2016-12-01 15:00:38

by guido

Subject: [refpolicy] [PATCH] xserver: remove unneeded user content permissions

Remove unneeded permissions to read user content from the
xserver module.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.te | 6 ------
1 file changed, 6 deletions(-)

--- refpolicy-git/policy/modules/services/xserver.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.te 2016-12-01 15:08:39.793367796 +0100
@@ -843,12 +842,6 @@ corenet_tcp_bind_vnc_port(xserver_t)

init_use_fds(xserver_t)

-# FIXME: After per user fonts are properly working
-# xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-userdom_read_user_home_content_files(xserver_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)


2016-12-02 13:44:07

by guido

Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions

Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.if | 19 +++++++++++++++++++
policy/modules/services/xserver.te | 15 +++++++--------
3 files changed, 27 insertions(+), 8 deletions(-)

diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.fc refpolicy-git-25112016/policy/modules/services/xserver.fc
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.fc 2016-08-14 22:10:42.751848845 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.fc 2016-12-02 13:51:29.831384654 +0100
@@ -1,6 +1,7 @@
#
# HOME_DIR
#
+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
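Review bot: The new `HOME_DIR/\.dmrc` entry only helps once the file actually carries the dmrc_home_t label, and nothing in this patch covers files that already exist or are created later. Existing `~/.dmrc` files keep their current type until home directories are relabelled (for example with `restorecon`). Without a named type transition, a file created at runtime will presumably inherit the generic home content type. In both cases the narrowed xdm_t rule in xserver.te no longer matches and the read is denied. I would state the relabel requirement in the commit message and consider a `userdom_user_home_dir_filetrans(..., dmrc_home_t, file, ".dmrc")` rule for whichever domain writes the file.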
diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-02 14:16:59.538175791 +0100
+++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-02 13:52:42.491965282 +0100
@@ -621,6 +621,25 @@ interface(`xserver_read_user_iceauth',`

########################################
## <summary>
+## Read all users .dmrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_dmrc',`
+ gen_require(`
+ type dmrc_home_t;
+ ')
+
+ allow $1 dmrc_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Set the attributes of the X windows console named pipes.
## </summary>
## <param name="domain">
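Review bot: The summary `Read all users .dmrc.` on `xserver_read_user_dmrc` leaves out that access is limited to regular files of type dmrc_home_t: the allow rule is on the `file` class and the xserver.fc entry uses `--`. That restriction is worth recording for a domain as privileged as xdm_t, because this interface then gives no access through a symlink placed at that path (whether other rules still allow it is not visible here). I would add a comment above the allow rule such as `# Regular files only; a symlink at ~/.dmrc is not covered by this interface.` The header of the following interface continues outside the hunk.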
diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.te refpolicy-git-25112016/policy/modules/services/xserver.te
--- refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02 14:38:12.002579001 +0100
@@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
type xserver_log_t;
logging_log_file(xserver_log_t)

+type dmrc_home_t;
+userdom_user_home_content(dmrc_home_t)
+
ifdef(`enable_mcs',`
init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
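Review bot: `dmrc_home_t` is declared without a comment and without any visible rule giving user domains access to it. Whether `userdom_user_home_content(dmrc_home_t)` alone lets users read or edit their own `.dmrc` cannot be told from this patch; if it does not, they lose access to the file as soon as it is relabelled. I would confirm this and, if needed, grant the access through the module's role interface. A short comment such as `# Display manager per-user session defaults (~/.dmrc)` above the declaration would also help.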
@@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)

userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-# for .dmrc
-userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)

+# for .dmrc: this was used by the Gnome Display Manager (gdm)
+# and it is now obsolete in Gnome3
+xserver_read_user_dmrc(xdm_t)
+
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
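Review bot: Replacing `userdom_read_user_home_content_files(xdm_t)` with `xserver_read_user_dmrc(xdm_t)` removes xdm_t's read access to every other generically labelled file in the home directory, not just `.dmrc`. The old comment said the rule was only for `.dmrc`, but display managers other than gdm may have relied on it for other per-user files; that is an inference, nothing in the hunk shows it. The commit message should name the display managers this was tested with in enforcing mode and confirm that no new AVC denials for xdm_t were logged.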

@@ -843,12 +848,6 @@ corenet_tcp_bind_vnc_port(xserver_t)

init_use_fds(xserver_t)

-# FIXME: After per user fonts are properly working
-# xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-userdom_read_user_home_content_files(xserver_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)

2016-12-04 13:00:18

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions

On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote:
> Remove unneeded permissions to read user content from the
> xserver module (xserver and xdm domains).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
[...]
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.te refpolicy-git-25112016/policy/modules/services/xserver.te
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02 14:38:12.002579001 +0100
> @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
> type xserver_log_t;
> logging_log_file(xserver_log_t)
>
> +type dmrc_home_t;
> +userdom_user_home_content(dmrc_home_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
>
> userdom_dontaudit_use_unpriv_user_fds(xdm_t)
> userdom_create_all_users_keys(xdm_t)
> -# for .dmrc
> -userdom_read_user_home_content_files(xdm_t)
> # Search /proc for any user domain processes.
> userdom_read_all_users_state(xdm_t)
> userdom_signal_all_users(xdm_t)
>
> +# for .dmrc: this was used by the Gnome Display Manager (gdm)
> +# and it is now obsolete in Gnome3
> +xserver_read_user_dmrc(xdm_t)

Why not completely remove the rules if they're no longer needed?


--
Chris PeBenito

2016-12-04 13:03:41

by guido

Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions

Hello Christopher!

I have not (yet) removed the rules completely in order to provide backward compatibility with Gnome2.

Best regards,

Guido

On the 4th of December 2016 14:00:18 CET, Chris PeBenito <[email protected]> wrote:
>On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote:
>> Remove unneeded permissions to read user content from the
>> xserver module (xserver and xdm domains).
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>[...]
>> diff -pruN
>refpolicy-git-25112016-orig/policy/modules/services/xserver.te
>refpolicy-git-25112016/policy/modules/services/xserver.te
>> ---
>refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29
>16:29:13.454156211 +0200
>> +++
>refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02
>14:38:12.002579001 +0100
>> @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
>> type xserver_log_t;
>> logging_log_file(xserver_log_t)
>>
>> +type dmrc_home_t;
>> +userdom_user_home_content(dmrc_home_t)
>> +
>> ifdef(`enable_mcs',`
>> init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
>> init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
>> @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
>>
>> userdom_dontaudit_use_unpriv_user_fds(xdm_t)
>> userdom_create_all_users_keys(xdm_t)
>> -# for .dmrc
>> -userdom_read_user_home_content_files(xdm_t)
>> # Search /proc for any user domain processes.
>> userdom_read_all_users_state(xdm_t)
>> userdom_signal_all_users(xdm_t)
>>
>> +# for .dmrc: this was used by the Gnome Display Manager (gdm)
>> +# and it is now obsolete in Gnome3
>> +xserver_read_user_dmrc(xdm_t)
>
>Why not completely remove the rules if they're no longer needed?

2016-12-04 15:52:22

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions

On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote:
> Remove unneeded permissions to read user content from the
> xserver module (xserver and xdm domains).

Merged, though I had to mangle the patch a little, as v1 of this patch
was already merged.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/services/xserver.fc | 1 +
> policy/modules/services/xserver.if | 19 +++++++++++++++++++
> policy/modules/services/xserver.te | 15 +++++++--------
> 3 files changed, 27 insertions(+), 8 deletions(-)
>
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.fc refpolicy-git-25112016/policy/modules/services/xserver.fc
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.fc 2016-08-14 22:10:42.751848845 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.fc 2016-12-02 13:51:29.831384654 +0100
> @@ -1,6 +1,7 @@
> #
> # HOME_DIR
> #
> +HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)
> HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
> HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
> HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-12-02 14:16:59.538175791 +0100
> +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-12-02 13:52:42.491965282 +0100
> @@ -621,6 +621,25 @@ interface(`xserver_read_user_iceauth',`
>
> ########################################
> ## <summary>
> +## Read all users .dmrc.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_read_user_dmrc',`
> + gen_require(`
> + type dmrc_home_t;
> + ')
> +
> + allow $1 dmrc_home_t:file read_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of the X windows console named pipes.
> ## </summary>
> ## <param name="domain">
> diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.te refpolicy-git-25112016/policy/modules/services/xserver.te
> --- refpolicy-git-25112016-orig/policy/modules/services/xserver.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-25112016/policy/modules/services/xserver.te 2016-12-02 14:38:12.002579001 +0100
> @@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
> type xserver_log_t;
> logging_log_file(xserver_log_t)
>
> +type dmrc_home_t;
> +userdom_user_home_content(dmrc_home_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> @@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
>
> userdom_dontaudit_use_unpriv_user_fds(xdm_t)
> userdom_create_all_users_keys(xdm_t)
> -# for .dmrc
> -userdom_read_user_home_content_files(xdm_t)
> # Search /proc for any user domain processes.
> userdom_read_all_users_state(xdm_t)
> userdom_signal_all_users(xdm_t)
>
> +# for .dmrc: this was used by the Gnome Display Manager (gdm)
> +# and it is now obsolete in Gnome3
> +xserver_read_user_dmrc(xdm_t)
> +
> xserver_rw_session(xdm_t, xdm_tmpfs_t)
> xserver_unconfined(xdm_t)
>
> @@ -843,12 +848,6 @@ corenet_tcp_bind_vnc_port(xserver_t)
>
> init_use_fds(xserver_t)
>
> -# FIXME: After per user fonts are properly working
> -# xserver_t may no longer have any reason
> -# to read ROLE_home_t - examine this in more detail
> -# (xauth?)
> -userdom_read_user_home_content_files(xserver_t)
> -
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(xserver_t)
> fs_manage_nfs_files(xserver_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-04 15:54:14

by guido

Subject: [refpolicy] [PATCH v2] xserver: remove unneeded user content permissions

Thanks Christopher !

On Sun, 04/12/2016 at 10.52 -0500, Chris PeBenito wrote:
> On 12/02/16 08:44, Guido Trentalancia via refpolicy wrote:
> >
> > Remove unneeded permissions to read user content from the
> > xserver module (xserver and xdm domains).
>
> Merged, though I had to mangle the patch a little, as v1 of this
> patch
> was already merged.
>
>
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/services/xserver.fc |????1 +
> > ?policy/modules/services/xserver.if |???19 +++++++++++++++++++
> > ?policy/modules/services/xserver.te |???15 +++++++--------
> > ?3 files changed, 27 insertions(+), 8 deletions(-)
> >
> > diff -pruN refpolicy-git-25112016-
> > orig/policy/modules/services/xserver.fc refpolicy-git-
> > 25112016/policy/modules/services/xserver.fc
> > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.fc

[...]