public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Sven Vermeulen @ 2015-03-04 17:03 UTC
  To: gentoo-commits

commit:     66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar  4 16:42:33 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar  4 16:42:33 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d

Support SSH agent forwarding

When using SSH agent forwarding, the SSH daemon creates the necessary
sockets somewhere in a random /tmp/ssh-* location. These sockets get the
sshd_tmp_t type associated.

Currently, the SSH client (running as ssh_t) does not have any
privileges on sshd_tmp_t *socket* files, but it has manage rights on the
*regular* files. This means that any attempt to make use of the agent
forwarding (i.e. from the logged-in server, attempt to SSH to another
server while using the SSH agent running on the user's workstation) will
fail.

By granting rw_socket_file_perms permissions to ssh_t against the
sshd_tmp_t socket files, agent forwarding is working well.

X-Gentoo-Bug: 529336
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336

 policy/modules/services/ssh.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 147888c..b63f585 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -358,3 +358,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
+	allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
+')
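Review bot: the new rule `allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;` covers the socket inode only; the client connecting through it to the agent listener that sshd holds also needs connectto on sshd_t's unix_stream_socket, so confirm ssh_t already has that (the commit message reports forwarding works, which suggests it does) and mention it in the comment. Nothing about agent forwarding is Gentoo-specific, so the rule belongs in the unconditional ssh_t block or an ssh.if interface rather than under ifdef(`distro_gentoo'), which keeps the Gentoo delta against upstream refpolicy small. Minor: the commit message names rw_socket_file_perms, while the hunk correctly uses the refpolicy macro rw_sock_file_perms.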


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2015-08-02 19:26 UTC
  To: gentoo-commits

commit:     35e90ad86ba18ed67f37e94ceffe97349c899c68
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Jul 19 17:48:28 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 19:21:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35e90ad8

Allow ssh-agent to send signals to itself

This is necessary for "ssh-agent -k".

 policy/modules/services/ssh.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index cbd0cdd..3fda887 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -346,7 +346,7 @@ template(`ssh_role_template',`
 	# SSH agent local policy
 	#
 
-	allow $1_ssh_agent_t self:process setrlimit;
+	allow $1_ssh_agent_t self:process { setrlimit signal };
 	allow $1_ssh_agent_t self:capability setgid;
 
 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
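Review bot: `signal` is the right permission for this case, since SIGTERM, which `ssh-agent -k` sends to the pid in SSH_AGENT_PID, falls under process:signal rather than sigkill or sigstop; note that it only helps when the killing `ssh-agent -k` invocation itself runs in $1_ssh_agent_t, i.e. the domain transition on the ssh-agent executable must apply to that run as well. The patch does not bump policy_module(ssh, ...) in ssh.te; a version bump should accompany the permission change.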


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2015-08-02 19:26 UTC
  To: gentoo-commits

commit:     39d8b095afd5ef78ef353bf04b7a11764daca067
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jul 20 14:01:52 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 19:21:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39d8b095

Module version bump for ssh-agent -k fix from Luis Ressel.

 policy/modules/services/ssh.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index b63f585..783d0e7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.6.0)
+policy_module(ssh, 2.6.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2015-10-11 10:48 UTC
  To: gentoo-commits

commit:     deb9b102fb562bc57e776cba6c1dee7c674c76ac
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Oct 10 15:36:32 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 10 16:09:15 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=deb9b102

services/postgresql.fc: Drop obsolete distro_gentoo block

Only some of the binaries in /usr/lib/postgresql-.../bin should be
marked postgresql_exec_t (e.g. pg_ctl), the others (e.g. psql) should
get a bin_t marking so they're user-accessible. refpolicy applies
correct labels since last year (commit 3738cf10), but this ifdef block
still overrides them on Gentoo.

 policy/modules/services/postgresql.fc | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 2a1b1a3..d3bc4bb 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -54,8 +54,3 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib/postgresql-.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
-
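Review bot: dropping the fc entry only changes what setfiles/restorecon assigns, so installed systems need a relabel of /usr/lib/postgresql-*/bin before psql and the other client binaries actually pick up bin_t; a note for the Gentoo ebuild or the release notes would help. Removing the surrounding blank lines along with the block is correct, since the file otherwise ended in stray empty lines.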


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2016-08-17 16:59 UTC
  To: gentoo-commits

commit:     8cae0e05081a2d859bc3c4861a2ecd7787ad3e11
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 19:13:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cae0e05

Update for the xserver module:

- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
  xdm (currently used by the userdomain module in
  the common user template);
- added permission to chat over dbus with colord.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.if | 21 +++++++++++++++++++++
 policy/modules/services/xserver.te |  6 +++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..690c2b6 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -713,6 +713,27 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 
 ########################################
 ## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+        ')
+
+	allow $1 xdm_t:dbus send_msg;
+	allow xdm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Read xdm process state files.
 ## </summary>
 ## <param name="domain">
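Review bot: style: the closing `')` of the gen_require block (the line `        ')`) is indented with spaces while the rest of the interface and its neighbours use tabs; match the tab indentation. The interface itself follows the usual refpolicy dbus_chat shape (send_msg in both directions between $1 and xdm_t) and is fine.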

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fc19905..44a561b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.3)
+policy_module(xserver, 3.11.4)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -511,6 +511,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')
 
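Review bot: the commit message lists an update to the Xsession file contexts, but the diffstat shows only xserver.if and xserver.te changing; either the xserver.fc hunk was dropped from this patch or the message should be trimmed. The colord_dbus_chat(xdm_t) block is correctly placed ahead of consolekit_dbus_chat in the alphabetical order refpolicy keeps for optional_policy blocks.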


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2016-12-06 14:24 UTC
  To: gentoo-commits

commit:     365c71e7df78b3d981252f7bc627739d578e52b3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec  4 14:10:25 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=365c71e7

xserver: Rearrange lines

 policy/modules/services/xserver.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 96cc1ff..1a8a311 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -102,6 +102,9 @@ typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
 typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
 typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
 
+type dmrc_home_t;
+userdom_user_home_content(dmrc_home_t)
+
 type remote_t;
 xserver_object_types_template(remote)
 xserver_common_x_domain_template(remote, remote_t)
@@ -211,9 +214,6 @@ corecmd_executable_file(xsession_exec_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
-type dmrc_home_t;
-userdom_user_home_content(dmrc_home_t)
-
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2016-12-06 14:24 UTC
  To: gentoo-commits

commit:     5ab142a89ffc948fc066f546fd4b57ece9eb2a36
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec  4 14:11:02 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ab142a8

Module version bump for xserver changes from Guido Trentalancia.

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 1a8a311..9898817 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.1)
+policy_module(xserver, 3.12.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
From: Jason Zaman @ 2017-01-01 16:36 UTC
  To: gentoo-commits

commit:     f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Dec 28 19:43:23 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:31:26 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6a60443

xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses tighter permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

This sixth version adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.

The corresponding base policy patch is at version 4.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.fc |  2 ++
 policy/modules/services/xserver.if | 65 ++++++++++++++++++++++++++++++++++++--
 policy/modules/services/xserver.te |  3 ++
 3 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 5b218c6..389b74f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
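Review bot: the new `HOME_DIR/\.xsession-errors` entry matches only the exact file name, unlike the neighbouring `\.xauth.*` and `\.Xauthority.*` patterns; if a session script rotates the log (for instance to .xsession-errors.old, as some Xsession scripts do), the rotated copy stays generic home content and the domains that only get xsession_log_t access are denied on it. Consider `\.xsession-errors.*`. Existing home directories also need a relabel before the new type takes effect.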
@@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr
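Review bot: the `/tmp/xses-%{USERNAME}` entry depends on %{USERNAME} substitution, which genhomedircon performs when the module is installed rather than a plain setfiles run of the raw file, so check that the Gentoo build path actually expands it; otherwise the literal string never matches. Unlike the home directory case, this patch adds no file type transition for the /tmp location, so a freshly created /tmp/xses-<user> gets the creating domain's default tmp type until something relabels it; a filetrans on the creating domain with the file name would make the label deterministic.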

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c1d41b5..59d5821 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	# for the .xsession-errors log file
+	xserver_user_home_dir_filetrans_user_xsession_log($2)
+	xserver_manage_xsession_log($2)
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
@@ -307,7 +311,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
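Review bot: this swaps a dontaudit for an allow: the removed userdom_dontaudit_write_user_home_content_files($1) silenced write denials on all user home content, whereas xserver_rw_xsession_log($1) both permits writes to xsession_log_t and leaves writes to every other home-content type audited. That is the tighter choice, but expect new AVC denials from clients that wrote elsewhere in $HOME and were previously silent; the `# for .xsession-errors` comment still applies.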
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',`
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
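Review bot: same trade-off as the matching change in xserver_user_client above: the dontaudit on generic user home content is replaced by an allow scoped to xsession_log_t, so denials on other home-content writes by these X domains will now be logged.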
@@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
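Review bot: the summary says the interface creates the .xsession-errors file, but the body only sets a named type transition via userdom_user_home_dir_filetrans; the caller still needs create permission on xsession_log_t, which xserver_manage_xsession_log supplies (xserver_restricted_role calls both). Reword the summary to say the file is created with the xsession_log_t type, so callers do not expect this interface alone to grant the create.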
@@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',`
 
 ########################################
 ## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
 ## <param name="domain">
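Review bot: xserver_rw_xsession_log hands out rw_file_perms, but a log is written by appending; because every X client in a session gets this interface (see the calls in xserver_user_client and xserver_user_x_domain_template), any client can read the whole session log, including other programs' output, and can truncate it. If the consumers only need to write, append_file_perms is the least-privilege choice; keep rw only if a client actually reads or seeks. The separate manage interface for the session owner is appropriate.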

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ba96a78..1956ddb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
 
+type xsession_log_t;
+userdom_user_home_content(xsession_log_t)
+
 # Type for the X server log file.
 type xserver_log_t;
 logging_log_file(xserver_log_t)
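Review bot: xsession_log_t is declared purely as userdom_user_home_content, yet the same type labels /tmp/xses-%{USERNAME} in the fc hunk; every interface keyed on the user home content attribute therefore also matches that /tmp file, and nothing marks the type as tmp content. Either give the /tmp log its own type or add the tmp file attribute as well, so relabel and cleanup interfaces treat it consistently.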


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
From: Jason Zaman @ 2017-09-10 14:03 UTC
  To: gentoo-commits

commit:     30a012aabb170a3570d6f1b6db26e684754f0609
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 12:55:13 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 12:55:13 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30a012aa

xserver: add map perms

 policy/modules/services/xserver.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a88e4af5..fe100b06 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -667,6 +667,7 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 
+allow xserver_t xserver_tmpfs_t:file map;
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
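Review bot: `map` is not part of rw_file_perms or the manage_*_pattern macros, so the explicit `allow xserver_t xserver_tmpfs_t:file map;` is needed for the X server to mmap its tmpfs-backed shared memory; as a style point, place it after the pattern block it supplements rather than above it, so the raw rule reads as an addition to the patterns.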
@@ -779,6 +780,7 @@ userdom_use_user_ttys(xserver_t)
 userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
+userdom_map_user_tmpfs_files(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
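Review bot: userdom_map_user_tmpfs_files(xserver_t) correctly pairs with the userdom_rw_user_tmpfs_files call just above it, since map is separate from rw. No policy_module version bump accompanies the new permissions; one should follow, as was done for the earlier ssh and xserver changes in this thread.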

