From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
Date: Sun, 1 Jan 2017 16:37:40 +0000 (UTC) [thread overview]
Message-ID: <1483288286.f6a604430f3cc0948d3d7fc97066ad65ba62e5c4.perfinion@gentoo> (raw)
commit: f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Dec 28 19:43:23 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:31:26 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6a60443
xserver: introduce new fc and interface to manage X session logs
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).
It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).
The second version of the patch correctly uses file type
transitions and uses more tight permissions.
The third version simply moves some interface calls.
The fourth version introduces the new template for
username-dependent file contexts.
The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).
This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.
The corresponding base policy patch is at version 4.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/services/xserver.fc | 2 ++
policy/modules/services/xserver.if | 65 ++++++++++++++++++++++++++++++++++++--
policy/modules/services/xserver.te | 3 ++
3 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 5b218c6..389b74f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
@@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
#
# /usr
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c1d41b5..59d5821 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ # for the .xsession-errors log file
+ xserver_user_home_dir_filetrans_user_xsession_log($2)
+ xserver_manage_xsession_log($2)
+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
@@ -307,7 +311,7 @@ interface(`xserver_user_client',`
userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)
xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',`
userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)
xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
@@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',`
########################################
## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of X server logs.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ba96a78..1956ddb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)
+type xsession_log_t;
+userdom_user_home_content(xsession_log_t)
+
# Type for the X server log file.
type xserver_log_t;
logging_log_file(xserver_log_t)
WARNING: multiple messages have this Message-ID (diff)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 1 Jan 2017 16:36:50 +0000 (UTC) [thread overview]
Message-ID: <1483288286.f6a604430f3cc0948d3d7fc97066ad65ba62e5c4.perfinion@gentoo> (raw)
Message-ID: <20170101163650.XNO4j38f4X7Xam_91zmfQwrOmFx-2dZmDbGQk_LQNRI@z> (raw)
commit: f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Dec 28 19:43:23 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:31:26 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6a60443
xserver: introduce new fc and interface to manage X session logs
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).
It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).
The second version of the patch correctly uses file type
transitions and uses more tight permissions.
The third version simply moves some interface calls.
The fourth version introduces the new template for
username-dependent file contexts.
The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).
This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.
The corresponding base policy patch is at version 4.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/services/xserver.fc | 2 ++
policy/modules/services/xserver.if | 65 ++++++++++++++++++++++++++++++++++++--
policy/modules/services/xserver.te | 3 ++
3 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 5b218c6..389b74f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
@@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
+/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0)
#
# /usr
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c1d41b5..59d5821 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ # for the .xsession-errors log file
+ xserver_user_home_dir_filetrans_user_xsession_log($2)
+ xserver_manage_xsession_log($2)
+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
@@ -307,7 +311,7 @@ interface(`xserver_user_client',`
userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1)
+ xserver_rw_xsession_log($1)
xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',`
userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
+ xserver_rw_xsession_log($2)
xserver_ro_session($2,$3)
xserver_use_user_fonts($2)
@@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
########################################
## <summary>
+## Create a .xsession-errors log
+## file in the user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
## Read all users fonts, user font configurations,
## and manage all users font caches.
## </summary>
@@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',`
########################################
## <summary>
+## Read and write xsession log
+## files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage xsession log files such
+## as .xsession-errors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+ gen_require(`
+ type xsession_log_t;
+ ')
+
+ allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of X server logs.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ba96a78..1956ddb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)
+type xsession_log_t;
+userdom_user_home_content(xsession_log_t)
+
# Type for the X server log file.
type xserver_log_t;
logging_log_file(xserver_log_t)
next reply other threads:[~2017-01-01 16:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-01 16:37 Jason Zaman [this message]
2017-01-01 16:36 ` [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ Jason Zaman
-- strict thread matches above, loose matches on Subject: below --
2017-09-10 14:03 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 14:24 Jason Zaman
2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:24 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-10 16:11 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-11 10:48 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-02 19:26 Jason Zaman
2015-08-02 19:26 Jason Zaman
2015-03-04 17:03 Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1483288286.f6a604430f3cc0948d3d7fc97066ad65ba62e5c4.perfinion@gentoo \
--to=perfinion@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox