Setting up security policy for xscreensaver-systemd


(0 comments)

xscreensaver-systemd now belongs to the default installation of xscreensaver since xscreensaver-5.44. It works to lock the screen when the system goes into sleep mode.
However, the security rules for xscreensaver-systemd are not yet common, and we set it up in this article
We first declare the role group xscreensaver_systemd_roles, the type of domain and the type of the binary file

attribute_role xscreensaver_systemd_roles;

type xscreensaver_systemd_t;
type xscreensaver_systemd_exec_t;

Then install the domain xscreensaver_systemd_t with the binary xscreensaver-systemd of type xscreensaver_systemd_exec_t

userdom_user_application_domain(xscreensaver_systemd_t, xscreensaver_systemd_exec_t)

In this step the domain xscreensaver_systemd_t is allowed to have an entry point for xscreensaver_systemd_exec_t.

Next we assign the role group xscreensaver_systemd_roles to the domain xscreensaver_systemd_t

role xscreensaver_systemd_roles types xscreensaver_systemd_t;

The user roles need to be associated to the xscreensaver_systemd_roles group to perform domain transition

roleattribute staff_r xscreensaver_systemd_roles;
roleattribute user_r xscreensaver_systemd_roles;

Finally, the xscreensaver binary running in the xscreensaver_t domain calls xscreensaver-systemd, we transition domain from xscreensaver_t to the xscreensaver_systemd_t

domtrans_pattern(xscreensaver_t, xscreensaver_systemd_exec_t, xscreensaver_systemd_t)

Note that the domtrans_pattern macro is not enough to transition the domain if we have not installed an entry point for xscreensaver_systemd_t in the userdom_user_application_domain macro as above

In addition to security rules, a new file context needs to be added to the policy, in the .fc file

/usr/bin/xscreensaver-systemd		--	gen_context(system_u:object_r:xscreensaver_systemd_exec_t,s0)
Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required


What is 9 - 3?

required