Changeset 2708

Timestamp:

06/05/08 22:15:56 (6 months ago)

Author:

cpebenito

Message:

rbacsep: more xserver collapsing.

Files:

• branches/rbacsep/policy/modules/services/xserver.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/xserver.te (modified) (16 diffs)

branches/rbacsep/policy/modules/services/xserver.if

@@ -502 +502 @@
-
-        xserver_common_x_domain_template($1,$1,$2)
+')
+
+interface(`xserver_role',`
+        domtrans_pattern($2, xserver_exec_t, xserver_t)
+        allow xserver_t $2:process signal;
+
+        allow xserver_t $2:shm rw_shm_perms;
+
+        manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+        manage_files_pattern($2, user_fonts_t, user_fonts_t)
+        relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+        relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+        manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+        manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+        relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+        relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+
+        manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+        manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+        relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+        relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+
+        stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+
+        allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+        # Communicate via System V shared memory.
+        allow xserver_t $2:shm rw_shm_perms;
+        allow $2 xserver_t:shm rw_shm_perms;
+
+        ##############################
+        #
+        # User X object manager local policy
+        #
+
+        # manage: xhost X11:ChangeHosts
+        # freeze: metacity X11:GrabKey
+        # force_cursor: metacity X11:GrabPointer
+        allow $2 xserver_t:x_device { manage freeze force_cursor };
+
+        # gnome-settings-daemon XKEYBOARD:SetControls
+        allow $2 xserver_t:x_server manage;
+
+        # gnome-settings-daemon RANDR:SelectInput
+        allow $2 xserver_t:x_resource write;
+
+        # metacity X11:InstallColormap X11:UninstallColormap
+        allow $2 rootwindow_t:x_colormap { install uninstall };
+
+        # read: gnome-settings-daemon RANDR:GetScreenSizeRange
+        # write: gnome-settings-daemon RANDR:SelectInput
+        # setattr: gnome-settings-daemon X11:GrabKey
+        # manage: metacity X11:ChangeWindowAttributes
+        allow $2 rootwindow_t:x_drawable { read write manage setattr };
+
+        # setattr: metacity X11:InstallColormap
+        allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
+
+        # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
+        allow $2 info_xproperty_t:x_property { create append write };
-')
-

