Make working SELinux sandbox with Wayland. BZ(1474082)

fedora-selinux · Jan 4, 2018 · e269450 · e269450
1 parent 216bcf8
commit e269450
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/sandboxX.if b/sandboxX.if
@@ -116,8 +116,9 @@ template(`sandbox_x_domain_template',`
 	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
 	# Pulseaudio tmpfs files with different MCS labels
 	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
-	dontaudit $1_t $1_client_tmpfs_t:file { read write };
+	dontaudit $1_t $1_client_tmpfs_t:file { read write map };
 	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+	allow $1_client_t $1_client_tmpfs_t:file { map };
 
 	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
 	allow $1_t sandbox_xserver_t:process signal_perms;

diff --git a/sandboxX.te b/sandboxX.te
@@ -41,6 +41,8 @@ files_type(sandbox_devpts_t)
 #
 allow sandbox_xserver_t self:process { signal_perms execstack };
 
+allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;
+
 tunable_policy(`deny_execmem',`',`
 	allow sandbox_xserver_t self:process execmem;
 ')
@@ -118,6 +120,22 @@ optional_policy(`
 	')
 ')
 
+########################################
+#
+# sandbox_x_t local policy
+#
+
+allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
+allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_t)
+userdom_map_tmp_files(sandbox_x_t)
+userdom_manage_user_tmp_files(sandbox_x_t)
+
 ########################################
 #
 # sandbox_x_domain local policy
@@ -294,9 +312,6 @@ optional_policy(`
 	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
 ')
 
-files_search_home(sandbox_x_t)
-userdom_use_user_ptys(sandbox_x_t)
-
 #1103622
 corenet_tcp_connect_xserver_port(sandbox_x_domain)
 xserver_stream_connect(sandbox_x_domain)
@@ -319,6 +334,11 @@ auth_use_nsswitch(sandbox_x_client_t)
 
 logging_send_syslog_msg(sandbox_x_client_t)
 
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_client_t)
+userdom_map_tmp_files(sandbox_x_client_t)
+userdom_manage_user_tmp_files(sandbox_x_client_t)
+
 optional_policy(`
 	avahi_dbus_chat(sandbox_x_client_t)
 ')
@@ -341,12 +361,16 @@ optional_policy(`
 #
 typeattribute sandbox_web_client_t sandbox_web_type;
 
+allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition;
+
 selinux_get_fs_mount(sandbox_web_client_t)
 
 auth_use_nsswitch(sandbox_web_client_t)
 
 logging_send_syslog_msg(sandbox_web_client_t)
 
+miscfiles_map_generic_certs(sandbox_web_client_t)
+
 allow sandbox_web_type self:capability { setuid setgid };
 allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 dontaudit sandbox_web_type self:process setrlimit;