deprecate userdom_xwindows_client_template

The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role().  Deprecate
the former and put the rules into the latter.

For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
This commit is contained in:
Chris PeBenito 2009-08-28 13:29:36 -04:00
parent fef5dcf3af
commit 93c49bdb04
5 changed files with 117 additions and 30 deletions

View File

@ -1,3 +1,4 @@
- Deprecated the userdom_xwindwos_client_template().
- Misc Gentoo fixes from Corentin Labbe. - Misc Gentoo fixes from Corentin Labbe.
- Debian policykit fixes from Martin Orr. - Debian policykit fixes from Martin Orr.
- Fix unconfined_r use of unconfined_java_t. - Fix unconfined_r use of unconfined_java_t.

View File

@ -3,7 +3,7 @@
######################################## ########################################
## <summary> ## <summary>
## Rules required for using the X Windows server ## Rules required for using the X Windows server
## and environment. ## and environment, for restricted users.
## </summary> ## </summary>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -16,7 +16,7 @@
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`xserver_role',` interface(`xserver_restricted_role',`
gen_require(` gen_require(`
type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
@ -44,41 +44,37 @@ interface(`xserver_role',`
role $1 types { xserver_t xauth_t iceauth_t }; role $1 types { xserver_t xauth_t iceauth_t };
# Xserver read/write client shm
allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
domtrans_pattern($2, xserver_exec_t, xserver_t) domtrans_pattern($2, xserver_exec_t, xserver_t)
allow xserver_t $2:process signal; allow xserver_t $2:process signal;
allow xserver_t $2:shm rw_shm_perms; allow xserver_t $2:shm rw_shm_perms;
manage_dirs_pattern($2, user_fonts_t, user_fonts_t) allow $2 user_fonts_t:dir list_dir_perms;
manage_files_pattern($2, user_fonts_t, user_fonts_t) allow $2 user_fonts_t:file read_file_perms;
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t) allow $2 user_fonts_config_t:dir list_dir_perms;
allow $2 user_fonts_config_t:file read_file_perms;
manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
files_search_tmp($2)
allow $2 xserver_tmpfs_t:file rw_file_perms;
# Communicate via System V shared memory. # Communicate via System V shared memory.
allow xserver_t $2:shm rw_shm_perms; allow $2 xserver_t:shm r_shm_perms;
allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file read_file_perms;
# allow ps to show iceauth # allow ps to show iceauth
ps_process_pattern($2, iceauth_t) ps_process_pattern($2, iceauth_t)
domtrans_pattern($2, iceauth_exec_t, iceauth_t) domtrans_pattern($2, iceauth_exec_t, iceauth_t)
allow $2 iceauth_home_t:file manage_file_perms; allow $2 iceauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file { relabelfrom relabelto };
domtrans_pattern($2, xauth_exec_t, xauth_t) domtrans_pattern($2, xauth_exec_t, xauth_t)
@ -86,11 +82,53 @@ interface(`xserver_role',`
# allow ps to show xauth # allow ps to show xauth
ps_process_pattern($2, xauth_t) ps_process_pattern($2, xauth_t)
allow $2 xserver_t:process signal;
allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file read_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
allow $2 xdm_tmp_t:dir search;
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
# Client read xserver shm
allow $2 xserver_t:fd use;
allow $2 xserver_tmpfs_t:file read_file_perms;
# Read /tmp/.X0-lock
allow $2 xserver_tmp_t:file { getattr read };
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
dev_read_input($2)
dev_read_misc($2)
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
dev_dontaudit_rw_dri($2)
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
xserver_common_x_domain_template(user, $2) xserver_common_x_domain_template(user, $2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($2)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
############################## ##############################
# #
@ -124,6 +162,57 @@ interface(`xserver_role',`
allow $2 info_xproperty_t:x_property { create append write }; allow $2 info_xproperty_t:x_property { create append write };
') ')
########################################
## <summary>
## Rules required for using the X Windows server
## and environment.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_role',`
gen_require(`
type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
')
xserver_restricted_role($1, $2)
# Communicate via System V shared memory.
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
allow $2 iceauth_home_t:file { relabelfrom relabelto };
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
')
####################################### #######################################
## <summary> ## <summary>
## Create sessions on the X server, with read-only ## Create sessions on the X server, with read-only

View File

@ -1,5 +1,5 @@
policy_module(xserver, 3.2.1) policy_module(xserver, 3.2.2)
gen_require(` gen_require(`
class x_drawable all_x_drawable_perms; class x_drawable all_x_drawable_perms;

View File

@ -412,7 +412,7 @@ template(`userdom_basic_networking_template',`
####################################### #######################################
## <summary> ## <summary>
## The template for creating a user xwindows client. ## The template for creating a user xwindows client. (Deprecated)
## </summary> ## </summary>
## <param name="userdomain_prefix"> ## <param name="userdomain_prefix">
## <summary> ## <summary>
@ -423,6 +423,7 @@ template(`userdom_basic_networking_template',`
## <rolebase/> ## <rolebase/>
# #
template(`userdom_xwindows_client_template',` template(`userdom_xwindows_client_template',`
refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
gen_require(` gen_require(`
type $1_t, user_tmpfs_t; type $1_t, user_tmpfs_t;
') ')
@ -499,10 +500,6 @@ template(`userdom_common_user_template',`
userdom_basic_networking_template($1) userdom_basic_networking_template($1)
optional_policy(`
userdom_xwindows_client_template($1)
')
############################## ##############################
# #
# User domain Local policy # User domain Local policy
@ -868,8 +865,6 @@ template(`userdom_restricted_xwindows_user_template',`
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
userdom_xwindows_client_template($1)
############################## ##############################
# #
# Local policy # Local policy
@ -890,6 +885,8 @@ template(`userdom_restricted_xwindows_user_template',`
logging_send_audit_msgs($1_t) logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t) selinux_get_enforce_mode($1_t)
xserver_restricted_role($1_r, $1_t)
optional_policy(` optional_policy(`
alsa_read_rw_config($1_t) alsa_read_rw_config($1_t)
') ')

View File

@ -1,5 +1,5 @@
policy_module(userdomain, 4.2.0) policy_module(userdomain, 4.2.1)
######################################## ########################################
# #