X and SELinux on PowerPC

Wed Apr 14 08:23:03 UTC 2004

On Tue, 13 Apr 2004 23:12, "W. Michael Petullo" <mike at flyn.org> wrote:
> Has anyone had any luck with Fedora/SELinux on the PowerPC platform?

I guess you're the first to try it!  ;)

I've attached a new xserver_macros.te file, please try it out.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
#
# Macros for X server domains.
#

#
# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
#

#################################
#
# xserver_domain(domain_prefix)
#
# Define a derived domain for the X server when executed
# by a user domain (e.g. via startx).  See the xdm_t domain
# in domains/program/xdm.te if using an X Display Manager.
#
# The type declarations for the executable type for this program 
# and the log type are provided separately in domains/program/xserver.te. 
#
# FIXME!  The X server requires far too many privileges.
#
undefine(`xserver_domain')
ifdef(`xserver.te', `

define(`xserver_domain',`
# Derived domain based on the calling user domain and the program.
ifdef(`rpm.te', `
type $1_xserver_t, domain, privlog, privmem, privmodule;
allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
', `
type $1_xserver_t, domain, privlog, privmem;
')

# for SSP
allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };

# Transition from the user domain to this domain.
ifelse($1, xdm, `
ifdef(`xdm.te', `
domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
')
domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
', `
domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
')dnl end ifelse xdm

uses_shlib($1_xserver_t)
can_network($1_xserver_t)
allow $1_xserver_t xserver_port_t:tcp_socket name_bind;

# for access within the domain
general_domain_access($1_xserver_t)

allow $1_xserver_t etc_runtime_t:file { getattr read };

ifelse($1, xdm, `
# The system role is authorised for the xdm and initrc domains
role system_r types xdm_xserver_t;

allow xdm_xserver_t init_t:fd use;

dontaudit xdm_xserver_t sysadm_home_dir_t:dir { read search };
', `
# The user role is authorized for this domain.
role $1_r types $1_xserver_t;

allow $1_xserver_t getty_t:fd use;
allow $1_xserver_t local_login_t:fd use;
allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };

can_unix_connect($1_t, $1_xserver_t)

# Access the home directory.
allow $1_xserver_t home_root_t:dir search;
allow $1_xserver_t $1_home_dir_t:dir { getattr search };
ifdef(`allow_xserver_home_fonts', `
r_dir_file($1_xserver_t, $1_home_t)
')
ifdef(`xauth.te', `
allow $1_xserver_t $1_home_xauth_t:file { getattr read };
', `
allow $1_xserver_t $1_home_t:file { getattr read };
')dnl end ifdef xauth
ifdef(`userhelper.te', `
allow $1_xserver_t userhelper_conf_t:dir search;
')dnl end ifdef userhelper
')dnl end ifelse xdm

allow $1_xserver_t fs_t:filesystem getattr;
allow $1_xserver_t proc_t:dir { getattr search };
# XFree86-4 wants to check if kernel is tainted
allow $1_xserver_t { sysctl_t sysctl_kernel_t }:dir search;
allow $1_xserver_t sysctl_kernel_t:file { getattr read };

# Use capabilities.
# allow setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
# admin of APM bios?
# sys_nice is so that the X server can set a negative nice value
allow $1_xserver_t self:capability { dac_override setuid setgid sys_rawio sys_admin sys_nice sys_tty_config };
allow $1_xserver_t self:capability ipc_owner;

# memory_device_t access is needed if not using the frame buffer
#dontaudit $1_xserver_t memory_device_t:chr_file read;
allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
# net_bind_service is needed if you want your X server to allow TCP connections
# from other hosts, EG an XDM serving a network of X terms
# if you want good security you do not want this
# not sure why some people want chown, fsetid, and sys_tty_config.
#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
dontaudit $1_xserver_t self:capability chown;

# for nscd
dontaudit $1_xserver_t var_run_t:dir search;

allow $1_xserver_t mtrr_device_t:file rw_file_perms;
allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
allow $1_xserver_t devtty_t:chr_file rw_file_perms;
allow $1_xserver_t devtty_t:lnk_file read;

# Type for temporary files.
tmp_domain($1_xserver)
file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)

ifelse($1, xdm, `', `
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t $1_xserver_t:process signal;

# Allow the user domain to connect to the X server.
allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
ifdef(`xdm.te', `
allow $1_t xdm_tmp_t:sock_file { unlink };
')

# Signal the user domain.
allow $1_xserver_t $1_t:process signal;

# for /tmp/.ICE-unix
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
')dnl end ifelse xdm

# Create files in /var/log with the xserver_log_t type.
allow $1_xserver_t var_t:dir search;
file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
allow $1_xserver_t xserver_log_t:dir r_dir_perms;

# Access AGP device.
allow $1_xserver_t agp_device_t:chr_file rw_file_perms;

# for other device nodes such as the NVidia binary-only driver
allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;

# Access /proc/mtrr
allow $1_xserver_t proc_t:file rw_file_perms;

# Access /proc/sys/dev
allow $1_xserver_t sysctl_dev_t:dir search;
allow $1_xserver_t sysctl_dev_t:file { getattr read };

# Create and access /dev/dri devices.
allow $1_xserver_t dri_device_t:dir { setattr rw_dir_perms };
allow $1_xserver_t dri_device_t:chr_file create_file_perms;

allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };

# Run helper programs in $1_xserver_t.
can_exec_any($1_xserver_t)

# Connect to xfs.
ifdef(`xfs.te', `
can_unix_connect($1_xserver_t, xfs_t)
allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;

# Bind to the X server socket in /tmp.
allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
')

read_locale($1_xserver_t)

# Type for tmpfs/shm files.
tmpfs_domain($1_xserver)
ifelse($1, xdm, `', `
allow $1_xserver_t $1_t:shm rw_shm_perms;
allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
')dnl end ifelse xdm
ifdef(`xdm.te', `
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
')

# Use the mouse.
allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;

allow $1_xserver_t var_lib_t:dir search;
rw_dir_create_file($1_xserver_t, var_lib_xkb_t)

# for fonts
r_dir_file($1_xserver_t, fonts_t)
')dnl end macro definition

', `

define(`xserver_domain',`')

')