From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 28 Dec 2016 20:44:08 +0100
Subject: [refpolicy] [PATCH v4 2/2] contrib: support the new interface to manage X session logs
In-Reply-To: <443b8c08-7dd5-31e1-1474-f1266fb5d548@ieee.org>
References: <1482247723.12013.1.camel@trentalancia.net> <1482247816.12013.3.camel@trentalancia.net> <1482361519.9387.3.camel@trentalancia.net> <1482419754.3408.1.camel@trentalancia.net> <443b8c08-7dd5-31e1-1474-f1266fb5d548@ieee.org>
Message-ID: <1482954248.2738.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch (split into two parts, one for base and another for contrib) introduces a new file context for the X session log files and two new interfaces to manage them (instead of allowing management of all user home content files). It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver, openoffice).

The second version of the patch correctly uses file type transitions and uses tighter permissions.

The third version adds the logging capability to the openoffice module.

This fourth version explicitly makes xscreensaver dependent on the xserver module.

The corresponding base policy patch is at version 6.

Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/dbus.te | 1 +
 policy/modules/contrib/gnome.te | 5 +++++
 policy/modules/contrib/openoffice.te | 1 +
 policy/modules/contrib/wm.te | 1 +
 policy/modules/contrib/xscreensaver.te | 6 +++---
 5 files changed, 11 insertions(+), 3 deletions(-)

diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te --- a/policy/modules/contrib/dbus.te 2016-12-22 23:12:59.377081677 +0100 +++ b/policy/modules/contrib/dbus.te 2016-12-28 20:24:54.385446098 +0100
@@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus term_use_all_terms(session_bus_type) optional_policy(` + xserver_rw_xsession_log(session_bus_type) xserver_use_xdm_fds(session_bus_type) xserver_rw_xdm_pipes(session_bus_type) ') diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te --- a/policy/modules/contrib/gnome.te 2016-12-27 22:41:15.522602035 +0100 +++ b/policy/modules/contrib/gnome.te 2016-12-28 20:24:54.386446112 +0100 @@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain) userdom_use_user_terminals(gnomedomain) optional_policy(` + xserver_rw_xsession_log(gnomedomain) xserver_rw_xdm_pipes(gnomedomain) xserver_use_xdm_fds(gnomedomain) ') @@ -145,3 +146,7 @@ optional_policy(` optional_policy(` telepathy_mission_control_read_state(gkeyringd_domain) ') + +optional_policy(` + xserver_rw_xsession_log(gkeyringd_domain) +') diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te --- a/policy/modules/contrib/openoffice.te 2016-12-27 22:41:15.522602035 +0100 +++ b/policy/modules/contrib/openoffice.te 2016-12-28 20:24:54.386446112 +0100 @@ -131,6 +131,7 @@ optional_policy(` ') optional_policy(` + xserver_rw_xsession_log(ooffice_t) xserver_read_user_iceauth(ooffice_t) xserver_read_user_xauth(ooffice_t) xserver_read_xdm_tmp_files(ooffice_t) diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te --- a/policy/modules/contrib/wm.te 2016-12-27 22:41:15.543602334 +0100 +++ b/policy/modules/contrib/wm.te 2016-12-28 20:24:54.387446125 +0100 @@ -132,4 +132,5 @@ optional_policy(` optional_policy(` xserver_dbus_chat_xdm(wm_domain) + xserver_rw_xsession_log(wm_domain) ') diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te --- a/policy/modules/contrib/xscreensaver.te 2016-12-22 00:49:56.960049501 +0100 +++ b/policy/modules/contrib/xscreensaver.te 2016-12-28 20:32:01.742240850 +0100 
@@ -58,6 +58,7 @@ miscfiles_read_localization(xscreensaver userdom_use_user_terminals(xscreensaver_t) userdom_read_user_home_content_files(xscreensaver_t) +xserver_rw_xsession_log(xscreensaver_t) xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) ######################################## @@ -86,6 +87,5 @@ fs_dontaudit_getattr_xattr_fs(xscreensav miscfiles_read_fonts(xscreensaver_helper_t) miscfiles_read_localization(xscreensaver_helper_t) -optional_policy(` - xserver_stream_connect(xscreensaver_helper_t) -') +xserver_rw_xsession_log(xscreensaver_helper_t) +xserver_stream_connect(xscreensaver_helper_t)
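Review bot: in the first gnome.te hunk (@@ -70,6 +70,7 @@), the new xserver_rw_xsession_log(gnomedomain) call sits ahead of xserver_rw_xdm_pipes(gnomedomain), but refpolicy keeps interface calls within a block sorted by name and "xdm_pipes" sorts before "xsession_log"; move the added line below xserver_rw_xdm_pipes(gnomedomain) so the block stays in order.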
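Review bot: the second gnome.te hunk (@@ -145,3 +146,7 @@) adds a separate optional_policy block granting xserver_rw_xsession_log(gkeyringd_domain) at the end of the file; please confirm that gkeyringd_domain is not already covered by the gnomedomain attribute block updated earlier in the same file, otherwise the new block is redundant and should be dropped rather than duplicated.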
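Review bot: in the openoffice.te hunk (@@ -131,6 +131,7 @@), the new xserver_rw_xsession_log(ooffice_t) line is inserted before xserver_read_user_iceauth(ooffice_t), xserver_read_user_xauth(ooffice_t) and xserver_read_xdm_tmp_files(ooffice_t); "read_*" sorts before "rw_*", so the added call belongs after xserver_read_xdm_tmp_files(ooffice_t) to keep the block sorted as the rest of the file is.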
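Review bot: the xscreensaver.te hunks turn the xserver dependency from optional into hard (xserver_rw_xsession_log(xscreensaver_t) is added outside any optional_policy block, and the optional_policy wrapper around xserver_stream_connect(xscreensaver_helper_t) is removed). This is consistent with the unconditional xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) call already visible in the first hunk's context, so no new load-time failure is introduced, but that justification is worth a sentence in the commit message since "explicitly makes xscreensaver dependent on the xserver module" does not say why it is safe. Separately, the cover letter presents the new interface as a replacement for managing all user home content, yet no userdom_manage_user_home_content_files() call is removed in any of the contrib hunks (the first hunk keeps userdom_read_user_home_content_files(xscreensaver_t) unchanged); please state where that broader permission is dropped, or adjust the description.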