From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 30 Dec 2016 14:15:32 -0500
Subject: [refpolicy] [PATCH v6 1/2] xserver: introduce new fc and interface to manage X session logs
In-Reply-To: <1482954203.2738.5.camel@trentalancia.net>
References: <1482247723.12013.1.camel@trentalancia.net> <4a13d81a-a78c-8bb1-b8da-a4f9d7ff48d2@ieee.org> <1482361511.9387.2.camel@trentalancia.net> <6eab2b57-a862-9868-0899-0b737b1be300@ieee.org> <1482443392.20547.16.camel@trentalancia.net> <20161223073419.GA8282@meriadoc.perfinion.com> <1482507864.10020.14.camel@trentalancia.net> <2616b3a9-f55a-0061-6763-6f7448a3331f@ieee.org> <418625772.17634.1482868899593.JavaMail.open-xchange@popper10.register.it> <6e6ac8cd-60c0-b803-1a4e-a9e361b5b589@ieee.org> <1482954203.2738.5.camel@trentalancia.net>
Message-ID: <0643f1a5-dfb7-9f28-5f3c-30b3bc9bf4b1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/28/16 14:43, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver).
>
> The second version of the patch correctly uses file type
> transitions and uses more tight permissions.
>
> The third version simply moves some interface calls.
>
> The fourth version introduces the new template for
> username-dependent file contexts.
>
> The fifth version moves other interface calls thanks to
> further revisions from Christopher PeBenito (the corresponding
> contrib policy part remains unchanged at version 4).
>
> This sixth version adds the missing diff relative to the
> xserver.te policy file to declare the new xsession_log_t type.
>
> The corresponding base policy patch is at version 4.
> > Signed-off-by: Guido Trentalancia > --- > policy/modules/services/xserver.fc | 2 + > policy/modules/services/xserver.if | 65 +++++++++++++++++++++++++++++++++++-- > policy/modules/services/xserver.te | 3 + > 3 files changed, 68 insertions(+), 2 deletions(-) > > diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc > --- a/policy/modules/services/xserver.fc 2016-12-22 23:12:47.782929703 +0100 > +++ b/policy/modules/services/xserver.fc 2016-12-28 20:24:50.195390393 +0100 > @@ -9,6 +9,7 @@ HOME_DIR/\.fonts\.cache-.* -- gen_contex > HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) > HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) > +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) > > # > @@ -54,6 +55,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) > /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) > /tmp/\.X11-unix/.* -s <> > +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) > > # > # /usr > diff -pru a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > --- a/policy/modules/services/xserver.if 2016-12-20 17:14:22.191440529 +0100 > +++ b/policy/modules/services/xserver.if 2016-12-28 20:24:50.196390406 +0100 > @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',` > # Needed for escd, remove if we get escd policy > xserver_manage_xdm_tmp_files($2) > > + # for the .xsession-errors log file > + xserver_user_home_dir_filetrans_user_xsession_log($2) > + xserver_manage_xsession_log($2) > + > # Client write xserver shm > tunable_policy(`allow_write_xshm',` > allow $2 xserver_t:shm rw_shm_perms; 
> @@ -307,7 +311,7 @@ interface(`xserver_user_client',` > > userdom_search_user_home_dirs($1) > # for .xsession-errors > - userdom_dontaudit_write_user_home_content_files($1) > + xserver_rw_xsession_log($1) > > xserver_ro_session($1,$2) > xserver_use_user_fonts($1) > @@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template > > userdom_search_user_home_dirs($2) > # for .xsession-errors > - userdom_dontaudit_write_user_home_content_files($2) > + xserver_rw_xsession_log($2) > > xserver_ro_session($2,$3) > xserver_use_user_fonts($2) > @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetra > > ######################################## > ## > +## Create a .xsession-errors log > +## file in the user home directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` > + gen_require(` > + type xsession_log_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") > +') > + > +######################################## > +## > ## Read all users fonts, user font configurations, > ## and manage all users font caches. > ## 
> @@ -1000,6 +1023,44 @@ interface(`xserver_xsession_spec_domtran > ') > > ######################################## > +## > +## Read and write xsession log > +## files such as .xsession-errors. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_rw_xsession_log',` > + gen_require(` > + type xsession_log_t; > + ') > + > + allow $1 xsession_log_t:file rw_file_perms; > +') > + > +######################################## > +## > +## Manage xsession log files such > +## as .xsession-errors. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_manage_xsession_log',` > + gen_require(` > + type xsession_log_t; > + ') > + > + allow $1 xsession_log_t:file manage_file_perms; > +') > + > +######################################## > ## > ## Get the attributes of X server logs. > ## > diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > --- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100 > +++ b/policy/modules/services/xserver.te 2016-12-28 20:29:17.898062418 +0100 > @@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t) > type xsession_exec_t; > corecmd_executable_file(xsession_exec_t) > > +type xsession_log_t; > +userdom_user_home_content(xsession_log_t) > + > # Type for the X server log file. > type xserver_log_t; > logging_log_file(xserver_log_t) Merged. -- Chris PeBenito
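
Review bot: In the xserver.fc hunk at @@ -9, the new HOME_DIR/\.xsession-errors entry matches only that exact name, while every neighbouring entry ends in .*, so a rotated or suffixed copy of the log would keep the generic user home label and fall outside xserver_rw_xsession_log. If such copies are expected, consider HOME_DIR/\.xsession-errors.* here, keeping in mind that the named transition in xserver_user_home_dir_filetrans_user_xsession_log only covers ".xsession-errors".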
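
Review bot: In the xserver.fc hunk at @@ -54, /tmp/xses-%{USERNAME} receives xsession_log_t only through the file context, because the one type transition added in these hunks is for the user home directory and xserver.te declares the type only with userdom_user_home_content(). A file created under /tmp at session start keeps the creator's default tmp type until it is relabelled, so the rw and manage rules on xsession_log_t will not apply to it. Either add a files_tmp_filetrans-based counterpart to xserver_user_home_dir_filetrans_user_xsession_log, or say in the commit message where that transition is provided.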
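
Review bot: In the xserver_user_client hunk at @@ -307, the replacement line xserver_rw_xsession_log($1) turns a dontaudit into an allow with rw_file_perms, so every X client domain can now read and overwrite the session log rather than only add to it. Clients typically just write diagnostics to it, so an append-only interface (allow $1 xsession_log_t:file append_file_perms;) would cover that use while keeping one client from reading or truncating what another logged. The same line is added in xserver_user_x_domain_template.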
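
Review bot: In the xserver_user_x_domain_template hunk at @@ -469, removing userdom_dontaudit_write_user_home_content_files($2) also drops the dontaudit for writes to every other user home content file, not only the session log. Domains built from this template that relied on that rule to stay quiet will start producing AVC denials in the audit log. If that is intended, mention it in the commit message so policy users know to expect the new denials; otherwise keep the dontaudit line next to xserver_rw_xsession_log($2).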