From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 27 Dec 2016 21:01:39 +0100 (CET) Subject: [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs In-Reply-To: <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org> References: <1482247723.12013.1.camel@trentalancia.net> <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org> <1482361511.9387.2.camel@trentalancia.net> <6eab2b57-a862-9868-0899-0b737b1be300@ieee.org> <1482443392.20547.16.camel@trentalancia.net> <20161223073419.GA8282@meriadoc.perfinion.com> <1482507864.10020.14.camel@trentalancia.net> <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org> Message-ID: <418625772.17634.1482868899593.JavaMail.open-xchange@popper10.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch (split in two parts, one for base and another one for contrib) introduces a new file context for the X session log files and two new interface to manage them (instead of allowing to manage the whole user home content files). It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver). The second version of the patch correctly uses file type transitions and uses more tight permissions. The third version simply moves some interface calls. The fourth version introduces the new template for username-dependent file contexts. This fifth version moves other interface calls thanks to further revisions from Christopher PeBenito (the corresponding contrib policy part remains unchanged at version 4). Signed-off-by: Guido Trentalancia --- policy/modules/services/xserver.fc | 2 + policy/modules/services/xserver.if | 65 +++++++++++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 2 deletions(-) diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc --- a/policy/modules/services/xserver.fc 2016-12-04 16:54:51.229586958 +0100 +++ b/policy/modules/services/xserver.fc 2016-12-27 20:49:18.146188976 +0100 
@@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) # # /usr diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if --- a/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 +++ b/policy/modules/services/xserver.if 2016-12-27 20:50:25.904039759 +0100 @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + # for the .xsession-errors log file + xserver_user_home_dir_filetrans_user_xsession_log($2) + xserver_manage_xsession_log($2) + # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; @@ -308,7 +312,7 @@ interface(`xserver_user_client',` userdom_search_user_home_dirs($1) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1) + xserver_rw_xsession_log($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) @@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template userdom_search_user_home_dirs($2) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) + xserver_rw_xsession_log($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) 
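Review bot: The new `HOME_DIR/\.xsession-errors` entry in the first xserver.fc hunk matches only that exact name, while the neighbouring entries (`\.xauth.*`, `\.Xauthority.*`) tolerate suffixes. Some session start-up scripts keep a rotated or suffixed copy next to the live log (for example `.xsession-errors.old`); if that applies to the supported distributions, those files stay labelled as generic home content and fall outside `xsession_log_t`. If they should be covered, the pattern would be `HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xsession_log_t,s0)`; otherwise a short comment saying the exact match is intentional would help.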
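Review bot: The `/tmp/xses-%{USERNAME}` entry in the second xserver.fc hunk only takes effect when the file is relabelled, and this patch adds a named type transition for the home directory only. A fallback log created in /tmp at session start would therefore get whatever type the creating domain's tmp transition assigns, not `xsession_log_t`, unless a matching transition exists elsewhere (none is visible here; it may be in the contrib part or the xdm policy). Because /tmp is shared and the name is predictable, please confirm that the creating domain has a named transition for this file, and keep client access limited to the `file` class as the new interfaces do.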
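Review bot: Replacing `userdom_dontaudit_write_user_home_content_files($1)` with `xserver_rw_xsession_log($1)` in `xserver_user_client` (and the same swap with `$2` in the `xserver_user_x_domain_template` hunk that follows) only works when the log already carries `xsession_log_t`. A `~/.xsession-errors` created before the policy update keeps its old label until it is relabelled, because the named transition applies only at creation. Until then, X clients using these interfaces would have writes to the old file denied, and each denial is now audited. Suggest stating the relabel requirement in the commit message and tightening the comment to `# for .xsession-errors (must be labelled xsession_log_t)`. Both interface bodies continue outside the hunks.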
@@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra ######################################## ## +## Create a .xsession-errors log +## file in the user home directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") +') + +######################################## +## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## @@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran ') ######################################## +## +## Read and write xsession log +## files such as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file rw_file_perms; +') + +######################################## +## +## Manage xsession log files such +## as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file manage_file_perms; +') + +######################################## ## ## Get the attributes of X server logs. ##
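Review bot: The summary of `xserver_user_home_dir_filetrans_user_xsession_log` says it creates the log file, but the body only calls `userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")`. That call presumably adds the home-directory access and the named type transition, and no permission on `xsession_log_t` itself. A caller that uses it without `xserver_manage_xsession_log` (the two are paired in `xserver_restricted_role`) would still be denied the create. Suggest rewording the summary to "Create objects named .xsession-errors in the user home directory with the xsession log type" and mentioning the companion interface in the description.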
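Review bot: `xserver_rw_xsession_log` grants `rw_file_perms`, so every X client that goes through `xserver_user_client` or `xserver_user_x_domain_template` can open and read the whole session log, not just add to it. The log collects stderr from the programs in the session, so read access exposes one confined client's output to the others. If clients only need to add to the log, `allow $1 xsession_log_t:file append_file_perms;` would likely be enough, and the interface would be better named for appending. Neither new interface grants search on the parent directory, so callers need that separately for the /tmp location.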