From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 7 Dec 2017 18:54:54 -0500 Subject: [refpolicy] [PATCH 1/1-v3] Create interfaces to write to inherited xserver log files. In-Reply-To: References: Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/06/2017 01:28 PM, David Sugar via refpolicy wrote: > Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files. > > Signed-off-by: Dave Sugar > --- > policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++ > policy/support/obj_perm_sets.spt | 3 ++- > 2 files changed, 41 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > index e70046db..b60957fb 100644 > --- a/policy/modules/services/xserver.if > +++ b/policy/modules/services/xserver.if > @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',` > > ######################################## > ## > +## Write to inherited xsession log > +## files such as .xsession-errors. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_write_inherited_xsession_log',` > + gen_require(` > + type xsession_log_t; > + ') > + > + allow $1 xsession_log_t:file write_inherited_file_perms; > +') > + > + > +######################################## > +## > ## Read and write xsession log > ## files such as .xsession-errors. > ## > @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',` > > ######################################## > ## > +## Write to inherited X server log > +## files like /var/log/lightdm/lightdm.log > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_write_inherited_log',` > + gen_require(` > + type xserver_log_t; > + ') > + > + allow $1 xserver_log_t:file write_inherited_file_perms; > +') > + > +######################################## > +## > ## Get the attributes of X server logs. > ## > ## 
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt > index 65576772..39e2edc3 100644 > --- a/policy/support/obj_perm_sets.spt > +++ b/policy/support/obj_perm_sets.spt > @@ -157,7 +157,8 @@ define(`read_file_perms',`{ getattr open read lock ioctl }') > define(`mmap_file_perms',`{ getattr open map read execute ioctl }') > define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') > define(`append_file_perms',`{ getattr open append lock ioctl }') > -define(`write_file_perms',`{ getattr open write append lock ioctl }') > +define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') > +define(`write_file_perms',`{ open write_inherited_file_perms }') I'd prefer not to have the nested macro, so one can look at the file and easily and clearly see what perms a particular set has. Otherwise I'm fine with the patch. -- Chris PeBenito
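Review bot: In the first xserver.if hunk (`xserver_write_inherited_xsession_log`) there are two blank `+` lines between the closing `')` and the next `########` banner, whereas the second hunk and the surrounding interfaces use a single blank line; drop one of the added blank lines so the spacing matches the rest of the file.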
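Review bot: In the second xserver.if hunk (`xserver_write_inherited_log`) the summary "Write to inherited X server log files like /var/log/lightdm/lightdm.log" lacks the terminating period used by the sibling interface, and neither summary says why `open` is absent; one sentence noting that the caller must receive the descriptor by inheritance (it is not permitted to open the log itself) would make the intent of `write_inherited_file_perms` clear to users of both interfaces.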
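Review bot: In the obj_perm_sets.spt hunk, redefining `write_file_perms` as `{ open write_inherited_file_perms }` breaks the file's convention, visible in the unchanged `read_file_perms`, `mmap_file_perms`, `exec_file_perms` and `append_file_perms` lines, that every set is spelled out in full; keep the original `define(`write_file_perms',`{ getattr open write append lock ioctl }')` and add `write_inherited_file_perms` as a separate fully expanded set, so each definition can be read and grepped on its own.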