author | corentin.labbe <corentin.labbe@geomatys.fr> | 2009-09-11 14:21:59 +0200 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-15 08:46:28 -0400 |
commit | 31f9c109c1e9579d11421a03fdb96179bd52924e (patch) | |
tree | 6ae08baa0c9b265e0a8b38940135a46657c510ba | |
parent | c141d835f16dc3d1d052ea814a64d6a241f7cb0e (diff) |
SELinux xscreensaver policy support
Hello
This is a patch adding an xscreensaver policy module.
I think xscreensaver needs its own domain because of the auth_domtrans_chk_passwd it requires for unlocking.
cordially
Signed-off-by: LABBE Corentin <corentin.labbe@geomatys.fr>
-rw-r--r-- | policy/modules/apps/xscreensaver.fc | 1 | ||||
-rw-r--r-- | policy/modules/apps/xscreensaver.if | 34 | ||||
-rw-r--r-- | policy/modules/apps/xscreensaver.te | 52 |
3 files changed, 87 insertions, 0 deletions
diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc
new file mode 100644
index 00000000..64cd5fc2
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.fc
@@ -0,0 +1 @@
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if
new file mode 100644
index 00000000..5a1c63c7
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.if
@@ -0,0 +1,34 @@
+## <summary>xscreensaver policy interface</summary>
+
+########################################
+## <summary>
+## Role access for xscreensaver
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`xscreensaver_role',`
+ gen_require(`
+ type xscreensaver_t, xscreensaver_exec_t;
+ ')
+
+ role $1 types xscreensaver_t;
+
+ domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
+
+ allow xscreensaver_t $2:fd use;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, xscreensaver_t)
+ allow $2 xscreensaver_t:process signal_perms;
+ allow xscreensaver_t $2:process sigchld;
+
+')
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
new file mode 100644
index 00000000..f4f8b005
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.te 
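Review bot: The XML header of `xscreensaver_role` is missing the `## <rolecap/>` tag that refpolicy puts on interfaces doing `role $1 types …`, so the generated interface documentation will not list this as a role capability; add `## <rolecap/>` after the last `## </param>` and before the `#` line that closes the header. `allow $2 xscreensaver_t:process signal_perms;` includes sigkill, which on a screen locker reads like a lock bypass at first glance; it is acceptable only because `$2` is the same user's session domain, so replace the generic `# Allow the user domain to signal/ps.` with `# $2 is the same user's session: it may stop/restart its own locker and list it in ps.` The `allow xscreensaver_t $2:fd use;` line also deserves a short why-comment (inherited stdio/X fds, presumably) since nothing in the hunk says what fds are expected.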
@@ -0,0 +1,52 @@
+policy_module(xscreensaver, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+application_domain(xscreensaver_t, xscreensaver_exec_t)
+
+type xscreensaver_tmpfs_t;
+files_tmpfs_file(xscreensaver_tmpfs_t)
+ubac_constrained(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+auth_use_nsswitch(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+miscfiles_read_localization(xscreensaver_t)
+
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+allow xscreensaver_t self:process signal;
+
+#access to .icons and ~/.xscreensaver
+userdom_read_user_home_content_files(xscreensaver_t)
+
+userdom_use_user_ptys(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+#/var/run/utmp
+init_read_utmp(xscreensaver_t)
+
+########################################
+#
+# X Serveur and co
+#
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+
+########################################
+#
+# process, kernel and /proc /dev /sys
+#
+
+kernel_read_system_state(xscreensaver_t) |
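Review bot: `auth_domtrans_chk_passwd(xscreensaver_t)` is, per the commit message, the whole reason xscreensaver gets its own domain, yet it carries no comment in the hunk; add `# unlock: verify the user's password through the chkpwd domain instead of letting the locker read shadow_t itself` above it so the rationale survives in the policy. `logging_send_audit_msgs(xscreensaver_t)` gives an unprivileged per-user locker audit-socket access; if it was added only to silence a denial from the PAM stack rather than because failed unlocks are actually reported through audit, a `dontaudit` would be tighter, so please confirm which and comment it. I see no `corecmd_exec_bin`-style permission in this hunk, so if the daemon is expected to spawn its display hacks from `xscreensaver_t` they will be denied in enforcing mode; whether that is intended (hacks disabled) or an omission should be stated in a comment next to the "Local policy" header. The section header `# X Serveur and co` should read `# X server and co`.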