From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 7 Dec 2017 18:54:54 -0500
Subject: [refpolicy] [PATCH 1/1-v3] Create interfaces to write to
 inherited xserver log files.
In-Reply-To: <CO1PR15MB1032A5E97D3288E981106934B9320@CO1PR15MB1032.namprd15.prod.outlook.com>
References: <CO1PR15MB1032A5E97D3288E981106934B9320@CO1PR15MB1032.namprd15.prod.outlook.com>
Message-ID: <c862ba86-4e3a-971c-afbe-c7e27e039845@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/06/2017 01:28 PM, David Sugar via refpolicy wrote:
> Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
>   policy/support/obj_perm_sets.spt   |  3 ++-
>   2 files changed, 41 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e70046db..b60957fb 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
>   
>   ########################################
>   ## <summary>
> +##	Write to inherited  xsession log
> +##	files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_xsession_log',`
> +	gen_require(`
> +		type xsession_log_t;
> +	')
> +
> +	allow $1 xsession_log_t:file write_inherited_file_perms;
> +')
> +
> +
> +########################################
> +## <summary>
>   ##	Read and write xsession log
>   ##	files such as .xsession-errors.
>   ## </summary>
> @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
>   
>   ########################################
>   ## <summary>
> +##	Write to inherited X server log
> +##  files like /var/log/lightdm/lightdm.log
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_log',`
> +	gen_require(`
> +		type xserver_log_t;
> +	')
> +
> +	allow $1 xserver_log_t:file write_inherited_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Get the attributes of X server logs.
>   ## </summary>
>   ## <param name="domain">
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 65576772..39e2edc3 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -157,7 +157,8 @@ define(`read_file_perms',`{ getattr open read lock ioctl }')
>   define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
>   define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
>   define(`append_file_perms',`{ getattr open append lock ioctl }')
> -define(`write_file_perms',`{ getattr open write append lock ioctl }')
> +define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
> +define(`write_file_perms',`{ open write_inherited_file_perms }')

I'd prefer not to have the nested macro, so one can look at the file and 
easily and clearly see what perms a particular set has.  Otherwise I'm 
fine with the patch.



-- 
Chris PeBenito