rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

merge xdm into xserver

Browse Source
This commit is contained in:
Chris PeBenito 2006-01-30 22:51:35 +00:00
parent 18cc016f42
commit 0f5d13fe2e
13 changed files with 722 additions and 577 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
refpolicy/Changelog
View File

@ -1,3 +1,4 @@
- Merge xdm into xserver.
- Remove kernel module reversed interfaces. - Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to - Add filename attribute to module XML tag and lineno attribute to
interface XML tag. interface XML tag.

3
refpolicy/policy/global_tunables
View File

@ -215,4 +215,7 @@ gen_tunable(user_ttyfile_stat,false)
## If this is disallowed, no Internet content ## If this is disallowed, no Internet content
## will be stored. ## will be stored.
gen_tunable(write_untrusted_content,false) gen_tunable(write_untrusted_content,false)
## Allow xdm logins as sysadm
gen_tunable(xdm_sysadm_login,false)
') ')

17
refpolicy/policy/modules/kernel/files.if
View File

@ -3023,6 +3023,23 @@ interface(`files_search_spool',`
allow $1 var_spool_t:dir search_dir_perms; allow $1 var_spool_t:dir search_dir_perms;
') ')
########################################
## <summary>
## Do not audit attempts to search generic
## spool directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_search_spool',`
gen_require(`
type var_spool_t;
')
dontaudit $1 var_spool_t:dir search_dir_perms;
')
######################################## ########################################
# #
# files_list_spool(domain) # files_list_spool(domain)

11
refpolicy/policy/modules/services/mta.if
View File

@ -595,6 +595,17 @@ interface(`mta_getattr_spool',`
allow $1 mail_spool_t:file getattr; allow $1 mail_spool_t:file getattr;
') ')
interface(`mta_dontaudit_getattr_spool',`
gen_require(`
type mail_spool_t;
')
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search;
dontaudit $1 mail_spool_t:lnk_file read;
dontaudit $1 mail_spool_t:file getattr;
')
####################################### #######################################
## <summary> ## <summary>
## Create private objects in the ## Create private objects in the

32
refpolicy/policy/modules/services/xdm.fc
View File

@ -1,32 +0,0 @@
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wx]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)

