deprecate userdom_xwindows_client_template
The X policy for users is currently split between userdom_xwindows_client_template() and xserver_role(). Deprecate the former and put the rules into the latter. For preserving restricted X roles (xguest), divide the rules into xserver_restricted_role() and xserver_role().
parent
fef5dcf3af
commit
93c49bdb04
@ -1,3 +1,4 @@
|
||||
- Deprecated the userdom_xwindwos_client_template().
|
||||
- Misc Gentoo fixes from Corentin Labbe.
|
||||
- Debian policykit fixes from Martin Orr.
|
||||
- Fix unconfined_r use of unconfined_java_t.
|
||||
|
@ -3,7 +3,7 @@
|
||||
########################################
|
||||
## <summary>
|
||||
## Rules required for using the X Windows server
|
||||
## and environment.
|
||||
## and environment, for restricted users.
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -16,7 +16,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_role',`
|
||||
interface(`xserver_restricted_role',`
|
||||
gen_require(`
|
||||
type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
|
||||
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
|
||||
@ -44,41 +44,37 @@ interface(`xserver_role',`
|
||||
|
||||
role $1 types { xserver_t xauth_t iceauth_t };
|
||||
|
||||
# Xserver read/write client shm
|
||||
allow xserver_t $2:fd use;
|
||||
allow xserver_t $2:shm rw_shm_perms;
|
||||
|
||||
domtrans_pattern($2, xserver_exec_t, xserver_t)
|
||||
allow xserver_t $2:process signal;
|
||||
|
||||
allow xserver_t $2:shm rw_shm_perms;
|
||||
|
||||
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||
manage_files_pattern($2, user_fonts_t, user_fonts_t)
|
||||
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
|
||||
allow $2 user_fonts_t:dir list_dir_perms;
|
||||
allow $2 user_fonts_t:file read_file_perms;
|
||||
|
||||
allow $2 user_fonts_config_t:dir list_dir_perms;
|
||||
allow $2 user_fonts_config_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
|
||||
manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
|
||||
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
files_search_tmp($2)
|
||||
|
||||
# Communicate via System V shared memory.
|
||||
allow xserver_t $2:shm rw_shm_perms;
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
allow $2 xserver_t:shm r_shm_perms;
|
||||
allow $2 xserver_tmpfs_t:file read_file_perms;
|
||||
|
||||
# allow ps to show iceauth
|
||||
ps_process_pattern($2, iceauth_t)
|
||||
|
||||
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
|
||||
|
||||
allow $2 iceauth_home_t:file manage_file_perms;
|
||||
allow $2 iceauth_home_t:file { relabelfrom relabelto };
|
||||
allow $2 iceauth_home_t:file read_file_perms;
|
||||
|
||||
domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
|
||||
@ -86,11 +82,53 @@ interface(`xserver_role',`
|
||||
|
||||
# allow ps to show xauth
|
||||
ps_process_pattern($2, xauth_t)
|
||||
allow $2 xserver_t:process signal;
|
||||
|
||||
allow $2 xauth_home_t:file manage_file_perms;
|
||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
allow $2 xauth_home_t:file read_file_perms;
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
allow $2 xdm_t:fifo_file { getattr read write ioctl };
|
||||
allow $2 xdm_tmp_t:dir search;
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
# Client read xserver shm
|
||||
allow $2 xserver_t:fd use;
|
||||
allow $2 xserver_tmpfs_t:file read_file_perms;
|
||||
|
||||
# Read /tmp/.X0-lock
|
||||
allow $2 xserver_tmp_t:file { getattr read };
|
||||
|
||||
dev_rw_xserver_misc($2)
|
||||
dev_rw_power_management($2)
|
||||
dev_read_input($2)
|
||||
dev_read_misc($2)
|
||||
dev_write_misc($2)
|
||||
# open office is looking for the following
|
||||
dev_getattr_agp_dev($2)
|
||||
dev_dontaudit_rw_dri($2)
|
||||
# GNOME checks for usb and other devices:
|
||||
dev_rw_usbfs($2)
|
||||
|
||||
miscfiles_read_fonts($2)
|
||||
|
||||
xserver_common_x_domain_template(user, $2)
|
||||
xserver_xsession_entry_type($2)
|
||||
xserver_dontaudit_write_log($2)
|
||||
xserver_stream_connect_xdm($2)
|
||||
# certain apps want to read xdm.pid file
|
||||
xserver_read_xdm_pid($2)
|
||||
# gnome-session creates socket under /tmp/.ICE-unix/
|
||||
xserver_create_xdm_tmp_sockets($2)
|
||||
# Needed for escd, remove if we get escd policy
|
||||
xserver_manage_xdm_tmp_files($2)
|
||||
|
||||
# Client write xserver shm
|
||||
tunable_policy(`allow_write_xshm',`
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
@ -124,6 +162,57 @@ interface(`xserver_role',`
|
||||
allow $2 info_xproperty_t:x_property { create append write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Rules required for using the X Windows server
|
||||
## and environment.
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_role',`
|
||||
gen_require(`
|
||||
type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
|
||||
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
|
||||
')
|
||||
|
||||
xserver_restricted_role($1, $2)
|
||||
|
||||
# Communicate via System V shared memory.
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
|
||||
allow $2 iceauth_home_t:file manage_file_perms;
|
||||
allow $2 iceauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
allow $2 xauth_home_t:file manage_file_perms;
|
||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||
manage_files_pattern($2, user_fonts_t, user_fonts_t)
|
||||
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
|
||||
|
||||
manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
|
||||
manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create sessions on the X server, with read-only
|
||||
|
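Review bot: xserver_restricted_role() ends up granting `dev_rw_usbfs($2)`, `dev_write_misc($2)` and `xserver_manage_xdm_tmp_files($2)`, which is broad for the interface intended to back restricted roles such as xguest. These appear to be carried over from userdom_xwindows_client_template(), so existing behaviour is preserved, but this split is the natural point to move them into xserver_role() or behind a boolean; the existing comment already marks the xdm tmp-file rule as a stopgap for escd. The `allow_write_xshm` block now only matters for restricted callers, because xserver_role() grants the same two rules unconditionally; I would add a comment above it such as `# only widens restricted roles; xserver_role() grants this unconditionally`. The interface's gen_require block is only partly visible in these hunks, so please confirm it declares xdm_t and xdm_tmp_t, which the new rules reference.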
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xserver, 3.2.1)
|
||||
policy_module(xserver, 3.2.2)
|
||||
|
||||
gen_require(`
|
||||
class x_drawable all_x_drawable_perms;
|
||||
|
@ -412,7 +412,7 @@ template(`userdom_basic_networking_template',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The template for creating a user xwindows client.
|
||||
## The template for creating a user xwindows client. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
@ -423,6 +423,7 @@ template(`userdom_basic_networking_template',`
|
||||
## <rolebase/>
|
||||
#
|
||||
template(`userdom_xwindows_client_template',`
|
||||
refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
|
||||
gen_require(`
|
||||
type $1_t, user_tmpfs_t;
|
||||
')
|
||||
@ -499,10 +500,6 @@ template(`userdom_common_user_template',`
|
||||
|
||||
userdom_basic_networking_template($1)
|
||||
|
||||
optional_policy(`
|
||||
userdom_xwindows_client_template($1)
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# User domain Local policy
|
||||
@ -868,8 +865,6 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
userdom_xwindows_client_template($1)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
@ -890,6 +885,8 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
logging_send_audit_msgs($1_t)
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
xserver_restricted_role($1_r, $1_t)
|
||||
|
||||
optional_policy(`
|
||||
alsa_read_rw_config($1_t)
|
||||
')
|
||||
|
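Review bot: The deprecation warning in userdom_xwindows_client_template() names only xserver_role() as the replacement, but that is the broader interface (writable X shared memory, manage and relabel access to the xauth, iceauth and font files). A policy author migrating a restricted user by following the message would widen that role's access, whereas this commit itself uses `xserver_restricted_role($1_r, $1_t)` for the restricted template. I would word the message as `$0() has been deprecated, please use xserver_role() or xserver_restricted_role() instead.` and name both interfaces in the `(Deprecated)` summary line. The template body continues outside the hunk, so the old rules presumably still expand after the warning.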
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain, 4.2.0)
|
||||
policy_module(userdomain, 4.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|