Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.
Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).
This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.
I do apologize for the broken interface in the previous version
of this patch.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of this patch removes obsolete executable
permission from the unconfined module.
The seventh, eighth and nineth versions brings no changes in the base
part of the patch.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
xdm (currently used by the userdomain module in
the common user template);
- added permission to chat over dbus with colord.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
On Arch Linux, OpenSSH unit files are:
/usr/lib/systemd/system/sshdgenkeys.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
On Debian jessie, the unit files are:
/lib/systemd/system/ssh.service
/lib/systemd/system/ssh@.service
/lib/systemd/system/ssh.socket
On Fedora 22, the unit files are:
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
Use a pattern which matches every sshd unit and introduce an other type
for ssh-keygen units.
On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)
Label all these files but sftp-server as bin_t.
On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.
Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details). Therefore label it as xserver_exec_t.
This makes the following AVC appear:
denied { execute_no_trans } for pid=927 comm="X"
path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
scontext=system_u:system_r:xserver_t
tcontext=system_u:object_r:xserver_exec_t tclass=file
Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)
Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Guido Trentalancia
cgzones
Chris PeBenito
Laurent Bigonville
Nicolas Iooss
Luis Ressel
Jason Zaman
Sven Vermeulen