1
refpolicy/policy/modules/services/xdm.if
View File

@ -1 +0,0 @@
## <summary>X windows login display manager</summary>

440
refpolicy/policy/modules/services/xdm.te
View File

@ -1,440 +0,0 @@
policy_module(xdm,1.1.3)
########################################
#
# Declarations
#
type xdm_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type xdm_exec_t;
')
init_domain(xdm_t,xdm_exec_t)
init_daemon_domain(xdm_t,xdm_exec_t)
type xsession_exec_t;
files_type(xsession_exec_t)
type xdm_xserver_tmp_t;
files_type(xdm_xserver_tmp_t)
type xdm_lock_t;
files_lock_file(xdm_lock_t)
type xdm_rw_etc_t;
files_type(xdm_rw_etc_t)
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_type(xdm_var_run_t)
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
########################################
#
# Local policy
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
# wdm has its own config dir /etc/X11/wdm
# this is ugly, daemons should not create files under /etc!
allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
allow xdm_t xdm_rw_etc_t:file create_file_perms;
allow xdm_t xdm_var_run_t:dir setattr;
# for xdmctl
allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctl(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
corecmd_exec_sbin(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
corenet_raw_sendrecv_generic_if(xdm_t)
corenet_tcp_sendrecv_all_nodes(xdm_t)
corenet_udp_sendrecv_all_nodes(xdm_t)
corenet_raw_sendrecv_all_nodes(xdm_t)
corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_non_ipsec_sendrecv(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
dev_read_rand(xdm_t)
dev_read_urand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer(xdm_t)
dev_setattr_framebuffer(xdm_t)
dev_getattr_mouse(xdm_t)
dev_setattr_mouse(xdm_t)
dev_rw_apm_bios(xdm_t)
dev_setattr_apm_bios(xdm_t)
dev_rw_dri_dev(xdm_t)
dev_rw_agp_dev(xdm_t)
dev_getattr_xserver_misc_dev(xdm_t)
dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc(xdm_t)
dev_setattr_misc(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner(xdm_t)
dev_setattr_scanner(xdm_t)
dev_getattr_snd_dev(xdm_t)
dev_setattr_snd_dev(xdm_t)
dev_getattr_power_management(xdm_t)
dev_setattr_power_management(xdm_t)
domain_use_wide_inherit_fd(xdm_t)
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
files_list_mnt(xdm_t)
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
selinux_get_fs_mount(xdm_t)
selinux_validate_context(xdm_t)
selinux_compute_access_vector(xdm_t)
selinux_compute_create_context(xdm_t)
selinux_compute_relabel_context(xdm_t)
selinux_compute_user_contexts(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
storage_dontaudit_setattr_fixed_disk(xdm_t)
storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_device(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
term_setattr_console(xdm_t)
term_dontaudit_use_console(xdm_t)
term_use_unallocated_tty(xdm_t)
term_setattr_unallocated_ttys(xdm_t)
auth_rw_lastlog(xdm_t)
auth_read_login_records(xdm_t)
auth_append_login_records(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_exec_pam(xdm_t)
auth_manage_pam_console_data(xdm_t)
init_rw_utmp(xdm_t)
init_use_script_pty(xdm_t)
# Run telinit->init to shutdown.
init_exec(xdm_t)
init_write_initctl(xdm_t)
libs_use_ld_so(xdm_t)
libs_use_shared_libs(xdm_t)
libs_exec_lib_files(xdm_t)
logging_send_syslog_msg(xdm_t)
logging_read_generic_logs(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
seutil_read_config(xdm_t)
seutil_read_default_contexts(xdm_t)
sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fd(xdm_t)
userdom_dontaudit_search_sysadm_home_dir(xdm_t)
# for .dmrc
userdom_read_unpriv_user_home_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_userdomains_state(xdm_t)
ifdef(`strict_policy',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_filetrans_lock(xdm_t,xdm_lock_t)
allow xdm_t xdm_tmp_t:dir create_dir_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow xdm_t xdm_var_lib_t:file create_file_perms;
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
allow xdm_t xdm_var_run_t:dir manage_dir_perms;
allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
domain_subj_id_change_exempt(xdm_t)
domain_role_change_exempt(xdm_t)
domain_obj_id_change_exempt(xdm_t)
auth_domtrans_chk_passwd(xdm_t)
auth_domtrans_pam_console(xdm_t)
xserver_dontaudit_read_all_users_iceauth(xdm_t)
optional_policy(`alsa',`
alsa_domtrans(xdm_t)
')
')
ifdef(`targeted_policy',`
allow xdm_t self:process { execheap execmem };
unconfined_domain_template(xdm_t)
unconfined_domtrans(xdm_t)
')
optional_policy(`gpm',`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`hostname',`
hostname_exec(xdm_t)
')
optional_policy(`loadkeys',`
