Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp878293ybp;
        Fri, 11 Oct 2019 05:55:16 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyV5kKgj0TQ4/SWCeUTu3HzeyTzU5OprD8Ga+kux7qdgV/MzVCETPyPOuSrTv4NkdMNsNGQ
X-Received: by 2002:a17:906:6a4f:: with SMTP id n15mr13672069ejs.19.1570798516834;
        Fri, 11 Oct 2019 05:55:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570798516; cv=none;
        d=google.com; s=arc-20160816;
        b=hpr29CyhVHybYa5CUKUWBTr0eOzdEGHLxM1yOnMbtqk4uu5LUzDaz8Y7EnmUxuldJy
         5i4LxBhBGnO7/P5cqfTwYiOVwj+ewnedzbS1hSjvKPX/DcWMWBlCbzzCaX1YRauLQ2l3
         UdqfyEKTrfDZnidZajroCuN+n9OZJdP7Fc2gDgykEia657r8/UKuFjGHEdfL38BXJFBJ
         /PJDZTBe6oi/rDQ3KkO4LeLf82cRiPo5JKug1gQilSZ5ic8cWG/6fz/pkHX9Qfs3HcnQ
         kt1KzCVYZ1hX3tBM/ioR2/Wr44rc/lRZjlIpi12ZPv5giu0mwmcYzoFfQ8GVVju/DaGq
         6kWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:dkim-signature;
        bh=7DyJdU9/KDoqwP5fEmWfWMGp9pHsD4xsZOEwkJZB7tw=;
        b=nOFNGzRGK11bDvXoJSen9V1MjmNc1IofaUg8fH+EYm4StaHSwVel9WTcOIp1QJCx0B
         Pzgd0zvjUq2ZkEvR2fVjLAvYfZPlBG73QkDKZhVaEyB076Pb092MOseoX7OrJGPCEcXU
         5ZT2DN4Ps1UZtxfwXEwdVOVIFqjJrUN4YXjDqMqxbzk3bq9/YhlfEQtqHcq88v0kvTNT
         mKaC81bBdu4Iw+X9YVSLUjRv7W24Vhz7UwL/c3GPjwytxdyPaRNV6J1qhQYsTvFO9lUX
         67hBagqYoF/AX2uE8AYWMMwW8A+jCHWe1ef6vS4vvDbhv8dDhFc3j6jgVFTjnqkJNbDH
         dPSg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XJx9FIBg;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o46si5786218edc.124.2019.10.11.05.55.12;
        Fri, 11 Oct 2019 05:55:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XJx9FIBg;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727243AbfJKMya (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Fri, 11 Oct 2019 08:54:30 -0400
Received: from mail-ed1-f66.google.com ([209.85.208.66]:44539 "EHLO
        mail-ed1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728033AbfJKMy3 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 11 Oct 2019 08:54:29 -0400
Received: by mail-ed1-f66.google.com with SMTP id r16so8556686edq.11
        for <selinux-refpolicy@vger.kernel.org>; Fri, 11 Oct 2019 05:54:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=7DyJdU9/KDoqwP5fEmWfWMGp9pHsD4xsZOEwkJZB7tw=;
