From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 28 Dec 2016 18:20:27 +0100 Subject: [refpolicy] [PATCH] xserver: only run in confined mode and restrict execmem permissions Message-ID: <1482945627.7302.8.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the xserver module so that both the xserver_t and xdm_t domains always run in confined mode and never run in unconfined mode. The dangerous execheap permission is removed from xdm and the dangerous execmem permission is only enabled for the Gnome Display Manager (gnome-shell running in gdm mode) through a new "gnome_xdm" boolean. This patch also updates the XKB libs file context with their default location, adds the ability to read udev pid files and finally adds a couple of permissions so that xconsole can use the terminals it needs to use. Signed-off-by: Guido Trentalancia --- policy/modules/services/xserver.fc | 2 ++ policy/modules/services/xserver.te | 32 ++++++++++++++++++-------------- 2 files changed, 20 insertions(+), 14 deletions(-) diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc --- a/policy/modules/services/xserver.fc 2016-12-28 18:06:07.926688845 +0100 +++ b/policy/modules/services/xserver.fc 2016-12-28 17:55:56.182177747 +0100 @@ -81,6 +81,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) + /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te --- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100 +++ b/policy/modules/services/xserver.te 2016-12-28 17:43:34.097311192 +0100 
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false) ## ##

+## Use gnome-shell in gdm mode as the +## X Display Manager (XDM) +##

+##
+gen_tunable(gnome_xdm, false) + +## +##

## Support X userspace object manager ##

##
@@ -450,6 +458,10 @@ term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +# for xconsole +term_use_ptmx(xdm_t) +term_use_generic_ptys(xdm_t) + auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -507,6 +519,10 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') +tunable_policy(`gnome_xdm',` + allow xdm_t self:process execmem; +') + optional_policy(` alsa_domtrans(xdm_t) ') @@ -584,15 +600,6 @@ optional_policy(` ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) - - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') -') - -optional_policy(` userhelper_dontaudit_search_config(xdm_t) ') @@ -754,6 +761,8 @@ modutils_domtrans_insmod(xserver_t) # read x_contexts seutil_read_default_contexts(xserver_t) +udev_read_pid_files(xserver_t) + userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) userdom_setattr_user_ttys(xserver_t) @@ -806,11 +815,6 @@ optional_policy(` ') optional_policy(` - unconfined_domain_noaudit(xserver_t) - unconfined_domtrans(xserver_t) -') - -optional_policy(` userhelper_search_config(xserver_t) ')
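Review bot: the new context line `/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)` gives the static keymap tree under /usr/share the same type as the compiled-keymap cache the type is named for, so whatever write access xserver_t and xdm_t hold on xkb_var_lib_t now extends to files that should only ever be read. Consider whether a read-only type is the better label for /usr/share/X11/xkb, and say in the commit message whether the /var/lib/xkb entry is kept alongside the new one or replaced by it.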
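Review bot: the description for the new `gnome_xdm` tunable says only "Use gnome-shell in gdm mode as the X Display Manager (XDM)", but the only effect of the boolean in this patch is `allow xdm_t self:process execmem;`. The tunable text is what an administrator sees when listing booleans, so it should state that enabling it lets the display manager domain map memory that is both writable and executable, the permission the commit message itself calls dangerous, so the risk is visible where the decision is made.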
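Review bot: `term_use_ptmx(xdm_t)` and `term_use_generic_ptys(xdm_t)` are granted unconditionally, so every display manager labelled xdm_exec_t (xdm, gdm, kdm, wdm and lightdm per the .fc file) gains pty access, not only the setups that actually start xconsole. If only some display-manager configurations launch xconsole, consider guarding these two calls with a tunable, or at least expand the comment `# for xconsole` to say which setup produced the denials, so the grant can be revisited later.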
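Review bot: the block `tunable_policy(`gnome_xdm',` allow xdm_t self:process execmem; ')` carries no comment explaining which component of gnome-shell needs execmem. Since the patch deliberately drops execmem from the unconditional rules, record the reason above the allow rule so a future maintainer can tell when the boolean can be retired; also confirm that execmem alone is sufficient and that the execheap permission removed elsewhere in this patch is not also required when the boolean is on.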
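Review bot: removing `unconfined_domain(xdm_t)` and `unconfined_domtrans(xdm_t)` means every permission xdm_t previously received implicitly must now be explicit, and the only compensating additions in this patch are the two term_ calls and the execmem tunable. The commit message should state which display managers were run in enforcing mode against this policy, and whether logins into unconfined user sessions still work now that the transition provided by unconfined_domtrans(xdm_t) is gone. Note that the `ifndef(`distro_redhat',` guard disappears with the block, so the execheap/execmem pair is now dropped on every distribution, which is consistent with the description.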
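Review bot: `udev_read_pid_files(xserver_t)` is added without a comment and outside any optional_policy block. The commit message says only that it "adds the ability to read udev pid files"; the surrounding code documents each grant (for example `# read x_contexts`), so add a line saying what the X server reads from udev's pid directory, and check whether the udev module is guaranteed present in every build that includes xserver or whether the call needs an optional_policy wrapper like the neighbouring alsa and userhelper calls.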
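Review bot: dropping `unconfined_domain_noaudit(xserver_t)` and `unconfined_domtrans(xserver_t)` leaves xserver_t fully confined with no new rules other than `udev_read_pid_files(xserver_t)`. The _noaudit variant's name suggests it also suppressed some denials, so configurations that relied on it may now fail in enforcing mode in ways that were never logged; the commit message should list the graphics drivers and display setups tested so that follow-up denials from driver-specific access can be anticipated. Collapsing the two optional_policy blocks into the remaining `userhelper_search_config(xserver_t)` one is clean.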