diff --git a/refpolicy/Changelog b/refpolicy/Changelog index f2811d3..37b120d 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Move ice_tmp_t from miscfiles to xserver. - Login fixes from Serge Hallyn. - Move xserver_log_t from xdm to xserver. - Add lpr per-userdomain policy to lpd. diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te index 2df0eb3..1226f45 100644 --- a/refpolicy/policy/modules/services/xdm.te +++ b/refpolicy/policy/modules/services/xdm.te @@ -1,5 +1,5 @@ -policy_module(xdm,1.1.2) +policy_module(xdm,1.1.3) ######################################## # @@ -75,7 +75,7 @@ dev_read_urand(xdm_t) files_read_etc_files(xdm_t) files_read_etc_runtime_files(xdm_t) -files_exec_etc(xdm_t) +files_exec_etc_files(xdm_t) # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... files_read_usr_files(xdm_t) @@ -93,7 +93,7 @@ init_rw_utmp(xdm_t) # for reboot init_write_initctl(xdm_t) -libs_exec_lib(xdm_t) +libs_exec_lib_files(xdm_t) seutil_read_config(xdm_t) seutil_read_default_contexts(xdm_t) diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc index a74d1ad..5277385 100644 --- a/refpolicy/policy/modules/services/xserver.fc +++ b/refpolicy/policy/modules/services/xserver.fc 
@@ -1,15 +1,20 @@ +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) +HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) +HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) + /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) -# cjp: TODO: merge in iceauth stuff -#/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0) +/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0) /tmp/\.ICE-unix/.* -s <> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if index 3f3da1a..d2a3793 100644 --- a/refpolicy/policy/modules/services/xserver.if +++ b/refpolicy/policy/modules/services/xserver.if 
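Review bot: The two exec labels added in this hunk cover only `/usr/X11R6/bin/xauth` and `/usr/X11R6/bin/iceauth`; the rest of xserver.fc is outside the hunk, so it is not visible whether other install prefixes are labelled. A binary installed elsewhere keeps its generic label, the `domain_auto_trans` rules added in xserver.if never fire, and the helper runs in the caller's domain. The cookie file it writes would then not get `ROLE_xauth_home_t` until a relabel, which matters because this commit removes the X server's fallback read of `$1_home_t`. If the policy is meant to cover layouts that install into `/usr/bin`, add `/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)` and the matching `/usr/bin/iceauth` line for `iceauth_exec_t`.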
@@ -206,11 +206,38 @@ template(`xserver_per_userdomain_template',` xserver_common_domain_template($1) role $3 types $1_xserver_t; + type $1_iceauth_t; + domain_type($1_iceauth_t) + role $3 types $1_iceauth_t; + + type $1_iceauth_home_t alias $1_iceauth_rw_t; + files_poly_member($1_iceauth_home_t) + userdom_home_file($1,$1_iceauth_home_t) + + type $1_xauth_t; + domain_type($1_xauth_t) + role $3 types $1_xauth_t; + + type $1_xauth_home_t alias $1_xauth_rw_t; + files_poly_member($1_xauth_home_t) + userdom_home_file($1,$1_xauth_home_t) + + type $1_xauth_tmp_t; + files_tmp_file($1_xauth_tmp_t) + ############################## # - # Local policy + # $1_xserver_t Local policy # + domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t) + allow $1_xserver_t $1_xauth_t:fd use; + allow $1_xauth_t $1_xserver_t:fd use; + allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms; + allow $1_xauth_t $1_xserver_t:process sigchld; + + allow $1_xserver_t $1_xauth_home_t:file { getattr read }; + domain_auto_trans($2, xserver_exec_t, $1_xserver_t) allow $2 $1_xserver_t:fd use; allow $1_xserver_t $2:fd use; @@ -246,13 +273,6 @@ template(`xserver_per_userdomain_template',` # Read fonts read_fonts($1_xserver_t, $1) - ifdef(`xauth.te', ` - domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t) - allow $1_xserver_t $1_xauth_home_t:file { getattr read }; - ', ` - allow $1_xserver_t $1_home_t:file { getattr read }; - ') - allow $1_t xdm_xserver_tmp_t:dir r_dir_perms; allow $1_t xdm_xserver_t:unix_stream_socket connectto; 
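Review bot: Nothing in this hunk grants `$1_xauth_t` or `$1_iceauth_t` the `entrypoint` permission on `xauth_exec_t` / `iceauth_exec_t`: the new domains get `domain_type()` only, and xserver.te declares the exec types with plain `files_type()`. Unless `domain_auto_trans` supplies entrypoint in this tree (its definition is not visible here), the exec that should enter the new domain is denied rather than confined. Consider adding `domain_entry_file($1_xauth_t, xauth_exec_t)` and `domain_entry_file($1_iceauth_t, iceauth_exec_t)` next to the two `domain_type` calls. The template body starts before this hunk and continues past it.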
@@ -261,6 +281,116 @@ template(`xserver_per_userdomain_template',` allow $1_xserver_t xdm_var_run_t:dir search; ') ') dnl end TODO + + ############################## + # + # $1_xauth_t Local policy + # + + allow $1_xauth_t self:process signal; + allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; + + allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; + userdom_filetrans_user_home_dir($1,$1_xauth_t,$1_xauth_home_t,file) + + allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms; + allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms; + files_filetrans_tmp($1_xauth_t, $1_xauth_tmp_t, { file dir }) + + domain_auto_trans($2, xauth_exec_t, $1_xauth_t) + allow $2 $1_xauth_t:fd use; + allow $1_xauth_t $2:fd use; + allow $1_xauth_t $2:fifo_file rw_file_perms; + allow $1_xauth_t $2:process sigchld; + + allow $2 $1_xauth_t:process signal; + + allow $2 $1_xauth_home_t:file manage_file_perms; + allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; + + domain_use_wide_inherit_fd($1_xauth_t) + + files_read_etc_files($1_xauth_t) + files_search_pids($1_xauth_t) + + fs_getattr_xattr_fs($1_xauth_t) + fs_search_auto_mountpoints($1_xauth_t) + + # cjp: why? 
+ term_use_ptmx($1_xauth_t) + + libs_use_ld_so($1_xauth_t) + libs_use_shared_libs($1_xauth_t) + + sysnet_dns_name_resolve($1_xauth_t) + + userdom_use_user_terminals($1,$1_xauth_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_xauth_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_xauth_t) + ') + + optional_policy(`nis',` + nis_use_ypbind($1_xauth_t) + ') + + ifdef(`TODO',` + ifdef(`ssh.te', ` + domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t) + dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write }; + + allow $1_xauth_t sshd_t:fifo_file { getattr read }; + allow $1_xauth_t sshd_t:process sigchld; + ')dnl end if ssh + + # allow ps to show xauth + can_ps($1_t, $1_xauth_t) + + allow $1_xauth_t $1_tmp_t:file { getattr ioctl read }; + ') dnl end TODO + + ############################## + # + # $1_iceauth_t Local policy + # + + domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t) + allow $2 $1_iceauth_t:fd use; + allow $1_iceauth_t $2:fd use; + allow $1_iceauth_t $2:fifo_file rw_file_perms; + allow $1_iceauth_t $2:process sigchld; + + allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms; + userdom_filetrans_user_home_dir($1,$1_iceauth_t,$1_iceauth_home_t,file) + + allow $2 $1_iceauth_home_t:file manage_file_perms; + allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; + + fs_search_auto_mountpoints($1_iceauth_t) + + libs_use_ld_so($1_iceauth_t) + libs_use_shared_libs($1_iceauth_t) + + userdom_use_user_terminals($1,$1_iceauth_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_iceauth_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_iceauth_t) + ') + + ifdef(`TODO',` + # Supress xdm trying to restore .ICEauthority permissions + ifdef(`xdm.te', ` + dontaudit xdm_t $1_iceauth_home_t:file r_file_perms; + ') + ') dnl end TODO ') ####################################### 
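Review bot: `term_use_ptmx($1_xauth_t)` is granted with the open question `# cjp: why?` still attached, so the domain that manages the `$1_xauth_home_t` cookie files gets access to the pty multiplexer with no recorded justification. `userdom_use_user_terminals($1,$1_xauth_t)` a few lines below already covers the user's own terminals, so the ptmx rule can probably be dropped until an AVC denial shows it is needed. If it stays, replace the question with the reason, e.g. `# xauth opens /dev/ptmx when <reason taken from the audit log>`. The enclosing template starts before this hunk.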
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te index 4ea14a6..1f4dcc1 100644 --- a/refpolicy/policy/modules/services/xserver.te +++ b/refpolicy/policy/modules/services/xserver.te @@ -6,6 +6,15 @@ policy_module(xserver,1.0.0) # Declarations # +type ice_tmp_t; +files_tmp_file(ice_tmp_t) + +type iceauth_exec_t; +files_type(iceauth_exec_t) + +type xauth_exec_t; +files_type(xauth_exec_t) + # type for /var/lib/xkb type xkb_var_lib_t; files_config_file(xkb_var_lib_t) diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te index 1d93ba8..f12850f 100644 --- a/refpolicy/policy/modules/system/miscfiles.te +++ b/refpolicy/policy/modules/system/miscfiles.te @@ -26,12 +26,6 @@ type hwdata_t; files_type(hwdata_t) # -# type for /tmp/.ICE-unix -# -type ice_tmp_t; -files_tmp_file(ice_tmp_t) - -# # locale_t is the type for system localization # type locale_t; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 4865495..defee59 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1635,6 +1635,49 @@ template(`userdom_create_user_home',` ######################################## ## +## Create objects in a user home directory with +## a type transition to a specified type. +## +## +##

+## Create objects in a user home directory with +## a type transition to a specified type. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## Domain allowed access. +## +## +## The type of the object to create. If this is +## not specified, the regular home directory +## type is used. +## +## +## The class of the object to be created. If not +## specified, file is used. +## +# +template(`userdom_filetrans_user_home_dir',` + gen_require(` + type $1_home_dir_t, $1_home_t; + ') + + files_search_home($2) + allow $2 $1_home_dir_t:dir rw_dir_perms; + + type_transition $2 $1_home_dir_t:$4 $3; +') + +######################################## +## ## Write to user temporary named sockets. ## ##
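Review bot: The doc block promises defaults that the template body does not implement: it says the regular home directory type is used when the object type is omitted and `file` when the class is omitted, but the body expands `type_transition $2 $1_home_dir_t:$4 $3;` with `$3` and `$4` exactly as passed. A caller relying on the documented defaults would get a malformed rule at policy build time, and `$1_home_t` in the `gen_require` is never referenced. Either add the defaulting or document both parameters as required (`The type of the object to create.` and `The class of the object to be created.`) and reduce the require to `type $1_home_dir_t;`. Both callers added in xserver.if pass all four arguments, so nothing breaks today.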