policy mods for xfs (to support xfstt and xfs-xtt)

policy mods for xfs (to support xfstt and xfs-xtt)

[Luke Kenneth Casson Leighton]

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

i added quite a lot of fonts, two more xfont servers and also added
some non-free truetype fonts.

this resulted in a stack more mods needed to xfs.te.

xfstt and xfs-xtt behave a bit weird for example xfstt attempts
to delete /tmp/.font-unix.

a number of truetype fonts are symlinks.

also xfstt uses a cache which i assigned to the fonts_t type, this
may not be appropriate but i was in a hurry.

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


[-- Attachment #2: xfs --]
[-- Type: text/plain, Size: 2917 bytes --]

diff -Naur 
--- default.1.14/domains/program/xfs.te	2004-08-02 08:28:37.000000000 +0100
+++ current/domains/program/xfs.te	2004-08-17 19:10:23.000000000 +0100
@@ -24,6 +24,7 @@
 ')
 
 allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
+allow xfs_t { etc_runtime_t }:dir { getattr search };
 allow xfs_t proc_t:file { getattr read };
 
 allow xfs_t self:process setpgid;
@@ -38,5 +39,37 @@
 allow xfs_t xfs_t:unix_dgram_socket create_socket_perms;
 
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
-allow xfs_t fonts_t:dir search;
-allow xfs_t fonts_t:file { getattr read };
+# xfstt to access var/cache/xfstt and truetype somewhere
+allow xfs_t fonts_t:dir { getattr read search };
+allow xfs_t fonts_t:file { getattr read write };
+
+allow xfs_t var_lib_t:dir { search };
+	#EXE=/usr/X11R6/bin/xfs  NAME=lib   :  search
+
+allow xfs_t fonts_t:file { write };
+	#EXE=/usr/bin/xfstt  NAME=ttinfo.dir   :  write
+
+allow xfs_t tmp_t:dir { remove_name write };
+	#EXE=/usr/bin/xfstt  NAME=tmp   :  write
+	#EXE=/usr/bin/xfstt  NAME=tmp   :  write
+	#EXE=/usr/bin/xfstt  NAME=.font-unix   :  remove_name
+	#EXE=/usr/bin/xfstt  NAME=tmp   :  write
+	#EXE=/usr/bin/xfstt  NAME=.font-unix   :  remove_name
+
+allow xfs_t xfs_tmp_t:dir { remove_name rmdir search write };
+	#EXE=/usr/X11R6/bin/xfs  NAME=.font-unix   :  search
+	#EXE=/usr/X11R6/bin/xfs-xtt  NAME=.font-unix   :  search
+	#EXE=/usr/X11R6/bin/xfs  NAME=.font-unix   :  search
+	#EXE=/usr/X11R6/bin/xfs  NAME=.font-unix   :  write
+	#EXE=/usr/X11R6/bin/xfs  NAME=fs7100   :  remove_name
+	#EXE=/usr/bin/xfstt  NAME=.font-unix   :  rmdir
+	#EXE=/usr/X11R6/bin/xfs  NAME=.font-unix   :  search
+	#EXE=/usr/X11R6/bin/xfs  NAME=.font-unix   :  write
+	#EXE=/usr/X11R6/bin/xfs  NAME=fs7100   :  remove_name
+	#EXE=/usr/bin/xfstt  NAME=.font-unix   :  rmdir
+
+allow xfs_t fonts_t:lnk_file { read };
+	#EXE=/usr/X11R6/bin/xfs-xtt  NAME=luximb.ttf   :  read
+	#EXE=/usr/X11R6/bin/xfs-xtt  NAME=luximb.ttf   :  read
+	#EXE=/usr/X11R6/bin/xfs  NAME=luximb.ttf   :  read
+
diff -Naur 
--- default.1.14/file_contexts/program/xfs.fc	2004-08-02 08:28:37.000000000 +0100
+++ current/file_contexts/program/xfs.fc	2004-08-14 20:52:10.000000000 +0100
@@ -1,3 +1,5 @@
 # xfs
 /tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
 /usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
+/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
+/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t
diff -Naur 
--- default.1.14/file_contexts/types.fc	2004-08-02 08:28:37.000000000 +0100
+++ current/file_contexts/types.fc	2004-08-23 10:35:18.000000000 +0100
@@ -396,6 +404,8 @@
 # Fonts dir
 #
 /usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t
+/var/lib/msttcorefonts(/.*)?		system_u:object_r:fonts_t
+/var/cache/xfstt(/.*)?			system_u:object_r:fonts_t
 /usr/share/fonts(/.*)?			system_u:object_r:fonts_t
 /usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t
 

Re: policy mods for xfs (to support xfstt and xfs-xtt)

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 901 bytes --]

What is /usr/bin/xfs-xtt?  Contents-i386.gz doesn't list it.