branches/rbacsep/policy/modules/services/xserver.te

@@ -68 +68 @@
-type property_xevent_t, xevent_type;
-type remote_xclient_t;
+type rootwindow_t, rootwindow_type;
-type screensaver_xext_t, xextension_type;
-type security_xext_t, xextension_type;
@@ -138 +139 @@
-type xserver_t, x_server_domain;
-type xserver_exec_t;
-domain_type(xserver
-domain_entry_file
+xserver_common_x_domain_template(xdm,xdm,xdm
+init_system_domain
-
-type xserver_tmp_t;
@@ -153 +154 @@
-type xserver_log_t;
-logging_log_file(xserver_log_t)
-
-xserver_common_domain_template(xdm)
-xserver_common_x_domain_template(xdm,xdm,xdm_t)
-init_system_domain(xdm_xserver_t,xserver_exec_t)
-
-ifdef(`enable_mcs',`
@@ -314 +311 @@
-files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
-
-dm_x
-dm_x
-
-dm_x
-dm_x
+
+
+
+
+
-
-# transition to the xdm xserver
-dm_x
-dm_x
-dm_x
-
-dm_x
+
+
+
+
+
-
-# connect to xdm xserver over stream socket
-dm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_
+server_tmp_t,xserver_tmp_t,
-
-# Remove /tmp/.X11-unix/X0.
-dm_xserver_tmp_t,xdm_
-dm_xserver_tmp_t,xdm_
+server_tmp_t,
+server_tmp_t,
-
-manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t)
@@ -470 +467 @@
-        # FIXME:
-#       xserver_rw_session_template(xdm,unpriv_userdomain)
-dm_x
-dm_x
+
+
-')
-
@@ -510 +507 @@
-
-optional_policy(`
+        resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
-        seutil_sigchld_newrole(xdm_t)
-')
@@ -542 +543 @@
-')
-
-########################################
-#
-# XDM Xserver local policy
-#
-
-allow xdm_xserver_t xdm_t:process { signal getpgid };
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-
-# Label pid and temporary files with derived types.
-manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-manage_lnk_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-manage_sock_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-
-# Run xkbcomp.
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-files_search_var_lib(xdm_xserver_t)
-
-# VNC v4 module in X server
-corenet_tcp_bind_vnc_port(xdm_xserver_t)
-
-fs_search_auto_mountpoints(xdm_xserver_t)
-
-init_use_fds(xdm_xserver_t)
-
-# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
-
-xserver_use_all_users_fonts(xdm_xserver_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-        fs_manage_nfs_dirs(xdm_xserver_t)
-        fs_manage_nfs_files(xdm_xserver_t)
-        fs_manage_nfs_symlinks(xdm_xserver_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-        fs_manage_cifs_dirs(xdm_xserver_t)
-        fs_manage_cifs_files(xdm_xserver_t)
-        fs_manage_cifs_symlinks(xdm_xserver_t)
-')
-
-optional_policy(`
-        resmgr_stream_connect(xdm_t)
-')
-
-optional_policy(`
-        rhgb_rw_shm(xdm_xserver_t)
-        rhgb_rw_tmpfs_files(xdm_xserver_t)
-')
-
-optional_policy(`
-        unconfined_domain_noaudit(xdm_xserver_t)
-        unconfined_domtrans(xdm_xserver_t)
-
-        ifndef(`distro_redhat',`
-                allow xdm_xserver_t self:process { execheap execmem };
-        ')
-
-        ifdef(`distro_rhel4',`
-                allow xdm_xserver_t self:process { execheap execmem };
-        ')
-')
-
-        attribute $1_x_domain;
-        attribute $1_input_xevent_type;
-
-        type $1_rootwindow_t, rootwindow_type;
-
-########################################
@@ -650 +574 @@
-allow xserver_t self:udp_socket create_socket_perms;
-
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+
+allow xserver_t xauth_home_t:file { getattr read };
+
+# Labeling rules for root windows and colormaps
+type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
+
+allow xserver_t { rootwindow_t x_domain }:x_drawable send;
+
-manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -655 +588 @@
-files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
-
-dm_x
+
-
-manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -671 +604 @@
-manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xserver_t, xserver_log_t,file)
-
-        # Labeling rules for default windows and colormaps
-        type_transition xserver_t xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
-
-kernel_read_system_state(xserver_t)
@@ -765 +695 @@
-seutil_read_default_contexts(xserver_t)
-
+userdom_search_user_home_dirs($1,xserver_t)
+userdom_use_user_ttys($1,xserver_t)
+userdom_setattr_user_ttys($1,xserver_t)
+userdom_rw_user_tmpfs_files($1,xserver_t)
+
+xserver_use_user_fonts($1,xserver_t)
+
-ifndef(`distro_redhat',`
-        allow xserver_t self:process { execmem execheap execstack };
@@ -773 +710 @@
-')
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-optional_policy(`
@@ -813 +743 @@
-
-optional_policy(`
+        unconfined_domain_noaudit(xserver_t)
+        unconfined_domtrans(xserver_t)
+')
+
+optional_policy(`
+        userhelper_search_config(xserver_t)
+')
+
+optional_policy(`
-        xfs_stream_connect(xserver_t)
-')
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-        ##############################
@@ -867 +817 @@
-
-        # Device rules
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-        xserver_common_x_domain_template($1,$1,$2)
@@ -921 +844 @@
-
-ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file manage_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-tunable_policy(`allow_polyinstantiation',`
-# xdm needs access for linking .X11-unix to poly /tmp
@@ -947 +856 @@
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO