From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 6 Dec 2017 16:06:08 +0100
Subject: [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.
In-Reply-To:
References:
Message-ID: <20171206150608.GA3055@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 06, 2017 at 02:38:49PM +0000, David Sugar via refpolicy wrote:
> Add interfaces to grant write-only access to inherited xserver_log_t and xsession_log_t files.
>
> Signed-off-by: Dave Sugar

These are just suggestions, I will leave it up to others to make any final judgement, but:

I would probably introduce a "write_inherited_file_perms" object permission set in "policy/support/obj_perm_sets.spt":

define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')

then use that to create:

########################################
## <summary>
##	Write inherited xserver xsession log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_write_inherited_xsession_log_files',`
	gen_require(`
		type xsession_log_t;
	')

	allow $1 xsession_log_t:file write_inherited_file_perms;
')

and:

########################################
## <summary>
##	Write inherited xserver log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`xserver_write_inherited_log_files',`
	gen_require(`
		type xserver_log_t;
	')

	allow $1 xserver_log_t:file write_inherited_file_perms;
')

> ---
>  policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e70046db..3a435abf 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',` > > ######################################## > ## > +## Write to inherited xsession log > +## files such as .xsession-errors. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_write_inherited_xsession_log',` > + gen_require(` > + type xsession_log_t; > + ') > + > + allow $1 xsession_log_t:file { append write }; > +') > + > + > +######################################## > +## > ## Read and write xsession log > ## files such as .xsession-errors. > ## > @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',` > > ######################################## > ## > +## Write to inherited X server log > +## files like /var/log/lightdm/lightdm.log > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_write_inherited_log',` > + gen_require(` > + type xserver_log_t; > + ') > + > + allow $1 xserver_log_t:file { append write }; > +') > + > +######################################## > +## > ## Get the attributes of X server logs. > ## > ## > -- > 2.13.6

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
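Review bot: In the first hunk (xserver_write_inherited_xsession_log), `allow $1 xsession_log_t:file { append write };` grants only append and write, yet a process writing through an inherited descriptor commonly also fstat()s, flock()s or ioctl()s it, so getattr, lock and ioctl denials are likely to follow; a named permission set (as suggested in the reply above) would cover those and keep the two new interfaces identical. Leaving out `open` is what restricts this to inherited descriptors, which is the intended behaviour, so the summary could say so explicitly. Minor style point: there are two blank `+` lines between `+')` and the `+########` separator here, whereas the second hunk uses one.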
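Review bot: In the second hunk (xserver_write_inherited_log), the same literal `{ append write }` is repeated instead of sharing one permission set with the xsession interface, so the two will drift apart if one is later extended; please factor the set out. Also, the summary line `+## files like /var/log/lightdm/lightdm.log` lacks the trailing period that the corresponding xsession summary (`files such as .xsession-errors.`) has.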