[selinux-policy: 1207/3172] implement x_client_domain replacement

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:49:16 UTC 2010


commit 24a63797d771f85f51a75d93a3143bf60982b2f7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Feb 15 16:42:51 2006 +0000

    implement x_client_domain replacement

 refpolicy/policy/global_tunables              |   10 ++-
 refpolicy/policy/modules/apps/java.if         |   28 ++---
 refpolicy/policy/modules/apps/tvtime.if       |   15 ++-
 refpolicy/policy/modules/services/ssh.if      |   39 +++++-
 refpolicy/policy/modules/services/xserver.if  |  166 +++++++++++++++++++++++++
 refpolicy/policy/modules/services/xserver.te  |    3 +-
 refpolicy/policy/modules/system/userdomain.if |   53 +++++---
 7 files changed, 266 insertions(+), 48 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 3199861..b96f390 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -322,7 +322,7 @@ gen_tunable(user_ping,false)
 # Strict policy specific
 #
 
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow gpg executable stack
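Review bot: Rewriting `ifdef(`targeted_policy',`',`` as `ifdef(`strict_policy',`` is only equivalent if exactly one of `targeted_policy` and `strict_policy` is always defined; a build that defines neither used to get this block and now will not. If that is intended, a comment above the ifdef such as `# Strict-only tunables; not built for any other policy type.` would make the narrowing explicit. The closing quote of this ifdef lies outside the hunk, so the remainder of the block could not be checked.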
@@ -346,6 +346,14 @@ gen_tunable(allow_user_mysql_connect,false)
 
 ## <desc>
 ## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm,false)
+
+## <desc>
+## <p>
 ## Allow cdrecord to read various content.
 ## nfs, samba, removable devices, user temp
 ## and untrusted content files
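Review bot: `allow_write_xshm` is declared at line 346, which from the hunk headers appears to fall inside the `ifdef(`strict_policy'` block opened near line 322, while the `tunable_policy(`allow_write_xshm'` reference in `xserver_user_client_template` is not itself guarded by `strict_policy`; if any caller of that template (`base_user_template`, ssh, java, tvtime) is built under targeted policy, the boolean would be undeclared there. Either declare the tunable outside the strict-only section or guard the reference at the call site. The description could also state the default, e.g. `## Allow X clients write access to the X server shared memory segments (default: read-only).`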
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index d32cc95..effd249 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -48,6 +48,9 @@ template(`java_per_userdomain_template',`
 	
 	type $1_javaplugin_tmp_t;
 	files_tmp_file($1_javaplugin_tmp_t)
+
+	type $1_javaplugin_tmpfs_t;
+	files_tmpfs_file($1_javaplugin_tmpfs_t)
 	
 	########################################
 	#
@@ -67,6 +70,13 @@ template(`java_per_userdomain_template',`
 	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
 	files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
 
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 	# cjp: rw_dir_perms here doesnt make sense
 	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
 	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
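Review bot: The five new `$1_javaplugin_tmpfs_t` rules spell out permission sets by hand, while the ssh.if part of this same commit writes the identical rules with the refpolicy macros (`rw_dir_perms`, `manage_file_perms`, `create_lnk_perms`); the listed sets look like those macros' expansions, so `allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir rw_dir_perms;` and `allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file manage_file_perms;` (and likewise for the other classes) would keep the two modules consistent and track future macro changes. Confirm the expansions match before substituting. `java_per_userdomain_template` starts and ends outside this hunk.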
@@ -164,21 +174,7 @@ template(`java_per_userdomain_template',`
 		nscd_socket_use($1_javaplugin_t)
 	')
 
-	ifdef(`TODO',`
-	# Manipulate the global font cache
-	create_dir_file($1, $2_fonts_cache_t)
-	
-	# Read per user fonts and font config
-	r_dir_file($1, $2_fonts_t)
-	r_dir_file($1, $2_fonts_config_t)
-	
-	# There are some fonts in .gnome2
-	ifdef(`gnome.te', `
-		allow $1 $2_gnome_settings_t:dir { getattr search };
+	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 	')
-	
-	allow $1_javaplugin_t $1_xauth_home_t:file { getattr read };
-	# Connect to X server
-	x_client_domain($1_javaplugin, $2) 
-	') dnl end TODO
 ')
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
index ae2a228..7281785 100644
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -50,6 +50,9 @@ template(`tvtime_per_userdomain_template',`
 
 	type $1_tvtime_tmp_t;
 	files_tmp_file($1_tvtime_tmp_t)
+
+	type $1_tvtime_tmpfs_t;
+	files_tmpfs_file($1_tvtime_tmpfs_t)
 	
 	########################################
 	#
@@ -71,7 +74,13 @@ template(`tvtime_per_userdomain_template',`
 	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
 	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
 	files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
-	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	# Type transition
 	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
@@ -133,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_tvtime_t)
 	')
 
-	ifdef(`TODO',`
-		x_client_domain($1_tvtime, $1)
+	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
 	')
 ')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index d4bfca2..c12cc52 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -59,11 +59,14 @@ template(`ssh_per_userdomain_template',`
 	domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
 	role $3 types $1_ssh_agent_t;
 
-	type $1_ssh_keysign_t; #, nscd_client_domain;
+	type $1_ssh_keysign_t;
 	domain_type($1_ssh_keysign_t)
 	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
 	role $3 types $1_ssh_keysign_t;
 
+	type $1_ssh_tmpfs_t;
+	files_tmpfs_file($1_ssh_tmpfs_t)
+
 	##############################
 	#
 	# $1_ssh_t local policy
@@ -82,6 +85,13 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t self:msg { send receive };
 	allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
+	allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+	fs_filetrans_tmpfs($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
 	allow $2 $1_ssh_t:fd use;
@@ -211,6 +221,7 @@ template(`ssh_per_userdomain_template',`
 	')
 
 	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
 		xserver_domtrans_user_xauth($1,$1_ssh_t)
 	')
 
@@ -232,15 +243,9 @@ template(`ssh_per_userdomain_template',`
 	# for /bin/sh used to execute xauth
 	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
 
-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_t)
 
-	# Connect to X server
-	x_client_domain($1_ssh, $1)
-
 	#allow ssh to access keys stored on removable media
 	# Should we have a boolean around this?
 	files_search_mnt($1_ssh_t)
@@ -610,6 +615,26 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
+##	Connect to SSH daemons over TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_tcp_connect',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:tcp_socket { connectto recvfrom };
+	allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
 ##	Read ssh server keys
 ## </summary>
 ## <param name="domain">
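Review bot: `ssh_tcp_connect` grants the caller `connectto`/`recvfrom` on every `sshd_t` TCP socket and gives `sshd_t` `acceptfrom` on the caller's sockets, and `xserver_user_client_template` in this commit invokes it for every X client domain whenever the ssh module is present, so user shells, the Java plugin and tvtime all receive it whether or not X11 forwarding is ever used. A least-privilege option is to wrap the call site in a tunable defaulting to off, in the style of the other optional user accesses in global_tunables. At minimum the summary should name the intended use, e.g. `##	Connect to sshd TCP sockets (e.g. a forwarded X11 display over an ssh tunnel).`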
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index a2cf69c..49de4bc 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -1,5 +1,17 @@
 ## <summary>X Windows Server</summary>
 
+#######################################
+## <summary>
+##	Template to create types and rules common to
+##	all X server domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
 template(`xserver_common_domain_template',`
 
 	##############################
@@ -404,6 +416,160 @@ template(`xserver_per_userdomain_template',`
 	')
 ')
 
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read-only
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_ro_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+	')
+
+	# Xserver read/write client shm
+	allow $1_xserver_t $2:fd use;
+	allow $1_xserver_t $2:shm rw_shm_perms;
+	allow $1_xserver_t $3:file rw_file_perms;
+
+	# Connect to xserver
+	allow $2 $1_xserver_t:unix_stream_socket connectto;
+	allow $2 $1_xserver_t:process signal;
+
+	# Read /tmp/.X0-lock
+	allow $2 $1_xserver_tmp_t:file { getattr read };
+
+	# Client read xserver shm
+	allow $2 $1_xserver_t:fd use;
+	allow $2 $1_xserver_t:shm r_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read and write
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_rw_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	xserver_ro_session_template($1,$2,$3)
+	allow $2 $1_xserver_t:shm rw_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating full client sessions
+##	on a user X server.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_user_client_template',`
+
+	gen_require(`
+		type xdm_t, xdm_tmp_t;
+		type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	allow $2 self:shm create_shm_perms;
+	allow $2 self:unix_dgram_socket create_socket_perms;
+	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+	# Read .Xauthority file
+	allow $2 $1_xauth_home_t:file { getattr read };
+
+	# for when /tmp/.X11-unix is created by the system
+	allow $2 xdm_t:fd use;
+	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_tmp_t:dir search;
+	allow $2 xdm_tmp_t:sock_file { read write };
+	dontaudit $2 xdm_t:tcp_socket { read write };
+
+	# Allow connections to X server.
+	files_search_tmp($2)
+
+	miscfiles_read_fonts($2)
+
+	userdom_search_user_home($1,$2)
+	# for .xsession-errors
+	userdom_dontaudit_write_user_home_files($1,$2)
+
+	xserver_ro_session_template(xdm,$2,$3)
+	xserver_rw_session_template($1,$2,$3)
+
+	# Client write xserver shm
+	tunable_policy(`allow_write_xshm',`
+		allow $2 $1_xserver_t:shm rw_shm_perms;
+		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	')
+
+	# for X over a ssh tunnel
+	optional_policy(`ssh',`
+		kernel_tcp_recvfrom($2)
+		ssh_tcp_connect($2)
+	')
+
+	ifdef(`TODO',`
+	# cjp: need to implement the user-specific fonts part
+	read_fonts($2, $1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Transition to a user Xauthority domain.
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index dacf9aa..248032d 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -276,8 +276,7 @@ ifdef(`strict_policy',`
 	auth_domtrans_chk_passwd(xdm_t)
 	auth_domtrans_pam_console(xdm_t)	
 
-	# FIXME:
-	# xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+	xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
 	tunable_policy(`xdm_sysadm_login',`
 		userdom_xsession_spec_domtrans_all_users(xdm_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 82c0117..cef0ee7 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -245,7 +245,6 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)
 
 	miscfiles_read_localization($1_t)
-	miscfiles_read_fonts($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
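Review bot: Dropping `miscfiles_read_fonts($1_t)` from `base_user_template` moves font access into `xserver_user_client_template`, which this commit only calls under `optional_policy(`xserver'`; on a build without the xserver module, user domains lose font reading that may not be X-specific (the TeX accesses directly below suggest other font consumers). Unless that regression is intended, keep the unconditional `miscfiles_read_fonts($1_t)` here — the duplicate inside the X client template is harmless. `base_user_template` starts and ends outside this hunk.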
@@ -440,6 +439,7 @@ template(`base_user_template',`
 
 	optional_policy(`xserver',`
 		dev_rw_xserver_misc($1_t)
+		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
 		xserver_xsession_entry_type($1_t)
 		xserver_dontaudit_write_log($1_t)
 		xserver_stream_connect_xdm($1_t)
@@ -474,27 +474,9 @@ template(`base_user_template',`
 
 	can_resmgrd_connect($1_t)
 
-	# Use X
-	x_client_domain($1, $1)
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_var_lib_t:file r_file_perms;
 	')
-
-	# start read_fonts()
-	# cjp: these types come in from fontconfig
-	# Manipulate the global font cache
-	create_dir_file($1, $1_fonts_cache_t)
-
-	# Read per user fonts and font config
-	r_dir_file($1, $1_fonts_t)
-	r_dir_file($1, $1_fonts_config_t)
-
-	# There are some fonts in .gnome2
-	ifdef(`gnome.te', `
-	allow $1 $2_gnome_settings_t:dir { getattr search };
-	')
-	# end read_fonts()
 	') dnl endif TODO
 
 ')
@@ -1392,6 +1374,39 @@ template(`userdom_dontaudit_read_user_home_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to write user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_write_user_home_files',`
+	gen_require(`
+		type $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:file write;
+')
+
+########################################
+## <summary>
 ##	Read user home subdirectory symbolic links.
 ## </summary>
 ## <desc>

