File xconsole.patch of Package selinux-policy
Basically, /dev/xconsole is a FIFO written to by syslog, and often is present even when there is no X. Therefore, this should go into the logging policy. Patch attached. best regards, Erich Schubert -- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_ Nothing prevents happiness like the memory of happiness. --- A. Gide //\ Die einzige Hoffnung auf Freude liegt in den menschlichen V_/_ Beziehungen. --- Antoine de Saint-Exupéry ["xconsole" (xconsole)]
Index: policy/modules/services/xserver.te
===================================================================
--- policy/modules/services/xserver.te.orig
+++ policy/modules/services/xserver.te
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
 userdom_user_tmp_file(xauth_tmp_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-dev_associate(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
 type xdm_unconfined_exec_t;
 application_executable_file(xdm_unconfined_exec_t)
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
 allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
 libs_exec_ldconfig(xdm_t)
 logging_read_generic_logs(xdm_t)
+logging_setattr_xconsole_pipes(xdm_t)
+
+# allow relabel of /dev/xconsole
+dev_associate(xconsole_device_t)
 miscfiles_search_man_pages(xdm_t)
 miscfiles_read_fonts(xdm_t)
Index: policy/modules/services/xserver.fc
===================================================================
--- policy/modules/services/xserver.fc.orig
+++ policy/modules/services/xserver.fc
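Review bot: The `dev_associate(xconsole_device_t)` added in xdm_t's local policy works against the stated goal of the patch: the FIFO sits under /dev, so the associate permission on the device filesystem is what lets it carry this label there at all, and the commit message says the pipe is present even without X, yet after this change that permission exists only while the xserver module is loaded. It also makes xserver.te use a type that logging.te now owns without going through an interface, which refpolicy's module layout does not allow; the first hunk in this file removes the declaration, so nothing in xserver.te brings the type into scope. Move the call to logging.te beside `type xconsole_device_t;` (restoring the `dev_associate(xconsole_device_t)` line the first hunk deletes) and drop the `# allow relabel of /dev/xconsole` comment, since dev_associate grants filesystem association, not relabel permission. xdm_t's local policy section continues outside the hunk.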
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
 /root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) # -# /dev # -/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0) - -# # /etc # /etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
 init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
 ########################################
 #
 # Auditctl local policy
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
@@ -631,11 +640,6 @@ optional_policy(`
 udev_read_db(syslogd_t)
 ')
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')
-
 #####################################################
 #
 # syslog client rules
Index: policy/modules/system/logging.if
===================================================================
--- policy/modules/system/logging.if.orig
+++ policy/modules/system/logging.if
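Review bot: The new `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` is inserted into the auditd section of logging.te, between `files_pid_filetrans(auditd_t, ...)` and `kernel_read_kernel_sysctls(auditd_t)`, where nobody will look for a syslogd rule; it belongs in syslogd's local policy, for example where the `xserver_rw_console(syslogd_t)` block is removed further down in this file. The permission set also changed from the `rw_fifo_file_perms` the removed interface granted to the plain-file macro `rw_file_perms`; write `allow syslogd_t xconsole_device_t:fifo_file rw_fifo_file_perms;` so the rule keeps the fifo-specific set, and keep the `# log to xconsole` comment with it. Making the rule unconditional is correct now that the type is declared in the same module.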
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
 logging_log_filetrans($1, var_log_t, dir, "anaconda")
 ')
+
+########################################
+## <summary>
+## Set the attributes of the xconsole named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_setattr_xconsole_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+## Read the xconsole named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
+logging_setattr_xconsole_pipes(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_manage_generic_cert_files(initrc_t)
@@ -1453,9 +1454,6 @@ optional_policy(`
 ')
 optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
 # init script wants to check if it needs to update windowmanagerlist
 xserver_read_xdm_rw_config(initrc_t)
 ')
Index: policy/modules/system/logging.fc
===================================================================
--- policy/modules/system/logging.fc.orig
+++ policy/modules/system/logging.fc
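Review bot: `logging_setattr_xconsole_pipes` grants only the bare `setattr` permission, whereas the `xserver_setattr_console_pipes` it replaces granted `setattr_fifo_file_perms` and xdm_t previously also had `getattr_fifo_file_perms`; a chmod or chown of /dev/xconsole typically stats the pipe first, so initrc_t and xdm_t are likely to start seeing getattr denials once this lands. Change the rule to `allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;`. Likewise `logging_r_xconsole` grants `{ getattr read }` without `open`, so a caller could not actually open the FIFO for reading; `allow $1 xconsole_device_t:fifo_file read_fifo_file_perms;` is the refpolicy form, and the interface would conventionally be named `logging_read_xconsole_pipes` to match its setattr sibling. No caller of `logging_r_xconsole` appears anywhere in this patch, so confirm it is needed at all.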
@@ -1,4 +1,5 @@
 /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
 /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if.orig
+++ policy/modules/services/xserver.if
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
 ######################################## ## <summary> -## Set the attributes of the X windows console named pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xserver_setattr_console_pipes',` - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; -') - ######################################## -## <summary> -## Read and write the X windows console named pipe. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xserver_rw_console',` - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; -') - ######################################## -## <summary> ## Read XDM state files. ## </summary> ## <param name="domain">
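Review bot: The new `/dev/xconsole` entry is labelled at `s0` directly beneath `/dev/log`, which this file labels `mls_systemhigh`, and the logging.te context earlier in this patch shows syslogd_t started as a ranged daemon at `mls_systemhigh` under `enable_mls`. Whether a systemhigh syslogd may write into an s0 FIFO depends on MLS overrides (something like refpolicy's `mls_file_write_all_levels`) that are not visible here; confirm syslogd_t has them and record the reason in a comment beside the entry, e.g. `# s0: readers of the console pipe run at the default level; syslogd has an MLS write override`. The `s0` level is carried over from the xserver.fc entry the patch removes, so this is pre-existing rather than introduced here.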