From: dsugar@tresys.com (David Sugar)
Date: Wed, 6 Dec 2017 18:28:36 +0000
Subject: [refpolicy] [PATCH 1/1-v3] Create interfaces to write to inherited
 xserver log files.
Message-ID: <CO1PR15MB1032A5E97D3288E981106934B9320@CO1PR15MB1032.namprd15.prod.outlook.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
 policy/support/obj_perm_sets.spt   |  3 ++-
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e70046db..b60957fb 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
 
 ########################################
 ## <summary>
+##	Write to inherited  xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_inherited_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file write_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
 ##	Read and write xsession log
 ##	files such as .xsession-errors.
 ## </summary>
@@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
 
 ########################################
 ## <summary>
+##	Write to inherited X server log
+##  files like /var/log/lightdm/lightdm.log
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_inherited_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	allow $1 xserver_log_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 65576772..39e2edc3 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -157,7 +157,8 @@ define(`read_file_perms',`{ getattr open read lock ioctl }')
 define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
+define(`write_file_perms',`{ open write_inherited_file_perms }')
 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_file_perms',`{ open rw_inherited_file_perms }')
 define(`create_file_perms',`{ getattr create open }')
-- 
2.13.6