Basically, /dev/xconsole is a FIFO written to by syslog, and often is
present even when there is no X. Therefore, this should go into the
logging policy.
Patch attached.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Nothing prevents happiness like the memory of happiness. --- A. Gide //\
Die einzige Hoffnung auf Freude liegt in den menschlichen V_/_
Beziehungen. --- Antoine de Saint-Exupéry
["xconsole" (xconsole)]
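--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
 userdom_user_tmp_file(xauth_tmp_t)
 
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-dev_associate(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
 type xdm_unconfined_exec_t;
 application_executable_file(xdm_unconfined_exec_t)
 
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 
-allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
 libs_exec_ldconfig(xdm_t)
 
 logging_read_generic_logs(xdm_t)
+logging_setattr_xconsole_pipes(xdm_t)
+
+# allow relabel of /dev/xconsole
+dev_associate(xconsole_device_t)
 
 miscfiles_search_man_pages(xdm_t)
 miscfiles_read_fonts(xdm_t)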
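Review bot: The added `dev_associate(xconsole_device_t)` in the third hunk (the xdm_t section, right after `logging_read_generic_logs(xdm_t)`) references a type this same patch moves out of xserver.te into logging.te, with no gen_require or interface around it, so in a modular build the xserver module no longer declares the type it names. The call also belongs with the type declaration, and the new block in the first hunk of logging.te lists `files_type`, `fs_associate_tmpfs` and `files_associate_tmp` but drops `dev_associate`, which is what permits a file of this type to exist on the /dev filesystem at all. Move the line into logging.te directly after `files_type(xconsole_device_t)` and delete it here together with `# allow relabel of /dev/xconsole`, which misdescribes it: dev_associate is a filesystem-association rule, not a relabel permission. Separately, the xdm_t rule removed in the second hunk granted `{ getattr_fifo_file_perms setattr_fifo_file_perms }`, while `logging_setattr_xconsole_pipes` grants only setattr, so if xdm stats the pipe before changing its mode that getattr will now be denied; consider having the interface grant `{ getattr setattr }` as the old rule did.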
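--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
 /root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
 
 #
-# /dev
-#
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
 # /etc
 #
 /etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)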
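--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
 init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
 ########################################
 #
 # Auditctl local policy
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
 
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
@@ -631,11 +640,6 @@ optional_policy(`
 udev_read_db(syslogd_t)
 ')
 
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')
-
 #####################################################
 #
 # syslog client rules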
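Review bot: The new `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` in the second hunk sits in the middle of the auditd_t rules under the `# Auditctl local policy` heading (`files_pid_filetrans(auditd_t, ...)` above it, `kernel_read_kernel_sysctls(auditd_t)` below), so a reader looking for syslogd's access to the pipe will not find it there; it belongs in the syslogd section, for example where the removed `xserver_rw_console(syslogd_t)` block stood in the third hunk. The object class is fifo_file, so the permission set should be `rw_fifo_file_perms`, matching the interface this rule replaces in xserver.if, rather than `rw_file_perms`. The comment could also name the object: `# write syslog output to the /dev/xconsole pipe`.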
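--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
 
 logging_log_filetrans($1, var_log_t, dir, "anaconda")
 ')
+
+########################################
+## <summary>
+## Set the attributes of the xconsole named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_setattr_xconsole_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+## Read the xconsole named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+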
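Review bot: `logging_r_xconsole` grants `{ getattr read }` on the fifo but not `open`, so on a policy that enforces the open permission a caller could stat the pipe yet still be denied when it opens it for reading; the reference-policy set for this is `allow $1 xconsole_device_t:fifo_file read_fifo_file_perms;`. The name also departs from the `logging_<verb>_<object>` form used by its sibling `logging_setattr_xconsole_pipes` and by the removed `xserver_setattr_console_pipes`, something like `logging_read_xconsole_pipes` would be consistent, and nothing in this patch calls it, so it could be left out until there is a user. In `logging_setattr_xconsole_pipes` the bare `setattr` could likewise be written as `setattr_fifo_file_perms`, as the interface it replaces did. The two summaries disagree on `named pipes` versus `named pipe` for the same object; pick one.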
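--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
+logging_setattr_xconsole_pipes(initrc_t)
 
 # slapd needs to read cert files from its initscript
 miscfiles_manage_generic_cert_files(initrc_t)
@@ -1453,9 +1454,6 @@ optional_policy(`
 ')
 
 optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
 # init script wants to check if it needs to update windowmanagerlist
 xserver_read_xdm_rw_config(initrc_t)
 ')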
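Review bot: The new `logging_setattr_xconsole_pipes(initrc_t)` in the first hunk drops the explanatory comment that accompanied the call it replaces (`# Set device ownerships/modes.` in the second hunk); keep the intent visible with `# Set ownership/mode of the /dev/xconsole pipe.` above the new line. Taking the call out of the `optional_policy` block is consistent with the type now living in logging.te rather than xserver, assuming logging is always part of the base policy in this tree.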
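--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
 /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
 
 /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)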
Index: policy/modules/services/xserver.if
|
|
===================================================================
|
|
--- policy/modules/services/xserver.if.orig
|
|
+++ policy/modules/services/xserver.if
|
|
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set the attributes of the X windows console named pipes.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`xserver_setattr_console_pipes',`
|
|
- gen_require(`
|
|
- type xconsole_device_t;
|
|
- ')
|
|
-
|
|
- allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Read and write the X windows console named pipe.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`xserver_rw_console',`
|
|
- gen_require(`
|
|
- type xconsole_device_t;
|
|
- ')
|
|
-
|
|
- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
## Read XDM state files.
|
|
## </summary>
|
|
## <param name="domain">
|