SELinux: xscreensaver-demo: Transitioning the file type



SELinux not only secures the system against unauthorized access; together with its security policies it also fixes software bugs, guides programs to use resources correctly, and avoids conflicts. xscreensaver-demo is a graphical tool used to set parameters for XScreenSaver. It creates the ~/.xscreensaver configuration file and writes information into it.

By default, xscreensaver-demo runs in the user domain because there is no specific domain for it. It therefore creates the ~/.xscreensaver file with the default type for files in the user's home directory, i.e. user_home_t. This is the wrong type; the correct type is xscreensaver_config_t. XScreenSaver's programs, which include the xscreensaver daemon itself and its helper programs, have rules set up to work with xscreensaver_config_t, not user_home_t. The user domain is allowed to relabel the file, but no type transition is performed. Using restorecond is neither effective nor a good approach. If we add a file type transition rule in the user domain so that ~/.xscreensaver gets the type xscreensaver_config_t, it conflicts with the file type transition rule already set for home directory files to the type user_home_t, as mentioned above, and has no effect. Strictly speaking, user_home_t is not the default file type. The default type of a file is the type of its parent directory, user_home_dir_t, and the original rule then transitions that type to user_home_t. This detail is covered specifically below.

The solution is to transition the file type in a separate domain for xscreensaver-demo, called xscreensaver_demo_t. First we set up the domain xscreensaver_demo_t as usual (see Setting up security policy for xscreensaver-systemd):

attribute_role xscreensaver_demo_roles;
type xscreensaver_demo_t;
type xscreensaver_demo_exec_t;
userdom_user_application_domain(xscreensaver_demo_t, xscreensaver_demo_exec_t)
role xscreensaver_demo_roles types xscreensaver_demo_t;
roleattribute staff_r xscreensaver_demo_roles;
roleattribute user_r xscreensaver_demo_roles;

Use a user domain pty

userdom_use_user_ptys(xscreensaver_demo_t)

The user domain has many permissions and many programs running in it, which can lead xscreensaver-demo to behave insecurely. Conversely, other programs do not need and should not use the rules for xscreensaver-demo. We therefore transition from the user domains to xscreensaver_demo_t

domtrans_pattern(staff_t, xscreensaver_demo_exec_t, xscreensaver_demo_t)
domtrans_pattern(user_t, xscreensaver_demo_exec_t, xscreensaver_demo_t)

Allow xscreensaver_demo_t to read system state information in /proc

kernel_read_system_state(xscreensaver_demo_t)

Allow xscreensaver_demo_t to change to bin directories (to run some programs)

corecmd_search_bin(xscreensaver_demo_t)

Allow xscreensaver_demo_t to read generic files in /etc

files_read_etc_files(xscreensaver_demo_t)

Allow xscreensaver_demo_t to read generic files in /usr

files_read_usr_files(xscreensaver_demo_t)

Map generic files in /usr

files_map_usr_files(xscreensaver_demo_t)

This rule is required to display fonts in the configuration dialog

miscfiles_read_fonts(xscreensaver_demo_t)

Set the attributes on a fonts cache directory

miscfiles_setattr_fonts_cache_dirs(xscreensaver_demo_t)

Read localization information

miscfiles_read_localization(xscreensaver_demo_t)

Connect to xserver

xserver_stream_connect(xscreensaver_demo_t)

Get the attributes of persistent filesystems which have extended attributes

fs_getattr_xattr_fs(xscreensaver_demo_t)

Use the nscd service (name service cache daemon), for example to get the username that matches a numerical ID; the database is the /etc/passwd file, which is cached. Note that /etc/passwd is just a regular file: it does not have a security file type and does not contain user password information (however, it contains the user's full name, phone numbers if applicable, etc.). The file containing the (encrypted) passwords is /etc/shadow, and its SELinux type is shadow_t. All user domains (even the sysadm_t domain of the root user) and most other domains (including xscreensaver_demo_t, of course) are not allowed to read shadow_t. Only a few domains that are in charge of passwords, such as the domains of the programs passwd, useradd, userdel, usermod, groupadd, groupdel, groupmod, pwconv, grpconv (shadow package) and unix_update, unix_chkpwd (Linux-PAM package), are allowed to read shadow_t

nscd_use(xscreensaver_demo_t)

Read fifo file

allow xscreensaver_demo_t self:fifo_file read_fifo_file_perms;

Allow xscreensaver_demo_t to modify the scheduling information of its own process and to check on the process (signull)

allow xscreensaver_demo_t self:process { setsched signull };

Manage SysV shared memory

allow xscreensaver_demo_t self:shm create_shm_perms;

Read user temporary files

userdom_read_user_tmp_files(xscreensaver_demo_t)

Allow xscreensaver_demo_t to change to the xdg configuration directories

xdg_search_config_dirs(xscreensaver_demo_t)

Manage the xdg cache home files

xdg_manage_cache(xscreensaver_demo_t)

Read the xdg data home files

xdg_read_data_files(xscreensaver_demo_t)

Read user fonts, user font configuration, and manage the user font cache

xserver_use_user_fonts(xscreensaver_demo_t)

Read user home files

userdom_read_user_home_content_files(xscreensaver_demo_t)

Transition the type of the ~/.xscreensaver configuration file to xscreensaver_config_t. The user's home directory has the type user_home_dir_t. xscreensaver_demo_t needs read and write permission on this directory to create the .xscreensaver file in it. By default, .xscreensaver would get the same type as its parent directory, user_home_dir_t, but the type_transition statement transitions it to xscreensaver_config_t. xscreensaver_demo_t also needs permission to manage the .xscreensaver file under the new type

allow xscreensaver_demo_t user_home_dir_t:dir rw_dir_perms;
allow xscreensaver_demo_t xscreensaver_config_t:file manage_file_perms;

type_transition xscreensaver_demo_t user_home_dir_t:file xscreensaver_config_t;
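
The conflict described earlier and the transition rule above can be checked with a small model, added here as an example and not part of the original policy module. It is a simplified Python model of how the type of a new file is chosen; the user_t rule in the sample is a constructed stand-in for the existing home-directory transition, and other_t is a hypothetical domain with no transition rule.

```python
import re

# Matches plain (unnamed) rules: type_transition <source> <target>:<class> <default>;
RULE = re.compile(r"^\s*type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;", re.M)

# Constructed sample policy. The first rule stands in for the existing
# home-directory transition the article describes; the second is the
# article's own rule for the separate domain.
BASE_POLICY = """
type_transition user_t user_home_dir_t:file user_home_t;
type_transition xscreensaver_demo_t user_home_dir_t:file xscreensaver_config_t;
"""

# The rejected approach: a second transition added directly to the user domain.
NAIVE_RULE = "type_transition user_t user_home_dir_t:file xscreensaver_config_t;\n"


def parse_rules(policy_text):
    """Return a list of ((source, target, class), default_type) tuples."""
    return [((s, t, c), d) for s, t, c, d in RULE.findall(policy_text)]


def find_conflicts(policy_text):
    """Return keys that are mapped to more than one default type."""
    seen = {}
    for key, default in parse_rules(policy_text):
        seen.setdefault(key, set()).add(default)
    return {key: sorted(types) for key, types in seen.items() if len(types) > 1}


def new_file_type(policy_text, domain, parent_type, tclass="file"):
    """Type given to a new object: the matching rule's default type, or the
    parent directory's type when no rule matches."""
    table = dict(parse_rules(policy_text))
    return table.get((domain, parent_type, tclass), parent_type)


if __name__ == "__main__":
    # Adding the naive rule yields two default types for one key.
    print(find_conflicts(BASE_POLICY + NAIVE_RULE))
    # other_t is a hypothetical domain with no rule: it inherits the parent type.
    for domain in ("user_t", "xscreensaver_demo_t", "other_t"):
        print(domain, "->", new_file_type(BASE_POLICY, domain, "user_home_dir_t"))
```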

When xscreensaver-demo runs graphics hack programs, we transition to the domain xscreensaver_helper_t. Thus there is no need to add rules for running the graphics hacks, because they have already been set up for the domain xscreensaver_helper_t

corecmd_search_bin(xscreensaver_demo_t)
domtrans_pattern(xscreensaver_demo_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)

When xscreensaver-demo is terminated, it also terminates the last graphics hack

allow xscreensaver_demo_t xscreensaver_helper_t:process { signal signull };

Finally, we allow the user to see the process xscreensaver_demo_t via the ps command

ps_process_pattern(staff_t, xscreensaver_demo_t)

Similar to xscreensaver_systemd_exec_t, we add a new type xscreensaver_demo_exec_t for the xscreensaver-demo binary in the *.fc file

/usr/bin/xscreensaver-demo	--	gen_context(system_u:object_r:xscreensaver_demo_exec_t,s0)

The above is the full content of an additional security policy module, which makes XScreenSaver run smoothly. In addition, a conflict was found: xscreensaver-gl-helper conflicts with gdm-x-session when both use the DRI (Direct Rendering Infrastructure) device at the same time. We can easily prevent this using SELinux.
