From: dsugar@tresys.com (David Sugar)
Date: Wed, 6 Dec 2017 18:28:36 +0000
Subject: [refpolicy] [PATCH 1/1-v3] Create interfaces to write to inherited xserver log files.
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.

Signed-off-by: Dave Sugar
---
 policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
 policy/support/obj_perm_sets.spt | 3 ++-
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e70046db..b60957fb 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
 ########################################
 ##
+## Write to inherited xsession log
+## files such as .xsession-errors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_write_inherited_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file write_inherited_file_perms;
+')
+
+
+########################################
+##
 ## Read and write xsession log
 ## files such as .xsession-errors.
 ##
@@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
 ########################################
 ##
+## Write to inherited X server log
+## files like /var/log/lightdm/lightdm.log
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_write_inherited_log',`
+ gen_require(`
+ type xserver_log_t;
+ ')
+
+ allow $1 xserver_log_t:file write_inherited_file_perms;
+')
+
+########################################
+##
 ## Get the attributes of X server logs.
 ##
 ##
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 65576772..39e2edc3 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
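Review bot: The new `xserver_write_inherited_xsession_log` is followed by two blank `+` lines before the next `########################################` separator, whereas the second hunk of this file (and the surrounding interfaces) separate interfaces with a single blank line; drop one of them. The summary should also state what distinguishes this interface from the read/write one that follows it, since the whole point is the missing `open`, e.g. `## Write to inherited xsession log files such as .xsession-errors. No open permission is granted, so the domain can only write to descriptors handed to it (typically stderr from the display manager).` The trailing context is the start of the next interface's summary, whose body lies outside the hunk.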
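Review bot: `xserver_write_inherited_log` grants only `xserver_log_t:file` permissions, so a caller that receives the descriptor from another domain will still be denied until it is also allowed `fd use` on the domain that opened the log; the interface should not grant that itself, but the summary should say so, e.g. `## The caller must separately be allowed to use the file descriptors of the domain that opened the log (usually the display manager).` The example path `/var/log/lightdm/lightdm.log` is narrower than the type it documents; the neighbouring interface's wording `X server logs` (visible in the trailing context) would be more accurate than a single display manager's path. As with the first hunk, the body of the interface whose summary starts in the trailing context lies outside the hunk.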
@@ -157,7 +157,8 @@ define(`read_file_perms',`{ getattr open read lock ioctl }')
 define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
+define(`write_file_perms',`{ open write_inherited_file_perms }')
 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_file_perms',`{ open rw_inherited_file_perms }')
 define(`create_file_perms',`{ getattr create open }')
-- 
2.13.6