        b=XJx9FIBg8P9HFcpalRInuuDHHNgFWjPIVsbZ0Ft9r9407yvAphvTPsM86PzRwLD4T7
         pm7vaXKYq6A/ueqarkXCewVeBEn9Ys2HIITBZE5sdfNV4bKtOyZC9HUk6R0TgjNQ8k5x
         hejDPnBa35F9UefKEZc2x/2D8D9JnQJ0zjfC+jskINVnYYKrF81PyB+gwTYtnGbNUBVZ
         g2VS4tVY1d0pzw6JkLk3VGk4eG0fsjANqI2Et3vT/EesuiysH9uqoueHLn3MaK9dJkOo
         7soTvHsX0g92gsjwnuSlWQqMzWhCtkXf6nNCWAjXh1Biyov0gBbdvXbkdfyaKCi8QSfT
         n3BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to:user-agent;
        bh=7DyJdU9/KDoqwP5fEmWfWMGp9pHsD4xsZOEwkJZB7tw=;
        b=ebV9yzw7wxdRvh0qyOcFIlnW1fe6EEOnN+18dy3G04T5GX7P61Z5JwF0NvYPcTTBpa
         xkmw4JhUfiTmNYOt1v4SK0vC1RamDcaJuvKGw4EcDldE4B601PV0+j/c+cC4vlfHp+T4
         4bocRSguFKxJMNoahsdCmN5lm41lnAnmFB9b7pDida2K64o7XDF4tT4yEp7eKRdI5rWo
         baICYfrJNhlTd7WjWCIfANz3pWjgT6EQUW6RARYUNiFY/mUzB/1qE3SZQ5/bIeTeZHvG
         gDpDKxZvSGTTShH3FpZiYzJBrkHexSfpUoR3MCEn/pNaMCldWPa9rcjcgENUj+BznEmQ
         FW/A==
X-Gm-Message-State: APjAAAWXCPmUU1dStSf9RxdQl9h3s06woHiHyDBhpVlKj/E/NhzH8dqO
        trELcbKESMF0S2nJeazDGnTyPUbS
X-Received: by 2002:a50:b901:: with SMTP id m1mr13486705ede.203.1570798466269;
        Fri, 11 Oct 2019 05:54:26 -0700 (PDT)
Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id s26sm1475722eds.80.2019.10.11.05.54.24
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 11 Oct 2019 05:54:25 -0700 (PDT)
Date:   Fri, 11 Oct 2019 14:54:23 +0200
From:   Dominick Grift <dac.override@gmail.com>
To:     Laurent Bigonville <bigon@debian.org>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 05/10] Allow colord_t to read the color profile stored in
 ~/.local/share/icc/
Message-ID: <20191011125423.GA279944@brutus.lan>
Mail-Followup-To: Laurent Bigonville <bigon@debian.org>,
        selinux-refpolicy@vger.kernel.org
References: <20191011122416.14651-1-bigon@debian.org>
 <20191011122416.14651-5-bigon@debian.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o"
Content-Disposition: inline
In-Reply-To: <20191011122416.14651-5-bigon@debian.org>
User-Agent: Every email client sucks, this one just sucks less.
X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


