From: dsugar@tresys.com (David Sugar)
Date: Wed, 6 Dec 2017 18:19:43 +0000
Subject: [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.
In-Reply-To: <20171206150608.GA3055@julius.enp8s0.d30>
References: <20171206150608.GA3055@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Wednesday, December 06, 2017 10:06 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1-v2] Create interfaces to write xserver log files.
>
> On Wed, Dec 06, 2017 at 02:38:49PM +0000, David Sugar via refpolicy wrote:
> > Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.
> >
> > Signed-off-by: Dave Sugar
>
> These are just suggestions, I will leave it up to others to make any final judgement but:
>
> I would probably introduce a "write_inherited_file_perms" object permission set to "policy/support/obj_perm_sets.spt":
>
> define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
>
> then use that to create:
>
> ########################################
> ## <summary>
> ##	Write inherited xserver xsession log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`xserver_write_inherited_xsession_log_files',`
> 	gen_require(`
> 		type xsession_log_t;
> 	')
>
> 	allow $1 xsession_log_t:file write_inherited_file_perms;
> ')
>
> and:
>
> ########################################
> ## <summary>
> ##	Write inherited xserver log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`xserver_write_inherited_log_files',`
> 	gen_require(`
> 		type xserver_log_t;
> 	')
>
> 	allow $1 xserver_log_t:file write_inherited_file_perms;
> ')

Yes, this seems reasonable. I will resubmit this patch with that recommendation taken into account. Thanks for the feedback.

> > ---
> >  policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 39 insertions(+)
> >
> > diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> > index e70046db..3a435abf 100644
> > --- a/policy/modules/services/xserver.if
> > +++ b/policy/modules/services/xserver.if
> > @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',` > > > > ######################################## > > ## > > +## Write to inherited xsession log > > +## files such as .xsession-errors. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_write_inherited_xsession_log',` > > + gen_require(` > > + type xsession_log_t; > > + ') > > + > > + allow $1 xsession_log_t:file { append write }; > > +') > > + > > + > > +######################################## > > +## > > ## Read and write xsession log > > ## files such as .xsession-errors. > > ## > > @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',` > > > > ######################################## > > ## > > +## Write to inherited X server log > > +## files like /var/log/lightdm/lightdm.log ## ## > +name="domain"> > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_write_inherited_log',` > > + gen_require(` > > + type xserver_log_t; > > + ') > > + > > + allow $1 xserver_log_t:file { append write }; > > +') > > + > > +######################################## > > +## > > ## Get the attributes of X server logs. > > ## > > ## > > -- > > 2.13.6 > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift
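Review bot: in the `xserver_write_inherited_xsession_log` hunk, `allow $1 xsession_log_t:file { append write };` is too narrow for the inherited-descriptor case the summary describes: a program whose stderr is the already-open .xsession-errors typically also fstat()s it and probes it with ioctl() (the isatty()-style TCGETS check), and may lock it, so callers will still trip getattr, ioctl and lock denials and end up needing a second rule. Prefer the `write_inherited_file_perms` set proposed earlier in this thread, defined once in policy/support/obj_perm_sets.spt as `{ getattr write append lock ioctl }`, and write `allow $1 xsession_log_t:file write_inherited_file_perms;` here. The summary should also state that `open` is intentionally not granted, so nobody reaches for this interface for a domain that opens the log by name. Minor style point: the hunk leaves two consecutive blank `+` lines before the next `########` header, while the neighbouring interfaces in xserver.if are separated by a single blank line.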
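Review bot: in the `xserver_write_inherited_log` hunk, `allow $1 xserver_log_t:file { append write };` hard-codes the same permission list as the xsession hunk; if a shared inherited-write permission set is introduced, both interfaces should reference it so the two cannot drift apart the next time a permission is found missing. The summary names one display manager's log, /var/log/lightdm/lightdm.log, although the type being granted is the generic xserver_log_t; wording it as "X server log files, e.g. /var/log/lightdm/lightdm.log" avoids the interface being read as lightdm-specific. It is also worth a sentence in the summary that a descriptor inherited from the domain that opened the log additionally needs an fd:use grant on that domain, which this interface does not (and should not) provide.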
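To show how an interface of this shape is consumed, here is an added example of a small policy module for a program that the X session launches with its stderr already redirected into ~/.xsession-errors. It is not part of the patch, of this thread, or of refpolicy itself. The module name xhelper, the types xhelper_t and xhelper_exec_t, the path /usr/bin/xhelper and the interface name xserver_write_inherited_xsession_log_files (the `_files` form suggested above) are all assumptions.

```m4
# xhelper.te -- added example, not from the patch or from refpolicy.
#
# Scenario: the X session script execs /usr/bin/xhelper with stderr
# already pointing at ~/.xsession-errors (labeled xsession_log_t).
# The descriptor is inherited; this domain never opens the log by
# name, so the write-only "inherited" interface is the correct grant.
# Module name, type names, path and interface name are assumptions.
#
# Matching file context (xhelper.fc), also hypothetical:
#   /usr/bin/xhelper  --  gen_context(system_u:object_r:xhelper_exec_t,s0)

policy_module(xhelper, 1.0.0)

########################################
#
# Declarations
#

type xhelper_t;
type xhelper_exec_t;
application_domain(xhelper_t, xhelper_exec_t)

########################################
#
# Local policy
#

# Inherited stderr: write/append on the already-open descriptor, plus
# getattr/lock/ioctl so that fstat() and the isatty()-style ioctl that
# most runtimes perform on stderr do not produce denials.  No "open"
# permission is granted, so xhelper_t cannot reopen .xsession-errors
# (or any other xsession_log_t file) on its own.
xserver_write_inherited_xsession_log_files(xhelper_t)

# The descriptor was created by whichever domain opened the log before
# the transition, so that domain's fd:use is also required.  refpolicy
# exposes that through the per-domain "use_*_fds" style interfaces; it
# is a separate grant and is deliberately not covered by the interface
# above.  Which one applies depends on the display manager in use, so it
# is left to the deploying policy author here.
```

The point the module makes is the split between "write on a descriptor somebody else opened" and "open the file yourself": the former is what the new interface grants, and a domain that needs the latter should use a read/write interface that includes `open` rather than have `open` quietly added to this one.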