From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 30 Dec 2016 14:15:32 -0500
Subject: [refpolicy] [PATCH v6 1/2] xserver: introduce new fc and
 interface to manage X session logs
In-Reply-To: <1482954203.2738.5.camel@trentalancia.net>
References: <1482247723.12013.1.camel@trentalancia.net>
	<4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org>
	<1482361511.9387.2.camel@trentalancia.net>
	<6eab2b57-a862-9868-0899-0b737b1be300@ieee.org>
	<1482443392.20547.16.camel@trentalancia.net>
	<20161223073419.GA8282@meriadoc.perfinion.com>
	<1482507864.10020.14.camel@trentalancia.net>
	<2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org>
	<418625772.17634.1482868899593.JavaMail.open-xchange@popper10.register.it>
	<6e6ac8cd-60c0-b803-1a4e-a9e361b5b589@ieee.org>
	<1482954203.2738.5.camel@trentalancia.net>
Message-ID: <0643f1a5-dfb7-9f28-5f3c-30b3bc9bf4b1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/28/16 14:43, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interface to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> The fourth version introduces the new template for
> username-dependent file contexts.
>
> The fifth version moves other interface calls thanks to
> further revisions from Christopher PeBenito (the corresponding
> contrib policy part remains unchanged at version 4).
>
> This sixth version, adds the missing diff relative to the
> xserver.te policy file to declare the new xsession_log_t type.
>
> The corresponding base policy patch is at version 4.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    2 +
>  policy/modules/services/xserver.if |   65 +++++++++++++++++++++++++++++++++++--
>  policy/modules/services/xserver.te |    3 +
>  3 files changed, 68 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-28 20:24:50.195390393 +0100
> @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* --	gen_contex
>  HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
>  HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
>  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>
>  #
> @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
>  /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
>  /tmp/\.X11-unix/.*	-s	<<none>>
> +/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
>
>  #
>  # /usr
> diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> --- a/policy/modules/services/xserver.if	2016-12-20 17:14:22.191440529 +0100
> +++ b/policy/modules/services/xserver.if	2016-12-28 20:24:50.196390406 +0100
> @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
>  	# Needed for escd, remove if we get escd policy
>  	xserver_manage_xdm_tmp_files($2)
>
> +	# for the .xsession-errors log file
> +	xserver_user_home_dir_filetrans_user_xsession_log($2)
> +	xserver_manage_xsession_log($2)
> +
>  	# Client write xserver shm
>  	tunable_policy(`allow_write_xshm',`
>  		allow $2 xserver_t:shm rw_shm_perms;
> @@ -307,7 +311,7 @@ interface(`xserver_user_client',`
>
>  	userdom_search_user_home_dirs($1)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($1)
> +	xserver_rw_xsession_log($1)
>
>  	xserver_ro_session($1,$2)
>  	xserver_use_user_fonts($1)
> @@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template
>
>  	userdom_search_user_home_dirs($2)
>  	# for .xsession-errors
> -	userdom_dontaudit_write_user_home_content_files($2)
> +	xserver_rw_xsession_log($2)
>
>  	xserver_ro_session($2,$3)
>  	xserver_use_user_fonts($2)
> @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetra
>
>  ########################################
>  ## <summary>
> +##	Create a .xsession-errors log
> +##	file in the user home directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
> +')
> +
> +########################################
> +## <summary>
>  ##	Read all users fonts, user font configurations,
>  ##	and manage all users font caches.
>  ## </summary>
> @@ -1000,6 +1023,44 @@ interface(`xserver_xsession_spec_domtran
>  ')
>
>  ########################################
> +## <summary>
> +##	Read and write xsession log
> +##	files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage xsession log files such
> +##	as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file manage_file_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Get the attributes of X server logs.
>  ## </summary>
> diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-28 20:29:17.898062418 +0100
> @@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
>  type xsession_exec_t;
>  corecmd_executable_file(xsession_exec_t)
>
> +type xsession_log_t;
> +userdom_user_home_content(xsession_log_t)
> +
>  # Type for the X server log file.
>  type xserver_log_t;
>  logging_log_file(xserver_log_t)

Merged.

-- 
Chris PeBenito