[refpolicy] [PATCH 2/6] Add a "prefix" parameter to xserver_role and xserver_restricted_role.

Christopher J. PeBenito cpebenito at tresys.com
Thu Oct 22 08:32:38 CDT 2009


On Tue, 2009-10-13 at 21:28 -0400, Eamon Walsh wrote:
> Add a "prefix" parameter to xserver_role and xserver_restricted_role.

These two interfaces need to become new xserver_role_template and
xserver_restricted_role_template templates, and the current versions
need to stay, but as deprecated, for compatibility.

> This is required to call xserver_object_types_template and
> xserver_common_x_domain_template from within these interfaces.
> 
> Additionally, add a call to xserver_unconfined from within
> xserver_restricted_role.  This causes the default user types to
> be unconfined as far as the X object manager is concerned.  Only
> non-default types such as mozilla_t are now confined.

> Signed-off-by: Eamon Walsh<ewalsh at tycho.nsa.gov>
> ---
>   policy/modules/apps/wm.if           |    2 +-
>   policy/modules/roles/staff.te       |    2 +-
>   policy/modules/roles/sysadm.te      |    2 +-
>   policy/modules/roles/unprivuser.te  |    2 +-
>   policy/modules/services/xserver.if  |  201
> ++++++++++++++--------------------
>   policy/modules/system/userdomain.if |    2 +-
>   6 files changed, 88 insertions(+), 123 deletions(-)
> 
> diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
> index 313f247..11d78d0 100644
> --- a/policy/modules/apps/wm.if
> +++ b/policy/modules/apps/wm.if
> @@ -75,7 +75,7 @@ template(`wm_role_template',`
>         ')
> 
>         optional_policy(`
> -               xserver_role($2, $1_wm_t)
> +               xserver_role($1_wm, $2, $1_wm_t)
>         ')
>   ')
> 
> diff --git a/policy/modules/roles/staff.te
> b/policy/modules/roles/staff.te
> index 7433ca0..07af057 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -166,5 +166,5 @@ optional_policy(`
>   ')
> 
>   optional_policy(`
> -       xserver_role(staff_r, staff_t)
> +       xserver_role(staff, staff_r, staff_t)
>   ')
> diff --git a/policy/modules/roles/sysadm.te
> b/policy/modules/roles/sysadm.te
> index 2ed3c67..374add6 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -444,7 +444,7 @@ optional_policy(`
>   ')
> 
>   optional_policy(`
> -       xserver_role(sysadm_r, sysadm_t)
> +       xserver_role(sysadm, sysadm_r, sysadm_t)
>   ')
> 
>   optional_policy(`
> diff --git a/policy/modules/roles/unprivuser.te
> b/policy/modules/roles/unprivuser.te
> index 2183644..4c974d1 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -151,5 +151,5 @@ optional_policy(`
>   ')
> 
>   optional_policy(`
> -       xserver_role(user_r, user_t)
> +       xserver_role(user, user_r, user_t)
>   ')
> diff --git a/policy/modules/services/xserver.if
> b/policy/modules/services/xserver.if
> index 6a0f5c1..99bddec 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -5,6 +5,12 @@
>   ##    Rules required for using the X Windows server
>   ##    and environment, for restricted users.
>   ##</summary>
> +##<param name="prefix">
> +##     <summary>
> +##     The prefix of the X client domain (e.g., user
> +##     is the prefix for user_t).
> +##     </summary>
> +##</param>
>   ##<param name="role">
>   ##    <summary>
>   ##    Role allowed access.
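Review bot: The new `prefix` parameter description says what the value looks like but not what it is used for; since the interface body forwards it to xserver_object_types_template and xserver_common_x_domain_template, which presumably derive type names from it, callers need to know that it must be unique per client domain (wm.if passes `$1_wm`, the role files pass the user prefix). Suggest adding a line to the summary: `##	Must be unique per call, as X object types are derived from it.`. The same parameter block is added to xserver_role in the later hunk of this file and should get the same wording.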
> @@ -22,144 +28,97 @@ interface(`xserver_restricted_role',`
>                 type user_fonts_t, user_fonts_cache_t,
> user_fonts_config_t;
>                 type iceauth_t, iceauth_exec_t, iceauth_home_t;
>                 type xauth_t, xauth_exec_t, xauth_home_t;
> -
> -               type info_xproperty_t, rootwindow_t;
> -
> -               class x_drawable all_x_drawable_perms;
> -               class x_screen all_x_screen_perms;
> -               class x_gc all_x_gc_perms;
> -               class x_font all_x_font_perms;
> -               class x_colormap all_x_colormap_perms;
> -               class x_property all_x_property_perms;
> -               class x_selection all_x_selection_perms;
> -               class x_cursor all_x_cursor_perms;
> -               class x_client all_x_client_perms;
> -               class x_device all_x_device_perms;
> -               class x_server all_x_server_perms;
> -               class x_extension all_x_extension_perms;
> -               class x_resource all_x_resource_perms;
> -               class x_event all_x_event_perms;
> -               class x_synthetic_event all_x_synthetic_event_perms;
>         ')
> 
> -       role $1 types { xserver_t xauth_t iceauth_t };
> +       role $2 types { xserver_t xauth_t iceauth_t };
> 
>         # Xserver read/write client shm
> -       allow xserver_t $2:fd use;
> -       allow xserver_t $2:shm rw_shm_perms;
> +       allow xserver_t $3:fd use;
> +       allow xserver_t $3:shm rw_shm_perms;
> 
> -       domtrans_pattern($2, xserver_exec_t, xserver_t)
> -       allow xserver_t $2:process signal;
> +       domtrans_pattern($3, xserver_exec_t, xserver_t)
> +       allow xserver_t $3:process signal;
> 
> -       allow xserver_t $2:shm rw_shm_perms;
> +       allow xserver_t $3:shm rw_shm_perms;
> 
> -       allow $2 user_fonts_t:dir list_dir_perms;
> -       allow $2 user_fonts_t:file read_file_perms;
> +       allow $3 user_fonts_t:dir list_dir_perms;
> +       allow $3 user_fonts_t:file read_file_perms;
> 
> -       allow $2 user_fonts_config_t:dir list_dir_perms;
> -       allow $2 user_fonts_config_t:file read_file_perms;
> +       allow $3 user_fonts_config_t:dir list_dir_perms;
> +       allow $3 user_fonts_config_t:file read_file_perms;
> 
> -       manage_dirs_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> -       manage_files_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> +       manage_dirs_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> +       manage_files_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> 
> -       stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t,
> xserver_t)
> -       files_search_tmp($2)
> +       stream_connect_pattern($3, xserver_tmp_t, xserver_tmp_t,
> xserver_t)
> +       files_search_tmp($3)
> 
>         # Communicate via System V shared memory.
> -       allow $2 xserver_t:shm r_shm_perms;
> -       allow $2 xserver_tmpfs_t:file read_file_perms;
> +       allow $3 xserver_t:shm r_shm_perms;
> +       allow $3 xserver_tmpfs_t:file read_file_perms;
> 
>         # allow ps to show iceauth
> -       ps_process_pattern($2, iceauth_t)
> +       ps_process_pattern($3, iceauth_t)
> 
> -       domtrans_pattern($2, iceauth_exec_t, iceauth_t)
> +       domtrans_pattern($3, iceauth_exec_t, iceauth_t)
> 
> -       allow $2 iceauth_home_t:file read_file_perms;
> +       allow $3 iceauth_home_t:file read_file_perms;
> 
> -       domtrans_pattern($2, xauth_exec_t, xauth_t)
> +       domtrans_pattern($3, xauth_exec_t, xauth_t)
> 
> -       allow $2 xauth_t:process signal;
> +       allow $3 xauth_t:process signal;
> 
>         # allow ps to show xauth
> -       ps_process_pattern($2, xauth_t)
> -       allow $2 xserver_t:process signal;
> +       ps_process_pattern($3, xauth_t)
> +       allow $3 xserver_t:process signal;
> 
> -       allow $2 xauth_home_t:file read_file_perms;
> +       allow $3 xauth_home_t:file read_file_perms;
> 
>         # for when /tmp/.X11-unix is created by the system
> -       allow $2 xdm_t:fd use;
> -       allow $2 xdm_t:fifo_file { getattr read write ioctl };
> -       allow $2 xdm_tmp_t:dir search;
> -       allow $2 xdm_tmp_t:sock_file { read write };
> -       dontaudit $2 xdm_t:tcp_socket { read write };
> +       allow $3 xdm_t:fd use;
> +       allow $3 xdm_t:fifo_file { getattr read write ioctl };
> +       allow $3 xdm_tmp_t:dir search;
> +       allow $3 xdm_tmp_t:sock_file { read write };
> +       dontaudit $3 xdm_t:tcp_socket { read write };
> 
>         # Client read xserver shm
> -       allow $2 xserver_t:fd use;
> -       allow $2 xserver_tmpfs_t:file read_file_perms;
> +       allow $3 xserver_t:fd use;
> +       allow $3 xserver_tmpfs_t:file read_file_perms;
> 
>         # Read /tmp/.X0-lock
> -       allow $2 xserver_tmp_t:file { getattr read };
> +       allow $3 xserver_tmp_t:file { getattr read };
> 
> -       dev_rw_xserver_misc($2)
> -       dev_rw_power_management($2)
> -       dev_read_input($2)
> -       dev_read_misc($2)
> -       dev_write_misc($2)
> +       dev_rw_xserver_misc($3)
> +       dev_rw_power_management($3)
> +       dev_read_input($3)
> +       dev_read_misc($3)
> +       dev_write_misc($3)
>         # open office is looking for the following
> -       dev_getattr_agp_dev($2)
> -       dev_dontaudit_rw_dri($2)
> +       dev_getattr_agp_dev($3)
> +       dev_dontaudit_rw_dri($3)
>         # GNOME checks for usb and other devices:
> -       dev_rw_usbfs($2)
> +       dev_rw_usbfs($3)
> 
> -       miscfiles_read_fonts($2)
> +       miscfiles_read_fonts($3)
> 
> -       xserver_common_x_domain_template(user, $2)
> -       xserver_xsession_entry_type($2)
> -       xserver_dontaudit_write_log($2)
> -       xserver_stream_connect_xdm($2)
> +       xserver_object_types_template($1)
> +       xserver_common_x_domain_template($1, $3)
> +       xserver_unconfined($3)
> +       xserver_xsession_entry_type($3)
> +       xserver_dontaudit_write_log($3)
> +       xserver_stream_connect_xdm($3)
>         # certain apps want to read xdm.pid file
> -       xserver_read_xdm_pid($2)
> +       xserver_read_xdm_pid($3)
>         # gnome-session creates socket under /tmp/.ICE-unix/
> -       xserver_create_xdm_tmp_sockets($2)
> +       xserver_create_xdm_tmp_sockets($3)
>         # Needed for escd, remove if we get escd policy
> -       xserver_manage_xdm_tmp_files($2)
> +       xserver_manage_xdm_tmp_files($3)
> 
>         # Client write xserver shm
>         tunable_policy(`allow_write_xshm',`
> -               allow $2 xserver_t:shm rw_shm_perms;
> -               allow $2 xserver_tmpfs_t:file rw_file_perms;
> +               allow $3 xserver_t:shm rw_shm_perms;
> +               allow $3 xserver_tmpfs_t:file rw_file_perms;
>         ')
> -
> -       ##############################
> -       #
> -       # User X object manager local policy
> -       #
> -
> -       # manage: xhost X11:ChangeHosts
> -       # freeze: metacity X11:GrabKey
> -       # force_cursor: metacity X11:GrabPointer
> -       allow $2 xserver_t:x_device { manage freeze force_cursor };
> -
> -       # gnome-settings-daemon XKEYBOARD:SetControls
> -       allow $2 xserver_t:x_server manage;
> -
> -       # gnome-settings-daemon RANDR:SelectInput
> -       allow $2 xserver_t:x_resource write;
> -
> -       # metacity X11:InstallColormap X11:UninstallColormap
> -       allow $2 rootwindow_t:x_colormap { install uninstall };
> -
> -       # read: gnome-settings-daemon RANDR:GetScreenSizeRange
> -       # write: gnome-settings-daemon RANDR:SelectInput
> -       # setattr: gnome-settings-daemon X11:GrabKey
> -       # manage: metacity X11:ChangeWindowAttributes
> -       allow $2 rootwindow_t:x_drawable { read write manage
> setattr };
> -
> -       # setattr: metacity X11:InstallColormap
> -       allow $2 xserver_t:x_screen { saver_getattr saver_setattr
> setattr };
> -
> -       # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
> -       allow $2 info_xproperty_t:x_property { create append write };
>   ')
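Review bot: The added `xserver_unconfined($3)` call makes every client domain passed to xserver_restricted_role unconfined with respect to the X object manager, while the interface summary in the first hunk of this file still describes it as rules "for restricted users", and the userdomain.if hunk routes `userdom_restricted_xwindows_user_template` through it. The x_device, x_server, x_resource, x_screen, rootwindow_t and info_xproperty_t rules this hunk removes were the fine-grained counterpart, so after this change the restricted and full variants differ only in file/shm access, not in X protocol access; if that is intended, the summary should say so, e.g. `##	for restricted users; the client domain is unconfined with respect to the X object manager.`, otherwise the xserver_unconfined call belongs in xserver_role or behind a tunable. Separately, `allow xserver_t $3:shm rw_shm_perms;` and `allow $3 xserver_tmpfs_t:file read_file_perms;` each appear twice in the rewritten body and one copy of each can be dropped. The enclosing interface opens before this hunk.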
> 
>   ########################################
> @@ -167,6 +126,12 @@ interface(`xserver_restricted_role',`
>   ##    Rules required for using the X Windows server
>   ##    and environment.
>   ##</summary>
> +##<param name="prefix">
> +##     <summary>
> +##     The prefix of the X client domain (e.g., user
> +##     is the prefix for user_t).
> +##     </summary>
> +##</param>
>   ##<param name="role">
>   ##    <summary>
>   ##    Role allowed access.
> @@ -184,32 +149,32 @@ interface(`xserver_role',`
>                 type user_fonts_t, user_fonts_cache_t,
> user_fonts_config_t;
>         ')
> 
> -       xserver_restricted_role($1, $2)
> +       xserver_restricted_role($1, $2, $3)
> 
>         # Communicate via System V shared memory.
> -       allow $2 xserver_t:shm rw_shm_perms;
> -       allow $2 xserver_tmpfs_t:file rw_file_perms;
> +       allow $3 xserver_t:shm rw_shm_perms;
> +       allow $3 xserver_tmpfs_t:file rw_file_perms;
> 
> -       allow $2 iceauth_home_t:file manage_file_perms;
> -       allow $2 iceauth_home_t:file { relabelfrom relabelto };
> +       allow $3 iceauth_home_t:file manage_file_perms;
> +       allow $3 iceauth_home_t:file { relabelfrom relabelto };
> 
> -       allow $2 xauth_home_t:file manage_file_perms;
> -       allow $2 xauth_home_t:file { relabelfrom relabelto };
> +       allow $3 xauth_home_t:file manage_file_perms;
> +       allow $3 xauth_home_t:file { relabelfrom relabelto };
> 
> -       manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
> -       manage_files_pattern($2, user_fonts_t, user_fonts_t)
> -       relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
> -       relabel_files_pattern($2, user_fonts_t, user_fonts_t)
> +       manage_dirs_pattern($3, user_fonts_t, user_fonts_t)
> +       manage_files_pattern($3, user_fonts_t, user_fonts_t)
> +       relabel_dirs_pattern($3, user_fonts_t, user_fonts_t)
> +       relabel_files_pattern($3, user_fonts_t, user_fonts_t)
> 
> -       manage_dirs_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> -       manage_files_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> -       relabel_dirs_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> -       relabel_files_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> +       manage_dirs_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> +       manage_files_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> +       relabel_dirs_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> +       relabel_files_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> 
> -       manage_dirs_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> -       manage_files_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> -       relabel_dirs_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> -       relabel_files_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> +       manage_dirs_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> +       manage_files_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> +       relabel_dirs_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> +       relabel_files_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> 
>   ')
> 
> diff --git a/policy/modules/system/userdomain.if
> b/policy/modules/system/userdomain.if
> index f209ccf..b9bea7b 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -885,7 +885,7 @@
> template(`userdom_restricted_xwindows_user_template',`
>         logging_send_audit_msgs($1_t)
>         selinux_get_enforce_mode($1_t)
> 
> -       xserver_restricted_role($1_r, $1_t)
> +       xserver_restricted_role($1, $1_r, $1_t)
> 
>         optional_policy(`
>                 alsa_read_rw_config($1_t)
> --
> 1.6.5.rc2
> 
> 
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


