Date: Wed, 6 Apr 2022 22:36:24 +1000
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] wm domains and sddm fixes

These patches make a sddm login with the $1_wm_t domain work. Most of this is for X11 but there is a bit for Wayland too.

Signed-off-by: Russell Coker

Index: refpolicy-2.20220322/policy/modules/apps/wm.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/apps/wm.if +++ refpolicy-2.20220322/policy/modules/apps/wm.if @@ -61,6 +61,8 @@ template(`wm_role_template',` allow $3 $1_wm_t:process { ptrace signal_perms }; ps_process_pattern($3, $1_wm_t) + kernel_read_kernel_sysctls($1_wm_t) + allow $1_wm_t $3:process { signull sigkill }; domtrans_pattern($3, wm_exec_t, $1_wm_t) @@ -81,6 +83,10 @@ template(`wm_role_template',` wm_write_pipes($1, $3) + tunable_policy(`wm_write_xdg_data', ` + xdg_manage_data($1_wm_t) + ') + optional_policy(` dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) 
@@ -115,6 +121,17 @@ template(`wm_role_template',` optional_policy(` xdg_watch_config_files($1_wm_t) ') + + optional_policy(` + systemd_dbus_chat_logind($1_wm_t) + ') + + optional_policy(` + xdg_read_data_files($1_wm_t) + xdg_manage_cache($1_wm_t) + xdg_manage_config($1_wm_t) + xdg_watch_data_files($1_wm_t) + ') ') ######################################## Index: refpolicy-2.20220322/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20220322.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20220322/policy/modules/kernel/corecommands.fc @@ -256,6 +256,7 @@ ifdef(`distro_gentoo',` /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/x86_64-linux-gnu/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_debian',` /usr/lib/[^/]+/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) Index: refpolicy-2.20220322/policy/modules/system/unconfined.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/system/unconfined.if +++ refpolicy-2.20220322/policy/modules/system/unconfined.if 
@@ -40,6 +40,7 @@ interface(`unconfined_domain_noaudit',` allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon }; allow $1 self:fifo_file manage_fifo_file_perms; + allow $1 self:system status; # Manage most namespace capabilities allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; Index: refpolicy-2.20220322/policy/modules/apps/gnome.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/apps/gnome.if +++ refpolicy-2.20220322/policy/modules/apps/gnome.if @@ -112,6 +112,10 @@ template(`gnome_role_template',` ') optional_policy(` + systemd_dbus_chat_logind($1_gkeyringd_t) + ') + + optional_policy(` wm_dbus_chat($1, $1_gkeyringd_t) ') ') 
@@ -814,3 +818,21 @@ interface(`gnome_mmap_gstreamer_orcexec' allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms; ') + +######################################## +## +## watch gnome_xdg_config_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_watch_xdg_config_dirs',` + gen_require(` + type gnome_xdg_config_t; + ') + + allow $1 gnome_xdg_config_t:dir watch; +') Index: refpolicy-2.20220322/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/services/xserver.if +++ refpolicy-2.20220322/policy/modules/services/xserver.if @@ -213,7 +213,7 @@ template(`xserver_role',` xserver_read_xkb_libs($2) - allow $2 xdm_t:unix_stream_socket accept; + allow $2 xdm_t:unix_stream_socket { getattr accept }; optional_policy(` systemd_user_app_status($1, xserver_t) Index: refpolicy-2.20220322/policy/modules/system/miscfiles.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/system/miscfiles.if +++ refpolicy-2.20220322/policy/modules/system/miscfiles.if @@ -634,6 +634,7 @@ interface(`miscfiles_watch_localization' type locale_t; ') + allow $1 locale_t:dir watch; allow $1 locale_t:file watch; ') Index: refpolicy-2.20220322/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20220322/policy/modules/system/userdomain.if @@ -121,6 +121,8 @@ template(`userdom_base_user_template',` miscfiles_read_generic_certs($1_t) miscfiles_watch_fonts_dirs($1_t) + userdom_write_user_runtime_sockets($1_t) + sysnet_read_config($1_t) # kdeinit wants systemd status 
