diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7078d54..99c7778 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Merge xdm into xserver.
 - Remove kernel module reversed interfaces.
 - Add filename attribute to module XML tag and lineno attribute to interface XML tag.
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 76b7bb3..1dbfc75 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -215,4 +215,7 @@ gen_tunable(user_ttyfile_stat,false)
 ## If this is disallowed, no Internet content
 ## will be stored.
 gen_tunable(write_untrusted_content,false)
+
+## Allow xdm logins as sysadm
+gen_tunable(xdm_sysadm_login,false)
 ')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index e3264e0..7dbb20b 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -3024,6 +3024,23 @@ interface(`files_search_spool',`
 ')
 
 ########################################
+##
+## Do not audit attempts to search generic
+## spool directories.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_search_spool',`
+ gen_require(`
+ type var_spool_t;
+ ')
+
+ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
 #
 # files_list_spool(domain)
 #
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index a9451c9..f20330b 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
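Review bot: `gen_tunable(xdm_sysadm_login,false)` is introduced with the single line `## Allow xdm logins as sysadm`, whereas the surrounding entries (see `write_untrusted_content` just above) explain what each setting permits and what is lost when it is off, and nothing in this line conveys that it is a privilege-widening switch. The code that consumes the tunable is not in this chunk; the deleted xdm.te used a bool of the same name to transition display-manager sessions into sysadm_t, so the description should say that, e.g. `## Allow xdm logins as sysadm.  When enabled the display manager can start` / `## an X session in the sysadm domain; keep it disabled unless administrators` / `## must log in graphically.`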
@@ -595,6 +595,17 @@ interface(`mta_getattr_spool',`
 allow $1 mail_spool_t:file getattr;
 ')
 
+interface(`mta_dontaudit_getattr_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search;
+ dontaudit $1 mail_spool_t:lnk_file read;
+ dontaudit $1 mail_spool_t:file getattr;
+')
+
 #######################################
 ##
 ## Create private objects in the
diff --git a/refpolicy/policy/modules/services/xdm.fc b/refpolicy/policy/modules/services/xdm.fc
deleted file mode 100644
index 8cc4f02..0000000
--- a/refpolicy/policy/modules/services/xdm.fc
+++ /dev/null
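Review bot: `mta_dontaudit_getattr_spool` is added without the `########`/`##` documentation header that every other new interface in this diff carries (compare `files_dontaudit_search_spool` and `xfs_stream_connect`), so the XML interface documentation this Changelog extends will have no summary or parameter entry for it. A header in the existing style would do: summary `## Do not audit attempts to get the attributes of mail spool files.` with the `domain` parameter described as `## Domain to not audit.`. The body also silences `dir search` and `lnk_file read` on `mail_spool_t`, which the name does not suggest; mentioning that in the summary avoids surprising callers who expect only the getattr denial to be hidden.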
@@ -1,32 +0,0 @@ - -/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) - -/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) - -/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/[wx]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) - -/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0) - -/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) - -/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - -ifdef(`distro_suse',` -/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -') - -/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/xdm.if b/refpolicy/policy/modules/services/xdm.if deleted file mode 100644 index 4c29517..0000000 --- a/refpolicy/policy/modules/services/xdm.if +++ /dev/null @@ -1 +0,0 @@ -## X windows login display manager 
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te deleted file mode 100644 index ea49d15..0000000 --- a/refpolicy/policy/modules/services/xdm.te +++ /dev/null 
@@ -1,440 +0,0 @@ - -policy_module(xdm,1.1.3) - -######################################## -# -# Declarations -# - -type xdm_t; - -# real declaration moved to mls until -# range_transition works in loadable modules -gen_require(` - type xdm_exec_t; -') -init_domain(xdm_t,xdm_exec_t) -init_daemon_domain(xdm_t,xdm_exec_t) - -type xsession_exec_t; -files_type(xsession_exec_t) - -type xdm_xserver_tmp_t; -files_type(xdm_xserver_tmp_t) - -type xdm_lock_t; -files_lock_file(xdm_lock_t) - -type xdm_rw_etc_t; -files_type(xdm_rw_etc_t) - -type xdm_var_lib_t; -files_type(xdm_var_lib_t) - -type xdm_var_run_t; -files_type(xdm_var_run_t) - -type xdm_tmp_t; -files_tmp_file(xdm_tmp_t) - -type xdm_tmpfs_t; -files_tmpfs_file(xdm_tmpfs_t) - -######################################## -# -# Local policy -# - -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms }; -allow xdm_t self:fifo_file rw_file_perms; -allow xdm_t self:shm create_shm_perms; -allow xdm_t self:sem create_sem_perms; -allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow xdm_t self:unix_dgram_socket create_socket_perms; -allow xdm_t self:tcp_socket create_stream_socket_perms; -allow xdm_t self:udp_socket create_socket_perms; - -# Allow gdm to run gdm-binary -can_exec(xdm_t, xdm_exec_t) - -# wdm has its own config dir /etc/X11/wdm -# this is ugly, daemons should not create files under /etc! 
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms; -allow xdm_t xdm_rw_etc_t:file create_file_perms; - -allow xdm_t xdm_var_run_t:dir setattr; -# for xdmctl -allow xdm_t xdm_var_run_t:fifo_file create_file_perms; - -kernel_read_system_state(xdm_t) -kernel_read_kernel_sysctl(xdm_t) - -corecmd_exec_shell(xdm_t) -corecmd_exec_bin(xdm_t) -corecmd_exec_sbin(xdm_t) - -corenet_tcp_sendrecv_generic_if(xdm_t) -corenet_udp_sendrecv_generic_if(xdm_t) -corenet_raw_sendrecv_generic_if(xdm_t) -corenet_tcp_sendrecv_all_nodes(xdm_t) -corenet_udp_sendrecv_all_nodes(xdm_t) -corenet_raw_sendrecv_all_nodes(xdm_t) -corenet_tcp_sendrecv_all_ports(xdm_t) -corenet_udp_sendrecv_all_ports(xdm_t) -corenet_non_ipsec_sendrecv(xdm_t) -corenet_tcp_bind_all_nodes(xdm_t) -corenet_udp_bind_all_nodes(xdm_t) -corenet_tcp_connect_all_ports(xdm_t) -# xdm tries to bind to biff_port_t -corenet_dontaudit_tcp_bind_all_ports(xdm_t) - -dev_read_rand(xdm_t) -dev_read_urand(xdm_t) -dev_read_sysfs(xdm_t) -dev_getattr_framebuffer(xdm_t) -dev_setattr_framebuffer(xdm_t) -dev_getattr_mouse(xdm_t) -dev_setattr_mouse(xdm_t) -dev_rw_apm_bios(xdm_t) -dev_setattr_apm_bios(xdm_t) -dev_rw_dri_dev(xdm_t) -dev_rw_agp_dev(xdm_t) -dev_getattr_xserver_misc_dev(xdm_t) -dev_setattr_xserver_misc_dev(xdm_t) -dev_getattr_misc(xdm_t) -dev_setattr_misc(xdm_t) -dev_dontaudit_rw_misc(xdm_t) -dev_getattr_video_dev(xdm_t) -dev_setattr_video_dev(xdm_t) -dev_getattr_scanner(xdm_t) -dev_setattr_scanner(xdm_t) -dev_getattr_snd_dev(xdm_t) -dev_setattr_snd_dev(xdm_t) -dev_getattr_power_management(xdm_t) -dev_setattr_power_management(xdm_t) - -domain_use_wide_inherit_fd(xdm_t) -# Do not audit denied probes of /proc. -domain_dontaudit_read_all_domains_state(xdm_t) - -files_read_etc_files(xdm_t) -files_read_etc_runtime_files(xdm_t) -files_exec_etc_files(xdm_t) -files_list_mnt(xdm_t) -# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... 
-files_read_usr_files(xdm_t) -# Poweroff wants to create the /poweroff file when run from xdm -files_create_boot_flag(xdm_t) - -fs_getattr_all_fs(xdm_t) -fs_search_auto_mountpoints(xdm_t) - -selinux_get_fs_mount(xdm_t) -selinux_validate_context(xdm_t) -selinux_compute_access_vector(xdm_t) -selinux_compute_create_context(xdm_t) -selinux_compute_relabel_context(xdm_t) -selinux_compute_user_contexts(xdm_t) - -storage_dontaudit_read_fixed_disk(xdm_t) -storage_dontaudit_write_fixed_disk(xdm_t) -storage_dontaudit_setattr_fixed_disk(xdm_t) -storage_dontaudit_raw_read_removable_device(xdm_t) -storage_dontaudit_raw_write_removable_device(xdm_t) -storage_dontaudit_setattr_removable_device(xdm_t) -storage_dontaudit_rw_scsi_generic(xdm_t) - -term_setattr_console(xdm_t) -term_dontaudit_use_console(xdm_t) -term_use_unallocated_tty(xdm_t) -term_setattr_unallocated_ttys(xdm_t) - -auth_rw_lastlog(xdm_t) -auth_read_login_records(xdm_t) -auth_append_login_records(xdm_t) -auth_manage_pam_pid(xdm_t) -auth_exec_pam(xdm_t) -auth_manage_pam_console_data(xdm_t) - -init_rw_utmp(xdm_t) -init_use_script_pty(xdm_t) -# Run telinit->init to shutdown. -init_exec(xdm_t) -init_write_initctl(xdm_t) - -libs_use_ld_so(xdm_t) -libs_use_shared_libs(xdm_t) -libs_exec_lib_files(xdm_t) - -logging_send_syslog_msg(xdm_t) -logging_read_generic_logs(xdm_t) - -miscfiles_read_localization(xdm_t) -miscfiles_read_fonts(xdm_t) - -seutil_read_config(xdm_t) -seutil_read_default_contexts(xdm_t) - -sysnet_read_config(xdm_t) - -userdom_dontaudit_use_unpriv_user_fd(xdm_t) -userdom_dontaudit_search_sysadm_home_dir(xdm_t) -# for .dmrc -userdom_read_unpriv_user_home_files(xdm_t) -# Search /proc for any user domain processes. 
-userdom_read_all_userdomains_state(xdm_t) - -ifdef(`strict_policy',` - allow xdm_t xdm_lock_t:file create_file_perms; - files_filetrans_lock(xdm_t,xdm_lock_t) - - allow xdm_t xdm_tmp_t:dir create_dir_perms; - allow xdm_t xdm_tmp_t:file create_file_perms; - allow xdm_t xdm_tmp_t:file create_file_perms; - files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file }) - - allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; - allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - - allow xdm_t xdm_var_lib_t:file create_file_perms; - allow xdm_t xdm_var_lib_t:dir create_dir_perms; - files_filetrans_var_lib(xdm_t,xdm_var_lib_t) - - allow xdm_t xdm_var_run_t:dir manage_dir_perms; - allow xdm_t xdm_var_run_t:fifo_file manage_file_perms; - files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file }) - - domain_subj_id_change_exempt(xdm_t) - domain_role_change_exempt(xdm_t) - domain_obj_id_change_exempt(xdm_t) - - auth_domtrans_chk_passwd(xdm_t) - auth_domtrans_pam_console(xdm_t) - - xserver_dontaudit_read_all_users_iceauth(xdm_t) - - optional_policy(`alsa',` - alsa_domtrans(xdm_t) - ') -') - -ifdef(`targeted_policy',` - allow xdm_t self:process { execheap execmem }; - unconfined_domain_template(xdm_t) - unconfined_domtrans(xdm_t) -') - -optional_policy(`gpm',` - # Talk to the console mouse server. 
- gpm_stream_connect(xdm_t) - gpm_setattr_gpmctl(xdm_t) -') - -optional_policy(`hostname',` - hostname_exec(xdm_t) -') - -optional_policy(`loadkeys',` - loadkeys_exec(xdm_t) -') - -optional_policy(`locallogin',` - locallogin_signull(xdm_t) -') - -optional_policy(`nscd',` - nscd_use_socket(xdm_t) -') - -optional_policy(`selinuxutil',` - seutil_sigchld_newrole(xdm_t) -') - -optional_policy(`udev',` - udev_read_db(xdm_t) -') - -optional_policy(`userhelper',` - userhelper_dontaudit_search_config(xdm_t) -') - -optional_policy(`usermanage',` - usermanage_read_crack_db(xdm_t) -') - -ifdef(`TODO',` -# cjp: TODO: integrate strict policy: -allow initrc_t xdm_var_run_t:fifo_file unlink; - -# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open -# handle of a file inside the dir!!! -allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; -dontaudit xdm_xserver_t xdm_var_lib_t:dir search; -allow xdm_xserver_t xdm_var_run_t:file { getattr read }; - -allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms; -allow xdm_t xdm_xserver_t:process signal; -allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; -allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; -allow xdm_xserver_t xdm_t:process signal; - -# init script wants to check if it needs to update windowmanagerlist -allow initrc_t xdm_rw_etc_t:file { getattr read }; -ifdef(`distro_suse', ` -# set permissions on /tmp/.X11-unix -allow initrc_t xdm_tmp_t:dir setattr; -') - -# Transition to user domains for user sessions. 
-domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) -allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; -allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; -allow unpriv_userdomain xdm_xserver_t:fd use; -allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; -allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; -allow xdm_xserver_t unpriv_userdomain:fd use; - -# Do not audit user access to the X log files due to file handle inheritance -dontaudit unpriv_userdomain xserver_log_t:file { write append }; - -# gnome-session creates socket under /tmp/.ICE-unix/ -allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms; -allow unpriv_userdomain xdm_tmp_t:sock_file create; - -# Allow xdm logins as sysadm_r:sysadm_t -bool xdm_sysadm_login false; -if (xdm_sysadm_login) { -domain_trans(xdm_t, xsession_exec_t, sysadm_t) -allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; -allow sysadm_t xdm_xserver_t:shm r_shm_perms; -allow sysadm_t xdm_xserver_t:fd use; -allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read }; -allow xdm_xserver_t sysadm_t:shm rw_shm_perms; -allow xdm_xserver_t sysadm_t:fd use; -} - -# Label pid and temporary files with derived types. -rw_dir_create_file(xdm_xserver_t, xdm_tmp_t) -allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms; - -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; - -allow xdm_t device_t:dir rw_dir_perms; -can_resmgrd_connect(xdm_t) - -# Access xdm log files. -file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file) -allow xdm_t xserver_log_t:dir rw_dir_perms; -allow xdm_t xserver_log_t:dir setattr; -# Access /var/gdm/.gdmfifo. 
-allow xdm_t xserver_log_t:fifo_file create_file_perms; - -allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; -allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; -allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; -allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; -allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; -allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; - -# Remove /tmp/.X11-unix/X0. -allow xdm_t xdm_xserver_tmp_t:dir { remove_name write }; -allow xdm_t xdm_xserver_tmp_t:sock_file unlink; - -# Need to further investigate these permissions and -# perhaps define derived types. -allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; -allow xdm_t var_lib_t:file { create write unlink }; - -# Connect to xfs. -ifdef(`xfs.te', ` -allow xdm_t xfs_tmp_t:dir search; -allow xdm_t xfs_tmp_t:sock_file write; -can_unix_connect(xdm_t, xfs_t) -') - -# Signal any user domain. -allow xdm_t userdomain:process signal_perms; - -# Do not audit denied attempts to access devices. -dontaudit xdm_t devpts_t:dir search; - -# Do not audit attempts to write to index files under /usr -dontaudit xdm_t usr_t:file write; - -# Do not audit user access to the X log files due to file handle inheritance -dontaudit unpriv_userdomain xserver_log_t:file { write append }; - -# Do not audit attempts to check whether user root has email -dontaudit xdm_t { var_spool_t mail_spool_t }:dir search; -dontaudit xdm_t mail_spool_t:file getattr; - -# Run the X server in a derived domain. -xserver_domain(xdm) - -ifdef(`rhgb.te', ` -allow xdm_xserver_t ramfs_t:dir rw_dir_perms; -allow xdm_xserver_t ramfs_t:file create_file_perms; -allow rhgb_t xdm_xserver_t:process signal; -') - -# Insert video drivers. -allow insmod_t xserver_log_t:file write; -allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; - -# Search /var/run. 
-allow xdm_xserver_t var_run_t:dir search; - -# FIXME: After per user fonts are properly working -# xdm_xserver_t may no longer have any reason -# to read ROLE_home_t - examine this in more detail -# (xauth?) - -# Search home directories. -allow xdm_xserver_t home_root_t:dir search; -allow xdm_xserver_t user_home_type:dir search; -allow xdm_xserver_t user_home_type:file { getattr read }; - -if (use_nfs_home_dirs) { -allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr }; -allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms; -allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms; -can_exec(xdm_t, nfs_t) -} - -if (use_samba_home_dirs) { -allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms; -allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms; -can_exec(xdm_t, cifs_t) -} - -ifdef(`support_polyinstatiation', ` -# xdm_t can polyinstantiate -files_polyinstantiate_all(xdm_t) -# xdm needs access for linking .X11-unix to poly /tmp -allow xdm_t polymember:dir { add_name remove_name write }; -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -') - -# -# Wants to delete .xsession-errors file -# -allow xdm_t user_home_type:file unlink; -# -# Should fix exec of pam_timestamp_check is not closing xdm file descriptor -# -allow pam_t xdm_t:fifo_file { getattr ioctl write }; - -# VNC v4 module in X server -corenet_tcp_bind_vnc_port(xdm_xserver_t) - -# Supress permission check on .ICE-unix -dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; -') dnl end TODO diff --git a/refpolicy/policy/modules/services/xfs.if b/refpolicy/policy/modules/services/xfs.if index 676a628..93e0241 100644 --- a/refpolicy/policy/modules/services/xfs.if +++ b/refpolicy/policy/modules/services/xfs.if 
@@ -17,3 +17,23 @@ interface(`xfs_read_socket',`
 allow $1 xfs_tmp_t:dir search;
 allow $1 xfs_tmp_t:sock_file { getattr read };
 ')
+
+########################################
+##
+## Connect to a X font server over
+## a unix domain stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`xfs_stream_connect',`
+ gen_require(`
+ type xfs_tmp_t, xfs_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir search;
+ allow $1 xfs_tmp_t:sock_file write;
+ allow $1 xfs_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 5277385..79bc20c 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -1,17 +1,59 @@ - +# +# HOME_DIR +# +ifdef(`strict',` HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) +') + +# +# /etc +# /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) +/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) + +/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/[wx]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) +/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) + +# +# /opt +# + +/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0) + +# +# /tmp +# + /tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0) /tmp/\.ICE-unix/.* -s <> +/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> +# +# /usr +# + +/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + +/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + /usr/var/[xgkw]dm(/.*)? 
gen_context(system_u:object_r:xserver_log_t,s0) +/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) @@ -23,11 +65,23 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) +# +# /var +# + /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) /var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) + +/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +ifdef(`distro_suse',` +/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) +') diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if index 37de6fb..37ac35e 100644 --- a/refpolicy/policy/modules/services/xserver.if +++ b/refpolicy/policy/modules/services/xserver.if @@ -6,9 +6,6 @@ template(`xserver_common_domain_template',` # # Declarations # - gen_require(` - type xkb_var_lib_t, xserver_log_t; - ') type $1_xserver_t; domain_type($1_xserver_t) 
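Review bot: The HOME_DIR entries are now wrapped in `ifdef(`strict',`, but every other conditional in this diff spells the macro `strict_policy` (xserver.te's new `ifdef(`strict_policy',` and the deleted xdm.te's). Unless `strict` is defined somewhere in the build, the `.ICEauthority`/`.xauth`/`.Xauthority` contexts are dropped from the generated file_contexts and the per-user xauth home types are never applied; the line should read `ifdef(`strict_policy',`. In the second hunk of this file, the SUSE `/var/lib/pam_devperm/:0` entry is appended after the `/var/run` lines although the new section headers sort entries by path; placing it next to `/var/lib/[xkw]dm(/.*)?` keeps the `/var` section ordered.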
@@ -52,6 +49,9 @@ template(`xserver_common_domain_template',` allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms; files_filetrans_tmp($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file }) + allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms; + type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t; + allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms; allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms; allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms; @@ -151,6 +151,10 @@ template(`xserver_common_domain_template',` nscd_use_socket($1_xserver_t) ') + optional_policy(`xfs',` + xfs_stream_connect($1_xserver_t) + ') + ifdef(`TODO',` ifdef(`distro_redhat',` ifdef(`rpm.te', ` @@ -159,15 +163,6 @@ template(`xserver_common_domain_template',` rpm_use_fd($1_xserver_t) ') ') - - file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) - - # Connect to xfs. - ifdef(`xfs.te', ` - can_unix_connect($1_xserver_t, xfs_t) - allow $1_xserver_t xfs_tmp_t:dir r_dir_perms; - allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms; - ') ') dnl end TODO ') @@ -205,12 +200,6 @@ template(`xserver_per_userdomain_template',` # Declarations # - gen_require(` - type xauth_exec_t; - type xserver_exec_t; - type iceauth_exec_t; - ') - xserver_common_domain_template($1) role $3 types $1_xserver_t; @@ -326,6 +315,9 @@ template(`xserver_per_userdomain_template',` allow $2 $1_xauth_home_t:file manage_file_perms; allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; + allow xdm_t $1_xauth_home_t:file manage_file_perms; + userdom_filetrans_user_home_dir($1,xdm_t,$1_xauth_home_t,file) + domain_use_wide_inherit_fd($1_xauth_t) files_read_etc_files($1_xauth_t) 
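Review bot: The `allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;` and `type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;` lines added to `xserver_common_domain_template` carry no comment, and for the `xdm` instantiation that xserver.te now performs they expand to a rule on the domain's own tmp type plus a self-transition, redundant though harmless. Since they replace the `file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)` dropped from the TODO block in a later hunk of this file, say so above them: `# per-user X servers create their sockets in the xdm X server's tmp directory, labelled with the per-user tmp type` — wording to be confirmed against what the X server actually creates there. The template body starts and ends outside this hunk.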
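Review bot: `allow xdm_t $1_xauth_home_t:file manage_file_perms;` in `xserver_per_userdomain_template` hands the display manager full manage rights (including unlink and rename) over every user's Xauthority files, and the accompanying `userdom_filetrans_user_home_dir($1,xdm_t,$1_xauth_home_t,file)` has no comment saying why. The deleted xdm.te only recorded that xdm copies `.Xauthority` into the user's home, so add that reason above the rule, `# xdm writes the session's .Xauthority into the user's home directory`, and consider whether create plus write would suffice if manage was only a convenience. `xserver_per_userdomain_template` starts and ends outside this hunk.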
@@ -406,115 +398,154 @@ template(`xserver_per_userdomain_template',` ') ') -####################################### +######################################## ## -## Define a derived domain for the X server when executed -## by an X Display Manager. +## Transition to a user Xauthority domain. ## -## -## The prefix of the display manager domain. +## +##

+## Transition to a user Xauthority domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). ## -## -## The type of the display manager domain. +## +## Domain allowed access. ## # -template(`xserver_displaymgr_domain_template',` - - ############################## - # - # Declarations - # - - xserver_common_domain_template($1) - init_system_domain($1_xserver_t,xserver_exec_t) - - ############################## - # - # Local policy - # +template(`xserver_domtrans_user_xauth',` + gen_require(` + type $1_xauth_t, xauth_exec_t; + ') - domain_auto_trans($2, xserver_exec_t, $1_xserver_t) - allow $2 $1_xserver_t:fd use; - allow $1_xserver_t $2:fd use; - allow $1_xserver_t $2:fifo_file rw_file_perms; - allow $1_xserver_t $2:process { signal sigchld }; - allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; + domain_auto_trans($2, xauth_exec_t, $1_xauth_t) + allow $2 $1_xauth_t:fd use; + allow $1_xauth_t $2:fd use; + allow $1_xauth_t $2:fifo_file rw_file_perms; + allow $1_xauth_t $2:process sigchld; +') - allow $2 $1_xserver_tmp_t:file unlink; +######################################## +## +## Connect to XDM over a unix domain +## stream socket. +## +## +## Domain allowed access. +## +# +interface(`xserver_stream_connect_xdm',` + gen_require(` + type xdm_t; + ') - allow $2 $1_xserver_tmp_t:dir r_dir_perms; - allow $2 $1_xserver_tmp_t:sock_file rw_file_perms; - allow $2 $1_xserver_t:unix_stream_socket connectto; + allow $1 xdm_t:unix_stream_socket connectto; +') - allow $2 $1_xserver_t:shm rw_shm_perms; - allow $1_xserver_t $2:shm rw_shm_perms; +######################################## +## +## Create a named socket in a XDM +## temporary directory. +## +## +## Domain allowed access. +## +# +interface(`xserver_create_xdm_tmp_socket',` + gen_require(` + type xdm_tmp_t; + ') - # Run xkbcomp. 
- can_exec($1_xserver_t, xkb_var_lib_t) - allow $1_xserver_t xkb_var_lib_t:lnk_file read; - files_search_var_lib($1_xserver_t) + files_search_tmp($1) + allow $1 xdm_tmp_t:dir ra_dir_perms; + allow $1 xdm_tmp_t:sock_file create; +') - init_use_fd($1_xserver_t) +######################################## +## +## Read XDM pid files. +## +## +## Domain allowed access. +## +# +interface(`xserver_read_xdm_pid',` + gen_require(` + type xdm_var_run_t; + ') - userdom_dontaudit_search_all_users_home($1_xserver_t) + files_search_pids($1) + allow $1 xdm_var_run_t:file r_file_perms; +') - ifdef(`TODO',` - # Read all global and per user fonts - read_fonts($1_xserver_t, sysadm) - read_fonts($1_xserver_t, staff) - read_fonts($1_xserver_t, user) +######################################## +## +## Make an X session script an entrypoint for the specified domain. +## +## +## The domain for which the shell is an entrypoint. +## +# +interface(`xserver_xsession_entry_type',` + gen_require(` + type xsession_exec_t; + ') - dontaudit $1_xserver_t sysadm_t:shm { unix_read unix_write }; - allow $1_xserver_t xdm_tmpfs_t:file rw_file_perms; - ') dnl end TODO + domain_entry_file($1,xsession_exec_t) ') ######################################## ## -## Transition to a user Xauthority domain. +## Execute an X session in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ## ## ##

-## Transition to a user Xauthority domain. +## Execute an Xsession in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). ##

##

-## This is a templated interface, and should only -## be called from a per-userdomain template. +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. ##

##
-## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## ## ## Domain allowed access. ## +## +## The type of the shell process. +## # -template(`xserver_domtrans_user_xauth',` +interface(`xserver_xsession_spec_domtrans',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xsession_exec_t; ') - domain_auto_trans($2, xauth_exec_t, $1_xauth_t) - allow $2 $1_xauth_t:fd use; - allow $1_xauth_t $2:fd use; - allow $1_xauth_t $2:fifo_file rw_file_perms; - allow $1_xauth_t $2:process sigchld; + domain_trans($1,xsession_exec_t,$2) ') ######################################## ## -## Do not audit attempts to read all user -## .ICEauthority files. +## Do not audit attempts to write the X server +## log files. ## ## -## Domain do not audit. +## Domain to not audit ## # -interface(`xserver_dontaudit_read_all_users_iceauth',` +interface(`xserver_dontaudit_write_log',` gen_require(` - attribute iceauth_home_type; + type xserver_log_t; ') - dontaudit $1 iceauth_home_type:file r_file_perms; + dontaudit $1 xserver_log_t:file { append write }; ') diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te index 1b291fc..623f759 100644 --- a/refpolicy/policy/modules/services/xserver.te +++ b/refpolicy/policy/modules/services/xserver.te @@ -1,13 +1,11 @@ -policy_module(xserver,1.0.0) +policy_module(xserver,1.0.1) ######################################## # # Declarations # -attribute iceauth_home_type; - type ice_tmp_t; files_tmp_file(ice_tmp_t) 
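Review bot: The parameter documentation for the two new xsession interfaces was copied from a shell interface: `xserver_xsession_entry_type` describes its domain as `The domain for which the shell is an entrypoint.` and `xserver_xsession_spec_domtrans` describes `$2` as `The type of the shell process.`, although both act on `xsession_exec_t`. Suggest `## The domain for which the X session script is an entrypoint.` and `## The type of the X session process.`; `xserver_dontaudit_write_log`'s `Domain to not audit` also lacks the trailing period the other entries have. This hunk removes `xserver_displaymgr_domain_template` (and with it the `domain_auto_trans($2, xserver_exec_t, $1_xserver_t)`, fd/shm and `xkb_var_lib_t` exec rules for the display manager) and `xserver_dontaudit_read_all_users_iceauth`, which the deleted xdm.te called; their replacements are not in the part of xserver.te visible here, so that is worth confirming before merge.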
@@ -17,6 +15,33 @@ files_type(iceauth_exec_t)
 type xauth_exec_t;
 files_type(xauth_exec_t)
 
+type xdm_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type xdm_exec_t;
+')
+init_domain(xdm_t,xdm_exec_t)
+init_daemon_domain(xdm_t,xdm_exec_t)
+
+type xdm_lock_t;
+files_lock_file(xdm_lock_t)
+
+type xdm_rw_etc_t;
+files_type(xdm_rw_etc_t)
+
+type xdm_var_lib_t;
+files_type(xdm_var_lib_t)
+
+type xdm_var_run_t;
+files_pid_file(xdm_var_run_t)
+
+type xdm_tmp_t;
+files_tmp_file(xdm_tmp_t)
+
+type xdm_tmpfs_t;
+files_tmpfs_file(xdm_tmpfs_t)
+
 # type for /var/lib/xkb
 type xkb_var_lib_t;
 files_config_file(xkb_var_lib_t)
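Review bot: The declarations added here reproduce the deleted xdm.te's types except `xdm_xserver_tmp_t`, which xdm.te declared unconditionally with `files_type` and which xserver.fc still assigns to `/tmp/\.X0-lock`. After this change the type exists only through `xserver_common_domain_template(xdm)`, and the following hunk puts that call under `ifdef(`strict_policy',`, so in a non-strict build the file_contexts entry and the common template's new `xdm_xserver_tmp_t` rules refer to a type that is never declared, unless it is declared somewhere outside this chunk. Either the template call should leave the ifdef or the dependent fc entry and template rules should be guarded the same way; which is right depends on whether an xdm X server domain is wanted in targeted policy, where the removed xdm.te instead used `unconfined_domain_template(xdm_t)`.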
@@ -25,10 +50,422 @@ files_config_file(xkb_var_lib_t)
 type xserver_exec_t;
 files_type(xserver_exec_t)
+type xsession_exec_t;
+files_type(xsession_exec_t)
+
 # Type for the X server log file.
 type xserver_log_t;
 logging_log_file(xserver_log_t)
+ifdef(`strict_policy',`
+ xserver_common_domain_template(xdm)
+ init_system_domain(xdm_xserver_t,xserver_exec_t)
+')
+
 optional_policy(`prelink',`
 prelink_object_file(xkb_var_lib_t)
 ')
+
+########################################
+#
+# XDM Local policy
+#
+
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
+allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:sem create_sem_perms;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:tcp_socket create_stream_socket_perms;
+allow xdm_t self:udp_socket create_socket_perms;
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctl(xdm_t)
+
+corecmd_exec_shell(xdm_t)
+corecmd_exec_bin(xdm_t)
+corecmd_exec_sbin(xdm_t)
+
+corenet_tcp_sendrecv_generic_if(xdm_t)
+corenet_udp_sendrecv_generic_if(xdm_t)
+corenet_raw_sendrecv_generic_if(xdm_t)
+corenet_tcp_sendrecv_all_nodes(xdm_t)
+corenet_udp_sendrecv_all_nodes(xdm_t)
+corenet_raw_sendrecv_all_nodes(xdm_t)
+corenet_tcp_sendrecv_all_ports(xdm_t)
+corenet_udp_sendrecv_all_ports(xdm_t)
+corenet_non_ipsec_sendrecv(xdm_t)
+corenet_tcp_bind_all_nodes(xdm_t)
+corenet_udp_bind_all_nodes(xdm_t)
+corenet_tcp_connect_all_ports(xdm_t)
+# xdm tries to bind to biff_port_t
+corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_urand(xdm_t)
+dev_read_sysfs(xdm_t)
+dev_getattr_framebuffer(xdm_t)
+dev_setattr_framebuffer(xdm_t)
+dev_getattr_mouse(xdm_t)
+dev_setattr_mouse(xdm_t)
+dev_rw_apm_bios(xdm_t)
+dev_setattr_apm_bios(xdm_t)
+dev_rw_dri_dev(xdm_t)
+dev_rw_agp_dev(xdm_t)
+dev_getattr_xserver_misc_dev(xdm_t)
+dev_setattr_xserver_misc_dev(xdm_t)
+dev_getattr_misc(xdm_t)
+dev_setattr_misc(xdm_t)
+dev_dontaudit_rw_misc(xdm_t)
+dev_getattr_video_dev(xdm_t)
+dev_setattr_video_dev(xdm_t)
+dev_getattr_scanner(xdm_t)
+dev_setattr_scanner(xdm_t)
+dev_getattr_snd_dev(xdm_t)
+dev_setattr_snd_dev(xdm_t)
+dev_getattr_power_management(xdm_t)
+dev_setattr_power_management(xdm_t)
+
+domain_use_wide_inherit_fd(xdm_t)
+# Do not audit denied probes of /proc.
+domain_dontaudit_read_all_domains_state(xdm_t)
+
+files_read_etc_files(xdm_t)
+files_read_etc_runtime_files(xdm_t)
+files_exec_etc_files(xdm_t)
+files_list_mnt(xdm_t)
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+files_read_usr_files(xdm_t)
+# Poweroff wants to create the /poweroff file when run from xdm
+files_create_boot_flag(xdm_t)
+
+fs_getattr_all_fs(xdm_t)
+fs_search_auto_mountpoints(xdm_t)
+
+selinux_get_fs_mount(xdm_t)
+selinux_validate_context(xdm_t)
+selinux_compute_access_vector(xdm_t)
+selinux_compute_create_context(xdm_t)
+selinux_compute_relabel_context(xdm_t)
+selinux_compute_user_contexts(xdm_t)
+
+storage_dontaudit_read_fixed_disk(xdm_t)
+storage_dontaudit_write_fixed_disk(xdm_t)
+storage_dontaudit_setattr_fixed_disk(xdm_t)
+storage_dontaudit_raw_read_removable_device(xdm_t)
+storage_dontaudit_raw_write_removable_device(xdm_t)
+storage_dontaudit_setattr_removable_device(xdm_t)
+storage_dontaudit_rw_scsi_generic(xdm_t)
+
+term_setattr_console(xdm_t)
+term_dontaudit_use_console(xdm_t)
+term_use_unallocated_tty(xdm_t)
+term_setattr_unallocated_ttys(xdm_t)
+
+auth_rw_lastlog(xdm_t)
+auth_read_login_records(xdm_t)
+auth_append_login_records(xdm_t)
+auth_manage_pam_pid(xdm_t)
+auth_exec_pam(xdm_t)
+auth_manage_pam_console_data(xdm_t)
+
+init_rw_utmp(xdm_t)
+init_use_script_pty(xdm_t)
+# Run telinit->init to shutdown.
+init_exec(xdm_t)
+init_write_initctl(xdm_t)
+
+libs_use_ld_so(xdm_t)
+libs_use_shared_libs(xdm_t)
+libs_exec_lib_files(xdm_t)
+
+logging_send_syslog_msg(xdm_t)
+logging_read_generic_logs(xdm_t)
+
+miscfiles_read_localization(xdm_t)
+miscfiles_read_fonts(xdm_t)
+
+seutil_read_config(xdm_t)
+seutil_read_default_contexts(xdm_t)
+
+sysnet_read_config(xdm_t)
+
+userdom_dontaudit_use_unpriv_user_fd(xdm_t)
+userdom_dontaudit_search_sysadm_home_dir(xdm_t)
+# for .dmrc
+userdom_read_unpriv_user_home_files(xdm_t)
+# Search /proc for any user domain processes.
+userdom_read_all_userdomains_state(xdm_t)
+userdom_signal_all_users(xdm_t)
+
+ifdef(`enable_polyinstantiation',`
+ # xdm_t can polyinstantiate
+ files_polyinstantiate_all(xdm_t)
+')
+
+ifdef(`strict_policy',`
+ allow xdm_t xdm_lock_t:file create_file_perms;
+ files_filetrans_lock(xdm_t,xdm_lock_t)
+
+ allow xdm_t xdm_tmp_t:dir create_dir_perms;
+ allow xdm_t xdm_tmp_t:file create_file_perms;
+ allow xdm_t xdm_tmp_t:file create_file_perms;
+ files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
+
+ allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+ allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ allow xdm_t xdm_var_lib_t:file create_file_perms;
+ allow xdm_t xdm_var_lib_t:dir create_dir_perms;
+ files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
+
+ allow xdm_t xdm_var_run_t:dir manage_dir_perms;
+ allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
+ files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
+
+ allow xdm_t xdm_xserver_t:process signal;
+ allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+ allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+ allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+
+ # transition to the xdm xserver
+ domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
+ allow xdm_t xdm_xserver_t:fd use;
+ allow xdm_xserver_t xdm_t:fd use;
+ allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
+ allow xdm_xserver_t xdm_t:process { signal sigchld };
+ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+ allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+
+ # connect to xdm xserver over stream socket
+ allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+ allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+ allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+ # Remove /tmp/.X11-unix/X0.
+ allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+ allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+ allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+ allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
+ allow xdm_t xserver_log_t:file manage_file_perms;
+ allow xdm_t xserver_log_t:fifo_file manage_file_perms;
+ logging_filetrans_log(xdm_t,xserver_log_t,file)
+
+ domain_subj_id_change_exempt(xdm_t)
+ domain_role_change_exempt(xdm_t)
+ domain_obj_id_change_exempt(xdm_t)
+
+ auth_domtrans_chk_passwd(xdm_t)
+ auth_domtrans_pam_console(xdm_t)
+
+ # FIXME:
+ # xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+
+ tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
+# xserver_rw_session_template(xdm,userdomain)
+ ',`
+ userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
+ # FIXME:
+# xserver_rw_session_template(xdm,unpriv_userdomain)
+# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+ ')
+
+ optional_policy(`alsa',`
+ alsa_domtrans(xdm_t)
+ ')
+')
+
+ifdef(`targeted_policy',`
+ allow xdm_t self:process { execheap execmem };
+ unconfined_domain_template(xdm_t)
+ unconfined_domtrans(xdm_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(xdm_t)
+ fs_manage_nfs_files(xdm_t)
+ fs_manage_nfs_symlinks(xdm_t)
+ fs_execute_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xdm_t)
+ fs_manage_cifs_files(xdm_t)
+ fs_manage_cifs_symlinks(xdm_t)
+ fs_execute_cifs_files(xdm_t)
+')
+
+optional_policy(`gpm',`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
+')
+
+optional_policy(`hostname',`
+ hostname_exec(xdm_t)
+')
+
+optional_policy(`loadkeys',`
+ loadkeys_exec(xdm_t)
+')
+
+optional_policy(`locallogin',`
+ locallogin_signull(xdm_t)
+')
+
+optional_policy(`mta',`
+ # Do not audit attempts to check whether user root has email
+ mta_dontaudit_getattr_spool(xdm_t)
+')
+
+optional_policy(`nscd',`
+ nscd_use_socket(xdm_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(xdm_t)
+')
+
+optional_policy(`udev',`
+ udev_read_db(xdm_t)
+')
+
+optional_policy(`userhelper',`
+ userhelper_dontaudit_search_config(xdm_t)
+')
+
+optional_policy(`usermanage',`
+ usermanage_read_crack_db(xdm_t)
+')
+
+optional_policy(`xfs',`
+ xfs_stream_connect(xdm_t)
+')
+
+########################################
+#
+# XDM Xserver local policy
+#
+
+ifdef(`strict_policy',`
+ allow xdm_xserver_t xdm_t:process signal;
+ allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+
+ # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+ # handle of a file inside the dir!!!
+ allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+ dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+
+ allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+ # Label pid and temporary files with derived types.
+ allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
+ allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
+ allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
+ allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+
+ # Run xkbcomp.
+ allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+ can_exec(xdm_xserver_t, xkb_var_lib_t)
+ files_search_var_lib(xdm_xserver_t)
+
+ # VNC v4 module in X server
+ corenet_tcp_bind_vnc_port(xdm_xserver_t)
+
+ fs_search_auto_mountpoints(xdm_xserver_t)
+
+ init_use_fd(xdm_xserver_t)
+
+ # FIXME: After per user fonts are properly working
+ # xdm_xserver_t may no longer have any reason
+ # to read ROLE_home_t - examine this in more detail
+ # (xauth?)
+ userdom_read_unpriv_user_home_files(xdm_xserver_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(xdm_xserver_t)
+ fs_manage_nfs_files(xdm_xserver_t)
+ fs_manage_nfs_symlinks(xdm_xserver_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xdm_xserver_t)
+ fs_manage_cifs_files(xdm_xserver_t)
+ fs_manage_cifs_symlinks(xdm_xserver_t)
+ ')
+
+ ifdef(`TODO',`
+ # Read all global and per user fonts
+ read_fonts(xdm_xserver_t, sysadm)
+ read_fonts(xdm_xserver_t, staff)
+ read_fonts(xdm_xserver_t, user)
+ ') dnl end TODO
+')
+
+ifdef(`TODO',`
+# cjp: TODO: integrate strict policy:
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
+can_resmgrd_connect(xdm_t)
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+ifdef(`enable_polyinstantiation',`
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index bcfeb15..863c3be 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -436,6 +436,17 @@ template(`base_user_template',`
 usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 ')
+ optional_policy(`xserver',`
+ dev_rw_xserver_misc_dev($1_t)
+ xserver_xsession_entry_type($1_t)
+ xserver_dontaudit_write_log($1_t)
+ xserver_stream_connect_xdm($1_t)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($1_t)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_socket($1_t)
+ ')
+
 ifdef(`TODO',`
 #
 # Cups daemon running as user tries to write /etc/printcap
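Review bot: The strict_policy block repeats several rules verbatim: `allow xdm_t xdm_tmp_t:file create_file_perms;` appears twice in a row, and `allow xdm_t xdm_xserver_t:unix_stream_socket connectto;` and `allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;` are each stated once before the "transition to the xdm xserver" comment and again under "connect to xdm xserver over stream socket"; the duplicates do not change the compiled policy but each grant should be stated in one place so the block can be audited line by line. The xdm_tmpfs_t rules spell out long explicit permission sets where the neighbouring xdm_tmp_t and xdm_var_lib_t rules use `create_file_perms`/`create_dir_perms`; if those macros cover the permissions listed, using them here would keep the block consistent. This is also the block that, with the `xdm_sysadm_login` tunable on, lets xdm_t transition into every user domain, so keeping it compact and readable has real review value. The comment `# Supress permission check on .ICE-unix` should read `# Suppress permission check on .ICE-unix`.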
@@ -464,20 +475,8 @@ template(`base_user_template',`
 # Use X
 x_client_domain($1, $1)
- ifdef(`xserver.te', `
- allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
- ')
- ifdef(`xdm.te', `
- # Connect to the X server run by the X Display Manager.
- can_unix_connect($1_t, xdm_t)
- # certain apps want to read xdm.pid file
- r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file r_file_perms;
- allow xdm_t $1_home_dir_t:dir getattr;
- ifdef(`xauth.te', `
- file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
- ')
 ')
 # start read_fonts()
@@ -2542,6 +2541,28 @@ interface(`userdom_spec_domtrans_all_users',`
 ########################################
 ##
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_xsession_spec_domtrans_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ xserver_xsession_spec_domtrans($1,userdomain)
+ allow $1 userdomain:fd use;
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
+')
+
+########################################
+##
 ## Execute a shell in all unprivileged user domains. This
 ## is an explicit transition, requiring the
 ## caller to use setexeccon().
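Review bot: After the removals, `allow $1_t xdm_var_lib_t:file r_file_perms;` survives on the new side as a raw rule naming a type owned by the xserver module, while the rest of the xdm access in this template was just moved to `xserver_*` interface calls in the earlier hunk; it should either become an interface call or be removed along with its neighbours. The `')` kept right after it closed the removed `ifdef(`xdm.te', `` on the old side, and its opener is no longer visible in the hunk, so the m4 quoting of this part of base_user_template should be checked for balance. The enclosing template starts and ends outside the hunk.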
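Review bot: The summary of the new `userdom_xsession_spec_domtrans_all_users` says "in all unprivileged user domains", but the interface requires and transitions into the `userdomain` attribute rather than `unpriv_userdomain`, so the wording looks copied from the unpriv variant. Suggest `## Execute an Xserver session in all user domains. This`. Since this is the interface selected when the `xdm_sysadm_login` tunable is enabled, the description should state the wider scope plainly.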
@@ -2564,6 +2585,28 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ########################################
 ##
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ xserver_xsession_spec_domtrans($1,unpriv_userdomain)
+ allow $1 unpriv_userdomain:fd use;
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+##
 ## Manage unpriviledged user SysV sempaphores.
 ##
 ##
@@ -3616,6 +3659,7 @@ interface(`userdom_read_unpriv_user_home_files',`
 attribute user_home_dir_type, user_home_type;
 ')
+ files_search_home($1)
 allow $1 user_home_dir_type:dir search_dir_perms;
 allow $1 user_home_type:dir r_dir_perms;
 allow $1 user_home_type:lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 92d9aa6..834645a 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.2.5)
+policy_module(userdomain,1.2.6)
 gen_require(`
 role sysadm_r, staff_r, user_r;