Subject: Re: [PATCH 03/10] accountsd: Add watch perms
To: Jason Zaman, selinux-refpolicy@vger.kernel.org
References: <20200216200319.39337-1-jason@perfinion.com> <20200216200319.39337-3-jason@perfinion.com>
From: Chris PeBenito
Message-ID: <8d91a6d5-7d65-ab4b-79c3-1dc2bdc627e5@ieee.org>
Date: Mon, 17 Feb 2020 13:27:22 -0500
In-Reply-To: <20200216200319.39337-3-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman
> ---
> policy/modules/services/accountsd.te | 2 ++
> policy/modules/system/logging.if | 18 ++++++++++++++++++
> 2 files changed, 20 insertions(+)
>
> diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
> index 9bf5962a..2e13e943 100644
> --- a/policy/modules/services/accountsd.te
> +++ b/policy/modules/services/accountsd.te
> @@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
>
> files_read_mnt_files(accountsd_t)
> files_read_usr_files(accountsd_t)
> +files_watch_etc_dirs(accountsd_t)
>
> fs_getattr_xattr_fs(accountsd_t)
> fs_list_inotifyfs(accountsd_t)
> @@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
> logging_list_logs(accountsd_t)
> logging_send_syslog_msg(accountsd_t)
> logging_set_loginuid(accountsd_t)
> +logging_watch_generic_logs_dir(accountsd_t)
>
> userdom_read_user_tmp_files(accountsd_t)
> userdom_read_user_home_content_files(accountsd_t)
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 9c7a0dba..b2bba984 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
> manage_files_pattern($1, var_log_t, var_log_t)
> ')
>
> +########################################
> +##
> +## Watch generic log dirs.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_watch_generic_logs_dir',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + allow $1 var_log_t:dir watch;
> +')
> +
> ########################################
> ##
> ## All of the rules required to administrate

Merged.

-- 
Chris PeBenito
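Review bot: the first accountsd.te hunk calls `files_watch_etc_dirs(accountsd_t)`, but this patch defines no such interface and nothing quoted here shows it; confirm it already exists in files.if (or is introduced by an earlier patch in this series) before merging, since a call to an undefined interface breaks the policy build rather than just the accountsd module.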
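Review bot: in the logging.if hunk the new interface is named `logging_watch_generic_logs_dir` (singular) while its own summary says "Watch generic log dirs.", the companion call in the same patch is `files_watch_etc_dirs`, and the neighbouring interfaces (`logging_manage_generic_logs`, `logging_list_logs`) all use plural object names; `logging_watch_generic_logs_dirs` would keep the naming consistent. The body itself is appropriately minimal: `allow $1 var_log_t:dir watch;` grants exactly the dir:watch that the /var/log denial asked for and nothing on the log files inside it.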
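The patch above was derived from two AVC denials by hand: each denial names a source type, a target type, an object class and a permission, and the interface calls added to accountsd.te expand to exactly the allow rules those fields spell out. The following Python script is an added example, not code from this thread or from the refpolicy project. It parses AVC lines like the two in the commit message (with the first line's wrapped type name restored to `accountsd_t`), turns each into the raw `allow` rule it requires, and checks whether a candidate set of raw rules covers every denial. The `etc_t` rule in `PATCH_RULES` is an assumed expansion of `files_watch_etc_dirs`, which the patch calls but does not show; the `var_log_t` rule is the body of the new logging interface. All names (`Denial`, `parse_denials`, `uncovered`, and so on) are illustrative.

```python
"""Map SELinux AVC denials to the allow rules they need, then check coverage.

Added example, not refpolicy code. The etc_t rule in PATCH_RULES is the
assumed expansion of files_watch_etc_dirs; the var_log_t rule is visible
in the logging.if hunk of the patch.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fields needed from an AVC record. perms may list several permissions,
# e.g. "{ read watch }"; path= is optional (absent for non-file classes).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r'(?:.*?\bpath="(?P<path>[^"]*)")?'
    r".*?\bscontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Raw allow rules, with or without braces around the permission set.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^;}]+?)\s*\}?\s*;", re.MULTILINE
)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perm: str
    path: Optional[str] = None

    def allow_rule(self) -> str:
        """The minimal raw rule that would silence this denial."""
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {self.perm};"


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return fields[2]


def parse_denials(log_text: str) -> list[Denial]:
    """One Denial per (line, permission) pair found in log_text."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            found.append(Denial(context_type(m.group("scon")),
                                context_type(m.group("tcon")),
                                m.group("tclass"), perm, m.group("path")))
    return found


def parse_allow_rules(policy_text: str) -> set[tuple[str, str, str, str]]:
    """(source, target, class, perm) tuples granted by raw allow rules."""
    granted = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        for perm in perms.split():
            granted.add((src, tgt, cls, perm))
    return granted


def uncovered(denials: list[Denial], granted: set) -> list[Denial]:
    """Denials that the granted rule set does not address."""
    return [d for d in denials
            if (d.source_type, d.target_type, d.tclass, d.perm) not in granted]


# The two denials quoted in the commit message.
COMMIT_AVC = """\
avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
"""

# What the patch's two interface calls expand to for accountsd_t (etc_t rule assumed).
PATCH_RULES = """\
allow accountsd_t etc_t:dir watch;
allow accountsd_t var_log_t:dir watch;
"""

if __name__ == "__main__":
    denials = parse_denials(COMMIT_AVC)
    for d in denials:
        print(d.allow_rule())
    missing = uncovered(denials, parse_allow_rules(PATCH_RULES))
    print("uncovered:", [d.allow_rule() for d in missing])
```

Run as a script it prints the two raw rules and an empty uncovered list; feed it only one of the rules and the other denial shows up as uncovered. In refpolicy the raw rules are never written into accountsd.te directly; the point of the check is to confirm that the interface calls you pick (here `files_watch_etc_dirs` and the new logging interface) expand to rules that match the denials, and nothing wider.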