add xauth and iceauth to xserver

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Move ice_tmp_t from miscfiles to xserver.
 - Login fixes from Serge Hallyn.
 - Move xserver_log_t from xdm to xserver.
 - Add lpr per-userdomain policy to lpd.

refpolicy/policy/modules/services/xdm.te

@@ -1,5 +1,5 @@
 
-policy_module(xdm,1.1.2)
+policy_module(xdm,1.1.3)
 
 ########################################
 #
@@ -75,7 +75,7 @@ dev_read_urand(xdm_t)
 
 files_read_etc_files(xdm_t)
 files_read_etc_runtime_files(xdm_t)
-files_exec_etc(xdm_t)
+files_exec_etc_files(xdm_t)
 # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
 files_read_usr_files(xdm_t)
 
@@ -93,7 +93,7 @@ init_rw_utmp(xdm_t)
 # for reboot
 init_write_initctl(xdm_t)
 
-libs_exec_lib(xdm_t)
+libs_exec_lib_files(xdm_t)
 
 seutil_read_config(xdm_t)
 seutil_read_default_contexts(xdm_t)

refpolicy/policy/modules/services/xserver.fc

@@ -1,15 +1,20 @@
 
+HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
+HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+
 /etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
 
-# cjp: TODO: merge in iceauth stuff
+/tmp/\.ICE-unix		-d	gen_context(system_u:object_r:ice_tmp_t,s0)
-#/tmp/\.ICE-unix		-d	gen_context(system_u:object_r:ice_tmp_t,s0)
 /tmp/\.ICE-unix/.*	-s	<<none>>
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
 
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
+/usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/xauth    --      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/X11R6/bin/XFree86	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)

refpolicy/policy/modules/services/xserver.if

@@ -206,11 +206,38 @@ template(`xserver_per_userdomain_template',`
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;
 
+	type $1_iceauth_t;
+	domain_type($1_iceauth_t)
+	role $3 types $1_iceauth_t;
+
+	type $1_iceauth_home_t alias $1_iceauth_rw_t;
+	files_poly_member($1_iceauth_home_t)
+	userdom_home_file($1,$1_iceauth_home_t)
+
+	type $1_xauth_t;
+	domain_type($1_xauth_t)
+	role $3 types $1_xauth_t;
+
+	type $1_xauth_home_t alias $1_xauth_rw_t;
+	files_poly_member($1_xauth_home_t)
+	userdom_home_file($1,$1_xauth_home_t)
+
+	type $1_xauth_tmp_t;
+	files_tmp_file($1_xauth_tmp_t)
+
 	##############################
 	#
-	# Local policy
+	# $1_xserver_t Local policy
 	#
 
+	domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
+	allow $1_xserver_t $1_xauth_t:fd use;
+	allow $1_xauth_t $1_xserver_t:fd use;
+	allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
+	allow $1_xauth_t $1_xserver_t:process sigchld;
+
+	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+
 	domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
 	allow $2 $1_xserver_t:fd use;
 	allow $1_xserver_t $2:fd use;
@@ -246,13 +273,6 @@ template(`xserver_per_userdomain_template',`
 	# Read fonts
 	read_fonts($1_xserver_t, $1)
 