--IS0zKkzwUGydFO0o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>=20
> colord reads the color profiles files that are stored in
> ~/.local/share/icc/, The file descriptor to that file is passed over
> D-Bus so it needs to be inherited

This patch is cutting corners a little. It only takes unconfined_t into acc=
ount and not the confined users (an alternative would be to call "userdom_u=
se_all_users_fds(colord_t)" instead. Which is arguable too broad as well bu=
t closest you can get to "common users" without surgery.
Secondly xdg_read_data_files() is a little broad.
Also if this patch implies that whatever maintains XDG_DATA_DIR/icc is able=
 to maintain generic xdg data files, which is arguable broad as well.

The second and third argument are subject to how far you want to take thing=
s, and so I won't object if that is not addressed.
The fd use issue, in my view, should be addressed for all login (common) us=
ers with colord access.

>=20
> ----
> time->Sat Oct  5 11:35:54 2019
> type=3DAVC msg=3Daudit(1570268154.991:223): avc:  denied  { read } for  p=
id=3D852 comm=3D"gdbus" path=3D"/home/bigon/.local/share/icc/edid-fcd2cc06d=
ec015794261e6b7756cbcec.icc" dev=3D"dm-3" ino=3D413402 scontext=3Dsystem_u:=
system_r:colord_t:s0 tcontext=3Dunconfined_u:object_r:xdg_data_t:s0 tclass=
=3Dfile permissive=3D1
> type=3DAVC msg=3Daudit(1570268154.991:223): avc:  denied  { use } for  pi=
d=3D852 comm=3D"gdbus" path=3D"/home/bigon/.local/share/icc/edid-fcd2cc06de=
c015794261e6b7756cbcec.icc" dev=3D"dm-3" ino=3D413402 scontext=3Dsystem_u:s=
ystem_r:colord_t:s0 tcontext=3Dunconfined_u:unconfined_r:unconfined_t:s0-s0=
:c0.c1023 tclass=3Dfd permissive=3D1
> ----
> time->Sat Oct  5 11:35:55 2019
> type=3DAVC msg=3Daudit(1570268155.007:225): avc:  denied  { getattr } for=
  pid=3D852 comm=3D"colord" path=3D"/home/bigon/.local/share/icc/edid-fcd2c=
c06dec015794261e6b7756cbcec.icc" dev=3D"dm-3" ino=3D413402 scontext=3Dsyste=
m_u:system_r:colord_t:s0 tcontext=3Dunconfined_u:object_r:xdg_data_t:s0 tcl=
ass=3Dfile permissive=3D1
> ----
> time->Sat Oct  5 11:35:55 2019
> type=3DAVC msg=3Daudit(1570268155.007:226): avc:  denied  { map } for  pi=
d=3D852 comm=3D"colord" path=3D"/home/bigon/.local/share/icc/edid-fcd2cc06d=
ec015794261e6b7756cbcec.icc" dev=3D"dm-3" ino=3D413402 scontext=3Dsystem_u:=
system_r:colord_t:s0 tcontext=3Dunconfined_u:object_r:xdg_data_t:s0 tclass=
=3Dfile permissive=3D1
> ----
>=20
> Signed-off-by: Laurent Bigonville <bigon@bigon.be>
> ---
>  policy/modules/services/colord.te | 7 +++++++
>  1 file changed, 7 insertions(+)
>=20
> diff --git a/policy/modules/services/colord.te b/policy/modules/services/=
colord.te
> index fada3fb8..2fbb1835 100644
> --- a/policy/modules/services/colord.te
> +++ b/policy/modules/services/colord.te
> @@ -141,6 +141,13 @@ optional_policy(`
>  	udev_read_pid_files(colord_t)
>  ')
> =20
> +# colord reads the color profiles files that are stored in ~/.local/shar=
e/icc/,
> +# The file descriptor to that file is passed over D-Bus so it needs to b=
e inherited
> +optional_policy(`
> +	unconfined_use_fds(colord_t)
> +	xdg_read_data_files(colord_t)
> +')
> +
>  optional_policy(`
>  	xserver_read_xdm_lib_files(colord_t)
>  	xserver_use_xdm_fds(colord_t)
> --=20
> 2.23.0
>=20

--=20
Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
Dominick Grift

--IS0zKkzwUGydFO0o
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAl2ge3sACgkQJXSOVTf5
R2kYoQv/SaP0PY5L04YMku6l370ElpxMI7uVrvUyKpM2Cf0Qpq0i7WqlO2LLbXg9
tx+MwCoe9F+BV/HzI9pe5co+kVGyTH17JFuGoLdueMDtTQ/oRlG3GMLuM2ditltY
S+2wVgoV456kjynLovADPwBrNFzicNEa7BAsVrW6Bk3l8Anjzig2fyggtzIE++oW
PxTs2TaQS6Yu4P0hipm9wGgieSvvaPq4Y5OcTLhuk6LXgLbriPGstviAbSRHKfwJ
YfDbe+vkgrRlbfvbRB32v5EGgmE3s6Dz3jtvJByzag1nSf8bgl8e8j5q3VsCyu33
fdOO+Fpg+WstTADmx1YYQ3xaQVHie8rePkeeoVgVo0pPba4Ks5k/J/KXesD2BrKl
cTJhdQNikNY9iHiqiO27JlO4kCfSidjYQrz2AbeiTSJDdrJZ5s0ey+2HCvHGuRs3
aNxrP4NW7rzcJWRxTfIiZItx+z3vgfmkwwVBZcNZf5rxXg5S7j8HDCLZ8LPGCq3p
MsE0YBal
=Qt0f
-----END PGP SIGNATURE-----

--IS0zKkzwUGydFO0o--