loadkeys_exec(xdm_t)
')
optional_policy(`locallogin',`
locallogin_signull(xdm_t)
')
optional_policy(`nscd',`
nscd_use_socket(xdm_t)
')
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(xdm_t)
')
optional_policy(`udev',`
udev_read_db(xdm_t)
')
optional_policy(`userhelper',`
userhelper_dontaudit_search_config(xdm_t)
')
optional_policy(`usermanage',`
usermanage_read_crack_db(xdm_t)
')
ifdef(`TODO',`
# cjp: TODO: integrate strict policy:
allow initrc_t xdm_var_run_t:fifo_file unlink;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
allow xdm_xserver_t xdm_t:process signal;
# init script wants to check if it needs to update windowmanagerlist
allow initrc_t xdm_rw_etc_t:file { getattr read };
ifdef(`distro_suse', `
# set permissions on /tmp/.X11-unix
allow initrc_t xdm_tmp_t:dir setattr;
')
# Transition to user domains for user sessions.
domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
allow unpriv_userdomain xdm_xserver_t:fd use;
allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
allow xdm_xserver_t unpriv_userdomain:fd use;
# Do not audit user access to the X log files due to file handle inheritance
dontaudit unpriv_userdomain xserver_log_t:file { write append };
# gnome-session creates socket under /tmp/.ICE-unix/
allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
allow unpriv_userdomain xdm_tmp_t:sock_file create;
# Allow xdm logins as sysadm_r:sysadm_t
bool xdm_sysadm_login false;
if (xdm_sysadm_login) {
domain_trans(xdm_t, xsession_exec_t, sysadm_t)
allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
allow sysadm_t xdm_xserver_t:shm r_shm_perms;
allow sysadm_t xdm_xserver_t:fd use;
allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
allow xdm_xserver_t sysadm_t:fd use;
}
# Label pid and temporary files with derived types.
rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
allow xdm_t device_t:dir rw_dir_perms;
can_resmgrd_connect(xdm_t)
# Access xdm log files.
file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
allow xdm_t xserver_log_t:dir rw_dir_perms;
allow xdm_t xserver_log_t:dir setattr;
# Access /var/gdm/.gdmfifo.
allow xdm_t xserver_log_t:fifo_file create_file_perms;
allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
# Remove /tmp/.X11-unix/X0.
allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
# Need to further investigate these permissions and
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
allow xdm_t var_lib_t:file { create write unlink };
# Connect to xfs.
ifdef(`xfs.te', `
allow xdm_t xfs_tmp_t:dir search;
allow xdm_t xfs_tmp_t:sock_file write;
can_unix_connect(xdm_t, xfs_t)
')
# Signal any user domain.
allow xdm_t userdomain:process signal_perms;
# Do not audit denied attempts to access devices.
dontaudit xdm_t devpts_t:dir search;
# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;
# Do not audit user access to the X log files due to file handle inheritance
dontaudit unpriv_userdomain xserver_log_t:file { write append };
# Do not audit attempts to check whether user root has email
dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
dontaudit xdm_t mail_spool_t:file getattr;
# Run the X server in a derived domain.
xserver_domain(xdm)
ifdef(`rhgb.te', `
allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
allow xdm_xserver_t ramfs_t:file create_file_perms;
allow rhgb_t xdm_xserver_t:process signal;
')
# Insert video drivers.
allow insmod_t xserver_log_t:file write;
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
# Search /var/run.
allow xdm_xserver_t var_run_t:dir search;
# FIXME: After per user fonts are properly working
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
# Search home directories.
allow xdm_xserver_t home_root_t:dir search;
allow xdm_xserver_t user_home_type:dir search;
allow xdm_xserver_t user_home_type:file { getattr read };
if (use_nfs_home_dirs) {
allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
can_exec(xdm_t, nfs_t)
}
if (use_samba_home_dirs) {
allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
can_exec(xdm_t, cifs_t)
}
ifdef(`support_polyinstatiation', `
# xdm_t can polyinstantiate
files_polyinstantiate_all(xdm_t)
# xdm needs access for linking .X11-unix to poly /tmp
allow xdm_t polymember:dir { add_name remove_name write };
allow xdm_t polymember:lnk_file { create unlink };
# xdm needs access for copying .Xauthority into new home
allow xdm_t polymember:file { create getattr write };
')
#
# Wants to delete .xsession-errors file
#
allow xdm_t user_home_type:file unlink;
#
# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
#
allow pam_t xdm_t:fifo_file { getattr ioctl write };
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
') dnl end TODO

