work on xdm

This commit is contained in:
Chris PeBenito 2006-02-07 21:48:00 +00:00
parent 955019421b
commit 5a975c1e44
3 changed files with 122 additions and 77 deletions

View File

@ -448,6 +448,39 @@ interface(`xserver_stream_connect_xdm',`
allow $1 xdm_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`xserver_read_xdm_rw_config',`
gen_require(`
type xdm_rw_etc_t;
')
files_search_etc($1)
allow $1 xdm_rw_etc_t:dir { getattr read };
')
########################################
## <summary>
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
type xdm_tmp_t;
')
allow $1 xdm_tmp_t:dir setattr;
')
########################################
## <summary>
## Create a named socket in a XDM
@ -570,3 +603,22 @@ interface(`xserver_dontaudit_write_log',`
dontaudit $1 xserver_log_t:file { append write };
')
########################################
## <summary>
## Do not audit attempts to write the X server
## log files.
## </summary>
## <param name="domain">
## Domain to not audit
## </param>
#
interface(`xserver_delete_log',`
gen_require(`
type xserver_log_t;
')
logging_search_logs($1)
allow $1 xserver_log_t:dir rw_dir_perms;
allow $1 xserver_log_t:file unlink;
')

View File

@ -1,5 +1,5 @@
policy_module(xserver,1.0.1)
policy_module(xserver,1.0.2)
########################################
#
@ -368,53 +368,53 @@ optional_policy(`xfs',`
# XDM Xserver local policy
#
allow xdm_xserver_t xdm_t:process signal;
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
# Label pid and temporary files with derived types.
allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
# Run xkbcomp.
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
fs_search_auto_mountpoints(xdm_xserver_t)
init_use_fd(xdm_xserver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
fs_manage_nfs_symlinks(xdm_xserver_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_xserver_t)
fs_manage_cifs_files(xdm_xserver_t)
fs_manage_cifs_symlinks(xdm_xserver_t)
')
ifdef(`strict_policy',`
allow xdm_xserver_t xdm_t:process signal;
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
# Label pid and temporary files with derived types.
allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
# Run xkbcomp.
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
fs_search_auto_mountpoints(xdm_xserver_t)
init_use_fd(xdm_xserver_t)
# FIXME: After per user fonts are properly working
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_user_home_files(xdm_xserver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
fs_manage_nfs_symlinks(xdm_xserver_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_xserver_t)
fs_manage_cifs_files(xdm_xserver_t)
fs_manage_cifs_symlinks(xdm_xserver_t)
')
ifdef(`TODO',`
# Read all global and per user fonts
read_fonts(xdm_xserver_t, sysadm)
@ -431,14 +431,6 @@ ifdef(`targeted_policy',`
')
ifdef(`TODO',`
# cjp: TODO: integrate strict policy:
# init script wants to check if it needs to update windowmanagerlist
allow initrc_t xdm_rw_etc_t:file { getattr read };
ifdef(`distro_suse', `
# set permissions on /tmp/.X11-unix
allow initrc_t xdm_tmp_t:dir setattr;
')
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
can_resmgrd_connect(xdm_t)

View File

@ -1,5 +1,5 @@
policy_module(init,1.2.1)
policy_module(init,1.2.2)
gen_require(`
class passwd rootok;
@ -428,30 +428,46 @@ ifdef(`distro_redhat',`
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
storage_create_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
files_create_boot_flag(initrc_t)
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
storage_create_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
# readahead asks for these
auth_dontaudit_read_shadow(initrc_t)
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
optional_policy(`bind',`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
')
optional_policy(`rpc',`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
')
optional_policy(`sysnetwork',`
sysnet_rw_dhcp_config(initrc_t)
')
optional_policy(`xserver',`
xserver_delete_log(initrc_t)
')
')
ifdef(`distro_suse',`
optional_policy(`xserver',`
# set permissions on /tmp/.X11-unix
xserver_setattr_xdm_tmp_dirs(initrc_t)
')
')
ifdef(`targeted_policy',`
@ -484,12 +500,6 @@ optional_policy(`bind',`
# for chmod in start script
bind_setattr_pid_dirs(initrc_t)
# for /etc/rndc.key
ifdef(`distro_redhat',`
# Allow init script to cp localtime to named_conf_t
bind_write_config(initrc_t)
')
')
optional_policy(`bluetooth',`
@ -668,10 +678,6 @@ optional_policy(`su',`
')
optional_policy(`sysnetwork',`
ifdef(`distro_redhat',`
sysnet_rw_dhcp_config(initrc_t)
')
sysnet_read_dhcpc_state(initrc_t)
')
@ -682,6 +688,11 @@ optional_policy(`xfs',`
xfs_read_sockets(initrc_t)
')
optional_policy(`xserver',`
# init s cript wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
optional_policy(`zebra',`
zebra_read_config(initrc_t)
')
@ -690,17 +701,7 @@ ifdef(`TODO',`
# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;
# during boot up initrc needs to do the following
allow initrc_t default_t:dir write;
ifdef(`distro_redhat', `
allow initrc_t device_t:dir create;
ifdef(`xserver.te', `
# wants to cleanup xserver log dir
allow initrc_t xserver_log_t:dir rw_dir_perms;
allow initrc_t xserver_log_t:file unlink;
')
')
') dnl end TODO