Date: Sat, 12 Oct 2019 18:09:34 +0200
From: Dominick Grift
To: Chris PeBenito
Cc: Laurent Bigonville, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 05/10] Allow colord_t to read the color profile stored in ~/.local/share/icc/
Message-ID: <20191012160934.GA3589@brutus.lan>

On Sat, Oct 12, 2019 at 11:51:43AM -0400, Chris PeBenito wrote:
> On 10/12/19 3:53 AM, Dominick Grift wrote:
> > On Fri, Oct 11, 2019 at 02:54:23PM +0200, Dominick Grift wrote:
> > > On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote:
> > > > From: Laurent Bigonville
> > > >
> > > > colord reads the color profile files that are stored in
> > > > ~/.local/share/icc/. The file descriptor to that file is passed over
> > > > D-Bus so it needs to be inherited
> > >
> > > This patch is cutting corners a little. It only takes unconfined_t into account and not the confined users (an alternative would be to call "userdom_use_all_users_fds(colord_t)" instead), which is arguably too broad as well but closest you can get to "common users" without surgery.
> > > Secondly xdg_read_data_files() is a little broad.
> > > Also if this patch implies that whatever maintains XDG_DATA_DIR/icc is able to maintain generic xdg data files, which is arguably broad as well.
> > >
> > > The second and third argument are subject to how far you want to take things, and so I won't object if that is not addressed.
> > > The fd use issue, in my view, should be addressed for all login (common) users with colord access.
> >
> > Actually, I take this review back. I am not sure how to best deal with this fd.
>
> It seems that going to a colord_role() would be the way to go. There
> already is a colord_dbus_chat($1_t) in userdomain.if, so you could put those
> dbus rules plus the rules to address the fds together.
>
> I agree the xdg_read_data_files() is somewhat broad, but it seems like
> xdg_data_t files aren't sensitive. Maybe that's just how it is on system?
> I don't feel strongly on this.

Yes, it depends I guess. The thing is that, like /usr, there's really all kinds of things below ~/.local, like bin, lib, doc etc. (pip for example installs to ~/.local/{bin,lib}).
So I would surely at least consider that beforehand.

ls -aZ ~/.local/
wheel.id:wheel.role:users.generic_home_data.home_data_file:s0 .
wheel.id:wheel.role:users.home_libraries.home_file:s0 lib
wheel.id:wheel.role:users.home_dir.file:s0 ..
wheel.id:wheel.role:users.generic_home_data.home_data_file:s0 share
wheel.id:wheel.role:users.home_commands.home_file:s0 bin

There's also other gotchas, take for example your personal libvirt pool in ~/.local, this content may potentially also need to be accessible by the qemu user.

I guess what I am saying is that not everything below /usr is always just "data".

I don't have enough experience with colord to give advice, looking at my policy there's also a colord --user instance, it seems also heavily integrated with gnome-settings-daemon.

I think this patch is probably alright as is for now (maybe it's best to just ignore confined users in this stage). As for further partitioning ~/.local, I suppose we can always revisit these changes later as this only applies to ~/.local/share/icc anyway.

If this change is one of the few controversial changes that are needed to make GNOME work on Debian with unconfined, then I think it might be worth it to just accept this and make a note about it to address this properly when someone wants to work on the confined support for this aspect.

>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
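
A sketch of the colord_role() idea raised in the thread, as an added example that is not part of the patch, of this message, or of refpolicy itself. The interface name and body are hypothetical; it assumes the two-argument role interface convention ($1 role, $2 user domain) and that the patch grants file access with xdg_read_data_files(colord_t).

```m4
## <summary>
##	Role access for colord (hypothetical sketch, not part of the patch).
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access (unused in this sketch).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`colord_role',`
	gen_require(`
		type colord_t;
	')

	# D-Bus chat between this user domain and colord. Per the thread,
	# a colord_dbus_chat($1_t) call already exists in userdomain.if.
	colord_dbus_chat($2)

	# The profile arrives as an already-open descriptor over D-Bus, so
	# colord needs "use" on fds owned by this user domain only, instead
	# of userdom_use_all_users_fds(colord_t) covering every user domain.
	allow colord_t $2:fd use;
')

# colord.te side (assumption: file access stays as in the patch).
# Receiving a descriptor does not bypass the file permission check, so
# colord_t still needs read access to the type carried by the content
# of ~/.local/share/icc.
xdg_read_data_files(colord_t)
```

Calling such an interface per user domain scopes the fd rule to domains that actually talk to colord, which addresses the confined-user concern without granting fd use on all user domains.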