Date: Fri, 11 Oct 2019 14:54:23 +0200
From: Dominick Grift
To: Laurent Bigonville
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 05/10] Allow colord_t to read the color profile stored in ~/.local/share/icc/
Message-ID: <20191011125423.GA279944@brutus.lan>
References: <20191011122416.14651-1-bigon@debian.org> <20191011122416.14651-5-bigon@debian.org>
In-Reply-To: <20191011122416.14651-5-bigon@debian.org>
User-Agent: Every email client sucks, this one just sucks less.
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville
> 
> colord reads the color profiles files that are stored in
> ~/.local/share/icc/, The file descriptor to that file is passed over
> D-Bus so it needs to be inherited

This patch is cutting corners a little. It only takes unconfined_t into account and not the confined users (an alternative would be to call "userdom_use_all_users_fds(colord_t)" instead, which is arguably too broad as well but the closest you can get to "common users" without surgery).

Secondly, xdg_read_data_files() is a little broad.

Also, this patch implies that whatever maintains XDG_DATA_DIR/icc is able to maintain generic xdg data files, which is arguably broad as well.

The second and third arguments are subject to how far you want to take things, and so I won't object if that is not addressed.

The fd use issue, in my view, should be addressed for all login (common) users with colord access.

> 
> ----
> time->Sat Oct 5 11:35:54 2019
> type=AVC msg=audit(1570268154.991:223): avc: denied { read } for pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570268154.991:223): avc: denied { use } for pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=1
> ----
> time->Sat Oct 5 11:35:55 2019
> type=AVC msg=audit(1570268155.007:225): avc: denied { getattr } for pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> ----
> time->Sat Oct 5 11:35:55 2019
> type=AVC msg=audit(1570268155.007:226): avc: denied { map } for pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> ----
> 
> Signed-off-by: Laurent Bigonville
> ---
>  policy/modules/services/colord.te | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
> index fada3fb8..2fbb1835 100644
> --- a/policy/modules/services/colord.te
> +++ b/policy/modules/services/colord.te
> @@ -141,6 +141,13 @@ optional_policy(`
>  	udev_read_pid_files(colord_t)
>  ')
>  
> +# colord reads the color profiles files that are stored in ~/.local/share/icc/,
> +# The file descriptor to that file is passed over D-Bus so it needs to be inherited
> +optional_policy(`
> +	unconfined_use_fds(colord_t)
> +	xdg_read_data_files(colord_t)
> +')
> +
>  optional_policy(`
>  	xserver_read_xdm_lib_files(colord_t)
>  	xserver_use_xdm_fds(colord_t)
> -- 
> 2.23.0
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
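Review bot: the added optional_policy block in the hunk above mixes interfaces from two different modules, unconfined_use_fds() from unconfined and xdg_read_data_files() from xdg, so if either module is not present in the built policy the whole optional block is dropped and colord loses both rules; the neighbouring block groups only xserver_* calls, so follow that pattern and give each module's interface its own optional_policy block. The tclass=fd denial quoted in the commit message involves only unconfined_t, so the fd rule as written covers unconfined users alone, which is the point raised in the reply above. Minor: the new comment reads "color profiles files" and its first line ends in a comma before a capitalised "The"; tidy to "color profile files stored in ~/.local/share/icc/. The file descriptor ...".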