20
refpolicy/policy/modules/services/xfs.if
View File

@ -17,3 +17,23 @@ interface(`xfs_read_socket',`
allow $1 xfs_tmp_t:dir search; allow $1 xfs_tmp_t:dir search;
allow $1 xfs_tmp_t:sock_file { getattr read }; allow $1 xfs_tmp_t:sock_file { getattr read };
') ')
########################################
## <summary>
## Connect to a X font server over
## a unix domain stream socket.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`xfs_stream_connect',`
gen_require(`
type xfs_tmp_t, xfs_t;
')
files_search_tmp($1)
allow $1 xfs_tmp_t:dir search;
allow $1 xfs_tmp_t:sock_file write;
allow $1 xfs_t:unix_stream_socket connectto;
')

56
refpolicy/policy/modules/services/xserver.fc
View File

@ -1,17 +1,59 @@
#
# HOME_DIR
#
ifdef(`strict',`
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
')
#
# /etc
#
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wx]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
#
# /opt
#
/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
#
# /tmp
#
/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0) /tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
/tmp/\.ICE-unix/.* -s <<none>> /tmp/\.ICE-unix/.* -s <<none>>
/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>> /tmp/\.X11-unix/.* -s <<none>>
#
# /usr
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
@ -23,11 +65,23 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
#
# /var
#
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')

