899-0b737b1be300@ieee.org>
	<1482443392.20547.16.camel@trentalancia.net>
	<20161223073419.GA8282@meriadoc.perfinion.com>
	<1482507864.10020.14.camel@trentalancia.net>
	<2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org>
Message-ID: <1584276649.17630.1482868818884.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

Please find my reply at the bottom of quoted text...

> On the 27th of December 2016 at 16.28 Chris PeBenito <pebenito@ieee.org>
> wrote:
> 
> 
> On 12/23/16 10:44, Guido Trentalancia via refpolicy wrote:
> > The following patch (split in two parts, one for base and
> > another one for contrib) introduces a new file context for
> > the X session log files and two new interface to manage
> > them (instead of allowing to manage the whole user home
> > content files).
> >
> > It is required after the recent confinement of graphical
> > desktop components (e.g. wm, xscreensaver, openoffice).
> >
> > The second version of the patch correctly uses file type
> > transitions and uses more tight permissions.
> >
> > The third version simply moves some interface calls.
> >
> > This fourth version introduces the new template for
> > username-dependent file contexts.
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/services/xserver.fc  |    2 +
> >  policy/modules/services/xserver.if  |   64
> > ++++++++++++++++++++++++++++++++++--
> >  policy/modules/system/userdomain.if |    4 ++
> >  3 files changed, 68 insertions(+), 2 deletions(-)
> >
> > diff -pru a/policy/modules/services/xserver.fc
> > b/policy/modules/services/xserver.fc
> > --- a/policy/modules/services/xserver.fc	2016-12-04 16:54:51.229586958 +0100
> > +++ b/policy/modules/services/xserver.fc	2016-12-22 22:32:52.810210037 +0100
> > @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
> >  HOME_DIR/\.ICEauthority.* --
> > gen_context(system_u:object_r:iceauth_home_t,s0)
> >  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> >  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> > +HOME_DIR/\.xsession-errors	--
> > gen_context(system_u:object_r:xsession_log_t,s0)
> >  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> >
> >  #
> > @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
> >  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
> >  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
> >  /tmp/\.X11-unix/.*	-s	<<none>>
> > +/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
> >
> >  #
> >  # /usr
> > diff -pru a/policy/modules/services/xserver.if
> > b/policy/modules/services/xserver.if
> > --- a/policy/modules/services/xserver.if	2016-12-07 13:39:08.670449307 +0100
> > +++ b/policy/modules/services/xserver.if	2016-12-22 22:36:21.456185928 +0100
> > @@ -107,6 +107,9 @@ interface(`xserver_restricted_role',`
> >  	# Needed for escd, remove if we get escd policy
> >  	xserver_manage_xdm_tmp_files($2)
> >
> > +	# for the .xsession-errors log file
> > +	xserver_user_home_dir_filetrans_user_xsession_log($2)
> > +
> >  	# Client write xserver shm
> >  	tunable_policy(`allow_write_xshm',`
> >  		allow $2 xserver_t:shm rw_shm_perms;
> > @@ -308,7 +311,7 @@ interface(`xserver_user_client',`
> >
> >  	userdom_search_user_home_dirs($1)
> >  	# for .xsession-errors
> > -	userdom_dontaudit_write_user_home_content_files($1)
> > +	xserver_rw_xsession_log($1)
> >
> >  	xserver_ro_session($1,$2)
> >  	xserver_use_user_fonts($1)
> > @@ -470,7 +473,7 @@ template(`xserver_user_x_domain_template
> >
> >  	userdom_search_user_home_dirs($2)
> >  	# for .xsession-errors
> > -	userdom_dontaudit_write_user_home_content_files($2)
> > +	xserver_rw_xsession_log($2)
> >
> >  	xserver_ro_session($2,$3)
> >  	xserver_use_user_fonts($2)
> > @@ -567,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
> >
> >  ########################################
> >  ## <summary>
> > +##	Create a .xsession-errors log
> > +##	file in the user home directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> > +	gen_require(`
> > +		type xsession_log_t;
> > +	')
> > +
> > +	userdom_user_home_dir_filetrans($1, xsession_log_t, file,
> > ".xsession-errors")
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Read all users fonts, user font configurations,
> >  ##	and manage all users font caches.
> >  ## </summary>
> > @@ -982,6 +1004,44 @@ interface(`xserver_xsession_spec_domtran
> >  ')
> >
> >  ########################################
> > +## <summary>
> > +##	Read and write xsession log
> > +##	files such as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xserver_rw_xsession_log',`
> > +	gen_require(`
> > +		type xsession_log_t;
> > +	')
> > +
> > +	allow $1 xsession_log_t:file rw_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Manage xsession log files such
> > +##	as .xsession-errors.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xserver_manage_xsession_log',`
> > +	gen_require(`
> > +		type xsession_log_t;
> > +	')
> > +
> > +	allow $1 xsession_log_t:file manage_file_perms;
> > +')
> > +
> > +########################################
> >  ## <summary>
> >  ##	Get the attributes of X server logs.
> >  ## </summary>
> > diff -pru a/policy/modules/system/userdomain.if
> > b/policy/modules/system/userdomain.if
> > --- a/policy/modules/system/userdomain.if	2016-12-17 17:29:27.030224492
> > +0100
> > +++ b/policy/modules/system/userdomain.if	2016-12-22 22:32:52.811210052
> > +0100
> > @@ -3302,6 +3302,8 @@ interface(`userdom_spec_domtrans_all_use
> >  	allow userdomain $1:fd use;
> >  	allow userdomain $1:fifo_file rw_file_perms;
> >  	allow userdomain $1:process sigchld;
> > +
> > +	xserver_manage_xsession_log(userdomain)
> >  ')
> >
> >  ########################################
> > @@ -3371,6 +3373,8 @@ interface(`userdom_xsession_spec_domtran
> >  	allow unpriv_userdomain $1:fd use;
> >  	allow unpriv_userdomain $1:fifo_file rw_file_perms;
> >  	allow unpriv_userdomain $1:process sigchld;
> > +
> > +	xserver_manage_xsession_log(unpriv_userdomain)
> >  ')
> >
> >  #######################################
> 
> I think you misunderstood.  The rule should be in xserver_role() and 
> then only apply to $2 so only the specific xserver-using roles have access.

The reason I have moved the file transition to the xserver_role_restricted()
interface
instead of to the xserver_role_template() interface is that the
xserver_role_template()
interface calls xserver_role_restricted(). Restricted X users should also be
able to rw
xsession log files, don't you think so ? I am quite sure you would agree with me
on this...

That said, I can only suspect you meant that I should also move the actual log
file
management permission interface from userdomain to the xserver role template...
I am preparing a patch which also adds this latter change.

Regards,

Guido