add xauth and iceauth to xserver
This commit is contained in:
parent
dace0b2d9d
commit
acd87ca9b5
@ -1,3 +1,4 @@
|
||||
- Move ice_tmp_t from miscfiles to xserver.
|
||||
- Login fixes from Serge Hallyn.
|
||||
- Move xserver_log_t from xdm to xserver.
|
||||
- Add lpr per-userdomain policy to lpd.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xdm,1.1.2)
|
||||
policy_module(xdm,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -75,7 +75,7 @@ dev_read_urand(xdm_t)
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_etc_runtime_files(xdm_t)
|
||||
files_exec_etc(xdm_t)
|
||||
files_exec_etc_files(xdm_t)
|
||||
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
|
||||
files_read_usr_files(xdm_t)
|
||||
|
||||
@ -93,7 +93,7 @@ init_rw_utmp(xdm_t)
|
||||
# for reboot
|
||||
init_write_initctl(xdm_t)
|
||||
|
||||
libs_exec_lib(xdm_t)
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
seutil_read_config(xdm_t)
|
||||
seutil_read_default_contexts(xdm_t)
|
||||
|
@ -1,15 +1,20 @@
|
||||
|
||||
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
|
||||
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||
|
||||
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
|
||||
# cjp: TODO: merge in iceauth stuff
|
||||
#/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
|
||||
/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
|
||||
/tmp/\.ICE-unix/.* -s <<none>>
|
||||
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
|
||||
/tmp/\.X11-unix/.* -s <<none>>
|
||||
|
||||
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||
/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||
/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
|
@ -206,11 +206,38 @@ template(`xserver_per_userdomain_template',`
|
||||
xserver_common_domain_template($1)
|
||||
role $3 types $1_xserver_t;
|
||||
|
||||
type $1_iceauth_t;
|
||||
domain_type($1_iceauth_t)
|
||||
role $3 types $1_iceauth_t;
|
||||
|
||||
type $1_iceauth_home_t alias $1_iceauth_rw_t;
|
||||
files_poly_member($1_iceauth_home_t)
|
||||
userdom_home_file($1,$1_iceauth_home_t)
|
||||
|
||||
type $1_xauth_t;
|
||||
domain_type($1_xauth_t)
|
||||
role $3 types $1_xauth_t;
|
||||
|
||||
type $1_xauth_home_t alias $1_xauth_rw_t;
|
||||
files_poly_member($1_xauth_home_t)
|
||||
userdom_home_file($1,$1_xauth_home_t)
|
||||
|
||||
type $1_xauth_tmp_t;
|
||||
files_tmp_file($1_xauth_tmp_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
# $1_xserver_t Local policy
|
||||
#
|
||||
|
||||
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
allow $1_xserver_t $1_xauth_t:fd use;
|
||||
allow $1_xauth_t $1_xserver_t:fd use;
|
||||
allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
|
||||
allow $1_xauth_t $1_xserver_t:process sigchld;
|
||||
|
||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
|
||||
domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
|
||||
allow $2 $1_xserver_t:fd use;
|
||||
allow $1_xserver_t $2:fd use;
|
||||
@ -246,13 +273,6 @@ template(`xserver_per_userdomain_template',`
|
||||
# Read fonts
|
||||
read_fonts($1_xserver_t, $1)
|
||||
|
||||
ifdef(`xauth.te', `
|
||||
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
', `
|
||||
allow $1_xserver_t $1_home_t:file { getattr read };
|
||||
')
|
||||
|
||||
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
|
||||
@ -261,6 +281,116 @@ template(`xserver_per_userdomain_template',`
|
||||
allow $1_xserver_t xdm_var_run_t:dir search;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
##############################
|
||||
#
|
||||
# $1_xauth_t Local policy
|
||||
#
|
||||
|
||||
allow $1_xauth_t self:process signal;
|
||||
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
|
||||
userdom_filetrans_user_home_dir($1,$1_xauth_t,$1_xauth_home_t,file)
|
||||
|
||||
allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
|
||||
allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
||||
|
||||
domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
|
||||
allow $2 $1_xauth_t:fd use;
|
||||
allow $1_xauth_t $2:fd use;
|
||||
allow $1_xauth_t $2:fifo_file rw_file_perms;
|
||||
allow $1_xauth_t $2:process sigchld;
|
||||
|
||||
allow $2 $1_xauth_t:process signal;
|
||||
|
||||
allow $2 $1_xauth_home_t:file manage_file_perms;
|
||||
allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
domain_use_wide_inherit_fd($1_xauth_t)
|
||||
|
||||
files_read_etc_files($1_xauth_t)
|
||||
files_search_pids($1_xauth_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_xauth_t)
|
||||
fs_search_auto_mountpoints($1_xauth_t)
