work on xdm

refpolicy/policy/modules/services/xserver.if

@@ -448,6 +448,39 @@ interface(`xserver_stream_connect_xdm',`
 	allow $1 xdm_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##	Read xdm-writable configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_read_xdm_rw_config',`
+	gen_require(`
+		type xdm_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 xdm_rw_etc_t:dir { getattr read };
+')
+
+########################################
+## <summary>
+##	Set the attributes of XDM temporary directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_setattr_xdm_tmp_dirs',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Create a named socket in a XDM
@@ -570,3 +603,22 @@ interface(`xserver_dontaudit_write_log',`
 
 	dontaudit $1 xserver_log_t:file { append write };
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the X server
+##	log files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit
+## </param>
+#
+interface(`xserver_delete_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xserver_log_t:dir rw_dir_perms;
+	allow $1 xserver_log_t:file unlink;
+')

refpolicy/policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.0.1)
+policy_module(xserver,1.0.2)
 
 ########################################
 #
@@ -368,53 +368,53 @@ optional_policy(`xfs',`
 # XDM Xserver local policy
 #
 
+allow xdm_xserver_t xdm_t:process signal;
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+# Label pid and temporary files with derived types.
+allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
+allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
+allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
+allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+
+# Run xkbcomp.
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+files_search_var_lib(xdm_xserver_t)
+
+# VNC v4 module in X server
+corenet_tcp_bind_vnc_port(xdm_xserver_t)
+
+fs_search_auto_mountpoints(xdm_xserver_t)
+
+init_use_fd(xdm_xserver_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(xdm_xserver_t)
+	fs_manage_nfs_files(xdm_xserver_t)
+	fs_manage_nfs_symlinks(xdm_xserver_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(xdm_xserver_t)
+	fs_manage_cifs_files(xdm_xserver_t)
+	fs_manage_cifs_symlinks(xdm_xserver_t)
+')
+
 ifdef(`strict_policy',`
-	allow xdm_xserver_t xdm_t:process signal;
-	allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-
-	# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-	# handle of a file inside the dir!!!
-	allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-	dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-
-	allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-
-	# Label pid and temporary files with derived types.
-	allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
-	allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
-	allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
-	allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
-
-	# Run xkbcomp.
-	allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-	can_exec(xdm_xserver_t, xkb_var_lib_t)
-	files_search_var_lib(xdm_xserver_t)
-
-	# VNC v4 module in X server
-	corenet_tcp_bind_vnc_port(xdm_xserver_t)
-
-	fs_search_auto_mountpoints(xdm_xserver_t)
-
-	init_use_fd(xdm_xserver_t)
-
 	# FIXME: After per user fonts are properly working
 	# xdm_xserver_t may no longer have any reason
 	# to read ROLE_home_t - examine this in more detail
 	# (xauth?)
 	userdom_read_unpriv_user_home_files(xdm_xserver_t)
 
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs(xdm_xserver_t)
-		fs_manage_nfs_files(xdm_xserver_t)
-		fs_manage_nfs_symlinks(xdm_xserver_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs(xdm_xserver_t)
-		fs_manage_cifs_files(xdm_xserver_t)
-		fs_manage_cifs_symlinks(xdm_xserver_t)
-	')
-
 	ifdef(`TODO',`
 	# Read all global and per user fonts
 	read_fonts(xdm_xserver_t, sysadm)
@@ -431,14 +431,6 @@ ifdef(`targeted_policy',`
 ')
 
 ifdef(`TODO',`
-# cjp: TODO: integrate strict policy:
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 
 can_resmgrd_connect(xdm_t)

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.2.1)
+policy_module(init,1.2.2)
 
 gen_require(`
 	class passwd rootok;
@@ -428,30 +428,46 @@ ifdef(`distro_redhat',`
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
 
-	fs_rw_tmpfs_chr_files(initrc_t)
-
-	storage_create_fixed_disk(initrc_t)
-	storage_getattr_removable_dev(initrc_t)
-
 	files_create_boot_flag(initrc_t)
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
 
-	miscfiles_read_fonts(initrc_t)
+	fs_rw_tmpfs_chr_files(initrc_t)
-	miscfiles_read_hwdata(initrc_t)
+
+	storage_create_fixed_disk(initrc_t)
+	storage_getattr_removable_dev(initrc_t)
 
 	# readahead asks for these
 	auth_dontaudit_read_shadow(initrc_t)
 
+	miscfiles_read_fonts(initrc_t)
+	miscfiles_read_hwdata(initrc_t)
+
 	optional_policy(`bind',`
 		bind_manage_config_dirs(initrc_t)
+		bind_write_config(initrc_t)
 	')
 
 	optional_policy(`rpc',`
 		#for /etc/rc.d/init.d/nfs to create /etc/exports
 		rpc_write_exports(initrc_t)
 	')
+
+	optional_policy(`sysnetwork',`
+		sysnet_rw_dhcp_config(initrc_t)
+	')
+
+	optional_policy(`xserver',`
+		xserver_delete_log(initrc_t)
+	')
+')
+
+ifdef(`distro_suse',`
+	optional_policy(`xserver',`
+		# set permissions on /tmp/.X11-unix
+		xserver_setattr_xdm_tmp_dirs(initrc_t)
+	')
 ')
 
 ifdef(`targeted_policy',`
@@ -484,12 +500,6 @@ optional_policy(`bind',`
 
 	# for chmod in start script
 	bind_setattr_pid_dirs(initrc_t)
-
-	# for /etc/rndc.key
-	ifdef(`distro_redhat',`
-		# Allow init script to cp localtime to named_conf_t
-		bind_write_config(initrc_t)
-	')
 ')
 
 optional_policy(`bluetooth',`
@@ -668,10 +678,6 @@ optional_policy(`su',`
 ')
 
 optional_policy(`sysnetwork',`
-	ifdef(`distro_redhat',`
-		sysnet_rw_dhcp_config(initrc_t)
-	')
-
 	sysnet_read_dhcpc_state(initrc_t)
 ')
 
@@ -682,6 +688,11 @@ optional_policy(`xfs',`
 	xfs_read_sockets(initrc_t)
 ')
 
+optional_policy(`xserver',`
+	# init s	cript wants to check if it needs to update windowmanagerlist
+	xserver_read_xdm_rw_config(initrc_t)
+')
+
 optional_policy(`zebra',`
 	zebra_read_config(initrc_t)
 ')
@@ -690,17 +701,7 @@ ifdef(`TODO',`
 # Set device ownerships/modes.
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir write;
-
 ifdef(`distro_redhat', `
 	allow initrc_t device_t:dir create;
-
-	ifdef(`xserver.te', `
-	# wants to cleanup xserver log dir
-	allow initrc_t xserver_log_t:dir rw_dir_perms;
-	allow initrc_t xserver_log_t:file unlink;
-	')
-
 ')
 ') dnl end TODO