add xauth and iceauth to xserver
This commit is contained in:
parent
dace0b2d9d
commit
acd87ca9b5
@ -1,3 +1,4 @@
|
|||||||
|
- Move ice_tmp_t from miscfiles to xserver.
|
||||||
- Login fixes from Serge Hallyn.
|
- Login fixes from Serge Hallyn.
|
||||||
- Move xserver_log_t from xdm to xserver.
|
- Move xserver_log_t from xdm to xserver.
|
||||||
- Add lpr per-userdomain policy to lpd.
|
- Add lpr per-userdomain policy to lpd.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(xdm,1.1.2)
|
policy_module(xdm,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -75,7 +75,7 @@ dev_read_urand(xdm_t)
|
|||||||
|
|
||||||
files_read_etc_files(xdm_t)
|
files_read_etc_files(xdm_t)
|
||||||
files_read_etc_runtime_files(xdm_t)
|
files_read_etc_runtime_files(xdm_t)
|
||||||
files_exec_etc(xdm_t)
|
files_exec_etc_files(xdm_t)
|
||||||
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
|
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
|
||||||
files_read_usr_files(xdm_t)
|
files_read_usr_files(xdm_t)
|
||||||
|
|
||||||
@ -93,7 +93,7 @@ init_rw_utmp(xdm_t)
|
|||||||
# for reboot
|
# for reboot
|
||||||
init_write_initctl(xdm_t)
|
init_write_initctl(xdm_t)
|
||||||
|
|
||||||
libs_exec_lib(xdm_t)
|
libs_exec_lib_files(xdm_t)
|
||||||
|
|
||||||
seutil_read_config(xdm_t)
|
seutil_read_config(xdm_t)
|
||||||
seutil_read_default_contexts(xdm_t)
|
seutil_read_default_contexts(xdm_t)
|
||||||
|
@ -1,15 +1,20 @@
|
|||||||
|
|
||||||
|
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
|
||||||
|
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||||
|
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||||
|
|
||||||
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
|
|
||||||
# cjp: TODO: merge in iceauth stuff
|
/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
|
||||||
#/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
|
|
||||||
/tmp/\.ICE-unix/.* -s <<none>>
|
/tmp/\.ICE-unix/.* -s <<none>>
|
||||||
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
|
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
|
||||||
/tmp/\.X11-unix/.* -s <<none>>
|
/tmp/\.X11-unix/.* -s <<none>>
|
||||||
|
|
||||||
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
|
||||||
|
/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||||
/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
|
/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||||
/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
|
@ -206,11 +206,38 @@ template(`xserver_per_userdomain_template',`
|
|||||||
xserver_common_domain_template($1)
|
xserver_common_domain_template($1)
|
||||||
role $3 types $1_xserver_t;
|
role $3 types $1_xserver_t;
|
||||||
|
|
||||||
|
type $1_iceauth_t;
|
||||||
|
domain_type($1_iceauth_t)
|
||||||
|
role $3 types $1_iceauth_t;
|
||||||
|
|
||||||
|
type $1_iceauth_home_t alias $1_iceauth_rw_t;
|
||||||
|
files_poly_member($1_iceauth_home_t)
|
||||||
|
userdom_home_file($1,$1_iceauth_home_t)
|
||||||
|
|
||||||
|
type $1_xauth_t;
|
||||||
|
domain_type($1_xauth_t)
|
||||||
|
role $3 types $1_xauth_t;
|
||||||
|
|
||||||
|
type $1_xauth_home_t alias $1_xauth_rw_t;
|
||||||
|
files_poly_member($1_xauth_home_t)
|
||||||
|
userdom_home_file($1,$1_xauth_home_t)
|
||||||
|
|
||||||
|
type $1_xauth_tmp_t;
|
||||||
|
files_tmp_file($1_xauth_tmp_t)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Local policy
|
# $1_xserver_t Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||||
|
allow $1_xserver_t $1_xauth_t:fd use;
|
||||||
|
allow $1_xauth_t $1_xserver_t:fd use;
|
||||||
|
allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
|
||||||
|
allow $1_xauth_t $1_xserver_t:process sigchld;
|
||||||
|
|
||||||
|
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||||
|
|
||||||
domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
|
domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
|
||||||
allow $2 $1_xserver_t:fd use;
|
allow $2 $1_xserver_t:fd use;
|
||||||
allow $1_xserver_t $2:fd use;
|
allow $1_xserver_t $2:fd use;
|
||||||
@ -246,13 +273,6 @@ template(`xserver_per_userdomain_template',`
|
|||||||
# Read fonts
|
# Read fonts
|
||||||
read_fonts($1_xserver_t, $1)
|
read_fonts($1_xserver_t, $1)
|
||||||
|
|
||||||
ifdef(`xauth.te', `
|
|
||||||
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
|
||||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
|
||||||
', `
|
|
||||||
allow $1_xserver_t $1_home_t:file { getattr read };
|
|
||||||
')
|
|
||||||
|
|
||||||
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
||||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
|
|
||||||
@ -261,6 +281,116 @@ template(`xserver_per_userdomain_template',`
|
|||||||
allow $1_xserver_t xdm_var_run_t:dir search;
|
allow $1_xserver_t xdm_var_run_t:dir search;
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# $1_xauth_t Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow $1_xauth_t self:process signal;
|
||||||
|
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
|
||||||
|
userdom_filetrans_user_home_dir($1,$1_xauth_t,$1_xauth_home_t,file)
|
||||||
|
|
||||||
|
allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
|
||||||
|
allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
|
||||||
|
files_filetrans_tmp($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
||||||
|
|
||||||
|
domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
|
||||||
|
allow $2 $1_xauth_t:fd use;
|
||||||
|
allow $1_xauth_t $2:fd use;
|
||||||
|
allow $1_xauth_t $2:fifo_file rw_file_perms;
|
||||||
|
allow $1_xauth_t $2:process sigchld;
|
||||||
|
|
||||||
|
allow $2 $1_xauth_t:process signal;
|
||||||
|
|
||||||
|
allow $2 $1_xauth_home_t:file manage_file_perms;
|
||||||
|
allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd($1_xauth_t)
|
||||||
|
|
||||||
|
files_read_etc_files($1_xauth_t)
|
||||||
|
files_search_pids($1_xauth_t)
|
||||||
|
|
||||||
|
fs_getattr_xattr_fs($1_xauth_t)
|
||||||
|
fs_search_auto_mountpoints($1_xauth_t)