|
||||
|
||||
# cjp: why?
|
||||
term_use_ptmx($1_xauth_t)
|
||||
|
||||
libs_use_ld_so($1_xauth_t)
|
||||
libs_use_shared_libs($1_xauth_t)
|
||||
|
||||
sysnet_dns_name_resolve($1_xauth_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_xauth_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_xauth_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_xauth_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind($1_xauth_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`ssh.te', `
|
||||
domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
|
||||
dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
|
||||
|
||||
allow $1_xauth_t sshd_t:fifo_file { getattr read };
|
||||
allow $1_xauth_t sshd_t:process sigchld;
|
||||
')dnl end if ssh
|
||||
|
||||
# allow ps to show xauth
|
||||
can_ps($1_t, $1_xauth_t)
|
||||
|
||||
allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
|
||||
') dnl end TODO
|
||||
|
||||
##############################
|
||||
#
|
||||
# $1_iceauth_t Local policy
|
||||
#
|
||||
|
||||
domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
|
||||
allow $2 $1_iceauth_t:fd use;
|
||||
allow $1_iceauth_t $2:fd use;
|
||||
allow $1_iceauth_t $2:fifo_file rw_file_perms;
|
||||
allow $1_iceauth_t $2:process sigchld;
|
||||
|
||||
allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
|
||||
userdom_filetrans_user_home_dir($1,$1_iceauth_t,$1_iceauth_home_t,file)
|
||||
|
||||
allow $2 $1_iceauth_home_t:file manage_file_perms;
|
||||
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
fs_search_auto_mountpoints($1_iceauth_t)
|
||||
|
||||
libs_use_ld_so($1_iceauth_t)
|
||||
libs_use_shared_libs($1_iceauth_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_iceauth_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_iceauth_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_iceauth_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Supress xdm trying to restore .ICEauthority permissions
|
||||
ifdef(`xdm.te', `
|
||||
dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -6,6 +6,15 @@ policy_module(xserver,1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type ice_tmp_t;
|
||||
files_tmp_file(ice_tmp_t)
|
||||
|
||||
type iceauth_exec_t;
|
||||
files_type(iceauth_exec_t)
|
||||
|
||||
type xauth_exec_t;
|
||||
files_type(xauth_exec_t)
|
||||
|
||||
# type for /var/lib/xkb
|
||||
type xkb_var_lib_t;
|
||||
files_config_file(xkb_var_lib_t)
|
||||
|
@ -25,12 +25,6 @@ files_config_file(fonts_t)
|
||||
type hwdata_t;
|
||||
files_type(hwdata_t)
|
||||
|
||||
#
|
||||
# type for /tmp/.ICE-unix
|
||||
#
|
||||
type ice_tmp_t;
|
||||
files_tmp_file(ice_tmp_t)
|
||||
|
||||
#
|
||||
# locale_t is the type for system localization
|
||||
#
|
||||
|
@ -1633,6 +1633,49 @@ template(`userdom_create_user_home',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in a user home directory with
|
||||
## a type transition to a specified type.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create objects in a user home directory with
|
||||
## a type transition to a specified type.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
## <param name="private_type">
|
||||
## The type of the object to create. If this is
|
||||
## not specified, the regular home directory
|
||||
## type is used.
|
||||
## </param>
|
||||
## <param name="object_class">
|
||||
## The class of the object to be created. If not
|
||||
## specified, file is used.
|
||||
## </param>
|
||||
#
|
||||
template(`userdom_filetrans_user_home_dir',`
|
||||
gen_require(`
|
||||
type $1_home_dir_t, $1_home_t;
|
||||
')
|
||||
|
||||
files_search_home($2)
|
||||
allow $2 $1_home_dir_t:dir rw_dir_perms;
|
||||
|
||||
type_transition $2 $1_home_dir_t:$4 $3;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to user temporary named sockets.
|
||||
|
Loading…
Reference in New Issue
Block a user