The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).
It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).
The second version of the patch correctly uses file type
transitions and uses more tight permissions.
The third version simply moves some interface calls.
The fourth version introduces the new template for
username-dependent file contexts.
The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).
This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.
The corresponding base policy patch is at version 4.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Interface fs_register_binary_executable_type allow registering
interpreters using a filesystem monted on /proc/sys/fs/binfmt_misc. In
order to access this filesystem, the process needs to search every
parent directory of the mountpoint.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The documentation page of this service describes well which access are
needed
(https://www.freedesktop.org/software/systemd/man/systemd-backlight@.service.html).
systemd-backlight:
- is a systemd service
- manages /var/lib/systemd/backlight/
- reads udev device properties to find ID_BACKLIGHT_CLAMP
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.
Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).
This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.
I do apologize for the broken interface in the previous version
of this patch.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The udev daemon should be able to load kernel modules not only on
systems using systemd but also on systems using former versions of
the udev daemon.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Update the udev module so that the udev domain can manage tmpfs files
and directories.
Thanks to Christian Göttsche for pointing out that this only applies
to systems not using systemd (v2).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock
Since the window managers are not limited by gnome-shell, the
userdomain module is modified by this patch in order to use
separate optional conditionals for the gnome and wm role templates.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.
This patch requires the following recently posted patch for the
games module:
[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).
Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.
Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.
The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.
This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).
This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.
THIS IS THE BASE POLICY PART.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>From the package description: "IP Tables State displays states being kept
by iptables in a top-like format". The netutils_t permission set fits it
snugly.
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains. Allowing access
by other domains to the new socket security classes is left to future
commits.
The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The kernel_read_unix_sysctls() and kernel_rw_unix_sysctls() currenly
don't allow listing the /proc/sys/net/unix directory, contrary to the
other sysctl interfaces.
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of this patch removes obsolete executable
permission from the unconfined module.
The seventh, eighth and nineth versions brings no changes in the base
part of the patch.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This permission is currently granted in an ifdef(systemd) block, but
it's also required on non-systemd systems if signed kernel modules are
being used.