@@ -960,6 +962,7 @@ template(`userdom_login_user_template', userdom_exec_user_tmp_files($1_t) userdom_exec_user_home_content_files($1_t) + userdom_execmod_user_tmpfs_files($1_t) userdom_map_user_tmpfs_files($1_t) userdom_change_password_template($1) @@ -1214,8 +1217,10 @@ template(`userdom_unpriv_user_template', corenet_tcp_bind_xserver_port($1_t) files_exec_usr_files($1_t) + files_watch_etc_symlinks($1_t) miscfiles_manage_public_files($1_t) + miscfiles_watch_localization($1_t) miscfiles_watch_public_dirs($1_t) tunable_policy(`user_dmesg',` @@ -1234,6 +1239,7 @@ template(`userdom_unpriv_user_template', tunable_policy(`user_tcp_server',` corenet_tcp_bind_generic_node($1_t) corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ') # Allow users to run UDP servers (bind to ports and accept connection from @@ -1241,6 +1247,7 @@ template(`userdom_unpriv_user_template', tunable_policy(`user_udp_server',` corenet_udp_bind_generic_node($1_t) corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_all_unreserved_ports($1_t) ') optional_policy(` @@ -1582,6 +1589,8 @@ template(`userdom_xdg_user_template',` xdg_manage_all_data($1_t) xdg_relabel_all_data($1_t) xdg_watch_all_data_dirs($1_t) + xdg_watch_all_data_files($1_t) + xdg_exec_data($1_t) xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache") xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config") @@ -3686,6 +3695,24 @@ interface(`userdom_delete_user_runtime_f ######################################## ## +## write user runtime sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_user_runtime_sockets',` + gen_require(` + type user_runtime_t; + ') + + allow $1 user_runtime_t:sock_file write; +') + +######################################## +## ## Search users runtime directories. ## ## 
@@ -4094,6 +4121,24 @@ interface(`userdom_manage_user_tmpfs_fil ') ######################################## +## +## execute and execmod user tmpfs files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_execmod_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + allow $1 user_tmpfs_t:file { execute execmod }; +') + +######################################## ## ## Get the attributes of a user domain tty. ## Index: refpolicy-2.20220322/policy/modules/apps/pulseaudio.te =================================================================== --- refpolicy-2.20220322.orig/policy/modules/apps/pulseaudio.te +++ refpolicy-2.20220322/policy/modules/apps/pulseaudio.te @@ -222,6 +222,7 @@ optional_policy(` systemd_read_logind_sessions_files(pulseaudio_t) # for /run/systemd/users/$PID systemd_read_logind_runtime_files(pulseaudio_t) + systemd_watch_logind_sessions_dirs(pulseaudio_t) ') optional_policy(` Index: refpolicy-2.20220322/policy/modules/system/xdg.if =================================================================== --- refpolicy-2.20220322.orig/policy/modules/system/xdg.if +++ refpolicy-2.20220322/policy/modules/system/xdg.if @@ -691,6 +691,24 @@ interface(`xdg_watch_data_dirs',` ######################################## ## +## Watch the xdg data home files +## +## +## +## Domain allowed access. +## +## +# +interface(`xdg_watch_data_files',` + gen_require(` + type xdg_data_t; + ') + + allow $1 xdg_data_t:file watch; +') + +######################################## +## ## Watch all the xdg data home directories ## ## @@ -709,6 +727,24 @@ interface(`xdg_watch_all_data_dirs',` ######################################## ## +## Watch all the xdg data home files +## +## +## +## Domain allowed access. +## +## +# +interface(`xdg_watch_all_data_files',` + gen_require(` + attribute xdg_data_type; + ') + + allow $1 xdg_data_type:file watch; +') + +######################################## +## ## Read the xdg data home files ## ## 
@@ -914,6 +950,24 @@ interface(`xdg_relabel_data',` ') ######################################## +## +## Allow domain to execute xdg_data_t, for some application config in kde +## +## +## +## Domain allowed access. +## +## +# +interface(`xdg_exec_data',` + gen_require(` + type xdg_data_t; + ') + + can_exec($1, xdg_data_t) +') + +######################################## ## ## Allow relabeling the xdg data home files, regardless of their type ## Index: refpolicy-2.20220322/policy/modules/apps/wm.te =================================================================== --- refpolicy-2.20220322.orig/policy/modules/apps/wm.te +++ refpolicy-2.20220322/policy/modules/apps/wm.te @@ -7,6 +7,14 @@ policy_module(wm) attribute wm_domain; + +## +##

+## Grant the window manager domains write access to xdg data +##

+##
+gen_tunable(`wm_write_xdg_data', false) + type wm_exec_t; corecmd_executable_file(wm_exec_t) Index: refpolicy-2.20220322/policy/modules/apps/chromium.te =================================================================== --- refpolicy-2.20220322.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20220322/policy/modules/apps/chromium.te @@ -275,6 +275,7 @@ optional_policy(` optional_policy(` gnome_dbus_chat_all_gkeyringd(chromium_t) + gnome_watch_xdg_config_dirs(chromium_t) ') optional_policy(` Index: refpolicy-2.20220322/policy/modules/services/xserver.fc =================================================================== --- refpolicy-2.20220322.orig/policy/modules/services/xserver.fc +++ refpolicy-2.20220322/policy/modules/services/xserver.fc @@ -37,6 +37,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) +/etc/sddm/wayland-session -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)