205
refpolicy/policy/modules/services/xserver.if
View File

@ -6,9 +6,6 @@ template(`xserver_common_domain_template',`
# #
# Declarations # Declarations
# #
gen_require(`
type xkb_var_lib_t, xserver_log_t;
')
type $1_xserver_t; type $1_xserver_t;
domain_type($1_xserver_t) domain_type($1_xserver_t)
@ -52,6 +49,9 @@ template(`xserver_common_domain_template',`
allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms; allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
files_filetrans_tmp($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file }) files_filetrans_tmp($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms; allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms; allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms; allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
@ -151,6 +151,10 @@ template(`xserver_common_domain_template',`
nscd_use_socket($1_xserver_t) nscd_use_socket($1_xserver_t)
') ')
optional_policy(`xfs',`
xfs_stream_connect($1_xserver_t)
')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
ifdef(`rpm.te', ` ifdef(`rpm.te', `
@ -159,15 +163,6 @@ template(`xserver_common_domain_template',`
rpm_use_fd($1_xserver_t) rpm_use_fd($1_xserver_t)
') ')
') ')
file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
# Connect to xfs.
ifdef(`xfs.te', `
can_unix_connect($1_xserver_t, xfs_t)
allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
')
') dnl end TODO ') dnl end TODO
') ')
@ -205,12 +200,6 @@ template(`xserver_per_userdomain_template',`
# Declarations # Declarations
# #
gen_require(`
type xauth_exec_t;
type xserver_exec_t;
type iceauth_exec_t;
')
xserver_common_domain_template($1) xserver_common_domain_template($1)
role $3 types $1_xserver_t; role $3 types $1_xserver_t;
@ -326,6 +315,9 @@ template(`xserver_per_userdomain_template',`
allow $2 $1_xauth_home_t:file manage_file_perms; allow $2 $1_xauth_home_t:file manage_file_perms;
allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
allow xdm_t $1_xauth_home_t:file manage_file_perms;
userdom_filetrans_user_home_dir($1,xdm_t,$1_xauth_home_t,file)
domain_use_wide_inherit_fd($1_xauth_t) domain_use_wide_inherit_fd($1_xauth_t)
files_read_etc_files($1_xauth_t) files_read_etc_files($1_xauth_t)
@ -406,69 +398,6 @@ template(`xserver_per_userdomain_template',`
') ')
') ')
#######################################
## <summary>
## Define a derived domain for the X server when executed
## by an X Display Manager.
## </summary>
## <param name="prefix">
## The prefix of the display manager domain.
## </param>
## <param name="xdm_domain">
## The type of the display manager domain.
## </param>
#
template(`xserver_displaymgr_domain_template',`
##############################
#
# Declarations
#
xserver_common_domain_template($1)
init_system_domain($1_xserver_t,xserver_exec_t)
##############################
#
# Local policy
#
domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
allow $2 $1_xserver_t:fd use;
allow $1_xserver_t $2:fd use;
allow $1_xserver_t $2:fifo_file rw_file_perms;
allow $1_xserver_t $2:process { signal sigchld };
allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow $2 $1_xserver_tmp_t:file unlink;
allow $2 $1_xserver_tmp_t:dir r_dir_perms;
allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
allow $2 $1_xserver_t:unix_stream_socket connectto;
allow $2 $1_xserver_t:shm rw_shm_perms;
allow $1_xserver_t $2:shm rw_shm_perms;
# Run xkbcomp.
can_exec($1_xserver_t, xkb_var_lib_t)
allow $1_xserver_t xkb_var_lib_t:lnk_file read;
files_search_var_lib($1_xserver_t)
init_use_fd($1_xserver_t)
userdom_dontaudit_search_all_users_home($1_xserver_t)
ifdef(`TODO',`
# Read all global and per user fonts
read_fonts($1_xserver_t, sysadm)
read_fonts($1_xserver_t, staff)
read_fonts($1_xserver_t, user)
dontaudit $1_xserver_t sysadm_t:shm { unix_read unix_write };
allow $1_xserver_t xdm_tmpfs_t:file rw_file_perms;
') dnl end TODO
')
######################################## ########################################
## <summary> ## <summary>
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
@ -504,17 +433,119 @@ template(`xserver_domtrans_user_xauth',`
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to read all user ## Connect to XDM over a unix domain
## .ICEauthority files. ## stream socket.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## Domain do not audit. ## Domain allowed access.
## </param> ## </param>
# #
interface(`xserver_dontaudit_read_all_users_iceauth',` interface(`xserver_stream_connect_xdm',`
gen_require(` gen_require(`
attribute iceauth_home_type; type xdm_t;
') ')
dontaudit $1 iceauth_home_type:file r_file_perms; allow $1 xdm_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Create a named socket in a XDM
## temporary directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`xserver_create_xdm_tmp_socket',`
gen_require(`
type xdm_tmp_t;
')
files_search_tmp($1)
allow $1 xdm_tmp_t:dir ra_dir_perms;
allow $1 xdm_tmp_t:sock_file create;
')
########################################
## <summary>
## Read XDM pid files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`xserver_read_xdm_pid',`
gen_require(`
type xdm_var_run_t;
')
files_search_pids($1)
allow $1 xdm_var_run_t:file r_file_perms;
')
########################################
## <summary>
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
## The domain for which the shell is an entrypoint.
## </param>
#
interface(`xserver_xsession_entry_type',`
gen_require(`
type xsession_exec_t;
')
domain_entry_file($1,xsession_exec_t)
')
########################################
## <summary>
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Execute an Xsession in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="target_domain">
## The type of the shell process.
## </param>
#
interface(`xserver_xsession_spec_domtrans',`
gen_require(`
type xsession_exec_t;
')
domain_trans($1,xsession_exec_t,$2)
')
########################################
## <summary>
## Do not audit attempts to write the X server
## log files.
## </summary>
## <param name="domain">
## Domain to not audit
## </param>
#
interface(`xserver_dontaudit_write_log',`
gen_require(`
type xserver_log_t;
')
dontaudit $1 xserver_log_t:file { append write };
') ')

