Add basic SELinux policy #143

Merged
merged 1 commit into from
Jun 17, 2024
12 changes: 11 additions & 1 deletion Makefile
Expand Up @@ -31,13 +31,17 @@ help:
echo "make clean <--- clean all the binary files";\
exit 0;

selinux_policies ::= qubes-gui-daemon.pp

all_targets := gui-daemon/qubes-guid gui-daemon/qubes-guid.1 \
shmoverride/shmoverride.so \
shmoverride/X-wrapper-qubes pulse/pacat-simple-vchan \
screen-layout-handler/watch-screen-layout-changes


all: $(all_targets)
.PHONY: $(all_targets) install tar clean help
all-selinux: selinux/$(selinux_policies)
.PHONY: $(all_targets) all-selinux install tar clean help

gui-daemon/qubes-guid gui-daemon/qubes-guid.1:
$(MAKE) -C gui-daemon qubes-guid qubes-guid.1
Expand All @@ -54,6 +58,9 @@ pulse/pacat-simple-vchan:
screen-layout-handler/watch-screen-layout-changes:
$(MAKE) -C screen-layout-handler watch-screen-layout-changes

selinux/$(selinux_policies):
$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile

install:
install -D gui-daemon/qubes-guid $(DESTDIR)/usr/bin/qubes-guid
install -m 0644 -D gui-daemon/qubes-guid.1 $(DESTDIR)$(MANDIR)/man1/qubes-guid.1
Expand All @@ -69,6 +76,9 @@ install:
install -D -m 0644 screen-layout-handler/qubes-screen-layout-watches.desktop $(DESTDIR)/etc/xdg/autostart/qubes-screen-layout-watches.desktop
$(MAKE) -C window-icon-updater install

install-selinux:
install -D -t $(DESTDIR)/usr/share/selinux/packages selinux/$(selinux_policies)

tar:
git archive --format=tar --prefix=qubes-gui/ HEAD -o qubes-gui.tar

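Review bot: `install-selinux` (third hunk) is not added to `.PHONY`, although the new `.PHONY` line in the first hunk adds `all-selinux` and already lists `install`; a stray file named `install-selinux` in the top directory would turn `make install-selinux` into a silent no-op. The same applies to `selinux/$(selinux_policies)`: every other subdirectory target is phony via `$(all_targets)`, but this one is a real file target with no prerequisites, so once `selinux/qubes-gui-daemon.pp` exists `make all-selinux` never rebuilds it after `.te`/`.fc` edits (the RPM build is only unaffected because it runs `make clean` first, and whether `clean` removes the selinux products is outside this hunk). Suggested: `.PHONY: $(all_targets) all-selinux install install-selinux tar clean help` plus either `.PHONY: selinux/$(selinux_policies)` for consistency with the other sub-make targets or, better, `selinux/$(selinux_policies): selinux/qubes-gui-daemon.te selinux/qubes-gui-daemon.fc`. Minor style: `selinux_policies ::= ...` is the only `::=` in view while `all_targets` uses `:=`, and if `selinux_policies` ever grows to several words `selinux/$(selinux_policies)` prefixes only the first, so `$(addprefix selinux/,$(selinux_policies))` is the safer form.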
32 changes: 31 additions & 1 deletion rpm_spec/gui-daemon.spec.in
Expand Up @@ -41,6 +41,7 @@ Requires: qubes-core-qrexec >= 4.1.5
Requires: python%{python3_pkgversion}-qubesimgconverter >= 4.1.4
Requires: socat
Requires: group(qubes)
Requires: (%{name}-selinux if selinux-policy)

BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools
Expand All @@ -63,6 +64,7 @@ BuildRequires: qubes-core-libs
BuildRequires: qubes-gui-common-devel >= 3.2.0
BuildRequires: qubes-libvchan-@BACKEND_VMM@-devel
BuildRequires: qubes-utils-devel >= 4.2.10
BuildRequires: selinux-policy-devel

Source0: %{name}-%{version}.tar.gz

Expand Down Expand Up @@ -110,13 +112,37 @@ Requires: python%{python3_pkgversion}-setuptools
Dom0 files for Qubes AUDIO virtualization. This include core-admin extension,
policy files etc.

%package selinux

BuildRequires: selinux-policy
%{?selinux_requires}

Summary: SELinux policy for qubes-gui-daemon
License: GPLv2+

%description selinux
SELinux policy for qubes-gui-daemon. You need this package to run qubes-guid
on a system where SELinux is in enforcing mode.

%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/qubes-gui-daemon.pp || :

%postun selinux
if [ "$1" -eq 0 ]; then
%selinux_modules_uninstall %{_datadir}/selinux/packages/qubes-gui-daemon.pp
fi || :

%posttrans selinux
%selinux_relabel_post
exit 0

%prep
%setup -q

%build
%{?set_build_flags}
make clean
make all BACKEND_VMM=@BACKEND_VMM@
make all all-selinux BACKEND_VMM=@BACKEND_VMM@

%py3_build

Expand All @@ -125,6 +151,7 @@ make all BACKEND_VMM=@BACKEND_VMM@
%install
rm -rf $RPM_BUILD_ROOT
%make_install
make install-selinux DESTDIR=$RPM_BUILD_ROOT
%py3_install

%triggerin -- xorg-x11-server-Xorg
Expand Down Expand Up @@ -167,5 +194,8 @@ rm -f %{name}-%{version}
%{python3_sitelib}/qubesguidaemon-*.egg-info
%{python3_sitelib}/qubesguidaemon

%files selinux
%{_datadir}/selinux/packages/qubes-gui-daemon.pp

%changelog
@CHANGELOG@
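Review bot: `%posttrans selinux` calls `%selinux_relabel_post`, but the third hunk adds no `%pre selinux` running `%selinux_relabel_pre`; as far as I recall the Fedora macros are a pair, with `_pre` saving the current file_contexts and `_post` only running `fixfiles` against that saved copy, so without `_pre` the relabel is likely a no-op and `/usr/bin/X-wrapper-qubes` (which the new `.fc` labels `xserver_exec_t`) may keep its default label when the main package is laid down in the same transaction before the module is loaded — please verify against the macro definitions on the target distro. Suggested addition before `%post selinux`: `%pre selinux` followed by `%selinux_relabel_pre`. The `%selinux_modules_install`, `%selinux_modules_uninstall` and `%selinux_relabel_*` calls also pass no `-s`, so they act on whatever store the macro defaults to; the usual pattern is `%global selinuxtype targeted` and `-s %{selinuxtype}` on each call, which makes the intended store explicit. Minor: `make install-selinux DESTDIR=$RPM_BUILD_ROOT` sits next to `%make_install`, and `%make_install install-selinux` would keep whatever extra flags that macro sets (hedged: depends on the macro's expansion).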
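--- a/selinux/qubes-gui-daemon.fc
+++ b/selinux/qubes-gui-daemon.fc
@@ -0,0 +1,3 @@
+/usr/bin/X-wrapper-qubes -- gen_context(system_u:object_r:xserver_exec_t)
+/run/qubes/shm\.id\.[0-9]+ -- gen_context(system_u:object_r:qubes_gui_shmid_t)
+/var/run/qubes/shm\.id\.[0-9]+ -- gen_context(system_u:object_r:qubes_gui_shmid_t)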
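Review bot: the three `gen_context(...)` calls give no sensitivity level, whereas refpolicy's own `.fc` files write `gen_context(system_u:object_r:xserver_exec_t,s0)`. On an MCS build the macro appends `:s0` itself as far as I recall, so the targeted policy should load, but under an MLS build an empty second argument leaves a trailing colon in the context and the module fails to load — adding `,s0` costs nothing and removes the dependency on that macro detail. Suggested: `/usr/bin/X-wrapper-qubes -- gen_context(system_u:object_r:xserver_exec_t,s0)` and the same `,s0` on the two `qubes_gui_shmid_t` lines. A one-line comment would also help readers: the `[0-9]+` regexes deliberately match any index so that a relabel catches files the `.te` name transitions (which only cover `shm.id.0`–`shm.id.4`) did not label at create time.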
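--- a/selinux/qubes-gui-daemon.te
+++ b/selinux/qubes-gui-daemon.te
@@ -0,0 +1,21 @@
+policy_module(qubes-gui-daemon, 0.0.1)
+
+require {
+type xserver_t, qubes_var_run_t;
+type tmpfs_t;
+type unconfined_t;
+}
+
+type qubes_gui_shmid_t;
+
+# Allow /run/qubes/shm.id.*
+filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.0")
+filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.1")
+filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.2")
+filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.3")
+filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.4")
+allow xserver_t qubes_gui_shmid_t:file { create lock open read write map unlink getattr setattr };
+allow qubes_gui_shmid_t tmpfs_t:filesystem { associate };
+
+# until qubes-guid gets its own type
+allow unconfined_t qubes_gui_shmid_t:file mmap_rw_file_perms;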
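Review bot: the comment `# Allow /run/qubes/shm.id.*` overstates what follows — the five `filetrans_pattern` lines only name-transition `shm.id.0` through `shm.id.4`, so a file with any other suffix is created with the parent's `qubes_var_run_t` label and none of the `qubes_gui_shmid_t` rules reach it until a relabel (the `.fc` regex, by contrast, matches any digit run). Suggest `# Name transitions for /run/qubes/shm.id.N with N = 0..4; an index beyond 4 keeps the qubes_var_run_t label until restorecon` and, if 0..4 is a real limit of the daemon, saying why there (I cannot tell from this file what the upper bound corresponds to). Second, `type qubes_gui_shmid_t;` is declared without `files_type(qubes_gui_shmid_t)`, which is presumably why the explicit `allow qubes_gui_shmid_t tmpfs_t:filesystem { associate }` is needed; a short comment stating that the type is deliberately kept out of the `file_type` attribute (so broad `file_type` grants elsewhere in the base policy do not reach the shm id files) would make the choice auditable, or `files_tmpfs_file(qubes_gui_shmid_t)` could replace the two lines if the narrowness is not intentional. The `allow unconfined_t ... mmap_rw_file_perms` stopgap is already marked temporary by its comment; referencing the tracking issue there (placeholder `<ISSUE-ID>` until one exists) would keep it from being forgotten.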