2016-12-19 23:47:58

by guido

Subject: [refpolicy] [PATCH 1/2] xscreensaver: update the module so that it can be effectively used

This patch updates the xscreensaver module so that it can be
effectively used.

It should support most "hacks", in particular those that do
not require the execution of external programs.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/xscreensaver.fc | 8 ++++-
policy/modules/contrib/xscreensaver.if | 10 +++++-
policy/modules/contrib/xscreensaver.te | 50 ++++++++++++++++++++++++++++++++-
3 files changed, 65 insertions(+), 3 deletions(-)

diff -pru a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
--- a/policy/modules/contrib/xscreensaver.fc 2016-12-19 23:57:46.532943113 +0100
+++ b/policy/modules/contrib/xscreensaver.fc 2016-12-20 00:05:58.587459582 +0100
@@ -1 +1,7 @@
-/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+HOME_DIR/\.xscreensaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0)
+
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+
+/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
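Review bot: The last line labels every regular file under /usr/libexec/xscreensaver as an entrypoint type, because `(/.*)?` combined with the `--` file-type qualifier cannot match the directory itself and so only serves to match all of its contents; the conventional form for an executables directory is `/usr/libexec/xscreensaver/.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)`. Note also that `/usr/bin/xscreensaver-getimage.*` will match every getimage variant, including any that are interpreted scripts; if such a script is labeled xscreensaver_helper_exec_t the helper domain as defined in this series has no rule permitting it to run the interpreter, so those entries should be checked against the installed files (the commit message's "do not require the execution of external programs" caveat suggests this is known). Labeling only `~/.xscreensaver` with xscreensaver_config_t is fine, but a short comment such as `# per-user settings, also edited by the user` above it would document why user domains get manage access in the interface.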
diff -pru a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
--- a/policy/modules/contrib/xscreensaver.if 2016-12-19 23:57:46.532943113 +0100
+++ b/policy/modules/contrib/xscreensaver.if 2016-12-20 00:06:49.115214837 +0100
@@ -18,16 +18,24 @@
interface(`xscreensaver_role',`
gen_require(`
attribute_role xscreensaver_roles;
- type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
+ attribute_role xscreensaver_helper_roles;
+ type xscreensaver_t, xscreensaver_exec_t;
+ type xscreensaver_helper_t;
+ type xscreensaver_config_t, xscreensaver_tmpfs_t;
')

roleattribute $1 xscreensaver_roles;
+ roleattribute $1 xscreensaver_helper_roles;

domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)

allow $2 xscreensaver_t:process { ptrace signal_perms };
ps_process_pattern($2, xscreensaver_t)

+ allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms };
+
allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
+
+ allow xscreensaver_helper_t $2:fd use;
')
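Review bot: The role interface lets the user domain signal and list the main xscreensaver_t process (`allow $2 xscreensaver_t:process { ptrace signal_perms }` and the ps_process_pattern line) but grants nothing equivalent over the new xscreensaver_helper_t, so a runaway or hung hack running in the helper domain cannot be seen or killed from the user's own shell; only xscreensaver_t can signal it. Since the helper domain is a user application domain running as the same Linux user, adding `allow $2 xscreensaver_helper_t:process signal_perms;` and `ps_process_pattern($2, xscreensaver_helper_t)` next to the existing lines would be consistent with how the main domain is handled. The interface's documentation header is above this hunk and outside the view; it should also mention the helper domain and the config type that this change adds to the role.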
diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
--- a/policy/modules/contrib/xscreensaver.te 2016-12-19 23:57:46.533943132 +0100
+++ b/policy/modules/contrib/xscreensaver.te 2016-12-20 00:22:00.872463504 +0100
@@ -6,12 +6,21 @@ policy_module(xscreensaver, 1.2.0)
#

attribute_role xscreensaver_roles;
+attribute_role xscreensaver_helper_roles;

type xscreensaver_t;
type xscreensaver_exec_t;
userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
role xscreensaver_roles types xscreensaver_t;

+type xscreensaver_helper_t;
+type xscreensaver_helper_exec_t;
+userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t)
+role xscreensaver_helper_roles types xscreensaver_helper_t;
+
+type xscreensaver_config_t;
+userdom_user_home_content(xscreensaver_config_t)
+
type xscreensaver_tmpfs_t;
userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
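Review bot: The new helper domain and the new config type are declared without any comment saying what they are for, which matters here because "helper" covers both the getimage/GL helpers and every screensaver hack under /usr/libexec/xscreensaver. A one-line comment above the type declarations, e.g. `# domain for the screensaver hacks and the getimage/GL helpers spawned by xscreensaver_t`, and `# ~/.xscreensaver per-user settings` above the config type, would let a reader understand why the helper domain later receives execmem and X server access. Declaring xscreensaver_config_t as user home content is reasonable, but note that this already places it under the generic user-home rules, so the explicit manage/relabel rule in the role interface may overlap with what user domains get anyway; verify against userdom before relying on the interface rule.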

@@ -20,16 +29,25 @@ userdom_user_tmpfs_file(xscreensaver_tmp
# Local policy
#

-allow xscreensaver_t self:process signal;
+allow xscreensaver_t self:capability { setgid setuid };
+allow xscreensaver_t self:process { setsched signal sigstop };
allow xscreensaver_t self:fifo_file rw_fifo_file_perms;

+allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
+
+allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
+
kernel_read_system_state(xscreensaver_t)

files_read_usr_files(xscreensaver_t)

+fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
+
auth_use_nsswitch(xscreensaver_t)
auth_domtrans_chk_passwd(xscreensaver_t)

+domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)
+
init_read_utmp(xscreensaver_t)

logging_send_audit_msgs(xscreensaver_t)
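Review bot: The new `allow xscreensaver_t self:capability { setgid setuid };` is added without explanation, and it is not obvious why it is needed: the password check is delegated through auth_domtrans_chk_passwd a few lines below, and the domain is a user application domain that normally already runs as the invoking user. These capabilities are only meaningful if the binary is installed setuid root (some distributions do this for shadow access) and drops privileges at startup; if that is the case, say so, e.g. `# drop root privileges when installed setuid root`, and if the caps were only granted to silence denials from a privilege-probing code path, a dontaudit would be the least-privilege choice. The same applies to the new `sigstop` on self and on xscreensaver_helper_t, which presumably covers suspending hacks while the screen is unlocked; a short comment would save the next reviewer from guessing.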
@@ -41,3 +59,33 @@ userdom_use_user_terminals(xscreensaver_
userdom_read_user_home_content_files(xscreensaver_t)

xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+
+########################################
+#
+# Helper local policy
+#
+
+allow xscreensaver_helper_t self:process { execmem signal };
+allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
+
+allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
+
+dev_read_sysfs(xscreensaver_helper_t)
+
+kernel_read_system_state(xscreensaver_helper_t)
+
+files_dontaudit_search_home(xscreensaver_helper_t)
+
+# /etc/drirc
+files_read_etc_files(xscreensaver_helper_t)
+
+files_read_usr_files(xscreensaver_helper_t)
+
+fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
+
+miscfiles_read_fonts(xscreensaver_helper_t)
+miscfiles_read_localization(xscreensaver_helper_t)
+
+optional_policy(`
+ xserver_stream_connect(xscreensaver_helper_t)
+')


2016-12-19 23:48:46

by guido

Subject: [refpolicy] [PATCH 2/2] base: enable the xscreensaver role

This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
3 files changed, 12 insertions(+)

diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te 2016-12-17 17:29:27.013224286 +0100
+++ b/policy/modules/roles/staff.te 2016-12-19 23:49:03.273075067 +0100
@@ -60,6 +60,10 @@ optional_policy(`
')

optional_policy(`
+ xscreensaver_role(staff_r, staff_t)
+')
+
+optional_policy(`
xserver_role(staff_r, staff_t)
')

diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
--- a/policy/modules/roles/sysadm.te 2016-12-17 17:29:27.014224298 +0100
+++ b/policy/modules/roles/sysadm.te 2016-12-19 23:48:30.570713001 +0100
@@ -1199,6 +1199,10 @@ optional_policy(`
')

optional_policy(`
+ xscreensaver_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
xserver_role(sysadm_r, sysadm_t)
')

diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te 2016-12-17 17:29:27.014224298 +0100
+++ b/policy/modules/roles/unprivuser.te 2016-12-19 23:47:57.260344193 +0100
@@ -29,6 +29,10 @@ optional_policy(`
')

optional_policy(`
+ xscreensaver_role(user_r, user_t)
+')
+
+optional_policy(`
xserver_role(user_r, user_t)
')


2016-12-21 19:30:26

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] xscreensaver: update the module so that it can be effectively used

On 12/19/16 18:47, Guido Trentalancia via refpolicy wrote:
> This patch updates the xscreensaver module so that it can be
> effectively used.
>
> It should support most "hacks", in particular those that do
> not require the execution of external programs.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/xscreensaver.fc | 8 ++++-
> policy/modules/contrib/xscreensaver.if | 10 +++++-
> policy/modules/contrib/xscreensaver.te | 50 ++++++++++++++++++++++++++++++++-
> 3 files changed, 65 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
> --- a/policy/modules/contrib/xscreensaver.fc 2016-12-19 23:57:46.532943113 +0100
> +++ b/policy/modules/contrib/xscreensaver.fc 2016-12-20 00:05:58.587459582 +0100
> @@ -1 +1,7 @@
> -/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
> +HOME_DIR/\.xscreensaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0)
> +
> +/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
> +/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> +/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> +
> +/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
> diff -pru a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
> --- a/policy/modules/contrib/xscreensaver.if 2016-12-19 23:57:46.532943113 +0100
> +++ b/policy/modules/contrib/xscreensaver.if 2016-12-20 00:06:49.115214837 +0100
> @@ -18,16 +18,24 @@
> interface(`xscreensaver_role',`
> gen_require(`
> attribute_role xscreensaver_roles;
> - type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
> + attribute_role xscreensaver_helper_roles;
> + type xscreensaver_t, xscreensaver_exec_t;
> + type xscreensaver_helper_t;
> + type xscreensaver_config_t, xscreensaver_tmpfs_t;
> ')
>
> roleattribute $1 xscreensaver_roles;
> + roleattribute $1 xscreensaver_helper_roles;
>
> domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
>
> allow $2 xscreensaver_t:process { ptrace signal_perms };
> ps_process_pattern($2, xscreensaver_t)
>
> + allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms };
> +
> allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
> allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
> +
> + allow xscreensaver_helper_t $2:fd use;
> ')
> diff -pru a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
> --- a/policy/modules/contrib/xscreensaver.te 2016-12-19 23:57:46.533943132 +0100
> +++ b/policy/modules/contrib/xscreensaver.te 2016-12-20 00:22:00.872463504 +0100
> @@ -6,12 +6,21 @@ policy_module(xscreensaver, 1.2.0)
> #
>
> attribute_role xscreensaver_roles;
> +attribute_role xscreensaver_helper_roles;
>
> type xscreensaver_t;
> type xscreensaver_exec_t;
> userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
> role xscreensaver_roles types xscreensaver_t;
>
> +type xscreensaver_helper_t;
> +type xscreensaver_helper_exec_t;
> +userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t)
> +role xscreensaver_helper_roles types xscreensaver_helper_t;
> +
> +type xscreensaver_config_t;
> +userdom_user_home_content(xscreensaver_config_t)
> +
> type xscreensaver_tmpfs_t;
> userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
>
> @@ -20,16 +29,25 @@ userdom_user_tmpfs_file(xscreensaver_tmp
> # Local policy
> #
>
> -allow xscreensaver_t self:process signal;
> +allow xscreensaver_t self:capability { setgid setuid };
> +allow xscreensaver_t self:process { setsched signal sigstop };
> allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
>
> +allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
> +
> +allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
> +
> kernel_read_system_state(xscreensaver_t)
>
> files_read_usr_files(xscreensaver_t)
>
> +fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
> +
> auth_use_nsswitch(xscreensaver_t)
> auth_domtrans_chk_passwd(xscreensaver_t)
>
> +domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)
> +
> init_read_utmp(xscreensaver_t)
>
> logging_send_audit_msgs(xscreensaver_t)
> @@ -41,3 +59,33 @@ userdom_use_user_terminals(xscreensaver_
> userdom_read_user_home_content_files(xscreensaver_t)
>
> xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +
> +########################################
> +#
> +# Helper local policy
> +#
> +
> +allow xscreensaver_helper_t self:process { execmem signal };
> +allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
> +
> +allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
> +
> +dev_read_sysfs(xscreensaver_helper_t)
> +
> +kernel_read_system_state(xscreensaver_helper_t)
> +
> +files_dontaudit_search_home(xscreensaver_helper_t)
> +
> +# /etc/drirc
> +files_read_etc_files(xscreensaver_helper_t)
> +
> +files_read_usr_files(xscreensaver_helper_t)
> +
> +fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
> +
> +miscfiles_read_fonts(xscreensaver_helper_t)
> +miscfiles_read_localization(xscreensaver_helper_t)
> +
> +optional_policy(`
> + xserver_stream_connect(xscreensaver_helper_t)
> +')

Merged.

--
Chris PeBenito

2016-12-21 19:30:34

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] base: enable the xscreensaver role

On 12/19/16 18:48, Guido Trentalancia via refpolicy wrote:
> This patch enables the xscreensaver role so that the
> xscreensaver module is used on those systems where the
> corresponding application is installed.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/roles/staff.te | 4 ++++
> policy/modules/roles/sysadm.te | 4 ++++
> policy/modules/roles/unprivuser.te | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> --- a/policy/modules/roles/staff.te 2016-12-17 17:29:27.013224286 +0100
> +++ b/policy/modules/roles/staff.te 2016-12-19 23:49:03.273075067 +0100
> @@ -60,6 +60,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xscreensaver_role(staff_r, staff_t)
> +')
> +
> +optional_policy(`
> xserver_role(staff_r, staff_t)
> ')
>
> diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> --- a/policy/modules/roles/sysadm.te 2016-12-17 17:29:27.014224298 +0100
> +++ b/policy/modules/roles/sysadm.te 2016-12-19 23:48:30.570713001 +0100
> @@ -1199,6 +1199,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xscreensaver_role(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
> xserver_role(sysadm_r, sysadm_t)
> ')
>
> diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te 2016-12-17 17:29:27.014224298 +0100
> +++ b/policy/modules/roles/unprivuser.te 2016-12-19 23:47:57.260344193 +0100
> @@ -29,6 +29,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xscreensaver_role(user_r, user_t)
> +')
> +
> +optional_policy(`
> xserver_role(user_r, user_t)
> ')
>

Merged, though it may make sense to nest the optional inside the xserver
optional.


--
Chris PeBenito