Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D11EC282D7 for ; Thu, 31 Jan 2019 02:58:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1766E20B1F for ; Thu, 31 Jan 2019 02:58:58 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="dCa5N24I" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725771AbfAaC66 (ORCPT ); Wed, 30 Jan 2019 21:58:58 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:33552 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725535AbfAaC66 (ORCPT ); Wed, 30 Jan 2019 21:58:58 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id A1B92EBA8 for ; Thu, 31 Jan 2019 13:58:56 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1548903536; bh=F5jCqX8MvTza2kY5rSrleKl2IxO3Vz5Rm3djnxa+dyg=; l=9824; h=Date:From:To:Subject:From; b=dCa5N24IkVXtxwZFMOFN6y6mJUTGoGRDqFmzJllKbO0zaUJmfLn/vtVBDNw1cD3+i DGJVDqIfZf+sg8xgOUE6xqBhj4sa3uPcXl4FzOBqc2qHOan9EQP0IjOs3Q9xiga+oM MnSYl/WRgoYkKBZLFUPDYIdK85RAODtXR/0bSci0= Received: by xev.coker.com.au (Postfix, from userid 1001) id 1318CC8869F; Thu, 31 Jan 2019 13:58:52 +1100 (AEDT) Date: Thu, 31 Jan 2019 13:58:52 +1100 
From: Russell Coker To: "selinux-refpolicy@vger.kernel.org" Subject: [PATCH] more misc stuff Message-ID: <20190131025852.GA15874@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Here's the latest stuff, most of which is to make staff_t usable as a login domain. Please merge whatever you think is good and skip the rest.
Index: refpolicy-2.20180701/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20180701/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
 dontaudit $1_t user_tty_device_t:chr_file ioctl;
 kernel_read_kernel_sysctls($1_t)
+ kernel_read_crypto_sysctls($1_t)
+ kernel_read_vm_overcommit_sysctl($1_t)
 kernel_dontaudit_list_unlabeled($1_t)
 kernel_dontaudit_getattr_unlabeled_files($1_t)
 kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -110,11 +112,15 @@ template(`userdom_base_user_template',`
 libs_exec_ld_so($1_t)
+ logging_send_syslog_msg($1_t)
+ miscfiles_read_localization($1_t)
 miscfiles_read_generic_certs($1_t)
 sysnet_read_config($1_t)
+ userdom_write_all_user_runtime_named_sockets($1_t)
+ # kdeinit wants systemd status
 init_get_system_status($1_t)
@@ -858,6 +864,10 @@ template(`userdom_common_user_template',
 ')
 optional_policy(`
+ udev_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
 usernetctl_run($1_t, $1_r)
 ')
@@ -1205,6 +1215,12 @@ template(`userdom_unpriv_user_template',
 optional_policy(`
 systemd_dbus_chat_logind($1_t)
+ systemd_use_logind_fds($1_t)
+ # kwalletd5 inherits a socket from init
+ init_rw_inherited_stream_socket($1_t)
+ init_use_fds($1_t)
+ # for polkit-kde-auth
+ init_read_state($1_t)
 ')
 ')
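Review bot: `userdom_write_all_user_runtime_named_sockets($1_t)` in userdom_base_user_template grants every domain built on the base template write access to the runtime sockets of all users, since the interface is keyed on the `user_runtime_content_type` attribute rather than the calling user's own runtime type; that is a cross-user widening, and it reaches every template layered on the base one, including the more restricted ones. If the requirement comes from the same desktop components as the other additions, consider granting it in userdom_unpriv_user_template next to the logind rules, and add a comment naming the consumer, e.g. `# <client> connects to sockets under /run/user/<uid>/` with the placeholders filled in. The enclosing template continues outside the hunk.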
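Review bot: `init_read_state($1_t)` in the @@ -1205 hunk exposes init's process state to every unprivileged user domain, which appears broader than the single polkit-kde-auth case the comment names; if a specific file under init's /proc entries is all that is read, say so in the comment or use a narrower init interface so reviewers can judge the exposure. The new init_* calls also sit inside an optional block whose existing rule is logind-specific, so a reader may assume they depend on the systemd module; a comment such as `# systemd as init: fds and the stream socket inherited from PID 1` would make that dependency explicit. The enclosing template continues outside the hunk.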
@@ -3426,6 +3442,25 @@ interface(`userdom_delete_all_user_runti
 ')
 ########################################
+##
+## write user runtime socket files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ##
 ## Create objects in the pid directory
 ## with an automatic type transition to
Index: refpolicy-2.20180701/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180701/policy/modules/roles/staff.te
@@ -32,6 +32,10 @@ optional_policy(`
 ')
 optional_policy(`
+ modemmanager_dbus_chat(staff_t)
+')
+
+optional_policy(`
 postgresql_role(staff_r, staff_t)
 ')
Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te
@@ -21,6 +21,10 @@ optional_policy(`
 ')
 optional_policy(`
+ modemmanager_dbus_chat(user_t)
+')
+
+optional_policy(`
 screen_role_template(user, user_r, user_t)
 ')
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.fc
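Review bot: `allow $1 user_runtime_content_type:dir list_dir_perms;` grants more directory access than writing to a socket needs — only search is required to reach the sock_file — and a bare `write` on the sock_file is not the permission set the rest of userdomain.if uses for this case; the conventional form is `write_sock_files_pattern($1, user_runtime_content_type, user_runtime_content_type)`, which gives search_dir_perms on the directory and write_sock_file_perms on the socket. The summary `write user runtime socket files` should also make clear that `user_runtime_content_type` covers the runtime content of all users, so callers understand they are requesting cross-user access rather than access to the calling user's own directory, e.g. `Write the runtime socket files of all users.`.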
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_
 files_manage_all_pid_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
 files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
 files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfile
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
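Review bot: `/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)` labels a file under /etc/tor from the sysnetwork module; if the tor module's file contexts already cover `/etc/tor(/.*)?` with tor's own etc type, this more specific entry takes precedence and changes that file's type, so tor_t would need read access to net_conf_t and the label of /etc/tor content would depend on two modules. Keeping the entry in tor.fc, or granting the tor config type to the domain that needs torsocks.conf, leaves ownership of /etc/tor in one place; either way a comment naming which domain needs this file as net_conf_t would justify the choice.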
@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -197,6 +198,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180701/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20180701/policy/modules/apps/pulseaudio.te
@@ -148,7 +148,7 @@ miscfiles_read_localization(pulseaudio_t
 seutil_read_config(pulseaudio_t)
-userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_rw_user_tmpfs_files(pulseaudio_t)
 userdom_map_user_tmpfs_files(pulseaudio_t)
 userdom_delete_user_tmpfs_files(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau
 userdom_manage_user_tmp_dirs(pulseaudio_t)
 userdom_manage_user_tmp_sockets(pulseaudio_t)
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)
 tunable_policy(`pulseaudio_execmem',`
 allow pulseaudio_t self:process execmem;
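Review bot: `/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)` labels every regular file under /usr/lib/bluetooth as a generic binary; on distributions that install the bluetooth daemon there, the daemon would run in its caller's domain (the init domain when started by systemd) unless a more specific entry gives it its own exec type — confirm the bluetooth module's file contexts cover that path, or narrow the pattern to the helper programs that actually need bin_t. The same consideration applies to `/usr/lib/[^/]+/libexec/kf5/.*` in the next hunk, which catches every KF5 libexec helper, including any that a dedicated module labels or should label with its own type.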
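Review bot: `userdom_write_all_user_runtime_named_sockets(pulseaudio_t)` gives a per-user daemon write access to the runtime sockets of every user rather than the session owner's only, and nothing in this hunk says which socket it needs; the later hunk in this file carries `# for /run/user/1000/systemd/notify` as a trailing comment with no rule under it, which reads as the justification for this line and belongs directly above it, generalised to `# for /run/user/$UID/systemd/notify`. If the calling user's own runtime type can be expressed with an existing interface, that would match the notify socket's scope better than the all-users attribute.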
@@ -225,6 +226,13 @@ optional_policy(`
 ')
 optional_policy(`
+ systemd_read_logind_sessions_files(pulseaudio_t)
+ # for /run/systemd/users/$PID
+ systemd_read_logind_pids(pulseaudio_t)
+ # for /run/user/1000/systemd/notify
+')
+
+optional_policy(`
 udev_read_pid_files(pulseaudio_t)
 udev_read_state(pulseaudio_t)
 udev_read_db(pulseaudio_t)
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)
 auth_use_nsswitch(ssh_t)
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 seutil_read_config(ssh_t)
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -90,6 +90,9 @@ interface(`xserver_restricted_role',`
 # open office is looking for the following
 dev_getattr_agp_dev($2)
 dev_dontaudit_rw_dri($2)
+ tunable_policy(`xserver_allow_dri',`
+ dev_rw_dri($2)
+ ')
 # GNOME checks for usb and other devices:
 dev_rw_usbfs($2)
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
 ##
 gen_tunable(xserver_object_manager, false)
+##
+##
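Review bot: The comment `# for /run/systemd/users/$PID` above `systemd_read_logind_pids(pulseaudio_t)` names the path wrong: logind keys the files in /run/systemd/users/ by user id, so it should read `# for /run/systemd/users/$UID`. The second comment, `# for /run/user/1000/systemd/notify`, is left dangling as the last line of the block with no rule beneath it, so a reader cannot tell which permission it explains; if it describes the runtime-socket write added in the @@ -156 hunk it should move there, and the literal uid 1000 should become `$UID` so the comment is not tied to one installation.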
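Review bot: `dev_dontaudit_rw_dri($2)` remains unconditional on the line above the new `tunable_policy(`xserver_allow_dri',`, so with the tunable off the very denials that would point an administrator to the tunable are silenced, and with it on the dontaudit is dead; tunable_policy accepts an else branch, so `tunable_policy(`xserver_allow_dri',` dev_rw_dri($2) ',` dev_dontaudit_rw_dri($2) ')` expresses the intent and replaces the separate dontaudit line. Keeping the default false is the right choice, since the rule hands direct GPU device access to every domain in the restricted X role. The interface continues outside the hunk.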

+## Allow DRI access
+##

+##
+gen_tunable(xserver_allow_dri, false)
+
 attribute x_domain; # X Events
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 ')
 optional_policy(`
+ xserver_link_xdm_keys(local_login_t)
 xserver_read_xdm_tmp_files(local_login_t)
 xserver_rw_xdm_tmp_files(local_login_t)
 xserver_rw_xdm_keys(local_login_t)
Index: refpolicy-2.20180701/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20180701/policy/modules/apps/chromium.te
@@ -150,6 +150,7 @@ dev_read_sound(chromium_t)
 dev_write_sound(chromium_t)
 dev_read_urand(chromium_t)
 dev_read_rand(chromium_t)
+dev_rw_dri(chromium_t)
 dev_rw_xserver_misc(chromium_t)
 dev_map_xserver_misc(chromium_t)
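Review bot: The description accompanying `gen_tunable(xserver_allow_dri, false)` says only `Allow DRI access`, which tells an administrator neither which domains gain access nor to what; tunable descriptions are what policy tooling surfaces when listing booleans, so it should state both, e.g. `Allow domains of the restricted X client role read and write access to the DRI device nodes.`. The xserver.if hunk in this series shows the tunable is applied inside xserver_restricted_role, which is the scope the description should name.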
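Review bot: `dev_rw_dri(chromium_t)` is unconditional, while the same access for X client domains is made opt-in elsewhere in this series through the new xserver_allow_dri tunable; a browser is a large attack surface, so direct GPU device access arguably deserves the same gating, via a chromium-specific tunable declared in this file rather than reusing the xserver one, which would create a dependency on the xserver module's tunable. A comment stating which chromium feature needs the DRI nodes would also help the next reviewer judge whether the rule should stay.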