443
refpolicy/policy/modules/services/xserver.te
View File

@ -1,13 +1,11 @@
policy_module(xserver,1.0.0) policy_module(xserver,1.0.1)
######################################## ########################################
# #
# Declarations # Declarations
# #
attribute iceauth_home_type;
type ice_tmp_t; type ice_tmp_t;
files_tmp_file(ice_tmp_t) files_tmp_file(ice_tmp_t)
@ -17,6 +15,33 @@ files_type(iceauth_exec_t)
type xauth_exec_t; type xauth_exec_t;
files_type(xauth_exec_t) files_type(xauth_exec_t)
type xdm_t;
# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
type xdm_exec_t;
')
init_domain(xdm_t,xdm_exec_t)
init_daemon_domain(xdm_t,xdm_exec_t)
type xdm_lock_t;
files_lock_file(xdm_lock_t)
type xdm_rw_etc_t;
files_type(xdm_rw_etc_t)
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
# type for /var/lib/xkb # type for /var/lib/xkb
type xkb_var_lib_t; type xkb_var_lib_t;
files_config_file(xkb_var_lib_t) files_config_file(xkb_var_lib_t)
@ -25,10 +50,422 @@ files_config_file(xkb_var_lib_t)
type xserver_exec_t; type xserver_exec_t;
files_type(xserver_exec_t) files_type(xserver_exec_t)
type xsession_exec_t;
files_type(xsession_exec_t)
# Type for the X server log file. # Type for the X server log file.
type xserver_log_t; type xserver_log_t;
logging_log_file(xserver_log_t) logging_log_file(xserver_log_t)
ifdef(`strict_policy',`
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
')
optional_policy(`prelink',` optional_policy(`prelink',`
prelink_object_file(xkb_var_lib_t) prelink_object_file(xkb_var_lib_t)
') ')
########################################
#
# XDM Local policy
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
# wdm has its own config dir /etc/X11/wdm
# this is ugly, daemons should not create files under /etc!
allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
allow xdm_t xdm_rw_etc_t:file create_file_perms;
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctl(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
corecmd_exec_sbin(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
corenet_raw_sendrecv_generic_if(xdm_t)
corenet_tcp_sendrecv_all_nodes(xdm_t)
corenet_udp_sendrecv_all_nodes(xdm_t)
corenet_raw_sendrecv_all_nodes(xdm_t)
corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_non_ipsec_sendrecv(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
dev_read_rand(xdm_t)
dev_read_urand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer(xdm_t)
dev_setattr_framebuffer(xdm_t)
dev_getattr_mouse(xdm_t)
dev_setattr_mouse(xdm_t)
dev_rw_apm_bios(xdm_t)
dev_setattr_apm_bios(xdm_t)
dev_rw_dri_dev(xdm_t)
dev_rw_agp_dev(xdm_t)
dev_getattr_xserver_misc_dev(xdm_t)
dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc(xdm_t)
dev_setattr_misc(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner(xdm_t)
dev_setattr_scanner(xdm_t)
dev_getattr_snd_dev(xdm_t)
dev_setattr_snd_dev(xdm_t)
dev_getattr_power_management(xdm_t)
dev_setattr_power_management(xdm_t)
domain_use_wide_inherit_fd(xdm_t)
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
files_list_mnt(xdm_t)
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
selinux_get_fs_mount(xdm_t)
selinux_validate_context(xdm_t)
selinux_compute_access_vector(xdm_t)
selinux_compute_create_context(xdm_t)
selinux_compute_relabel_context(xdm_t)
selinux_compute_user_contexts(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
storage_dontaudit_setattr_fixed_disk(xdm_t)
storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_device(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
term_setattr_console(xdm_t)
term_dontaudit_use_console(xdm_t)
term_use_unallocated_tty(xdm_t)
term_setattr_unallocated_ttys(xdm_t)
auth_rw_lastlog(xdm_t)
auth_read_login_records(xdm_t)
auth_append_login_records(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_exec_pam(xdm_t)
auth_manage_pam_console_data(xdm_t)
init_rw_utmp(xdm_t)
init_use_script_pty(xdm_t)
# Run telinit->init to shutdown.
init_exec(xdm_t)
init_write_initctl(xdm_t)
libs_use_ld_so(xdm_t)
libs_use_shared_libs(xdm_t)
libs_exec_lib_files(xdm_t)
logging_send_syslog_msg(xdm_t)
logging_read_generic_logs(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
seutil_read_config(xdm_t)
seutil_read_default_contexts(xdm_t)
sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fd(xdm_t)
userdom_dontaudit_search_sysadm_home_dir(xdm_t)
# for .dmrc
userdom_read_unpriv_user_home_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_userdomains_state(xdm_t)
userdom_signal_all_users(xdm_t)
ifdef(`enable_polyinstantiation',`
# xdm_t can polyinstantiate
files_polyinstantiate_all(xdm_t)
')
ifdef(`strict_policy',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_filetrans_lock(xdm_t,xdm_lock_t)
allow xdm_t xdm_tmp_t:dir create_dir_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow xdm_t xdm_var_lib_t:file create_file_perms;
