From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 28 Dec 2016 20:56:16 +0100 Subject: [refpolicy] [PATCH v2] xserver: restrict executable memory permissions (was "only run in confined mode and restrict execmem permissions") In-Reply-To: <1482945627.7302.8.camel@trentalancia.net> References: <1482945627.7302.8.camel@trentalancia.net> Message-ID: <1482954976.2738.9.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The dangerous execheap permission is removed from xdm and the dangerous execmem permission is only enabled for the Gnome Display Manager (gnome-shell running in gdm mode) through a new "gnome_xdm" boolean. This patch also updates the XKB libs file context with their default location, adds the ability to read udev pid files and finally adds a couple of permissions so that xconsole can use the terminals it needs to use. Signed-off-by: Guido Trentalancia --- policy/modules/services/xserver.fc | 2 ++ policy/modules/services/xserver.te | 21 +++++++++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc --- a/policy/modules/services/xserver.fc 2016-12-22 23:12:47.782929703 +0100 +++ b/policy/modules/services/xserver.fc 2016-12-28 20:47:28.677416395 +0100 @@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) + /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te --- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100 +++ b/policy/modules/services/xserver.te 2016-12-28 20:50:53.138823311 +0100 
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false) ## ##

+## Use gnome-shell in gdm mode as the +## X Display Manager (XDM) +##

+##
+gen_tunable(gnome_xdm, false) + +## +##

## Support X userspace object manager ##

##
@@ -450,6 +458,10 @@ term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +# for xconsole +term_use_ptmx(xdm_t) +term_use_generic_ptys(xdm_t) + auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -507,6 +519,10 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') +tunable_policy(`gnome_xdm',` + allow xdm_t self:process execmem; +') + optional_policy(` alsa_domtrans(xdm_t) ') @@ -586,10 +602,6 @@ optional_policy(` optional_policy(` unconfined_domain(xdm_t) unconfined_domtrans(xdm_t) - - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') ') optional_policy(` @@ -803,6 +815,7 @@ optional_policy(` optional_policy(` udev_read_db(xserver_t) + udev_read_pid_files(xserver_t) ') optional_policy(`
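Review bot: The new /usr/share/X11/xkb(/.*)? entry in the xserver.fc hunk labels a read-only distribution path with xkb_var_lib_t, a type whose name marks it as a /var/lib location. If any domain holds write permission on that type, this entry extends that write access to the keymap data shipped under /usr/share; the commit message should either confirm that no writer exists or the path should get a dedicated read-only type rather than reusing xkb_var_lib_t.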
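Review bot: The gnome_xdm tunable description in the first xserver.te hunk ("Use gnome-shell in gdm mode as the X Display Manager (XDM)") says what the boolean is for but not what it grants. Since its only effect is "allow xdm_t self:process execmem;", the description should state that enabling it lets the display manager map memory that is both writable and executable, so administrators can weigh that before flipping it.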
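Review bot: The term_use_ptmx(xdm_t) and term_use_generic_ptys(xdm_t) additions in the @@ -450 hunk are unconditional, so every display manager labelled xdm_t gains the pty multiplexer and all generic ptys, although the "# for xconsole" comment says only xconsole needs them. Consider gating them (an optional_policy or tunable), or expand the comment to say why xconsole ends up running in xdm_t and why it needs both interfaces rather than a narrower pty type.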
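Review bot: The tunable_policy(gnome_xdm) block in the @@ -507 hunk widens scope compared with the rule it replaces: the removed "allow xdm_t self:process { execheap execmem };" in the @@ -586 hunk sat inside the optional_policy block that calls unconfined_domain(xdm_t) and was further excluded under distro_redhat, so it only applied to builds where xdm was already unconfined, whereas the new rule is available in every build once the boolean is on. That may well be the intent, but the commit message only says execheap was removed and execmem is "only enabled" through the boolean; it should also say that confined builds can now grant execmem to xdm_t for the first time and that distro_redhat builds now get the same treatment as the others.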
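Review bot: udev_read_pid_files(xserver_t) in the @@ -803 hunk is correctly placed in the existing udev optional_policy block next to udev_read_db(xserver_t), but the commit message says only "adds the ability to read udev pid files" without naming the domain or the denial behind it; state that the grant is for xserver_t and what in the X server reads udev's pid files, so the addition can be reviewed against a concrete need.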