From 87d4a650599b7f663a759fb7f398842e45711685 Mon Sep 17 00:00:00 2001
From: David Sugar
Date: Fri, 8 Dec 2017 12:43:47 +0000
Subject: [PATCH] Create interfaces to write to inherited xserver log files.
Updated based on feedback
Signed-off-by: Dave Sugar
---
policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++
policy/support/obj_perm_sets.spt | 1 +
2 files changed, 40 insertions(+)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e70046db6..b60957fb9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1056,6 +1056,26 @@ interface(`xserver_xsession_spec_domtrans',`
 domain_transition_pattern($1, xsession_exec_t, $2)
 ')
+########################################
+##
+## Write to inherited xsession log
+## files such as .xsession-errors.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_write_inherited_xsession_log',`
+gen_require(`
+type xsession_log_t;
+')
+
+allow $1 xsession_log_t:file write_inherited_file_perms;
+')
+
 ########################################
 ##
 ## Read and write xsession log
@@ -1094,6 +1114,25 @@ interface(`xserver_manage_xsession_log',`
 allow $1 xsession_log_t:file manage_file_perms;
 ')
+########################################
+##
+## Write to inherited X server log
+## files like /var/log/lightdm/lightdm.log
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_write_inherited_log',`
+gen_require(`
+type xserver_log_t;
+')
+
+allow $1 xserver_log_t:file write_inherited_file_perms;
+')
 ########################################
 ##
 ## Get the attributes of X server logs.
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 655767729..eb021bc04 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
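Review bot: The summary of xserver_write_inherited_xsession_log should state the property that makes this interface narrower than xserver_rw_xsession_log: the permission set carries no `open`, so the caller can only write to a descriptor it already holds (one inherited across the domain transition set up by xserver_xsession_spec_domtrans, presumably) and cannot itself open files labeled xsession_log_t. Without that sentence a policy author reading only the interface name may pick it expecting an ordinary write grant and then see unexpected denials, or pick the wider interface when this one would do. Suggested wording for the summary block: `##	Write to inherited xsession log files such as .xsession-errors. Does not grant open, so only an already-open descriptor can be written.` The same documentation point applies to xserver_write_inherited_log in the second hunk of this file, whose summary should note the same restriction for xserver_log_t. The XML summary and param tags appear to have been lost in this rendering of the patch and are not being flagged here.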
@@ -157,6 +157,7 @@ define(`read_file_perms',`{ getattr open read lock ioctl }')
 define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_file_perms',`{ open rw_inherited_file_perms }')
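Review bot: The existing `write_file_perms` on the context line directly below the new macro is now exactly the new set plus `open`, so it should be derived from it the way `rw_file_perms` is already derived from `rw_inherited_file_perms`: ``define(`write_file_perms',`{ open write_inherited_file_perms }')``. Spelling the relationship out keeps the two sets from drifting apart if either is extended later and makes the intent of the new macro self-evident to readers of this file: the inherited variant is the write set minus the ability to open the file. The ordering of the new line, inherited set immediately before its open-capable counterpart, already matches the rw pair and is fine as is.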