+allow xfs_t { etc_runtime_t }:dir { getattr search };

There should not be a directory of type etc_runtime_t (there is no 
file_contexts entry for it).

What is /var/cache/xfstt?  The name implies that xfs would write to it, in 
which case fonts_t is not the appropriate type label.  Changing the policy to 
allow xfs_t to write to fonts_t changes the way things work.  I think that we 
probably need different types for read-only files and writable files.

I've put a few things from your patch in my tree and attached the relevant 
files in a tgz so we can work from the same base.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: xfs.tgz --]
[-- Type: application/x-tgz, Size: 4599 bytes --]

Re: policy mods for xfs (to support xfstt and xfs-xtt)

[Luke Kenneth Casson Leighton]

On Wed, Aug 25, 2004 at 09:24:12PM +1000, Russell Coker wrote:
> What is /usr/bin/xfs-xtt?  Contents-i386.gz doesn't list it.
 
 apt-cache show xfs-xtt:

	Description: X-TrueType font server
	This package provide X-TrueType font server. This is compatible
	normal X font server, but added X-TrueType font handling scheme
	support instead of FreeType backend. XFree86 4.0's font server
	can handle TrueType too, but it can not handle TTCap. By
	using TTCap description, support for font transformations,
	such as slanting, adjusting glyph width, pseudo-bolding, etc.
	.
	xfs-xtt is a daemon that listens on a network port and serves X
	fonts to X servers (and thus to X clients).  All X servers have
	the ability to serve locally installed fonts for themselves,
	but xfs makes it possible to offload that job from the X server,
	and/or have a central repository of fonts on a networked machine
	running xfs so that all the machines running X servers on a
	network do not require their own set of fonts.  xfs may also
	be invoked by users to, for instance, make available X fonts
	in user accounts that are not available to the X server or to
	an already running system xfs-xtt.


 apt-cache show xfstt:

 Description: TrueType Font Server for X11
	xfstt means "X11 Font Server for TT fonts".  TT fonts
	are generally regarded to be the best scalable fonts for
	displays. Applications needing scalable fonts that are to be
	displayed on a screen benefit most.  This server will allow
	X11 applications to use the exact same fonts as the TrueType
	fonts used on most Windows Machines.  NB: This package contains
	NO FONTS. They MUST be obtained separately


 i just installed them both.
 
 well... actually i installed all the font servers i could find.

 maybe i shouldn't have, but i don't care, they're there, ItWorks,
 ItAin'tBroken, IAintGonnaTouchItUnlessItBreaks.


> +allow xfs_t { etc_runtime_t }:dir { getattr search };
> 
> There should not be a directory of type etc_runtime_t (there is no 
> file_contexts entry for it).

 oops!

> What is /var/cache/xfstt?  

 i _really_ don't know!  i was in a hurry!

> The name implies that xfs would write to it, in 
> which case fonts_t is not the appropriate type label.  Changing the policy to 
> allow xfs_t to write to fonts_t changes the way things work.  I think that we 
> probably need different types for read-only files and writable files.
> 
> I've put a few things from your patch in my tree and attached the relevant 
> files in a tgz so we can work from the same base.

 ack.

 ta.  will be in a position to look at it on saturday.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy mods for xfs (to support xfstt and xfs-xtt)

[Erich Schubert]

Hi,
are you aware that X11 does support TrueType fonts out of the box since
version 4, removing the need for a truetype font server?

In fact, in my experience it is best to avoid using font servers unless
you have a reason to do so (for example with thin clients, where you do
not want or maybe even cannot copy the fonts to the xserver itself)

I'd suggest you to only install and use stuff that is needed. The more
you install, the more resources are needed, the longer the startup
takes, and the more likely security issues will arise. (Even when a
security issue with the font server is likely do be limited in damage by
selinux, you still do not want it)

Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
       Die einzige Hoffnung auf Freude liegt in den menschlichen       V_/_
               Beziehungen. --- Antoine de Saint-Exupéry



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy mods for xfs (to support xfstt and xfs-xtt)

[Luke Kenneth Casson Leighton]

On Thu, Aug 26, 2004 at 12:16:08AM +0200, Erich Schubert wrote:
> Hi,
> are you aware that X11 does support TrueType fonts out of the box since
> version 4, removing the need for a truetype font server?
 
 *lol*.

 noooo :)

> In fact, in my experience it is best to avoid using font servers unless
> you have a reason to do so (for example with thin clients, where you do
> not want or maybe even cannot copy the fonts to the xserver itself)
> 
> I'd suggest you to only install and use stuff that is needed. The more
> you install, the more resources are needed, the longer the startup
> takes, and the more likely security issues will arise. (Even when a
> security issue with the font server is likely do be limited in damage by
> selinux, you still do not want it)

 okay, i get rid of them.

 thanks.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.