From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 02:42:47 +0100
Subject: [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
In-Reply-To:
References: <1482945627.7302.8.camel@trentalancia.net> <1482954976.2738.9.camel@trentalancia.net> <1483058219.31174.0.camel@trentalancia.net>
Message-ID: <5E73ADF9-BB01-429C-A1EC-9C33CDEC589C@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello again.

I have double-checked and the difference between /usr/share and /var/lib is between architecture-independent and single-machine data, not between read-only and writable.

I hope it helps.

Regards,

Guido

On the 30th of December 2016 02:06:35 CET, cgzones wrote:
>On 30 Dec 2016 1:37 am, "Guido Trentalancia via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>The dangerous execheap permission is removed from xdm and the
>dangerous execmem permission is only enabled for the Gnome
>Display Manager (gnome-shell running in gdm mode) through a
>new "gnome_xdm" boolean.
>
>This patch also updates the XKB libs file context with their
>default location, adds the ability to read udev pid files and
>finally adds a few permissions so that xconsole can run smoothly.
>
>Signed-off-by: Guido Trentalancia
>---
> policy/modules/services/xserver.fc | 2 ++
> policy/modules/services/xserver.te | 24 +++++++++++++++++++-----
> 2 files changed, 21 insertions(+), 5 deletions(-)
>
>diff -pru a/policy/modules/services/xserver.fc >b/policy/modules/services/ >xserver.fc >--- a/policy/modules/services/xserver.fc 2016-12-22 >23:12:47.782929703 +0100 >+++ b/policy/modules/services/xserver.fc 2016-12-30 >01:25:51.383728583 +0100 
>@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > >/usr/sbin/lightdm -- >gen_context(system_u:object_r:xdm_exec_t,s0) > >+/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r: >xkb_var_lib_t,s0) >+ > >I am not familiar with xkb nor xdm, but the /usr directory should from >my >point of view be able to be mounted as read-only, so the files lying >here >should be static. Why does xkb have library files over here? > > /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r: >xdm_exec_t,s0) > /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r: >iceauth_exec_t,s0) > /usr/X11R6/bin/X -- gen_context(system_u:object_r: >xserver_exec_t,s0) >diff -pru a/policy/modules/services/xserver.te >b/policy/modules/services/ >xserver.te >--- a/policy/modules/services/xserver.te 2016-12-22 >23:12:47.782929703 +0100 >+++ b/policy/modules/services/xserver.te 2016-12-30 >01:30:43.634289624 +0100 >@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false) > > ## > ##

>+## Use gnome-shell in gdm mode as the >+## X Display Manager (XDM) >+##

>+##
>+gen_tunable(gnome_xdm, false) >+ >+## >+##

> ## Support X userspace object manager > ##

> ##
>@@ -304,6 +312,7 @@ optional_policy(` > # > > allow xdm_t self:capability { setgid setuid sys_resource kill >sys_tty_config mknod chown dac_override dac_read_search fowner fsetid >ipc_owner sys_nice sys_rawio net_bind_service }; >+dontaudit xdm_t self:capability sys_admin; > allow xdm_t self:process { setexec setpgid getsched setsched setrlimit >signal_perms }; > allow xdm_t self:fifo_file rw_fifo_file_perms; > allow xdm_t self:shm create_shm_perms; >@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe > allow xdm_t self:appletalk_socket create_socket_perms; > allow xdm_t self:key { search link write }; > >-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; >+allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms; > > # Allow gdm to run gdm-binary > can_exec(xdm_t, xdm_exec_t) >@@ -450,6 +459,10 @@ term_setattr_console(xdm_t) > term_use_unallocated_ttys(xdm_t) > term_setattr_unallocated_ttys(xdm_t) > >+# for xconsole >+term_use_ptmx(xdm_t) >+term_use_generic_ptys(xdm_t) >+ > auth_domtrans_pam_console(xdm_t) > auth_manage_pam_pid(xdm_t) > auth_manage_pam_console_data(xdm_t) >@@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',` > # allow xserver_t xdm_tmpfs_t:file rw_file_perms; > ') > >+tunable_policy(`gnome_xdm',` >+ allow xdm_t self:process execmem; >+') >+ > optional_policy(` > alsa_domtrans(xdm_t) > ') >@@ -586,10 +603,6 @@ optional_policy(` > optional_policy(` > unconfined_domain(xdm_t) > unconfined_domtrans(xdm_t) >- >- ifndef(`distro_redhat',` >- allow xdm_t self:process { execheap execmem }; >- ') > ') > > optional_policy(` >@@ -803,6 +816,7 @@ optional_policy(` > > optional_policy(` > udev_read_db(xserver_t) >+ udev_read_pid_files(xserver_t) > ') > > optional_policy(` >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
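Review bot: the new /usr/share/X11/xkb entry in the xserver.fc hunk (@@ -79,6 +79,8 @@) labels a path under /usr/share with xkb_var_lib_t, a type whose name says /var/lib; any domain that already has write or manage access to xkb_var_lib_t now gets that access on files under /usr/share, which the review above expects to be static and possibly mounted read-only. Confirm that no domain writes xkb_var_lib_t, or give the /usr/share location its own read-only type, and say in the commit message whether the /var/lib/xkb entry is kept alongside it, since the hunk only adds the new path.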
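Review bot: the gnome_xdm tunable description in the xserver.te hunk at @@ -42,6 +42,14 @@ says what the boolean is for ("Use gnome-shell in gdm mode as the X Display Manager") but not what it grants; the only rule behind it is `allow xdm_t self:process execmem;`, so the description should name that permission, e.g. "Allow the X display manager domain to execute anonymous memory (execmem), needed by gnome-shell in gdm mode", so an administrator reading the boolean list sees the cost of enabling it.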
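Review bot: the `+dontaudit xdm_t self:capability sys_admin;` line in the hunk at @@ -304,6 +312,7 @@ is not mentioned in the commit message and carries no comment saying which call triggers the denial; a dontaudit on sys_admin silences a capability that covers a wide range of privileged operations, so a later reader cannot tell whether the denial is harmless noise or a missing permission. Add a comment above it naming the source and mention it in the commit message, or drop it from this patch, which is otherwise about executable memory and xconsole.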
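Review bot: the hunk at @@ -316,7 +325,7 @@ replaces `{ getattr setattr }` on xconsole_device_t:fifo_file with read_fifo_file_perms, which adds open and read but drops setattr; the commit message only says permissions were added so that xconsole runs smoothly, so if xdm still changes the fifo's attributes this is a silent regression. Either use `{ read_fifo_file_perms setattr }` or state in the commit message that setattr was found to be unnecessary.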
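Review bot: in the hunk at @@ -450,6 +459,10 @@, term_use_generic_ptys(xdm_t) grants read/write on every generic devpts pty rather than only the one xconsole opens, and the "# for xconsole" comment does not say why a display manager domain needs /dev/ptmx and ptys at all (presumably xconsole allocates a pty to receive console output). Spell that reason out in the comment so the two interface calls are understood as a pair, and if the denials came from a terminal xconsole inherits rather than allocates, the narrower term_dontaudit_use_generic_ptys may be enough.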
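Review bot: the new tunable_policy block at @@ -507,6 +520,10 @@ carries no comment and is not guarded by ifndef(`distro_redhat'), while the rule it replaces (removed in the hunk at @@ -586,10 +603,6 @@) was only ever compiled on non-Red Hat builds and only inside the optional_policy block that also calls unconfined_domain(xdm_t). On Red Hat builds, toggling gnome_xdm now grants execmem where the policy never did before; say in the commit message whether that widening is intended, and add a one-line comment above the block giving the reason gnome-shell in gdm mode needs execmem so the rule is self-explaining.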
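Review bot: the hunk at @@ -586,10 +603,6 @@ drops execheap for xdm_t entirely and makes execmem depend on gnome_xdm, but the commit message does not say which display managers besides gdm were checked; the xserver.fc context shows lightdm and the X11R6 [xgkw]dm binaries all run as xdm_exec_t, and any of them that relied on the old grant on non-Red Hat builds will now fail with an execmem or execheap denial and has no boolean to turn it back on. List the display managers tested, or name the boolean after what it grants (e.g. xdm_execmem) rather than after gnome, so other display managers that need it have a supported switch.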
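Review bot: udev_read_pid_files(xserver_t) in the hunk at @@ -803,6 +816,7 @@ is added without a comment; the interface name suggests only udev's pid file, and the commit message says the X server needs to read udev pid files without saying for what. State the actual need in a comment next to the existing udev_read_db call (presumably the X server's input hotplug path reading under /run/udev), so the two calls are not mistaken for duplicates and one is not dropped in a later cleanup.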