-	ifdef(`xauth.te', `
-		domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-		allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-	', `
-		allow $1_xserver_t $1_home_t:file { getattr read };
-	')
-
 	allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
 	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 
@@ -261,6 +281,116 @@ template(`xserver_per_userdomain_template',`
 		allow $1_xserver_t xdm_var_run_t:dir search;
 	')
 	') dnl end TODO
+
+	##############################
+	#
+	# $1_xauth_t Local policy
+	#
+
+	allow $1_xauth_t self:process signal;
+	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
+	userdom_filetrans_user_home_dir($1,$1_xauth_t,$1_xauth_home_t,file)
+
+	allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
+	allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
+	files_filetrans_tmp($1_xauth_t, $1_xauth_tmp_t, { file dir })
+
+	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
+	allow $2 $1_xauth_t:fd use;
+	allow $1_xauth_t $2:fd use;
+	allow $1_xauth_t $2:fifo_file rw_file_perms;
+	allow $1_xauth_t $2:process sigchld;
+
+	allow $2 $1_xauth_t:process signal;
+
+	allow $2 $1_xauth_home_t:file manage_file_perms;
+	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
+
+	domain_use_wide_inherit_fd($1_xauth_t)
+
+	files_read_etc_files($1_xauth_t)
+	files_search_pids($1_xauth_t)
+
+	fs_getattr_xattr_fs($1_xauth_t)
+	fs_search_auto_mountpoints($1_xauth_t)
+
+	# cjp: why?
+	term_use_ptmx($1_xauth_t)
+
+	libs_use_ld_so($1_xauth_t)
+	libs_use_shared_libs($1_xauth_t)
+
+	sysnet_dns_name_resolve($1_xauth_t)
+
+	userdom_use_user_terminals($1,$1_xauth_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_xauth_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_xauth_t)
+	')
+
+	optional_policy(`nis',`
+		nis_use_ypbind($1_xauth_t)
+	')
+
+	ifdef(`TODO',`
+	ifdef(`ssh.te', `
+		domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
+		dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
+
+		allow $1_xauth_t sshd_t:fifo_file { getattr read };
+		allow $1_xauth_t sshd_t:process sigchld;
+	')dnl end if ssh
+
+	# allow ps to show xauth
+	can_ps($1_t, $1_xauth_t)
+
+	allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
+	') dnl end TODO
+
+	##############################
+	#
+	# $1_iceauth_t Local policy
+	#
+
+	domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
+	allow $2 $1_iceauth_t:fd use;
+	allow $1_iceauth_t $2:fd use;
+	allow $1_iceauth_t $2:fifo_file rw_file_perms;
+	allow $1_iceauth_t $2:process sigchld;
+
+	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
+	userdom_filetrans_user_home_dir($1,$1_iceauth_t,$1_iceauth_home_t,file)
+
+	allow $2 $1_iceauth_home_t:file manage_file_perms;
+	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
+
+	fs_search_auto_mountpoints($1_iceauth_t)
+
+	libs_use_ld_so($1_iceauth_t)
+	libs_use_shared_libs($1_iceauth_t)
+
+	userdom_use_user_terminals($1,$1_iceauth_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_iceauth_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_iceauth_t)
+	')
+
+	ifdef(`TODO',`
+	# Supress xdm trying to restore .ICEauthority permissions
+	ifdef(`xdm.te', `
+	dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
+	')
+	') dnl end TODO
 ')
 
 #######################################

refpolicy/policy/modules/services/xserver.te

@@ -6,6 +6,15 @@ policy_module(xserver,1.0.0)
 # Declarations
 #
 
+type ice_tmp_t;
+files_tmp_file(ice_tmp_t)
+
+type iceauth_exec_t;
+files_type(iceauth_exec_t)
+
+type xauth_exec_t;
+files_type(xauth_exec_t)
+
 # type for /var/lib/xkb
 type xkb_var_lib_t;
 files_config_file(xkb_var_lib_t)

refpolicy/policy/modules/system/miscfiles.te

@@ -25,12 +25,6 @@ files_config_file(fonts_t)
 type hwdata_t;
 files_type(hwdata_t)
 
-#
-# type for /tmp/.ICE-unix
-#
-type ice_tmp_t;
-files_tmp_file(ice_tmp_t)
-
 #
 # locale_t is the type for system localization
 #

refpolicy/policy/modules/system/userdomain.if

@@ -1633,6 +1633,49 @@ template(`userdom_create_user_home',`
 	')
 ')
 
+########################################
+## <summary>
+##	Create objects in a user home directory with
+##	a type transition to a specified type.
+## </summary>
+## <desc>
+##	<p>
+##	Create objects in a user home directory with
+##	a type transition to a specified type.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="private_type">
+##	The type of the object to create.  If this is
+##	not specified, the regular home directory
+##	type is used.
+## </param>
+## <param name="object_class">
+##	The class of the object to be created.  If not
+##	specified, file is used.
+## </param>
+#
+template(`userdom_filetrans_user_home_dir',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir rw_dir_perms;
+
+	type_transition $2 $1_home_dir_t:$4 $3;
+')
+
 ########################################
 ## <summary>
 ##      Write to user temporary named sockets.