Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
policy/support/obj_perm_sets.spt | 3 ++-
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e70046db..b60957fb 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
########################################
## <summary>
+## Write to inherited xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_write_inherited_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file write_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
## Read and write xsession log
## files such as .xsession-errors.
## </summary>
@@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
########################################
## <summary>
+## Write to inherited X server log
+## files like /var/log/lightdm/lightdm.log
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_write_inherited_log',`
+ gen_require(`
+ type xserver_log_t;
+ ')
+
+ allow $1 xserver_log_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of X server logs.
## </summary>
## <param name="domain">
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 65576772..39e2edc3 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -157,7 +157,8 @@ define(`read_file_perms',`{ getattr open read lock ioctl }')
define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
+define(`write_file_perms',`{ open write_inherited_file_perms }')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`create_file_perms',`{ getattr create open }')
--
2.13.6
On 12/06/2017 01:28 PM, David Sugar via refpolicy wrote:
> Add interfaces to grant write only access to inherited xserver_log_t and xsession_log_t files.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
> policy/support/obj_perm_sets.spt | 3 ++-
> 2 files changed, 41 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e70046db..b60957fb 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
>
> ########################################
> ## <summary>
> +## Write to inherited xsession log
> +## files such as .xsession-errors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_xsession_log',`
> + gen_require(`
> + type xsession_log_t;
> + ')
> +
> + allow $1 xsession_log_t:file write_inherited_file_perms;
> +')
> +
> +
> +########################################
> +## <summary>
> ## Read and write xsession log
> ## files such as .xsession-errors.
> ## </summary>
> @@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
>
> ########################################
> ## <summary>
> +## Write to inherited X server log
> +## files like /var/log/lightdm/lightdm.log
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_write_inherited_log',`
> + gen_require(`
> + type xserver_log_t;
> + ')
> +
> + allow $1 xserver_log_t:file write_inherited_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of X server logs.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 65576772..39e2edc3 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -157,7 +157,8 @@ define(`read_file_perms',`{ getattr open read lock ioctl }')
> define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
> define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
> define(`append_file_perms',`{ getattr open append lock ioctl }')
> -define(`write_file_perms',`{ getattr open write append lock ioctl }')
> +define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
> +define(`write_file_perms',`{ open write_inherited_file_perms }')
I'd prefer not to have the nested macro, so one can look at the file and
easily and clearly see what perms a particular set has. Otherwise I'm
fine with the patch.
--
Chris PeBenito