File xconsole.patch of Package selinux-policy.37503

Basically, /dev/xconsole is a FIFO written to by syslog, and it is often
present even when there is no X. Therefore, it should go into the
logging policy.
Patch attached.

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
 Nothing prevents happiness like the memory of happiness. --- A. Gide //\
       Die einzige Hoffnung auf Freude liegt in den menschlichen      V_/_
               Beziehungen. --- Antoine de Saint-Exupéry

["xconsole" (xconsole)]

Index: policy/modules/services/xserver.te
===================================================================
--- policy/modules/services/xserver.te.orig
+++ policy/modules/services/xserver.te
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
 userdom_user_tmp_file(xauth_tmp_t)
 
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-dev_associate(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
 type xdm_unconfined_exec_t;
 application_executable_file(xdm_unconfined_exec_t)
 
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 
-allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
 libs_exec_ldconfig(xdm_t)
 
 logging_read_generic_logs(xdm_t)
+logging_setattr_xconsole_pipes(xdm_t)
+
+# allow relabel of /dev/xconsole
+dev_associate(xconsole_device_t)
 
 miscfiles_search_man_pages(xdm_t)
 miscfiles_read_fonts(xdm_t)
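Review bot: `dev_associate(xconsole_device_t)` added here references a type that this patch now declares in logging.te, and xserver.te has no gen_require or interface bringing it into scope, so a modular build of the xserver module will most likely fail on an undeclared type. The declaration block removed from xserver.te above carried dev_associate alongside files_type/fs_associate_tmpfs/files_associate_tmp, but the relocated block in the logging.te hunk drops it. Since the FIFO lives under /dev whether or not X is installed, the call belongs next to the type declaration in logging.te, as `dev_associate(xconsole_device_t)` between `files_type(xconsole_device_t)` and `fs_associate_tmpfs(xconsole_device_t)`, and the two added lines here should go.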
Index: policy/modules/services/xserver.fc
===================================================================
--- policy/modules/services/xserver.fc.orig
+++ policy/modules/services/xserver.fc
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
 /root/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 #
-# /dev
-#
-/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
 # /etc
 #
 /etc/gdm(3)?/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
 ########################################
 #
 # Auditctl local policy
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
 
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
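Review bot: The new `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` lands inside the auditd local policy section, between auditd_t's pid filetrans and its sysctl rules, rather than in the syslogd section where the removed `xserver_rw_console(syslogd_t)` call lived. It should move next to the other syslogd_t rules. The permission set should also be the FIFO-specific macro the removed interface used, `allow syslogd_t xconsole_device_t:fifo_file rw_fifo_file_perms;`.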
@@ -631,11 +640,6 @@ optional_policy(`
 	udev_read_db(syslogd_t)
 ')
 
-optional_policy(`
-	# log to the xconsole
-	xserver_rw_console(syslogd_t)
-')
-
 #####################################################
 #
 # syslog client rules
Index: policy/modules/system/logging.if
===================================================================
--- policy/modules/system/logging.if.orig
+++ policy/modules/system/logging.if
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
 
     logging_log_filetrans($1, var_log_t, dir, "anaconda")
 ')
+
+########################################
+## <summary>
+##	Set the attributes of the xconsole named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_setattr_xconsole_pipes',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the xconsole named pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_r_xconsole',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+
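Review bot: `logging_setattr_xconsole_pipes` grants only `setattr`, while the `xserver_setattr_console_pipes` it replaces granted `setattr_fifo_file_perms`, and the direct xdm_t rule removed from xserver.te also carried `getattr_fifo_file_perms`; xdm_t and initrc_t, the two callers this patch adds, therefore lose getattr on the pipe, which chmod/chown-style tools typically need before changing attributes. Use `allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;`, or the `{ getattr_fifo_file_perms setattr_fifo_file_perms }` pair to match the old xdm_t rule exactly. For consistency `logging_r_xconsole` should use `read_fifo_file_perms` rather than `{ getattr read }` and a name in the module's verb_object style such as `logging_read_xconsole_pipes`; as far as this patch shows, nothing calls it.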
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
+logging_setattr_xconsole_pipes(initrc_t)
 
 # slapd needs to read cert files from its initscript
 miscfiles_manage_generic_cert_files(initrc_t)
@@ -1453,9 +1454,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# Set device ownerships/modes.
-	xserver_setattr_console_pipes(initrc_t)
-
 	# init script wants to check if it needs to update windowmanagerlist
 	xserver_read_xdm_rw_config(initrc_t)
 ')
Index: policy/modules/system/logging.fc
===================================================================
--- policy/modules/system/logging.fc.orig
+++ policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
 
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if.orig
+++ policy/modules/services/xserver.if
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
 
 ########################################
 ## <summary>
-##	Set the attributes of the X windows console named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_setattr_console_pipes',`
-	gen_require(`
-		type xconsole_device_t;
-	')
-
-	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the X windows console named pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_rw_console',`
-	gen_require(`
-		type xconsole_device_t;
-	')
-
-	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
 ##	Read XDM state files.
 ## </summary>
 ## <param name="domain">