From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 31 Dec 2016 17:00:44 +0100
Subject: [refpolicy] [PATCH v4] xserver: restrict executable memory permissions
In-Reply-To: <6af90cee-3558-05b2-aeed-d15f89debaa1@ieee.org>
References: <1482945627.7302.8.camel@trentalancia.net> <1482954976.2738.9.camel@trentalancia.net> <1483058219.31174.0.camel@trentalancia.net> <2093778852.71948.1483135647164.JavaMail.open-xchange@popper10.register.it> <6af90cee-3558-05b2-aeed-d15f89debaa1@ieee.org>
Message-ID: <1483200044.3041.2.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'll fix that immediately. It's a mistake.

On Sat, 31/12/2016 at 10.56 -0500, Chris PeBenito wrote:
> On 12/30/16 17:07, Guido Trentalancia via refpolicy wrote:
> >
> > The dangerous execheap permission is removed from xdm and the
> > dangerous execmem permission is only enabled for the Gnome
> > Display Manager (gnome-shell running in gdm mode) through a
> > new "xserver_gnome_xdm" boolean.
> >
> > This patch also updates the XKB libs file context with their
> > default location (which at the moment is not compliant with
> > FHS3 due to the fact that it allows by default to write the
> > output from xkbcomp), adds the ability to read udev pid files
> > and finally adds a few permissions so that xconsole can run
> > smoothly.
> >
> > The anomalous permission to execute XKB var library files has
> > been removed and the old X11R6 library location has been
> > updated so that subdirectories are also labeled as xkb_var_lib.
> >
> > This patch includes various improvements as kindly suggested
> > in reviews made by Christopher PeBenito.
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > ?policy/modules/services/xserver.fc |????6 ++++-- > > ?policy/modules/services/xserver.te |???30 +++++++++++++++++++++--- > > ------ > > ?2 files changed, 25 insertions(+), 11 deletions(-) > > > > diff -pru a/policy/modules/services/xserver.fc > > b/policy/modules/services/xserver.fc > > --- a/policy/modules/services/xserver.fc 2016-12-22 > > 23:12:47.782929703 +0100 > > +++ b/policy/modules/services/xserver.fc 2016-12-30 > > 23:02:21.384800112 +0100 > > @@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.* -- gen_cont > > ext(s > > > > ?/usr/sbin/lightdm -- gen_context(system_u:object_r:x > > dm_exec_t,s0) > > > > +# xserver default configure bug: not FHS-compliant because not > > read-only ! > > +/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_ > > var_lib_t,s0) > > + > > ?/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:obje > > ct_r:xdm_exec_t,s0) > > ?/usr/X11R6/bin/iceauth -- gen_context(system_u:objec > > t_r:iceauth_exec_t,s0) > > ?/usr/X11R6/bin/X -- gen_context(system_u:object_r:xs > > erver_exec_t,s0) > > @@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.* -- gen_cont > > ext(s > > ?/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_ > > r:xserver_exec_t,s0) > > ?/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r > > :xserver_exec_t,s0) > > ?/usr/X11R6/bin/Xwrapper -- gen_context(system_u:obje > > ct_r:xserver_exec_t,s0) > > -/usr/X11R6/lib/X11/xkb -d gen_context(system_u:objec > > t_r:xkb_var_lib_t,s0) > > -/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r: > > xkb_var_lib_t,s0) > > +/usr/X11R6/lib/X11/xkb(/.*)? -- gen_context(system_u > > :object_r:xkb_var_lib_t,s0)
>
> I doubt that anyone still uses /usr/X11R6, but this does not have the
> desired effect since you kept the --.  The xkb directory will be
> mislabeled.

Regards,

Guido
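Review bot: in the first hunk of xserver.fc, the comment placed above the new `/usr/share/X11/xkb(/.*)?` entry ("xserver default configure bug: not FHS-compliant because not read-only !") does not tell a reader why a tree under /usr/share, which the FHS reserves for read-only data, gets the writable xkb_var_lib_t type. The commit message already states the reason, namely that xkbcomp writes its output into this location by default, so the .fc comment should carry that explanation instead, e.g. `# xkbcomp writes its output here by default, so this tree cannot be labeled as read-only data`.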
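Review bot: in the second hunk of xserver.fc, the replacement line `+/usr/X11R6/lib/X11/xkb(/.*)? -- gen_context(system_u:object_r:xkb_var_lib_t,s0)` keeps the `--` file-type field, which restricts the match to regular files, so the xkb directory that the removed `-d` entry covered, and every subdirectory under it, will not receive xkb_var_lib_t. Drop the `--` so the entry matches all file types, as the new `/usr/share/X11/xkb(/.*)?` entry in the first hunk already does; that also keeps the two xkb entries consistent. This is the same defect Chris PeBenito points out in his reply, and the directory mislabeling would defeat the stated goal of labeling subdirectories as xkb_var_lib.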