
Ticket #1521: selinux-system-proxy-policy.patch

File selinux-system-proxy-policy.patch, 3.0 KB (added by Antoine Martin, 3 years ago)

basic policy for the system proxy server only

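--- a/xpra_socketactivation.fc
+++ b/xpra_socketactivation.fc
@@ -1 +1,5 @@
-#/var/run/xpra/system -s gen_context(system_u:object_r:xpra_unit_file_t,s0)
+/usr/lib/systemd/system/xpra.service -- gen_context(system_u:object_r:xpra_unit_file_t,s0)
+/usr/lib/systemd/system/xpra.socket -- gen_context(system_u:object_r:xpra_unit_file_t,s0)
+/usr/bin/xpra.* -- gen_context(system_u:object_r:xpra_exec_t,s0)
+/run/xpra/system -s gen_context(system_u:object_r:xpra_socket_t,s0)
+/run/xpra.pid -- gen_context(system_u:object_r:xpra_pid_t,s0)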
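Review bot: `/usr/bin/xpra.*` labels every regular file in /usr/bin whose name starts with `xpra` as xpra_exec_t, not only the proxy binary, so any helper or wrapper installed under that prefix presumably becomes an entry point into the xpra_t domain as well. If the system proxy is launched from `/usr/bin/xpra` alone, `/usr/bin/xpra -- gen_context(system_u:object_r:xpra_exec_t,s0)` is the tighter spec, with any other binaries that genuinely need the label listed explicitly. A one-line comment above the entry saying which executables are expected to match would make the intent reviewable later.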
  • xpra_socketactivation.te

     
    11policy_module(xpra_socketactivation, 2.1)
    22
    33require {
    4         type init_t;
    5         type unconfined_service_t;
    6 #       class sock_file { connect write };
     4        class dbus { send_msg };
     5
     6        type system_dbusd_t;
     7        type sysctl_net_unix_t;
     8        type sysctl_net_t;
     9        type var_run_t;
     10        type system_dbusd_var_run_t;
     11        type shell_exec_t;
     12        type proc_net_t;
     13        type unconfined_t;
     14        type bin_t;
     15        type avahi_t;
    716}
    817
    9 #type xpra_unit_file_t;
    10 #type xpra_port_t;
    11 #corenet_port(xpra_port_t)
    12 #allow init_t xpra_unit_file_t:sock_file { connect write unlink };
     18systemd_domain_template(xpra)
    1319
    14 allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
    15 allow init_t unconfined_service_t:tcp_socket { create setopt bind listen };
     20type xpra_pid_t;
     21files_pid_file(xpra_pid_t)
     22files_pid_filetrans(xpra_t, xpra_pid_t, file)
     23allow xpra_t xpra_pid_t:file manage_file_perms;
    1624
     25type xpra_unit_file_t;
     26systemd_unit_file(xpra_unit_file_t);
     27
     28type xpra_socket_t;
     29type xpra_port_t;
     30corenet_port(xpra_port_t);
     31
     32allow init_t xpra_port_t:tcp_socket name_bind;
     33allow init_t xpra_socket_t:unix_stream_socket name_bind;
     34
     35allow xpra_t self:tcp_socket accept;
     36allow xpra_t xpra_port_t:tcp_socket name_bind;
     37allow daemon xpra_t:unix_stream_socket connectto;
     38
     39allow unconfined_t xpra_exec_t:file { entrypoint getattr ioctl open read };
     40
     41domain_auto_trans(unconfined_t, xpra_exec_t, unconfined_t)
     42domain_auto_trans(xpra_t, bin_t, unconfined_t)
     43
     44#remove pid (should use a different type..)
     45#allow xpra_t var_run_t:dir remove_name;
     46
     47#allow xpra_t admin_home_t:file { getattr open read };
     48allow xpra_t bin_t:file { execute };
     49allow xpra_t proc_net_t:file read;
     50
     51allow xpra_t self:tcp_socket listen;
     52allow xpra_t shell_exec_t:file { execute execute_no_trans };
     53
     54#dbus / mdns:
     55allow xpra_t avahi_t:dbus send_msg;
     56allow avahi_t xpra_t:dbus send_msg;
     57allow xpra_t system_dbusd_t:dbus send_msg;
     58
     59allow xpra_t system_dbusd_var_run_t:sock_file write;
     60allow xpra_t var_run_t:dir { add_name write };
     61allow xpra_t var_run_t:file { create getattr open setattr write };
     62#for looking at /proc values during "xpra info" queries:
     63allow xpra_t sysctl_net_t:dir search;
     64allow xpra_t sysctl_net_t:file read;
     65allow xpra_t sysctl_net_unix_t:dir search;
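Review bot: `domain_auto_trans(xpra_t, bin_t, unconfined_t)` (new line 42) lets the confined proxy leave its domain by executing any bin_t program, and together with `allow xpra_t bin_t:file { execute };` and `allow xpra_t shell_exec_t:file { execute execute_no_trans };` it means a compromised xpra_t process is confined only until it runs its first helper. If the proxy merely needs to run helpers, `corecmd_exec_bin(xpra_t)` keeps them inside xpra_t; if it must spawn per-user servers outside its domain, that should be a transition keyed on a dedicated exec type rather than on all of bin_t. `allow daemon xpra_t:unix_stream_socket connectto;` grants every domain carrying the daemon attribute a connection to the proxy socket, which is wider than the avahi and dbus peers named elsewhere in the hunk; listing the actual client domains is preferable. The generic `var_run_t` dir/file create rules at new lines 60-61 sit next to `files_pid_filetrans(xpra_t, xpra_pid_t, file)` and the commented-out "should use a different type" note, so they look like leftovers that still let xpra_t create unlabeled-by-type files anywhere under /run; confirm they are still needed. The .te file may continue past the end of this hunk, so rules after new line 65 were not reviewed.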