From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 28 Dec 2016 20:02:20 +0100
Subject: [refpolicy] [PATCH v5 1/2] xserver: introduce new fc and interface to manage X session logs
In-Reply-To: <6e6ac8cd-60c0-b803-1a4e-a9e361b5b589@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net> <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org> <1482361511.9387.2.camel@trentalancia.net> <6eab2b57-a862-9868-0899-0b737b1be300@ieee.org> <1482443392.20547.16.camel@trentalancia.net> <20161223073419.GA8282@meriadoc.perfinion.com> <1482507864.10020.14.camel@trentalancia.net> <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org> <418625772.17634.1482868899593.JavaMail.open-xchange@popper10.register.it> <6e6ac8cd-60c0-b803-1a4e-a9e361b5b589@ieee.org>
Message-ID: <8A08EA4D-2DBF-4461-9B12-8A666F235413@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, thanks for telling me. Eventually the small diff for xserver.te has gone lost, while working on multiple development trees...

I'll forward a revised patch in a few minutes.

Regards,

Guido

On the 28th of December 2016 19:32:13 CET, Chris PeBenito wrote:
>On 12/27/16 15:01, Guido Trentalancia via refpolicy wrote:
>> The following patch (split in two parts, one for base and
>> another one for contrib) introduces a new file context for
>> the X session log files and two new interfaces to manage
>> them (instead of allowing to manage the whole user home
>> content files).
>>
>> It is required after the recent confinement of graphical
>> desktop components (e.g. wm, xscreensaver).
>>
>> The second version of the patch correctly uses file type
>> transitions and uses more tight permissions.
>>
>> The third version simply moves some interface calls.
>>
>> The fourth version introduces the new template for
>> username-dependent file contexts.
>> >> This fifth version moves other interface calls thanks to >> further revisions from Christopher PeBenito (the corresponding >> contrib policy part remains unchanged at version 4). > >I was going to merge this, but missed previously that xsession_log_t >isn't ever declared in this patch. > > >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/services/xserver.fc | 2 + >> policy/modules/services/xserver.if | 65 >+++++++++++++++++++++++++++++++++++-- >> 2 files changed, 65 insertions(+), 2 deletions(-) >> >> diff -pru a/policy/modules/services/xserver.fc >> b/policy/modules/services/xserver.fc >> --- a/policy/modules/services/xserver.fc 2016-12-04 >16:54:51.229586958 +0100 >> +++ b/policy/modules/services/xserver.fc 2016-12-27 >20:49:18.146188976 +0100 >> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex >> HOME_DIR/\.ICEauthority.* >-- gen_context(system_u:object_r:iceauth_home_t,s0) >> >HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) >> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) >> >+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) >> >HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) >> >> # >> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s >> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) >> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) >> /tmp/\.X11-unix/.* -s <> >> >+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) >> >> # >> # /usr >> diff -pru a/policy/modules/services/xserver.if >> b/policy/modules/services/xserver.if >> --- a/policy/modules/services/xserver.if 2016-12-07 >13:39:08.670449307 +0100 >> +++ b/policy/modules/services/xserver.if 2016-12-27 >20:50:25.904039759 +0100 
>> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',` >> # Needed for escd, remove if we get escd policy >> xserver_manage_xdm_tmp_files($2) >> >> + # for the .xsession-errors log file >> + xserver_user_home_dir_filetrans_user_xsession_log($2) >> + xserver_manage_xsession_log($2) >> + >> # Client write xserver shm >> tunable_policy(`allow_write_xshm',` >> allow $2 xserver_t:shm rw_shm_perms; >> @@ -308,7 +312,7 @@ interface(`xserver_user_client',` >> >> userdom_search_user_home_dirs($1) >> # for .xsession-errors >> - userdom_dontaudit_write_user_home_content_files($1) >> + xserver_rw_xsession_log($1) >> >> xserver_ro_session($1,$2) >> xserver_use_user_fonts($1) >> @@ -470,7 +474,7 @@ template(`xserver_user_x_domain_template >> >> userdom_search_user_home_dirs($2) >> # for .xsession-errors >> - userdom_dontaudit_write_user_home_content_files($2) >> + xserver_rw_xsession_log($2) >> >> xserver_ro_session($2,$3) >> xserver_use_user_fonts($2) >> @@ -567,6 +571,25 @@ interface(`xserver_user_home_dir_filetra >> >> ######################################## >> ## >> +## Create a .xsession-errors log >> +## file in the user home directory. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` >> + gen_require(` >> + type xsession_log_t; >> + ') >> + >> + userdom_user_home_dir_filetrans($1, xsession_log_t, file, >".xsession-errors") >> +') >> + >> +######################################## >> +## >> ## Read all users fonts, user font configurations, >> ## and manage all users font caches. >> ## 
>> @@ -982,6 +1005,44 @@ interface(`xserver_xsession_spec_domtran >> ') >> >> ######################################## >> +## >> +## Read and write xsession log >> +## files such as .xsession-errors. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`xserver_rw_xsession_log',` >> + gen_require(` >> + type xsession_log_t; >> + ') >> + >> + allow $1 xsession_log_t:file rw_file_perms; >> +') >> + >> +######################################## >> +## >> +## Manage xsession log files such >> +## as .xsession-errors. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`xserver_manage_xsession_log',` >> + gen_require(` >> + type xsession_log_t; >> + ') >> + >> + allow $1 xsession_log_t:file manage_file_perms; >> +') >> + >> +######################################## >> ## >> ## Get the attributes of X server logs. >> ## >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >>
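Review bot: In the first xserver.fc hunk (`HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)`) the type xsession_log_t is referenced, and every gen_require block in xserver.if requires it, but no hunk declares it: the xserver.te part of the change is missing, as already noted in the thread, and the module will not build until a `type xsession_log_t;` declaration is added there, together with `userdom_user_home_content(xsession_log_t)` so the new type is treated as user home content by the existing userdom interfaces. Consider also whether the pattern should be `HOME_DIR/\.xsession-errors.*` like the neighbouring `\.xauth.*` and `\.Xauthority.*` entries, in case a session script rotates the log to a suffixed name.

Review bot: In the second xserver.fc hunk (`/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)`) nothing in this patch creates that file with the new label: name-based type transitions need a literal filename, which a per-user name cannot provide, so the creating domain would need a plain tmp file transition to xsession_log_t (or the entry only takes effect after a restorecon of /tmp). Because the same type then labels both a home-directory file and a /tmp file, the missing xserver.te declaration should also give it `files_tmp_file(xsession_log_t)` so the tmp-cleaning and tmp-search interfaces cover it.

Review bot: In the `xserver_user_client` and `xserver_user_x_domain_template` hunks, replacing `userdom_dontaudit_write_user_home_content_files($1)` with `xserver_rw_xsession_log($1)` silently changes behaviour for existing users: a `.xsession-errors` created before this policy is loaded keeps its old home-content label until the home directory is relabelled, so writes to it go from dontaudited to audited denials. Either keep the dontaudit next to the new rule for the transition period, or state in the commit message that a relabel of user home directories is required.

Review bot: In the hunk adding `xserver_rw_xsession_log` and `xserver_manage_xsession_log`, the interfaces grant only `file` permissions and rely on the caller for directory search; that holds for the home-directory case, where the callers already invoke `userdom_search_user_home_dirs`, but not for `/tmp/xses-%{USERNAME}`, so add `files_search_tmp($1)` inside the interfaces or document that the caller must provide it. On naming, the existing `xserver_manage_xdm_tmp_files` in the first xserver.if hunk shows the convention, so `xserver_rw_xsession_log_files` and `xserver_manage_xsession_log_files` would be consistent.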