Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.
type=AVC msg=audit(1563084061.269:2472): avc: denied { execute } for pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/system/fstools.fc | 1 +
policy/modules/system/fstools.te | 2 ++
2 files changed, 3 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d871294e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
/usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4ad6e65f..4ae0301a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,6 +154,8 @@ logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t)
+# for zfs/zpool
+mount_exec(fsadm_t)
# for /run/mount/utab
mount_getattr_runtime_files(fsadm_t)
# losetup: bind mount_loopback_t files to loop devices
--
2.24.1
From: Jason Zaman <[email protected]>
Udev watches all the fixed_disks and udevadm watches the runtime dir.
udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied
avc: denied { watch } for pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
---
policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
policy/modules/system/udev.te | 3 +++
2 files changed, 23 insertions(+)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index c14bb13b..f9dcbaf5 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
allow $1 fixed_disk_device_t:blk_file getattr;
')
+########################################
+## <summary>
+## Watch fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_watch_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file watch;
+ allow $1 fixed_disk_device_t:chr_file watch;
+')
+
########################################
## <summary>
## Allow the caller to get the attributes
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 0ccbcb51..e0e27a9d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)
+storage_watch_fixed_disk(udev_t)
+
auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
@@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+allow udevadm_t udev_runtime_t:dir watch;
list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
policy/modules/services/accountsd.te | 2 ++
policy/modules/system/logging.if | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
files_read_mnt_files(accountsd_t)
files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)
userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
manage_files_pattern($1, var_log_t, var_log_t)
')
+########################################
+## <summary>
+## Watch generic log dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ allow $1 var_log_t:dir watch;
+')
+
########################################
## <summary>
## All of the rules required to administrate
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
---
policy/modules/services/cron.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 46b64016..dbbd9dbf 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
files_pid_filetrans(crond_t, crond_runtime_t, file)
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+allow crond_t cron_spool_t:dir watch;
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+allow crond_t system_cron_spool_t:dir watch;
+allow crond_t system_cron_spool_t:file watch;
rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:dir watch;
manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
---
policy/modules/services/colord.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 24eda8a9..44f2b049 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
+allow colord_t colord_var_lib_t:dir watch;
kernel_read_crypto_sysctls(colord_t)
kernel_read_device_sysctls(colord_t)
@@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
files_read_usr_files(colord_t)
files_map_usr_files(colord_t)
+files_watch_usr_dirs(colord_t)
fs_getattr_noxattr_fs(colord_t)
fs_getattr_tmpfs(colord_t)
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
policy/modules/services/consolekit.if | 18 ++++++++++++++++++
policy/modules/services/devicekit.te | 1 +
policy/modules/services/policykit.te | 3 +++
3 files changed, 22 insertions(+)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index 9aa0dbce..422c19cd 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -121,3 +121,21 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_runtime_t:dir list_dir_perms;
read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t)
')
+
+########################################
+## <summary>
+## Watch consolekit runtime dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_watch_runtime_dir',`
+ gen_require(`
+ type consolekit_runtime_t;
+ ')
+
+ allow $1 consolekit_runtime_t:dir watch;
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f58a7a19..ed88f10b 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -127,6 +127,7 @@ files_manage_boot_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
+files_watch_etc_dirs(devicekit_disk_t)
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 04e88500..4989157c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -95,6 +95,8 @@ dev_read_urand(policykit_t)
domain_read_all_domains_state(policykit_t)
files_dontaudit_search_all_mountpoints(policykit_t)
+files_watch_etc_dirs(policykit_t)
+files_watch_usr_dirs(policykit_t)
fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
@@ -127,6 +129,7 @@ optional_policy(`
optional_policy(`
consolekit_read_pid_files(policykit_t)
+ consolekit_watch_runtime_dir(policykit_t)
')
optional_policy(`
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
---
policy/modules/services/xserver.if | 11 +-
policy/modules/system/miscfiles.if | 37 ++++++
policy/modules/system/userdomain.if | 5 +
policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++
4 files changed, 250 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c95a6b04..6c22b3c6 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
+ miscfiles_watch_fonts($2)
xserver_common_x_domain_template(user, $2)
xserver_domtrans($2)
@@ -186,10 +187,13 @@ interface(`xserver_role',`
optional_policy(`
xdg_manage_all_cache($2)
xdg_relabel_all_cache($2)
+ xdg_watch_all_cache_dirs($2)
xdg_manage_all_config($2)
xdg_relabel_all_config($2)
+ xdg_watch_all_config_dirs($2)
xdg_manage_all_data($2)
xdg_relabel_all_data($2)
+ xdg_watch_all_data_dirs($2)
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`
xdg_manage_documents($2)
xdg_relabel_documents($2)
+ xdg_watch_documents_dirs($2)
xdg_manage_downloads($2)
xdg_relabel_downloads($2)
+ xdg_watch_downloads_dirs($2)
xdg_manage_music($2)
xdg_relabel_music($2)
+ xdg_watch_music_dirs($2)
xdg_manage_pictures($2)
xdg_relabel_pictures($2)
+ xdg_watch_pictures_dirs($2)
xdg_manage_videos($2)
xdg_relabel_videos($2)
+ xdg_watch_videos_dirs($2)
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
')
# Read per user fonts
- allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:dir { list_dir_perms watch };
allow $1 user_fonts_t:file { map read_file_perms };
# Manipulate the global font cache
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 47330a48..f11fee25 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',`
read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')
+########################################
+## <summary>
+## Watch fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_watch_fonts',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ allow $1 fonts_t:dir watch;
+')
