From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 30 Dec 2016 14:15:44 -0500
Subject: [refpolicy] [PATCH v4 2/2] contrib: support the new interface to manage X session logs
In-Reply-To: <1482954248.2738.7.camel@trentalancia.net>
References: <1482247723.12013.1.camel@trentalancia.net> <1482247816.12013.3.camel@trentalancia.net> <1482361519.9387.3.camel@trentalancia.net> <1482419754.3408.1.camel@trentalancia.net> <443b8c08-7dd5-31e1-1474-f1266fb5d548@ieee.org> <1482954248.2738.7.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/28/16 14:44, Guido Trentalancia via refpolicy wrote:
> The following patch (split in two parts, one for base and
> another one for contrib) introduces a new file context for
> the X session log files and two new interfaces to manage
> them (instead of allowing them to manage the whole user home
> content files).
>
> It is required after the recent confinement of graphical
> desktop components (e.g. wm, xscreensaver, openoffice).
>
> The second version of the patch correctly uses file type
> transitions and uses tighter permissions.
>
> The third version adds the logging capability to the
> openoffice module.
>
> This fourth version explicitly makes xscreensaver dependent
> on the xserver module.
>
> The corresponding base policy patch is at version 6.
>
> Signed-off-by: Guido Trentalancia
> --- > policy/modules/contrib/dbus.te | 1 + > policy/modules/contrib/gnome.te | 5 +++++ > policy/modules/contrib/openoffice.te | 1 + > policy/modules/contrib/wm.te | 1 + > policy/modules/contrib/xscreensaver.te | 6 +++--- > 5 files changed, 11 insertions(+), 3 deletions(-) > > diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te > --- a/policy/modules/contrib/dbus.te 2016-12-22 23:12:59.377081677 +0100 > +++ b/policy/modules/contrib/dbus.te 2016-12-28 20:24:54.385446098 +0100 
> @@ -244,6 +244,7 @@ seutil_read_default_contexts(session_bus > term_use_all_terms(session_bus_type) > > optional_policy(` > + xserver_rw_xsession_log(session_bus_type) > xserver_use_xdm_fds(session_bus_type) > xserver_rw_xdm_pipes(session_bus_type) > ') > diff -pru a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te > --- a/policy/modules/contrib/gnome.te 2016-12-27 22:41:15.522602035 +0100 > +++ b/policy/modules/contrib/gnome.te 2016-12-28 20:24:54.386446112 +0100 > @@ -70,6 +70,7 @@ logging_send_syslog_msg(gnomedomain) > userdom_use_user_terminals(gnomedomain) > > optional_policy(` > + xserver_rw_xsession_log(gnomedomain) > xserver_rw_xdm_pipes(gnomedomain) > xserver_use_xdm_fds(gnomedomain) > ') > @@ -145,3 +146,7 @@ optional_policy(` > optional_policy(` > telepathy_mission_control_read_state(gkeyringd_domain) > ') > + > +optional_policy(` > + xserver_rw_xsession_log(gkeyringd_domain) > +') > diff -pru a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te > --- a/policy/modules/contrib/openoffice.te 2016-12-27 22:41:15.522602035 +0100 > +++ b/policy/modules/contrib/openoffice.te 2016-12-28 20:24:54.386446112 +0100 > @@ -131,6 +131,7 @@ optional_policy(` > ') > > optional_policy(` > + xserver_rw_xsession_log(ooffice_t) > xserver_read_user_iceauth(ooffice_t) > xserver_read_user_xauth(ooffice_t) > xserver_read_xdm_tmp_files(ooffice_t) > diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te > --- a/policy/modules/contrib/wm.te 2016-12-27 22:41:15.543602334 +0100 > +++ b/policy/modules/contrib/wm.te 2016-12-28 20:24:54.387446125 +0100 > @@ -132,4 +132,5 @@ optional_policy(` > > optional_policy(` > xserver_dbus_chat_xdm(wm_domain) > + xserver_rw_xsession_log(wm_domain) > ') > diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te > --- a/policy/modules/contrib/xscreensaver.te 2016-12-22 00:49:56.960049501 +0100 
> +++ b/policy/modules/contrib/xscreensaver.te 2016-12-28 20:32:01.742240850 +0100 > @@ -58,6 +58,7 @@ miscfiles_read_localization(xscreensaver > userdom_use_user_terminals(xscreensaver_t) > userdom_read_user_home_content_files(xscreensaver_t) > > +xserver_rw_xsession_log(xscreensaver_t) > xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) > > ######################################## > @@ -86,6 +87,5 @@ fs_dontaudit_getattr_xattr_fs(xscreensav > miscfiles_read_fonts(xscreensaver_helper_t) > miscfiles_read_localization(xscreensaver_helper_t) > > -optional_policy(` > - xserver_stream_connect(xscreensaver_helper_t) > -') > +xserver_rw_xsession_log(xscreensaver_helper_t) > +xserver_stream_connect(xscreensaver_helper_t) Merged. -- Chris PeBenito
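
Review bot: in the dbus.te hunk (@@ -244,6 +244,7 @@), xserver_rw_xsession_log(session_bus_type) is granted to an attribute, so every domain that carries session_bus_type, including any added later, gets read/write on the X session log. The interface body is in the base patch and not visible here; if the session buses only write to an inherited log descriptor, an append-only grant would be tighter, and it is worth confirming that against the observed denials before granting to the whole attribute. The same question applies to the gnomedomain and wm_domain grants in gnome.te and wm.te.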
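
Review bot: the new optional_policy block at the end of gnome.te (@@ -145,3 +146,7 @@) gives gkeyringd_domain read/write on the session log with no comment, and the commit message names only wm, xscreensaver and openoffice as the components that need it. A one-line comment above xserver_rw_xsession_log(gkeyringd_domain) saying what the keyring daemon writes there would make the grant auditable; if it was added only to silence a denial on an inherited descriptor, a dontaudit rule may be the better fit.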
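
Review bot: in the last xscreensaver.te hunk (@@ -86,6 +87,5 @@), removing the optional_policy wrapper around xserver_stream_connect(xscreensaver_helper_t) makes xserver a hard dependency of the helper domain as well. That is consistent with the unconditional xserver_user_x_domain_template(...) call visible in the first hunk's context, but the dependency is recorded only in the commit message. A short comment in the module noting that xscreensaver requires xserver would keep a later cleanup from re-wrapping these calls. The two added calls would also read better grouped under the existing xserver lines for xscreensaver_t than appended after the miscfiles block.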