From: Jason Zaman
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Subject: [PATCH 03/10] accountsd: Add watch perms
Date: Mon, 17 Feb 2020 04:03:12 +0800
Message-Id: <20200216200319.39337-3-jason@perfinion.com>
In-Reply-To: <20200216200319.39337-1-jason@perfinion.com>
References: <20200216200319.39337-1-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Signed-off-by: Jason Zaman
---
 policy/modules/services/accountsd.te |  2 ++
 policy/modules/system/logging.if     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te index 9bf5962a..2e13e943 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t) files_read_mnt_files(accountsd_t) files_read_usr_files(accountsd_t) +files_watch_etc_dirs(accountsd_t) fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) @@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t) logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) +logging_watch_generic_logs_dir(accountsd_t) userdom_read_user_tmp_files(accountsd_t) userdom_read_user_home_content_files(accountsd_t) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 9c7a0dba..b2bba984 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',` manage_files_pattern($1, var_log_t, var_log_t) ') +######################################## +## +## Watch generic log dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_watch_generic_logs_dir',` + gen_require(` + type var_log_t; + ') + + allow $1 var_log_t:dir watch; +') + ######################################## ## ## All of the rules required to administrate -- 2.24.1
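Review bot: the first accountsd.te hunk calls `files_watch_etc_dirs(accountsd_t)`, an interface this patch does not define; the diffstat touches only accountsd.te and logging.if, so unlike `logging_watch_generic_logs_dir`, which the logging.if hunk adds, this one must already exist in kernel/files.if or be added by an earlier patch in the 03/10 series, and the commit message should say which, since the patch does not build stand-alone otherwise. The call answers the `path="/etc" ... tcontext=system_u:object_r:etc_t:s0 tclass=dir` record, and a dir-class `watch` is the right scope for that record; the existing `fs_list_inotifyfs(accountsd_t)` two lines below is consistent with an inotify watch being what `watch` is needed for here.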
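Review bot: naming, in the second accountsd.te hunk: `logging_watch_generic_logs_dir(accountsd_t)` uses singular `dir` while the sibling call added in the first hunk, `files_watch_etc_dirs`, and the neighbouring `logging_list_logs` / `logging_manage_generic_logs` all use plurals; suggest `logging_watch_generic_log_dirs` (with the matching rename of the interface in logging.if) so the watch interfaces follow one pattern. The placement after `logging_set_loginuid` keeps the logging_ block alphabetical, and the grant matches the `path="/var/log" ... tcontext=system_u:object_r:var_log_t:s0 tclass=dir` denial exactly.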
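Review bot: in the logging.if hunk the new interface's doc comment, as it appears here, has empty `##` lines where refpolicy interface headers carry the `<summary>`, `<param name="domain">` and `<desc>` XML tags that the generated documentation is built from; if the mail rendering dropped the tags ignore this, otherwise add them before merging. The body `allow $1 var_log_t:dir watch;` grants only the `watch` permission the /var/log denial reports, on the directory class and nothing on the files inside it, which is the minimal grant for a directory watch; if accountsd later turns out to watch individual log files, that should be a separate file-class interface rather than a widening of this one.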
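The two AVC records in the commit message are the whole justification for the patch, so a reviewer wants to confirm that what the patch grants is exactly what the denials asked for, no more and no less. The following is an added example for this page, not part of the refpolicy patch or of Jason Zaman's e-mail: it parses `avc: denied` records, reduces each to the (source type, target type, class, permissions) tuple that an allow rule is written in, and checks the result against a table restating what the patch's two interface calls expand to. The sample input is the commit message's two records (with the extraction-mangled "accounts _t" read as `accountsd_t`), and the function names and the rule-table format are this example's own, not audit2allow's or refpolicy's.

```python
"""Check SELinux AVC denials against the rules a policy patch grants.

Added example for this page; not part of the refpolicy patch or of the
e-mail it came in. SAMPLE_AVC is the two denials from the commit message
(first one's mangled "accounts _t" read as accountsd_t); PATCH_RULES
restates what the patch's two interface calls expand to. Function names
and the rule-table format are this example's own invention.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the denials quoted in the commit message.
SAMPLE_AVC = """\
avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
"""

# What the patch grants accountsd_t, keyed (source type, target type, class).
# files_watch_etc_dirs() and logging_watch_generic_logs_dir() each expand to
# one "allow $1 <type>:dir watch;" rule.
PATCH_RULES = {
    ("accountsd_t", "etc_t", "dir"): {"watch"},
    ("accountsd_t", "var_log_t", "dir"): {"watch"},
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source_type: str   # type component of scontext
    target_type: str   # type component of tcontext
    tclass: str
    path: str
    comm: str
    permissive: bool


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    # A context is user:role:type[:range]; allow rules name only the type.
    return Denial(
        perms=frozenset(m.group("perms").split()),
        source_type=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        path=fields.get("path", ""),
        comm=fields.get("comm", ""),
        permissive=fields.get("permissive") == "1",
    )


def parse_log(text):
    """All AVC denials in a block of log text, in order; other lines skipped."""
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]


def uncovered(denials, rules):
    """Denials the rule table does not fully satisfy.

    Returns [(denial, sorted missing perms)]; empty means every denial is
    covered. A non-empty result means the patch is short of what the logs
    asked for (whether the logs asked for too much is a policy judgement,
    not something a parser can decide).
    """
    out = []
    for d in denials:
        granted = rules.get((d.source_type, d.target_type, d.tclass), set())
        missing = d.perms - granted
        if missing:
            out.append((d, sorted(missing)))
    return out


def suggest_rules(denials):
    """Raw allow rules that would silence the denials, audit2allow style.

    Refpolicy does not accept raw allow rules in a domain's .te file; these
    are the starting point for picking or adding the interface that wraps
    the target type, as the patch does for var_log_t.
    """
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged.setdefault(key, set()).update(d.perms)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    found = parse_log(SAMPLE_AVC)
    for rule in suggest_rules(found):
        print(rule)
    print("uncovered by patch:", uncovered(found, PATCH_RULES))
```

Run as a script it prints the two raw rules and an empty uncovered list for the patch as posted; dropping either entry from `PATCH_RULES` makes the corresponding denial reappear in `uncovered`, which is the check worth repeating whenever a later revision of the patch renames or reshuffles the interface calls.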