[selinux-policy: 1134/3172] work on xdm

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:43:03 UTC 2010


commit dace0b2d9dfd3c33bd83261ba153aafad088070f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jan 20 15:20:34 2006 +0000

    work on xdm

 refpolicy/policy/modules/services/xdm.te     |  100 +++++++++++++------------
 refpolicy/policy/modules/services/xserver.if |    2 +-
 2 files changed, 53 insertions(+), 49 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index 2f33fa7..2df0eb3 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -52,12 +52,33 @@ allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+allow xdm_t xdm_var_run_t:dir setattr;
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctl(xdm_t)
 
+corecmd_exec_shell(xdm_t)
+corecmd_exec_bin(xdm_t)
+corecmd_exec_sbin(xdm_t)
+
+corenet_tcp_connect_all_ports(xdm_t)
+
 dev_read_rand(xdm_t)
 dev_read_urand(xdm_t)
 
+files_read_etc_files(xdm_t)
+files_read_etc_runtime_files(xdm_t)
+files_exec_etc(xdm_t)
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+files_read_usr_files(xdm_t)
+
 selinux_get_fs_mount(xdm_t)
 selinux_validate_context(xdm_t)
 selinux_compute_access_vector(xdm_t)
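Review bot: `corenet_tcp_connect_all_ports(xdm_t)` lets the display manager open TCP connections to every port type, and nothing beside it says which remote services xdm actually needs. It carries over the old `allow xdm_t port_type:tcp_socket name_connect;` rule that this commit removes from the TODO block, so the breadth is inherited rather than new, but the move is the right moment to record the reason. I would add a comment above the call such as `# cjp: TODO: narrow to the ports xdm really uses; reason for all-ports access not recorded`, so a later audit can tell the grant is unreviewed rather than deliberate.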
@@ -65,13 +86,19 @@ selinux_compute_create_context(xdm_t)
 selinux_compute_relabel_context(xdm_t)
 selinux_compute_user_contexts(xdm_t)
 
-files_read_etc_runtime_files(xdm_t)
+auth_rw_lastlog(xdm_t)
+auth_append_login_records(xdm_t)
 
-ifdef(`targeted_policy',`
-	allow xdm_t self:process { execheap execmem };
-	unconfined_domain_template(xdm_t)
-	unconfined_domtrans(xdm_t)
-',`
+init_rw_utmp(xdm_t)
+# for reboot
+init_write_initctl(xdm_t)
+
+libs_exec_lib(xdm_t)
+
+seutil_read_config(xdm_t)
+seutil_read_default_contexts(xdm_t)
+
+ifdef(`strict_policy',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_filetrans_lock(xdm_t,xdm_lock_t)
 
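Review bot: `libs_exec_lib(xdm_t)` arrives without the explanation its predecessor had; the `can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })` line removed further down in this file was annotated `# lib_t is for running cpp`. Executing library-labelled files is an unusual grant for a login daemon, so the reason should travel with the rule: add `# lib_t is for running cpp` directly above `libs_exec_lib(xdm_t)`. The strict_policy ifdef opened at the end of this hunk continues outside it.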
@@ -90,6 +117,24 @@ ifdef(`targeted_policy',`
 	allow xdm_t xdm_var_lib_t:file create_file_perms;
 	allow xdm_t xdm_var_lib_t:dir create_dir_perms;
 	files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
+
+	allow xdm_t xdm_var_run_t:dir manage_dir_perms;
+	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
+	files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
+')
+
+ifdef(`targeted_policy',`
+	allow xdm_t self:process { execheap execmem };
+	unconfined_domain_template(xdm_t)
+	unconfined_domtrans(xdm_t)
+')
+
+optional_policy(`hostname',`
+	hostname_exec(xdm_t)
+')
+
+optional_policy(`loadkeys',`
+	loadkeys_exec(xdm_t)
 ')
 
 optional_policy(`locallogin',`
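Review bot: The strict-policy rules `allow xdm_t xdm_var_run_t:dir manage_dir_perms;` and `allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;` overlap the unconditional `xdm_var_run_t:dir setattr` and `xdm_var_run_t:fifo_file create_file_perms` rules that the first hunk adds near the top of the file. Presumably the manage sets already include those permissions, so in a strict build the same access is granted in two places and tightening one later would leave the other in force. I would keep a single grant per object class: drop the two unconditional rules, or keep them and comment which build each rule serves if the targeted build depends on them. The enclosing ifdef starts before this hunk.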
@@ -104,13 +149,7 @@ ifdef(`TODO',`
 # cjp: TODO: integrate strict policy:
 daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
 
-allow xdm_t xdm_var_run_t:dir setattr;
-
-# for xdmctl
-allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
 allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
 
 # NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@@ -118,20 +157,14 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 allow xdm_xserver_t xdm_var_run_t:file { getattr read };
 
-allow xdm_t default_context_t:dir search;
-allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
 can_network(xdm_t)
-allow xdm_t port_type:tcp_socket name_connect;
 
 allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
 allow xdm_t xdm_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
 allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
 allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
 allow xdm_xserver_t xdm_t:process signal;
-# for reboot
-allow xdm_t initctl_t:fifo_file write;
 
 # init script wants to check if it needs to update windowmanagerlist
 allow initrc_t xdm_rw_etc_t:file { getattr read };
@@ -172,19 +205,10 @@ allow xdm_xserver_t sysadm_t:fd use;
 rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
 allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
 
-# Run helper programs.
-allow xdm_t etc_t:file { getattr read };
-allow xdm_t bin_t:dir { getattr search };
-# lib_t is for running cpp
-can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
-allow xdm_t { bin_t sbin_t }:lnk_file read;
-ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
-ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
 allow xdm_t xdm_xserver_t:process sigkill;
 allow xdm_t xdm_xserver_tmp_t:file unlink;
 
 # Access devices.
-allow xdm_t device_t:dir { read search };
 allow xdm_t console_device_t:chr_file setattr;
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 allow xdm_t framebuf_device_t:chr_file { getattr setattr };
@@ -197,7 +221,6 @@ allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr }
 allow xdm_t v4l_device_t:chr_file { setattr getattr };
 allow xdm_t scanner_device_t:chr_file { setattr getattr };
 allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
-allow xdm_t device_t:lnk_file read;
 can_resmgrd_connect(xdm_t)
 
 # Access xdm log files.
@@ -226,13 +249,6 @@ allow xdm_t gpm_t:unix_stream_socket connectto;
 
 allow xdm_t sysfs_t:dir search;
 
-# Update utmp and wtmp.
-allow xdm_t initrc_var_run_t: file { read write lock };
-allow xdm_t wtmp_t:file append;
-
-# Update lastlog.
-allow xdm_t lastlog_t:file rw_file_perms;
-
 # Need to further investigate these permissions and
 # perhaps define derived types.
 allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
@@ -245,13 +261,6 @@ allow xdm_t xfs_tmp_t:sock_file write;
 can_unix_connect(xdm_t, xfs_t)
 ')
 
-allow xdm_t etc_t:lnk_file read;
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
 # Signal any user domain.
 allow xdm_t userdomain:process signal_perms;
 
@@ -275,9 +284,6 @@ dontaudit xdm_t devpts_t:dir search;
 dontaudit xdm_t domain:dir r_dir_perms;
 dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
 
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
 # Read fonts
 read_fonts(xdm_t)
 
@@ -396,7 +402,6 @@ domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
 allow xdm_t var_log_t:file { getattr read };
 allow xdm_t wtmp_t:file { getattr read };
 
-domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
 #
 # Poweroff wants to create the /poweroff file when run from xdm
 #
@@ -412,7 +417,6 @@ allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
 ifdef(`crack.te', `
 allow xdm_t crack_db_t:file r_file_perms;
 ')
-r_dir_file(xdm_t, selinux_config_t)
 
 # Run telinit->init to shutdown.
 can_exec(xdm_t, init_exec_t)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index f27d000..3f3da1a 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -283,7 +283,7 @@ template(`xserver_displaymgr_domain_template',`
 	#
 
 	xserver_common_domain_template($1)
-	role system_r types xdm_xserver_t;
+	init_system_domain($1_xserver_t,xserver_exec_t)
 
 	##############################
 	#
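Review bot: `init_system_domain($1_xserver_t,xserver_exec_t)` ties every instantiation of this template to the same entrypoint type, `xserver_exec_t`. Presumably the interface sets up the init-script transition that the removed `domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)` in xdm.te used to provide; if so, a second instantiation with a different `$1` would request a transition from the same source and entrypoint to a different domain, and the two cannot both hold. A comment above the call, for example `# only one display manager may instantiate this template: the init transition on xserver_exec_t is unique`, would document the constraint. The template body starts and ends outside this hunk.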

