-rw-r--r-- | policy/modules/services/xserver.fc | 2 | ||||
-rw-r--r-- | policy/modules/services/xserver.if | 65 | ||||
-rw-r--r-- | policy/modules/services/xserver.te | 3 |
3 files changed, 68 insertions, 2 deletions
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 5b218c63..389b74fa 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xsession_log_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # @@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <<none>> +/tmp/xses-%{USERNAME} -- gen_context(system_u:object_r:xsession_log_t,s0) # # /usr diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c1d41b5b..59d5821e 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -107,6 +107,10 @@ interface(`xserver_restricted_role',` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + # for the .xsession-errors log file + xserver_user_home_dir_filetrans_user_xsession_log($2) + xserver_manage_xsession_log($2) + # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; @@ -307,7 +311,7 @@ interface(`xserver_user_client',` userdom_search_user_home_dirs($1) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1) + xserver_rw_xsession_log($1) xserver_ro_session($1,$2) xserver_use_user_fonts($1) 
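Review bot: The `/tmp/xses-%{USERNAME}` entry in the second xserver.fc hunk only applies when the file is relabelled, because the one type transition this commit adds is the home-directory one for `.xsession-errors` in xserver.if. A log created at run time under /tmp would presumably keep the creating domain's usual tmp type, so the new `xsession_log_t` rules would not cover it. The name is also predictable in a world-writable directory, and a path-based label says nothing about who created the file. If the entry is meant for relabelling only, say so next to it, for example `# relabel only: no type transition exists for the /tmp fallback log`. The `%{USERNAME}` token relies on the installed genhomedircon expanding it, so the minimum userspace version is worth noting as well.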
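Review bot: `xserver_rw_xsession_log($1)` in xserver_user_client, and the same call with `$2` in xserver_user_x_domain_template in the next hunk, gives every X client domain `rw_file_perms` on the shared session log, where the replaced line granted nothing and only silenced the denial. The log collects output from all programs in the session, so a confined client could read other programs' messages and overwrite them. If clients only need to write to an inherited stderr, an append-only grant would do: a new interface (say `xserver_append_xsession_log`) containing `allow $1 xsession_log_t:file append_file_perms;`, called here instead. Both enclosing bodies start and end outside their hunks, so whether anything else in them needs read access is not visible.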
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',` userdom_search_user_home_dirs($2) # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) + xserver_rw_xsession_log($2) xserver_ro_session($2,$3) xserver_use_user_fonts($2) @@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` ######################################## ## <summary> +## Create a .xsession-errors log +## file in the user home directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_user_home_dir_filetrans_user_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") +') + +######################################## +## <summary> ## Read all users fonts, user font configurations, ## and manage all users font caches. ## </summary> @@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',` ######################################## ## <summary> +## Read and write xsession log +## files such as .xsession-errors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file rw_file_perms; +') + +######################################## +## <summary> +## Manage xsession log files such +## as .xsession-errors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_manage_xsession_log',` + gen_require(` + type xsession_log_t; + ') + + allow $1 xsession_log_t:file manage_file_perms; +') + +######################################## +## <summary> ## Get the attributes of X server logs. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index ba96a780..1956ddb2 100644 
--- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) +type xsession_log_t; +userdom_user_home_content(xsession_log_t) + # Type for the X server log file. type xserver_log_t; logging_log_file(xserver_log_t) |
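Review bot: The new `xsession_log_t` declaration has no comment, unlike the `xserver_log_t` declaration just below it, which is introduced by `# Type for the X server log file.`. A line such as `# Type for the per-user X session log (~/.xsession-errors).` would make the difference between the two log types clear to the next reader. The type is declared with `userdom_user_home_content` only, while xserver.fc in this commit also assigns it to a path under /tmp, so the comment should state whether the /tmp location is meant to be covered.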