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
allow xdm_t xdm_var_run_t:dir manage_dir_perms;
allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
# transition to the xdm xserver
domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
allow xdm_t xdm_xserver_t:fd use;
allow xdm_xserver_t xdm_t:fd use;
allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
allow xdm_xserver_t xdm_t:process { signal sigchld };
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
# connect to xdm xserver over stream socket
allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
# Remove /tmp/.X11-unix/X0.
allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
allow xdm_t xdm_xserver_tmp_t:file unlink;
allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
allow xdm_t xserver_log_t:file manage_file_perms;
allow xdm_t xserver_log_t:fifo_file manage_file_perms;
logging_filetrans_log(xdm_t,xserver_log_t,file)
domain_subj_id_change_exempt(xdm_t)
domain_role_change_exempt(xdm_t)
domain_obj_id_change_exempt(xdm_t)
auth_domtrans_chk_passwd(xdm_t)
auth_domtrans_pam_console(xdm_t)
# FIXME:
# xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
# xserver_rw_session_template(xdm,userdomain)
',`
userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
# FIXME:
# xserver_rw_session_template(xdm,unpriv_userdomain)
# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
')
optional_policy(`alsa',`
alsa_domtrans(xdm_t)
')
')
ifdef(`targeted_policy',`
allow xdm_t self:process { execheap execmem };
unconfined_domain_template(xdm_t)
unconfined_domtrans(xdm_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
fs_manage_nfs_files(xdm_t)
fs_manage_nfs_symlinks(xdm_t)
fs_execute_nfs_files(xdm_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_t)
fs_manage_cifs_files(xdm_t)
fs_manage_cifs_symlinks(xdm_t)
fs_execute_cifs_files(xdm_t)
')
optional_policy(`gpm',`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`hostname',`
hostname_exec(xdm_t)
')
optional_policy(`loadkeys',`
loadkeys_exec(xdm_t)
')
optional_policy(`locallogin',`
locallogin_signull(xdm_t)
')
optional_policy(`mta',`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool(xdm_t)
')
optional_policy(`nscd',`
nscd_use_socket(xdm_t)
')
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(xdm_t)
')
optional_policy(`udev',`
udev_read_db(xdm_t)
')
optional_policy(`userhelper',`
userhelper_dontaudit_search_config(xdm_t)
')
optional_policy(`usermanage',`
usermanage_read_crack_db(xdm_t)
')
optional_policy(`xfs',`
xfs_stream_connect(xdm_t)
')
########################################
#
# XDM Xserver local policy
#
ifdef(`strict_policy',`
allow xdm_xserver_t xdm_t:process signal;
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
# Label pid and temporary files with derived types.
allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
# Run xkbcomp.
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
fs_search_auto_mountpoints(xdm_xserver_t)
init_use_fd(xdm_xserver_t)
# FIXME: After per user fonts are properly working
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_user_home_files(xdm_xserver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
fs_manage_nfs_symlinks(xdm_xserver_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_xserver_t)
fs_manage_cifs_files(xdm_xserver_t)
fs_manage_cifs_symlinks(xdm_xserver_t)
')
ifdef(`TODO',`
# Read all global and per user fonts
read_fonts(xdm_xserver_t, sysadm)
read_fonts(xdm_xserver_t, staff)
read_fonts(xdm_xserver_t, user)
') dnl end TODO
')
ifdef(`TODO',`
# cjp: TODO: integrate strict policy:
# init script wants to check if it needs to update windowmanagerlist
allow initrc_t xdm_rw_etc_t:file { getattr read };
ifdef(`distro_suse', `
# set permissions on /tmp/.X11-unix
allow initrc_t xdm_tmp_t:dir setattr;
')
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
can_resmgrd_connect(xdm_t)
# Need to further investigate these permissions and
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
allow xdm_t var_lib_t:file { create write unlink };
# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;
ifdef(`rhgb.te', `
allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
allow xdm_xserver_t ramfs_t:file create_file_perms;
allow rhgb_t xdm_xserver_t:process signal;
')
ifdef(`enable_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
allow xdm_t polymember:dir { add_name remove_name write };
allow xdm_t polymember:lnk_file { create unlink };
# xdm needs access for copying .Xauthority into new home
allow xdm_t polymember:file { create getattr write };
')
#
# Wants to delete .xsession-errors file
#
allow xdm_t user_home_type:file unlink;
#
# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
#
allow pam_t xdm_t:fifo_file { getattr ioctl write };
') dnl end TODO

