diff --git a/refpolicy/Changelog b/refpolicy/Changelog index ade7cf7..060c291 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Move xserver_log_t from xdm to xserver. - Add lpr per-userdomain policy to lpd. - Miscellaneous fixes from Dan Walsh. - Change initrc_var_run_t interface noun from script_pid to utmp, @@ -7,6 +8,7 @@ portage userhelper usernetctl + xserver * Tue Jan 17 2006 Chris PeBenito - 20060117 - Adds support for generating corenetwork interfaces based on attributes diff --git a/refpolicy/policy/modules/services/xdm.fc b/refpolicy/policy/modules/services/xdm.fc index f175401..8cc4f02 100644 --- a/refpolicy/policy/modules/services/xdm.fc +++ b/refpolicy/policy/modules/services/xdm.fc @@ -22,17 +22,11 @@ /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - -/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te index 91f46de..b10805d 100644 --- a/refpolicy/policy/modules/services/xdm.te +++ b/refpolicy/policy/modules/services/xdm.te @@ -19,12 +19,6 @@ init_daemon_domain(xdm_t,xdm_exec_t) type xsession_exec_t; files_type(xsession_exec_t) -# temp: -typeattribute xsession_exec_t entry_type; - -type xserver_log_t; -files_type(xserver_log_t) - type xdm_xserver_tmp_t; files_type(xdm_xserver_tmp_t) 
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
new file mode 100644
index 0000000..a74d1ad
--- /dev/null
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -0,0 +1,28 @@
+
+/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+# cjp: TODO: merge in iceauth stuff
+#/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
+/tmp/\.ICE-unix/.* -s <>
+/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.X11-unix/.* -s <>
+
+/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+
+/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
new file mode 100644
index 0000000..f27d000
--- /dev/null
+++ b/refpolicy/policy/modules/services/xserver.if
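Review bot: `/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)` uses xdm_tmp_t, a type the new xserver.te in this commit does not declare (it declares only xkb_var_lib_t, xserver_exec_t and xserver_log_t), so the xserver module carries an undeclared dependency on xdm; presumably it builds because xdm is present in the same tree, but it deserves either a comment naming the dependency or an xserver-owned type for the socket directory. `/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)` gives an init script the same label as the X server binaries, so the rc system runs that script under an entry-point label the templates in xserver.if only wire up for user and display-manager domains; if that is intended, a comment saying why would help the next reader. The `# cjp: TODO: merge in iceauth stuff` line should say what is waiting to be merged, so the commented-out ice_tmp_t entry under it can be resolved rather than carried indefinitely.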
@@ -0,0 +1,321 @@
+## X Windows Server
+
+template(`xserver_common_domain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_xserver_t;
+ domain_type($1_xserver_t)
+
+ type $1_xserver_tmp_t;
+ files_tmp_file($1_xserver_tmp_t)
+
+ type $1_xserver_tmpfs_t;
+ files_tmpfs_file($1_xserver_tmpfs_t)
+
+ ##############################
+ #
+ # $1_xserver_t local policy
+ #
+
+ # setuid/setgid for the wrapper program to change UID
+ # sys_rawio is for iopl access - should not be needed for frame-buffer
+ # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
+ # admin of APM bios?
+ # sys_nice is so that the X server can set a negative nice value
+ # execheap needed until the X module loader is fixed.
+
+ allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+ dontaudit $1_xserver_t self:capability chown;
+ allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_xserver_t self:process { execmem execheap setsched };
+ allow $1_xserver_t self:fd use;
+ allow $1_xserver_t self:fifo_file rw_file_perms;
+ allow $1_xserver_t self:sock_file r_file_perms;
+ allow $1_xserver_t self:shm create_shm_perms;
+ allow $1_xserver_t self:sem create_sem_perms;
+ allow $1_xserver_t self:msgq create_msgq_perms;
+ allow $1_xserver_t self:msg { send receive };
+ allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
+ allow $1_xserver_t self:udp_socket create_socket_perms;
+
+ allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
+ allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
+ allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
+ files_filetrans_tmp($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
+
+ allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
+ allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
+ allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
+ allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
+ fs_filetrans_tmpfs($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
+ allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
+ allow $1_xserver_t xkb_var_lib_t:lnk_file create_lnk_perms;
+ files_search_var_lib($1_xserver_t)
+
+ # Create files in /var/log with the xserver_log_t type.
+ allow $1_xserver_t xserver_log_t:file manage_file_perms;
+ allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+ logging_filetrans_log($1_xserver_t,xserver_log_t,file)
+
+ kernel_read_system_state($1_xserver_t)
+ kernel_read_device_sysctl($1_xserver_t)
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctl($1_xserver_t)
+
+ # Run helper programs in $1_xserver_t.
+ corecmd_search_sbin($1_xserver_t)
+ corecmd_exec_bin($1_xserver_t)
+ corecmd_exec_shell($1_xserver_t)
+
+ corenet_non_ipsec_sendrecv($1_xserver_t)
+ corenet_tcp_sendrecv_generic_if($1_xserver_t)
+ corenet_udp_sendrecv_generic_if($1_xserver_t)
+ corenet_raw_sendrecv_generic_if($1_xserver_t)
+ corenet_tcp_sendrecv_all_nodes($1_xserver_t)
+ corenet_udp_sendrecv_all_nodes($1_xserver_t)
+ corenet_raw_sendrecv_all_nodes($1_xserver_t)
+ corenet_tcp_sendrecv_all_ports($1_xserver_t)
+ corenet_udp_sendrecv_all_ports($1_xserver_t)
+ corenet_tcp_bind_all_nodes($1_xserver_t)
+ corenet_udp_bind_all_nodes($1_xserver_t)
+ corenet_tcp_bind_xserver_port($1_xserver_t)
+ corenet_tcp_connect_all_ports($1_xserver_t)
+
+ dev_read_sysfs($1_xserver_t)
+ dev_rw_mouse($1_xserver_t)
+ dev_rw_mtrr($1_xserver_t)
+ dev_rw_apm_bios($1_xserver_t)
+ dev_rw_agp_dev($1_xserver_t)
+ dev_rw_framebuffer($1_xserver_t)
+ dev_manage_dri_dev($1_xserver_t)
+ dev_create_dir($1_xserver_t)
+ dev_setattr_dev_dir($1_xserver_t)
+ # raw memory access is needed if not using the frame buffer
+ dev_read_raw_memory($1_xserver_t)
+ dev_write_raw_memory($1_xserver_t)
+ # for other device nodes such as the NVidia binary-only driver
+ dev_rw_xserver_misc_dev($1_xserver_t)
+ # read events - the synaptics touchpad driver reads raw events
+ dev_rw_input_dev($1_xserver_t)
+
+ files_read_etc_files($1_xserver_t)
+ files_read_etc_runtime_files($1_xserver_t)
+ # brought on by rhgb
+ files_search_mnt($1_xserver_t)
+ # for nscd
+ files_dontaudit_search_pids($1_xserver_t)
+
+ fs_getattr_xattr_fs($1_xserver_t)
+ fs_search_nfs($1_xserver_t)
+ fs_search_auto_mountpoints($1_xserver_t)
+
+ term_setattr_unallocated_ttys($1_xserver_t)
+ term_use_unallocated_tty($1_xserver_t)
+
+ libs_use_ld_so($1_xserver_t)
+ libs_use_shared_libs($1_xserver_t)
+
+ logging_send_syslog_msg($1_xserver_t)
+
+ miscfiles_read_localization($1_xserver_t)
+ miscfiles_read_fonts($1_xserver_t)
+
+ seutil_dontaudit_search_config($1_xserver_t)
+
+ sysnet_read_config($1_xserver_t)
+
+ optional_policy(`authlogin',`
+ auth_search_pam_console_data($1_xserver_t)
+ ')
+
+ optional_policy(`nis',`
+ nis_use_ypbind($1_xserver_t)
+ ')
+
+ optional_policy(`nscd',`
+ nscd_use_socket($1_xserver_t)
+ ')
+
+ ifdef(`TODO',`
+ ifdef(`distro_redhat',`
+ kernel_read_modprobe_sysctl($1_xserver_t)
+
+ modutils_domtrans_insmod($1_xserver_t)
+
+ ifdef(`rpm.te', `
+ allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
+ allow $1_xserver_t rpm_tmpfs_t:file { read write };
+ rpm_use_fd($1_xserver_t)
+ ')
+ ')
+
+ file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
+
+ # Connect to xfs.
+ ifdef(`xfs.te', `
+ can_unix_connect($1_xserver_t, xfs_t)
+ allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
+ allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
+ ')
+ ') dnl end TODO
+')
+
+#######################################
+##
+## The per user domain template for the xserver module.
+##
+##
+##

+## Define a derived domain for the X server when executed
+## by a user domain (e.g. via startx). See the xdm module
+## if using an X Display Manager.
+##

+##

+## This is invoked automatically for each user and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
+#
+template(`xserver_per_userdomain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ xserver_common_domain_template($1)
+ role $3 types $1_xserver_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
+ allow $2 $1_xserver_t:fd use;
+ allow $1_xserver_t $2:fd use;
+ allow $1_xserver_t $2:fifo_file rw_file_perms;
+ allow $1_xserver_t $2:process { signal sigchld };
+
+ allow $1_xserver_t $2:shm rw_shm_perms;
+
+ allow $2 $1_xserver_tmp_t:dir r_dir_perms;
+ allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
+ allow $2 $1_xserver_t:unix_stream_socket connectto;
+
+ allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+
+ # Communicate via System V shared memory.
+ allow $1_xserver_t $2:shm rw_shm_perms;
+ allow $2 $1_xserver_t:shm rw_shm_perms;
+
+ getty_use_fd($1_xserver_t)
+
+ locallogin_use_fd($1_xserver_t)
+
+ userdom_search_user_home($1,$1_xserver_t)
+ userdom_use_user_tty($1,$1_xserver_t)
+ userdom_setattr_user_tty($1,$1_xserver_t)
+ userdom_rw_user_tmpfs_files($1,$1_xserver_t)
+
+ optional_policy(`userhelper',`
+ userhelper_search_config($1_xserver_t)
+ ')
+
+ ifdef(`TODO',`
+ # Read fonts
+ read_fonts($1_xserver_t, $1)
+
+ ifdef(`xauth.te', `
+ domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
+ allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+ ', `
+ allow $1_xserver_t $1_home_t:file { getattr read };
+ ')
+
+ allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
+ allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+
+ ifdef(`xdm.te', `
+ allow $1_t xdm_tmp_t:sock_file unlink;
+ allow $1_xserver_t xdm_var_run_t:dir search;
+ ')
+ ') dnl end TODO
+')
+
+#######################################
+##
+## Define a derived domain for the X server when executed
+## by an X Display Manager.
+##
+##
+## The prefix of the display manager domain.
+##
+##
+## The type of the display manager domain.
+##
+#
+template(`xserver_displaymgr_domain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ xserver_common_domain_template($1)
+ role system_r types xdm_xserver_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
+ allow $2 $1_xserver_t:fd use;
+ allow $1_xserver_t $2:fd use;
+ allow $1_xserver_t $2:fifo_file rw_file_perms;
+ allow $1_xserver_t $2:process { signal sigchld };
+
+ allow $2 $1_xserver_t:process signal;
+
+ allow $2 $1_xserver_tmp_t:dir r_dir_perms;
+ allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
+ allow $2 $1_xserver_t:unix_stream_socket connectto;
+
+ allow $2 $1_xserver_t:shm rw_shm_perms;
+ allow $1_xserver_t $2:shm rw_shm_perms;
+
+ init_use_fd($1_xserver_t)
+
+ userdom_dontaudit_search_all_users_home($1_xserver_t)
+
+ ifdef(`TODO',`
+ # Read all global and per user fonts
+ read_fonts($1_xserver_t, sysadm)
+ read_fonts($1_xserver_t, staff)
+ read_fonts($1_xserver_t, user)
+
+ dontaudit $1_xserver_t sysadm_t:shm { unix_read unix_write };
+ allow $1_xserver_t xdm_tmpfs_t:file rw_file_perms;
+ ') dnl end TODO
+')
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
new file mode 100644
index 0000000..4ea14a6
--- /dev/null
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -0,0 +1,19 @@
+
+policy_module(xserver,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# type for /var/lib/xkb
+type xkb_var_lib_t;
+files_config_file(xkb_var_lib_t)
+
+# Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_exec_t;
+files_type(xserver_exec_t)
+
+# Type for the X server log file.
+type xserver_log_t;
+logging_log_file(xserver_log_t)
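Review bot: `role system_r types xdm_xserver_t;` in xserver_displaymgr_domain_template hard-codes the xdm prefix while every other rule in the template is written against `$1_xserver_t`, so for any other prefix the role statement names a type this template does not declare and the derived domain gets no role; it should read `role system_r types $1_xserver_t;`. In xserver_common_domain_template the `self:process ~{ ... execmem execstack execheap }` rule excludes execmem and execheap only for the very next line to grant them back, which hides the W^X exemption from anyone reading the first rule; keep the explicit grant, drop the two from the exclusion set, and extend the comment block above (it currently explains execheap only) with why execmem is needed. `allow $1_xserver_t $2:shm rw_shm_perms;` appears twice in xserver_per_userdomain_template, once after the `process { signal sigchld }` rule and again under the System V shared memory comment; the first copy can go. The combination of `sys_rawio`, `dev_read_raw_memory`/`dev_write_raw_memory` and `corenet_tcp_connect_all_ports` gives every derived X server domain raw memory access plus unrestricted outbound TCP; the existing comment already questions sys_rawio, so a short note on which of these the frame-buffer configuration actually needs would make later tightening possible.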
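Review bot: The comment `# type for /var/lib/xkb` understates what xkb_var_lib_t covers: xserver.fc in this commit also applies it to /usr/X11R6/lib/X11/xkb, and xserver_common_domain_template in xserver.if grants the X server domains manage_file_perms on it, so it is a directory the server writes rather than read-only configuration; either the comment or the `files_config_file(xkb_var_lib_t)` choice should say which is intended, e.g. `# Type for the xkb directories (/var/lib/xkb, /usr/X11R6/lib/X11/xkb); written by the X server domains.` The declarations block declares no X server domain at all, since the domains are derived by the templates in xserver.if, and one line saying so would stop a reader from looking for a missing `type xserver_t;`. The `xserver_log_t` comment could also note that the type is shared by the xdm and per-user X servers, which is why this commit moves it here from xdm.te.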
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index 93d8149..0491609 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -5,15 +5,12 @@ ## Execute gettys in the getty domain. ## ## -## The type of the process performing this action. +## Domain allowed access. ## # interface(`getty_domtrans',` gen_require(` type getty_t, getty_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') corecmd_search_sbin($1) @@ -27,16 +24,31 @@ interface(`getty_domtrans',` ######################################## ## +## Inherit and use getty file descriptors. +## +## +## Domain allowed access. +## +# +interface(`getty_use_fd',` + gen_require(` + type getty_t; + ') + + allow $1 getty_t:fd use; +') + +######################################## +## ## Allow process to read getty log file. ## ## -## The type of the process performing this action. +## Domain allowed access. ## # interface(`getty_read_log',` gen_require(` type getty_log_t; - class file { getattr read }; ') logging_search_logs($1) @@ -48,13 +60,12 @@ interface(`getty_read_log',` ## Allow process to read getty config file. ## ## -## The type of the process performing this action. +## Domain allowed access. ## # interface(`getty_read_config',` gen_require(` type getty_etc_t; - class file { getattr read }; ') files_search_etc($1) @@ -66,13 +77,12 @@ interface(`getty_read_config',` ## Allow process to edit getty config file. ## ## -## The type of the process performing this action. +## Domain allowed access. ## # interface(`getty_modify_config',` gen_require(` type getty_etc_t; - class file rw_file_perms; ') files_search_etc($1) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 77a415b..4865495 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -1985,6 +1985,38 @@ template(`userdom_manage_user_tmp_sockets',` ######################################## ## +## Read user tmpfs files. +## +## +##

+## Read user tmpfs files. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## Domain allowed access. +## +# +template(`userdom_rw_user_tmpfs_files',` + gen_require(` + type $1_tmp_t; + ') + + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; + allow $2 $1_tmpfs_t:file rw_file_perms; + allow $2 $1_tmpfs_t:lnk_file { getattr read }; +') + +######################################## +## ## List users untrusted directories. ## ##
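Review bot: The gen_require in `userdom_rw_user_tmpfs_files` asks for `type $1_tmp_t;` but every rule in the body uses `$1_tmpfs_t`, so the require names the wrong type and does not cover the one the template actually grants access to; it should read `type $1_tmpfs_t;`. The summary and description both say `Read user tmpfs files.` while the template name and the `rw_file_perms` grant are read-write; `Read and write user tmpfs files.` matches what is granted. This matters for anyone auditing the user/X-server boundary, since the only caller in this commit (xserver_per_userdomain_template in xserver.if) uses it to let the per-user X server domain write the user's tmpfs files, presumably for shared-memory communication.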