+
########################################
## <summary>
## Read fonts.
@@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')
+########################################
+## <summary>
+## Watch public files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_watch_public_dirs',`
+ gen_require(`
+ type public_content_rw_t;
+ ')
+
+ allow $1 public_content_rw_t:dir watch;
+')
+
########################################
## <summary>
## Read TeX data
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dd555850..0ffa000f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { user_home_t user_home_dir_t }:dir watch;
+
userdom_manage_user_certs($2)
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
@@ -618,6 +620,8 @@ template(`userdom_common_user_template',`
files_read_var_lib_files($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
+ files_watch_etc_dirs($1_t)
+ files_watch_usr_dirs($1_t)
fs_rw_cgroup_files($1_t)
@@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', `
files_exec_usr_files($1_t)
miscfiles_manage_public_files($1_t)
+ miscfiles_watch_public_dirs($1_t)
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 11fc4306..82304241 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_cache_dirs',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ allow $1 xdg_cache_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_cache_dirs',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ allow $1 xdg_cache_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg cache home files
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ allow $1 xdg_config_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_config_dirs',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ allow $1 xdg_config_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg config home files
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_data_dirs',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_data_dirs',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ allow $1 xdg_data_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg data home files
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg documents home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_documents_dirs',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ allow $1 xdg_documents_t:dir watch;
+')
+
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg downloads home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_downloads_dirs',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ allow $1 xdg_downloads_t:dir watch;
+')
+
#########################################
## <summary>
## Read downloaded content
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg pictures home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_pictures_dirs',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ allow $1 xdg_pictures_t:dir watch;
+')
+
#########################################
## <summary>
## Read user pictures content
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg music home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_music_dirs',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ allow $1 xdg_music_t:dir watch;
+')
+
#########################################
## <summary>
## Read user music content
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_videos_dirs',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ allow $1 xdg_videos_t:dir watch;
+')
+
#########################################
## <summary>
## Read user video content
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
---
policy/modules/services/dbus.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4e395f7f..6f9835c6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,6 +219,7 @@ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+allow session_bus_type dbusd_etc_t:dir watch;
manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
@@ -258,6 +259,7 @@ domain_use_interactive_fds(session_bus_type)
files_list_home(session_bus_type)
files_read_usr_files(session_bus_type)
+files_watch_usr_dirs(session_bus_type)
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=44464 comm="ThreadPoolForeg" path="/etc" dev="zfs" ino=1436 scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
policy/modules/apps/chromium.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 255ef557..0e8cc1e5 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -156,6 +156,7 @@ files_search_home(chromium_t)
files_read_usr_files(chromium_t)
files_map_usr_files(chromium_t)
files_read_etc_files(chromium_t)
+files_watch_etc_dirs(chromium_t)
# During find for /etc/whatever-release we get lots of output otherwise
files_dontaudit_getattr_all_dirs(chromium_t)
--
2.24.1
From: Jason Zaman <[email protected]>
avc: denied { watch } for pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 90508415..d007b6ac 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -229,9 +229,11 @@ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+allow gpg_agent_t gpg_secret_t:dir watch;
manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+allow gpg_agent_t gpg_runtime_t:dir watch;
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
--
2.24.1
On 2/16/20 3:54 AM, Jason Zaman wrote:
> From: Jason Zaman <[email protected]>
>
> avc: denied { watch } for pid=12351 comm="gmain"
path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts"
dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain"
path="/home/jason/Desktop" dev="zfs" ino=33153
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12574 comm="gmain"
path="/home/jason/.local/share/icc" dev="zfs" ino=1954514
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11795 comm="gmain"
path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain"
path="/home/jason/downloads/pics" dev="zfs" ino=38173
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
> ---
> policy/modules/services/xserver.if | 11 +-
> policy/modules/system/miscfiles.if | 37 ++++++
> policy/modules/system/userdomain.if | 5 +
> policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++
> 4 files changed, 250 insertions(+), 1 deletion(-)
This patch series is matching signed-off-by.
Comments below. The other patches look mergeable as-is.