|
||||||
|
|
||||||
|
# cjp: why?
|
||||||
|
term_use_ptmx($1_xauth_t)
|
||||||
|
|
||||||
|
libs_use_ld_so($1_xauth_t)
|
||||||
|
libs_use_shared_libs($1_xauth_t)
|
||||||
|
|
||||||
|
sysnet_dns_name_resolve($1_xauth_t)
|
||||||
|
|
||||||
|
userdom_use_user_terminals($1,$1_xauth_t)
|
||||||
|
|
||||||
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
fs_manage_nfs_files($1_xauth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
fs_manage_cifs_files($1_xauth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis',`
|
||||||
|
nis_use_ypbind($1_xauth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
ifdef(`ssh.te', `
|
||||||
|
domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
|
||||||
|
dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
|
||||||
|
|
||||||
|
allow $1_xauth_t sshd_t:fifo_file { getattr read };
|
||||||
|
allow $1_xauth_t sshd_t:process sigchld;
|
||||||
|
')dnl end if ssh
|
||||||
|
|
||||||
|
# allow ps to show xauth
|
||||||
|
can_ps($1_t, $1_xauth_t)
|
||||||
|
|
||||||
|
allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# $1_iceauth_t Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
|
||||||
|
allow $2 $1_iceauth_t:fd use;
|
||||||
|
allow $1_iceauth_t $2:fd use;
|
||||||
|
allow $1_iceauth_t $2:fifo_file rw_file_perms;
|
||||||
|
allow $1_iceauth_t $2:process sigchld;
|
||||||
|
|
||||||
|
allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
|
||||||
|
userdom_filetrans_user_home_dir($1,$1_iceauth_t,$1_iceauth_home_t,file)
|
||||||
|
|
||||||
|
allow $2 $1_iceauth_home_t:file manage_file_perms;
|
||||||
|
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints($1_iceauth_t)
|
||||||
|
|
||||||
|
libs_use_ld_so($1_iceauth_t)
|
||||||
|
libs_use_shared_libs($1_iceauth_t)
|
||||||
|
|
||||||
|
userdom_use_user_terminals($1,$1_iceauth_t)
|
||||||
|
|
||||||
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
fs_manage_nfs_files($1_iceauth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
fs_manage_cifs_files($1_iceauth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
# Supress xdm trying to restore .ICEauthority permissions
|
||||||
|
ifdef(`xdm.te', `
|
||||||
|
dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -6,6 +6,15 @@ policy_module(xserver,1.0.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
type ice_tmp_t;
|
||||||
|
files_tmp_file(ice_tmp_t)
|
||||||
|
|
||||||
|
type iceauth_exec_t;
|
||||||
|
files_type(iceauth_exec_t)
|
||||||
|
|
||||||
|
type xauth_exec_t;
|
||||||
|
files_type(xauth_exec_t)
|
||||||
|
|
||||||
# type for /var/lib/xkb
|
# type for /var/lib/xkb
|
||||||
type xkb_var_lib_t;
|
type xkb_var_lib_t;
|
||||||
files_config_file(xkb_var_lib_t)
|
files_config_file(xkb_var_lib_t)
|
||||||
|
@ -25,12 +25,6 @@ files_config_file(fonts_t)
|
|||||||
type hwdata_t;
|
type hwdata_t;
|
||||||
files_type(hwdata_t)
|
files_type(hwdata_t)
|
||||||
|
|
||||||
#
|
|
||||||
# type for /tmp/.ICE-unix
|
|
||||||
#
|
|
||||||
type ice_tmp_t;
|
|
||||||
files_tmp_file(ice_tmp_t)
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# locale_t is the type for system localization
|
# locale_t is the type for system localization
|
||||||
#
|
#
|
||||||
|
@ -1633,6 +1633,49 @@ template(`userdom_create_user_home',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create objects in a user home directory with
|
||||||
|
## a type transition to a specified type.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create objects in a user home directory with
|
||||||
|
## a type transition to a specified type.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="private_type">
|
||||||
|
## The type of the object to create. If this is
|
||||||
|
## not specified, the regular home directory
|
||||||
|
## type is used.
|
||||||
|
## </param>
|
||||||
|
## <param name="object_class">
|
||||||
|
## The class of the object to be created. If not
|
||||||
|
## specified, file is used.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_filetrans_user_home_dir',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_home_dir_t, $1_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($2)
|
||||||
|
allow $2 $1_home_dir_t:dir rw_dir_perms;
|
||||||
|
|
||||||
|
type_transition $2 $1_home_dir_t:$4 $3;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Write to user temporary named sockets.
|
## Write to user temporary named sockets.
|
||||||
|
Loading…
Reference in New Issue
Block a user