From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Xserver 1/1] The xserver module is not in base.
Date: Fri, 03 Sep 2010 10:59:19 -0400	[thread overview]
Message-ID: <4C810D47.7080204@tresys.com> (raw)
In-Reply-To: <20100903105326.GA22748@localhost.localdomain>

On 09/03/10 06:53, Dominick Grift wrote:
> The xserver module is not in base.
> That must mean its use is optional.
> Move all external xserver interfaces to optional policy blocks.

Not being required in base doesn't necessarily mean that it should be 
optional in all policies that call it.  For example, Evolution won't 
work without it, thus it's mandatory for Evolution and not optional.

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 5d3d45c... 521f16d... M	policy/modules/apps/evolution.te
> :100644 100644 cbf4bec... 7266190... M	policy/modules/apps/mozilla.te
> :100644 100644 815a467... e6dc43a... M	policy/modules/apps/mplayer.te
> :100644 100644 794c0be... c75a7ce... M	policy/modules/apps/thunderbird.te
> :100644 100644 1f803bb... 8524075... M	policy/modules/apps/vmware.te
> :100644 100644 1bdeb16... a4d2bc5... M	policy/modules/apps/xscreensaver.te
> :100644 100644 0f262a7... ca59bdb... M	policy/modules/services/rhgb.te
> :100644 100644 e226da4... 5216d19... M	policy/modules/services/xserver.te
> :100644 100644 8b4f6d8... cf5f157... M	policy/modules/system/userdomain.if
>   policy/modules/apps/evolution.te    |   26 +++++++++++++++++---------
>   policy/modules/apps/mozilla.te      |   10 ++++++----
>   policy/modules/apps/mplayer.te      |    6 ++++--
>   policy/modules/apps/thunderbird.te  |   10 ++++++----
>   policy/modules/apps/vmware.te       |    4 +++-
>   policy/modules/apps/xscreensaver.te |    5 ++++-
>   policy/modules/services/rhgb.te     |   20 +++++++++++---------
>   policy/modules/services/xserver.te  |    2 +-
>   policy/modules/system/userdomain.if |   30 ++++++++++++++++++------------
>   9 files changed, 70 insertions(+), 43 deletions(-)
>
> diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
> index 5d3d45c..521f16d 100644
> --- a/policy/modules/apps/evolution.te
> +++ b/policy/modules/apps/evolution.te
> @@ -223,9 +223,6 @@ userdom_dontaudit_read_user_home_content_files(evolution_t)
>
>   mta_read_config(evolution_t)
>
> -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
> -xserver_read_xdm_tmp_files(evolution_t)
> -
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_dirs(evolution_t)
>   	fs_manage_nfs_files(evolution_t)
> @@ -340,6 +337,11 @@ optional_policy(`
>   	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
>   ')
>
> +optional_policy(`
> +	xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
> +	xserver_read_xdm_tmp_files(evolution_t)
> +')
> +
>   ########################################
>   #
>   # Evolution alarm local policy
> @@ -385,8 +387,6 @@ userdom_search_user_home_dirs(evolution_alarm_t)
>   # until properly implemented
>   userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
>
> -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
> -
>   # Access evolution home
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_files(evolution_alarm_t)
> @@ -408,6 +408,10 @@ optional_policy(`
>   	nscd_socket_use(evolution_alarm_t)
>   ')
>
> +optional_policy(`
> +	xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
> +')
> +
>   ########################################
>   #
>   # Evolution exchange connector local policy
> @@ -469,8 +473,6 @@ userdom_search_user_home_dirs(evolution_exchange_t)
>   # until properly implemented
>   userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
>
> -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
> -
>   # Access evolution home
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_files(evolution_exchange_t)
> @@ -488,6 +490,10 @@ optional_policy(`
>   	nscd_socket_use(evolution_exchange_t)
>   ')
>
> +optional_policy(`
> +	xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
> +')
> +
>   ########################################
>   #
>   # Evolution data server local policy
> @@ -611,8 +617,10 @@ userdom_search_user_home_dirs(evolution_webcal_t)
>   # until properly implemented
>   userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
>
> -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
> -
>   optional_policy(`
>   	nscd_socket_use(evolution_webcal_t)
>   ')
> +
> +optional_policy(`
> +	xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index cbf4bec..7266190 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -143,10 +143,6 @@ sysnet_dns_name_resolve(mozilla_t)
>
>   userdom_use_user_ptys(mozilla_t)
>
> -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> -xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
> -
>   tunable_policy(`allow_execmem',`
>   	allow mozilla_t self:process { execmem execstack };
>   ')
> @@ -266,3 +262,9 @@ optional_policy(`
>   optional_policy(`
>   	thunderbird_domtrans(mozilla_t)
>   ')
> +
> +optional_policy(`
> +	xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> +	xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> +	xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
> +')
> diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
> index 815a467..e6dc43a 100644
> --- a/policy/modules/apps/mplayer.te
> +++ b/policy/modules/apps/mplayer.te
> @@ -234,8 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
>   userdom_read_user_home_content_symlinks(mplayer_t)
>   userdom_write_user_tmp_sockets(mplayer_t)
>
> -xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> -
>   # Read songs
>   ifdef(`enable_mls',`',`
>   	fs_search_removable(mplayer_t)
> @@ -309,3 +307,7 @@ optional_policy(`
>   	pulseaudio_exec(mplayer_t)
>   	pulseaudio_stream_connect(mplayer_t)
>   ')
> +
> +optional_policy(`
> +	xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
> index 794c0be..c75a7ce 100644
> --- a/policy/modules/apps/thunderbird.te
> +++ b/policy/modules/apps/thunderbird.te
> @@ -109,10 +109,6 @@ userdom_manage_user_tmp_sockets(thunderbird_t)
>   # .kde/....gtkrc
>   userdom_read_user_home_content_files(thunderbird_t)
>
> -xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
> -xserver_read_xdm_tmp_files(thunderbird_t)
> -xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
> -
>   # Access ~/.thunderbird
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_dirs(thunderbird_t)
> @@ -208,3 +204,9 @@ optional_policy(`
>   	mozilla_domtrans(thunderbird_t)
>   	mozilla_dbus_chat(thunderbird_t)
>   ')
> +
> +optional_policy(`
> +	xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
> +	xserver_read_xdm_tmp_files(thunderbird_t)
> +	xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
> +')
> diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
> index 1f803bb..8524075 100644
> --- a/policy/modules/apps/vmware.te
> +++ b/policy/modules/apps/vmware.te
> @@ -278,4 +278,6 @@ userdom_read_user_home_content_files(vmware_t)
>   sysnet_dns_name_resolve(vmware_t)
>   sysnet_read_config(vmware_t)
>
> -xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
> +optional_policy(`
> +	xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
> +')
> diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
> index 1bdeb16..a4d2bc5 100644
> --- a/policy/modules/apps/xscreensaver.te
> +++ b/policy/modules/apps/xscreensaver.te
> @@ -41,4 +41,7 @@ userdom_use_user_ptys(xscreensaver_t)
>   #access to .icons and ~/.xscreensaver
>   userdom_read_user_home_content_files(xscreensaver_t)
>
> -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +optional_policy(`
> +	xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
> +')
> +
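Review bot: Style: the xscreensaver.te hunk adds a trailing empty line after the closing `')` at end of file (the last `+` line), whereas the otherwise identical vmware.te hunk ends at `')`. Drop the extra blank line so the two files are wrapped the same way and no whitespace-only change rides along with the functional one.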
> diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
> index 0f262a7..ca59bdb 100644
> --- a/policy/modules/services/rhgb.te
> +++ b/policy/modules/services/rhgb.te
> @@ -110,15 +110,6 @@ sysnet_domtrans_ifconfig(rhgb_t)
>   userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
>   userdom_dontaudit_search_user_home_content(rhgb_t)
>
> -xserver_read_tmp_files(rhgb_t)
> -xserver_kill(rhgb_t)
> -# for running setxkbmap
> -xserver_read_xkb_libs(rhgb_t)
> -xserver_domtrans(rhgb_t)
> -xserver_signal(rhgb_t)
> -xserver_read_xdm_tmp_files(rhgb_t)
> -xserver_stream_connect(rhgb_t)
> -
>   optional_policy(`
>   	consoletype_exec(rhgb_t)
>   ')
> @@ -135,6 +126,17 @@ optional_policy(`
>   	udev_read_db(rhgb_t)
>   ')
>
> +optional_policy(`
> +	xserver_read_tmp_files(rhgb_t)
> +	xserver_kill(rhgb_t)
> +	# for running setxkbmap
> +	xserver_read_xkb_libs(rhgb_t)
> +	xserver_domtrans(rhgb_t)
> +	xserver_signal(rhgb_t)
> +	xserver_read_xdm_tmp_files(rhgb_t)
> +	xserver_stream_connect(rhgb_t)
> +')
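Review bot: The rhgb.te block moved into `optional_policy` contains `xserver_domtrans(rhgb_t)`, and wrapping a domain transition changes the failure mode rather than just availability: if the xserver module is absent, rhgb_t's execution of the X server (which, as far as I can tell, is what rhgb does) no longer transitions to the xserver domain and is either denied or, if rhgb_t may execute the binary under its fallback label, runs with rhgb_t's own permissions. That makes this a stronger coupling than the read/dontaudit calls in the apps modules, so if the wrap is kept the consequence should be recorded next to it, e.g. `# xserver_domtrans: without the xserver module the X server is not confined separately from rhgb_t`. The earlier rhgb.te hunk only removes the lines re-added here.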
> +
>   ifdef(`TODO',`
>   	#this seems a bit much
>   	allow domain rhgb_devpts_t:chr_file { read write };
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index e226da4..5216d19 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -494,7 +494,7 @@ tunable_policy(`use_samba_home_dirs',`
>   tunable_policy(`xdm_sysadm_login',`
>   	userdom_xsession_spec_domtrans_all_users(xdm_t)
>   	# FIXME:
> -#	xserver_rw_session_template(xdm,userdomain)
> +	#	xserver_rw_session_template(xdm,userdomain)
>   ',`
>   	userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
>   	# FIXME:
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 8b4f6d8..cf5f157 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -431,16 +431,18 @@ template(`userdom_xwindows_client_template',`
>   	# GNOME checks for usb and other devices:
>   	dev_rw_usbfs($1_t)
>
> -	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> -	xserver_xsession_entry_type($1_t)
> -	xserver_dontaudit_write_log($1_t)
> -	xserver_stream_connect_xdm($1_t)
> -	# certain apps want to read xdm.pid file
> -	xserver_read_xdm_pid($1_t)
> -	# gnome-session creates socket under /tmp/.ICE-unix/
> -	xserver_create_xdm_tmp_sockets($1_t)
> -	# Needed for escd, remove if we get escd policy
> -	xserver_manage_xdm_tmp_files($1_t)
> +	optional_policy(`
> +		xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
> +		xserver_xsession_entry_type($1_t)
> +		xserver_dontaudit_write_log($1_t)
> +		xserver_stream_connect_xdm($1_t)
> +		# certain apps want to read xdm.pid file
> +		xserver_read_xdm_pid($1_t)
> +		# gnome-session creates socket under /tmp/.ICE-unix/
> +		xserver_create_xdm_tmp_sockets($1_t)
> +		# Needed for escd, remove if we get escd policy
> +		xserver_manage_xdm_tmp_files($1_t)
> +	')
>   ')
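Review bot: The commit message says all external xserver interface calls move into `optional_policy` blocks, but the two later userdomain.if hunks (at `userdom_xsession_spec_domtrans_all_users` and `userdom_xsession_spec_domtrans_unpriv_users`) only add a blank line and leave `xserver_xsession_spec_domtrans($1, userdomain)` and `xserver_xsession_spec_domtrans($1, unpriv_userdomain)` unconditional. Either those calls should get the same treatment, or the description should say why those interfaces are exempt; the xserver.te hunk shows both being called from inside xserver.te, so if the reasoning is that the module is necessarily present there, a one-line comment such as `# only called from xserver.te, so the xserver module is loaded` above each call would save the next reader the search. The template `userdom_xwindows_client_template` that this hunk edits starts outside the hunk.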
>
>   #######################################
> @@ -881,8 +883,6 @@ template(`userdom_restricted_xwindows_user_template',`
>   	logging_send_audit_msgs($1_t)
>   	selinux_get_enforce_mode($1_t)
>
> -	xserver_restricted_role($1_r, $1_t)
> -
>   	optional_policy(`
>   		alsa_read_rw_config($1_t)
>   	')
> @@ -907,6 +907,10 @@ template(`userdom_restricted_xwindows_user_template',`
>   	optional_policy(`
>   		setroubleshoot_dontaudit_stream_connect($1_t)
>   	')
> +
> +	optional_policy(`
> +		xserver_restricted_role($1_r, $1_t)
> +	')
>   ')
>
>   #######################################
> @@ -2674,6 +2678,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
>   	')
>
>   	xserver_xsession_spec_domtrans($1, userdomain)
> +
>   	allow userdomain $1:fd use;
>   	allow userdomain $1:fifo_file rw_file_perms;
>   	allow userdomain $1:process sigchld;
> @@ -2720,6 +2725,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
>   	')
>
>   	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
> +
>   	allow unpriv_userdomain $1:fd use;
>   	allow unpriv_userdomain $1:fifo_file rw_file_perms;
>   	allow unpriv_userdomain $1:process sigchld;
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