> diff --git a/policy/modules/services/xserver.if
b/policy/modules/services/xserver.if
> index c95a6b04..6c22b3c6 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
> dev_rw_usbfs($2)
> miscfiles_read_fonts($2)
> + miscfiles_watch_fonts($2)
> xserver_common_x_domain_template(user, $2)
> xserver_domtrans($2)
> @@ -186,10 +187,13 @@ interface(`xserver_role',`
> optional_policy(`
> xdg_manage_all_cache($2)
> xdg_relabel_all_cache($2)
> + xdg_watch_all_cache_dirs($2)
> xdg_manage_all_config($2)
> xdg_relabel_all_config($2)
> + xdg_watch_all_config_dirs($2)
> xdg_manage_all_data($2)
> xdg_relabel_all_data($2)
> + xdg_watch_all_data_dirs($2)
> xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
> xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
> @@ -203,14 +207,19 @@ interface(`xserver_role',`
> xdg_manage_documents($2)
> xdg_relabel_documents($2)
> + xdg_watch_documents_dirs($2)
> xdg_manage_downloads($2)
> xdg_relabel_downloads($2)
> + xdg_watch_downloads_dirs($2)
> xdg_manage_music($2)
> xdg_relabel_music($2)
> + xdg_watch_music_dirs($2)
> xdg_manage_pictures($2)
> xdg_relabel_pictures($2)
> + xdg_watch_pictures_dirs($2)
> xdg_manage_videos($2)
> xdg_relabel_videos($2)
> + xdg_watch_videos_dirs($2)
> xdg_cache_filetrans($2, mesa_shader_cache_t, dir,
"mesa_shader_cache")
> ')
> @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
> ')
> # Read per user fonts
> - allow $1 user_fonts_t:dir list_dir_perms;
> + allow $1 user_fonts_t:dir { list_dir_perms watch };
> allow $1 user_fonts_t:file { map read_file_perms };
> # Manipulate the global font cache
> diff --git a/policy/modules/system/miscfiles.if
b/policy/modules/system/miscfiles.if
> index 47330a48..f11fee25 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -252,6 +252,25 @@
interface(`miscfiles_manage_generic_tls_privkey_files',`
> read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> ')
> +########################################
> +## <summary>
> +## Watch fonts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_watch_fonts',`
miscfiles_watch_fonts_dirs
> + gen_require(`
> + type fonts_t;
> + ')
> +
> + allow $1 fonts_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read fonts.
> @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
> manage_lnk_files_pattern($1, public_content_rw_t,
public_content_rw_t)
> ')
> +########################################
> +## <summary>
> +## Watch public files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_watch_public_dirs',`
> + gen_require(`
> + type public_content_rw_t;
> + ')
> +
> + allow $1 public_content_rw_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read TeX data
> diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
> index dd555850..0ffa000f 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',`
> # cjp: this should probably be removed:
> allow $2 user_home_dir_t:dir { manage_dir_perms
relabel_dir_perms };
> + allow $2 { user_home_t user_home_dir_t }:dir watch;
The user_home_t access should probably be increased to all the
non-device file classes and probably should apply to all user content
too. I don't have a problem with a userdomain watching anything in
their home dir.
Please add similar access to the ro home role too. While it might be ro
to the user, it could be changed by other means.
> userdom_manage_user_certs($2)
> userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
> @@ -618,6 +620,8 @@ template(`userdom_common_user_template',`
> files_read_var_lib_files($1_t)
> # Stat lost+found.
> files_getattr_lost_found_dirs($1_t)
> + files_watch_etc_dirs($1_t)
> + files_watch_usr_dirs($1_t)
> fs_rw_cgroup_files($1_t)
> @@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', `
> files_exec_usr_files($1_t)
> miscfiles_manage_public_files($1_t)
> + miscfiles_watch_public_dirs($1_t)
> tunable_policy(`user_dmesg',`
> kernel_read_ring_buffer($1_t)
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 11fc4306..82304241 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_cache_dirs',`
> + gen_require(`
> + type xdg_cache_t;
> + ')
> +
> + allow $1 xdg_cache_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_cache_dirs',`
> + gen_require(`
> + attribute xdg_cache_type;
> + ')
> +
> + allow $1 xdg_cache_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg cache home files
> @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_config_dirs',`
> + gen_require(`
> + type xdg_config_t;
> + ')
> +
> + allow $1 xdg_config_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_config_dirs',`
> + gen_require(`
> + attribute xdg_config_type;
> + ')
> +
> + allow $1 xdg_config_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg config home files
> @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_data_dirs',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + allow $1 xdg_data_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_data_dirs',`
> + gen_require(`
> + attribute xdg_data_type;
> + ')
> +
> + allow $1 xdg_data_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg data home files
> @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg documents home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_documents_dirs',`
> + gen_require(`
> + type xdg_documents_t;
> + ')
> +
> + allow $1 xdg_documents_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Create objects in the user home dir with an automatic type
transition to
> @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg downloads home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_downloads_dirs',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + allow $1 xdg_downloads_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read downloaded content
> @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg pictures home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_pictures_dirs',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + allow $1 xdg_pictures_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user pictures content
> @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg music home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_music_dirs',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + allow $1 xdg_music_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user music content
> @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg video content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_videos_dirs',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + allow $1 xdg_videos_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user video content
>
--
Chris PeBenito
--
Chris PeBenito