From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1483288286.f6a604430f3cc0948d3d7fc97066ad65ba62e5c4.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.fc policy/modules/services/xserver.if policy/modules/services/xserver.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
X-VCS-Branch: next
Date: Sun, 1 Jan 2017 16:37:40 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org

commit: f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
Author: Guido Trentalancia trentalancia net>
AuthorDate: Wed Dec 28 19:43:23 2016 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Sun Jan 1 16:31:26 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6a60443

xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and another one for contrib) introduces a new file context for the X session log files and two new interfaces to manage them (instead of allowing to manage the whole user home content files).

It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type transitions and uses more tight permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for username-dependent file contexts.
The fifth version moves other interface calls thanks to further revisions from Christopher PeBenito (the corresponding contrib policy part remains unchanged at version 4). This sixth version, adds the missing diff relative to the xserver.te policy file to declare the new xsession_log_t type. The corresponding base policy patch is at version 4. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/services/xserver.fc | 2 ++ policy/modules/services/xserver.if | 65 ++++++++++++++++++++++++++++++++++++-- policy/modules/services/xserver.te | 3 ++ 3 files changed, 68 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 5b218c6..389b74f 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # @@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) # # /usr diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c1d41b5..59d5821 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + # for the .xsession-errors log file + xserver_user_home_dir_filetrans_user_xsession_log($2) + xserver_manage_xsession_log($2) + # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; @@ -307,7 +311,7 @@ interface(`xserver_user_client',` userdom_search_user_home_dirs($1) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1) + xserver_rw_xsession_log($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) @@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',` userdom_search_user_home_dirs($2) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) + xserver_rw_xsession_log($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` ######################################## ## +## Create a .xsession-errors log +## file in the user home directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") +') + +######################################## +## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## 
@@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',` ######################################## ## +## Read and write xsession log +## files such as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file rw_file_perms; +') + +######################################## +## +## Manage xsession log files such +## as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file manage_file_perms; +') + +######################################## +## ## Get the attributes of X server logs. ## ## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index ba96a78..1956ddb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) +type xsession_log_t; +userdom_user_home_content(xsession_log_t) + # Type for the X server log file. type xserver_log_t; logging_log_file(xserver_log_t)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1483288286.f6a604430f3cc0948d3d7fc97066ad65ba62e5c4.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.fc policy/modules/services/xserver.if policy/modules/services/xserver.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
X-VCS-Branch: master
Date: Sun, 1 Jan 2017 16:36:50 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Message-ID: <20170101163650.XNO4j38f4X7Xam_91zmfQwrOmFx-2dZmDbGQk_LQNRI@z>

commit: f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
Author: Guido Trentalancia trentalancia net>
AuthorDate: Wed Dec 28 19:43:23 2016 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Sun Jan 1 16:31:26 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6a60443

xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and another one for contrib) introduces a new file context for the X session log files and two new interfaces to manage them (instead of allowing to manage the whole user home content files).

It is required after the recent confinement of graphical desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type transitions and uses more tight permissions.

The third version simply moves some interface calls.
The fourth version introduces the new template for username-dependent file contexts. The fifth version moves other interface calls thanks to further revisions from Christopher PeBenito (the corresponding contrib policy part remains unchanged at version 4). This sixth version, adds the missing diff relative to the xserver.te policy file to declare the new xsession_log_t type. The corresponding base policy patch is at version 4. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/services/xserver.fc | 2 ++ policy/modules/services/xserver.if | 65 ++++++++++++++++++++++++++++++++++++-- policy/modules/services/xserver.te | 3 ++ 3 files changed, 68 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 5b218c6..389b74f 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # @@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) # # /usr diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c1d41b5..59d5821 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + # for the .xsession-errors log file + xserver_user_home_dir_filetrans_user_xsession_log($2) + xserver_manage_xsession_log($2) + # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; @@ -307,7 +311,7 @@ interface(`xserver_user_client',` userdom_search_user_home_dirs($1) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1) + xserver_rw_xsession_log($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) @@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',` userdom_search_user_home_dirs($2) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) + xserver_rw_xsession_log($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` ######################################## ## +## Create a .xsession-errors log +## file in the user home directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") +') + +######################################## +## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## 
@@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',` ######################################## ## +## Read and write xsession log +## files such as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file rw_file_perms; +') + +######################################## +## +## Manage xsession log files such +## as .xsession-errors. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file manage_file_perms; +') + +######################################## +## ## Get the attributes of X server logs. ## ## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index ba96a78..1956ddb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) +type xsession_log_t; +userdom_user_home_content(xsession_log_t) + # Type for the X server log file. type xserver_log_t; logging_log_file(xserver_log_t)
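
Review bot: In the first xserver.fc hunk (@@ -10,6 +10,7), the new HOME_DIR/\.xsession-errors entry matches only that exact file name, while the neighbouring entries (\.xauth.*, \.Xauthority.*) end in .* and so also cover suffixed variants. If a rotated or backup copy of the session log (for example .xsession-errors.old) is expected to stay in xsession_log_t across a relabel, the pattern should be HOME_DIR/\.xsession-errors.* instead; otherwise the commit message should say that only the single file is intended.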
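
Review bot: The /tmp/xses-%{USERNAME} entry in the second xserver.fc hunk (@@ -55,6 +56,7) has no matching type transition anywhere in the visible patch; the only transition added is xserver_user_home_dir_filetrans_user_xsession_log, which covers the home directory name ".xsession-errors". A file context entry applies when files are relabeled, not when they are created, so a freshly created /tmp/xses-<user> file would keep the creating domain's default tmp type and callers of xserver_rw_xsession_log would be denied on it. Either add a tmp transition for the domain that creates the file or state that the contrib part handles it.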
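
Review bot: In the xserver_user_client hunk (@@ -307,7 +311,7), and on the same line of the xserver_user_x_domain_template hunk (@@ -469,7 +473,7), swapping userdom_dontaudit_write_user_home_content_files for xserver_rw_xsession_log removes the dontaudit as well as adding the allow. An existing ~/.xsession-errors keeps its previous label until it is relabeled, so on upgraded systems the write attempts that were silently dropped before will now show up as AVC denials for every X client. The upgrade notes should call for a relabel of the affected home directories, or the dontaudit should stay in place for a transition period.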
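
Review bot: xserver_rw_xsession_log in the @@ -1001,6 +1024,44 hunk grants rw_file_perms on xsession_log_t:file, and the earlier hunks hand that interface to every X client domain. For a shared log that clients only send their stderr to, append_file_perms would be tighter: read lets any client see what other clients logged, and write lets it overwrite earlier entries. If clients really need read and write, the interface summary should say why; otherwise an append-only interface for clients, with manage kept for the role as in xserver_restricted_role, fits the stated aim of tighter permissions.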
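
Review bot: The xsession_log_t declaration in the xserver.te hunk (@@ -210,6 +210,9) has no comment, unlike the "# Type for the X server log file." line directly below it. Add a one-line comment naming the files the type covers (.xsession-errors and /tmp/xses-*), so that the difference from xserver_log_t is clear to the next reader.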