68
refpolicy/policy/modules/system/userdomain.if
View File

@ -436,6 +436,17 @@ template(`base_user_template',`
usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
') ')
optional_policy(`xserver',`
dev_rw_xserver_misc_dev($1_t)
xserver_xsession_entry_type($1_t)
xserver_dontaudit_write_log($1_t)
xserver_stream_connect_xdm($1_t)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_socket($1_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# #
# Cups daemon running as user tries to write /etc/printcap # Cups daemon running as user tries to write /etc/printcap
@ -464,20 +475,8 @@ template(`base_user_template',`
# Use X # Use X
x_client_domain($1, $1) x_client_domain($1, $1)
ifdef(`xserver.te', `
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
')
ifdef(`xdm.te', ` ifdef(`xdm.te', `
# Connect to the X server run by the X Display Manager.
can_unix_connect($1_t, xdm_t)
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
allow $1_t xdm_var_lib_t:file r_file_perms; allow $1_t xdm_var_lib_t:file r_file_perms;
allow xdm_t $1_home_dir_t:dir getattr;
ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
')
') ')
# start read_fonts() # start read_fonts()
@ -2540,6 +2539,28 @@ interface(`userdom_spec_domtrans_all_users',`
allow userdomain $1:process sigchld; allow userdomain $1:process sigchld;
') ')
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_xsession_spec_domtrans_all_users',`
gen_require(`
attribute userdomain;
')
xserver_xsession_spec_domtrans($1,userdomain)
allow $1 userdomain:fd use;
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Execute a shell in all unprivileged user domains. This ## Execute a shell in all unprivileged user domains. This
@ -2562,6 +2583,28 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld; allow unpriv_userdomain $1:process sigchld;
') ')
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_xsession_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
xserver_xsession_spec_domtrans($1,unpriv_userdomain)
allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Manage unpriviledged user SysV sempaphores. ## Manage unpriviledged user SysV sempaphores.
@ -3616,6 +3659,7 @@ interface(`userdom_read_unpriv_user_home_files',`
attribute user_home_dir_type, user_home_type; attribute user_home_dir_type, user_home_type;
') ')
files_search_home($1)
allow $1 user_home_dir_type:dir search_dir_perms; allow $1 user_home_dir_type:dir search_dir_perms;
allow $1 user_home_type:dir r_dir_perms; allow $1 user_home_type:dir r_dir_perms;
allow $1 user_home_type:lnk_file { getattr read }; allow $1 user_home_type:lnk_file { getattr read };

2
refpolicy/policy/modules/system/userdomain.te
View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.2.5) policy_module(userdomain,1.2.6)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;