Message-ID: <9eaf8204-0462-9ebf-b0b7-66099cca81a6@ieee.org>
Date: Mon, 25 Apr 2022 09:31:03 -0400
Subject: Re: [PATCH] wm domains and sddm fixes
To: Russell Coker , selinux-refpolicy@vger.kernel.org
From: Chris PeBenito In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 4/6/22 08:36, Russell Coker wrote: > These patches make a sddm login with the $1_wm_t domain work. Most of this > is for X11 but there is a bit for Wayland too. > > Signed-off-by: Russell Coker > > Index: refpolicy-2.20220322/policy/modules/apps/wm.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/apps/wm.if > +++ refpolicy-2.20220322/policy/modules/apps/wm.if > @@ -61,6 +61,8 @@ template(`wm_role_template',` > allow $3 $1_wm_t:process { ptrace signal_perms }; > ps_process_pattern($3, $1_wm_t) > > + kernel_read_kernel_sysctls($1_wm_t) > + > allow $1_wm_t $3:process { signull sigkill }; > > domtrans_pattern($3, wm_exec_t, $1_wm_t) > @@ -81,6 +83,10 @@ template(`wm_role_template',` > > wm_write_pipes($1, $3) > > + tunable_policy(`wm_write_xdg_data', ` > + xdg_manage_data($1_wm_t) > + ') > + > optional_policy(` > dbus_connect_spec_session_bus($1, $1_wm_t) > dbus_spec_session_bus_client($1, $1_wm_t) 
> @@ -115,6 +121,17 @@ template(`wm_role_template',` > optional_policy(` > xdg_watch_config_files($1_wm_t) > ') > + > + optional_policy(` > + systemd_dbus_chat_logind($1_wm_t) > + ') > + > + optional_policy(` > + xdg_read_data_files($1_wm_t) > + xdg_manage_cache($1_wm_t) > + xdg_manage_config($1_wm_t) > + xdg_watch_data_files($1_wm_t) > + ') > ') Please merge all the xdg calls into a single optional block. The added tunable should be in this optional too. > ######################################## > Index: refpolicy-2.20220322/policy/modules/kernel/corecommands.fc > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/kernel/corecommands.fc > +++ refpolicy-2.20220322/policy/modules/kernel/corecommands.fc > @@ -256,6 +256,7 @@ ifdef(`distro_gentoo',` > /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/x86_64-linux-gnu/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) > > ifdef(`distro_debian',` > /usr/lib/[^/]+/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) > Index: refpolicy-2.20220322/policy/modules/system/unconfined.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/system/unconfined.if > +++ refpolicy-2.20220322/policy/modules/system/unconfined.if 
> @@ -40,6 +40,7 @@ interface(`unconfined_domain_noaudit',` > allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; > allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon }; > allow $1 self:fifo_file manage_fifo_file_perms; > + allow $1 self:system status; > > # Manage most namespace capabilities > allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; > Index: refpolicy-2.20220322/policy/modules/apps/gnome.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/apps/gnome.if > +++ refpolicy-2.20220322/policy/modules/apps/gnome.if > @@ -112,6 +112,10 @@ template(`gnome_role_template',` > ') > > optional_policy(` > + systemd_dbus_chat_logind($1_gkeyringd_t) > + ') > + > + optional_policy(` > wm_dbus_chat($1, $1_gkeyringd_t) > ') > ') 
> @@ -814,3 +818,21 @@ interface(`gnome_mmap_gstreamer_orcexec' > > allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms; > ') > + > +######################################## > +## > +## watch gnome_xdg_config_t dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_watch_xdg_config_dirs',` > + gen_require(` > + type gnome_xdg_config_t; > + ') > + > + allow $1 gnome_xdg_config_t:dir watch; > +') > Index: refpolicy-2.20220322/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20220322/policy/modules/services/xserver.if > @@ -213,7 +213,7 @@ template(`xserver_role',` > > xserver_read_xkb_libs($2) > > - allow $2 xdm_t:unix_stream_socket accept; > + allow $2 xdm_t:unix_stream_socket { getattr accept }; > > optional_policy(` > systemd_user_app_status($1, xserver_t) > Index: refpolicy-2.20220322/policy/modules/system/miscfiles.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/system/miscfiles.if > +++ refpolicy-2.20220322/policy/modules/system/miscfiles.if > @@ -634,6 +634,7 @@ interface(`miscfiles_watch_localization' > type locale_t; > ') > > + allow $1 locale_t:dir watch; > allow $1 locale_t:file watch; > ') > > Index: refpolicy-2.20220322/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20220322/policy/modules/system/userdomain.if > @@ -121,6 +121,8 @@ template(`userdom_base_user_template',` > miscfiles_read_generic_certs($1_t) > miscfiles_watch_fonts_dirs($1_t) > > + userdom_write_user_runtime_sockets($1_t) > + > sysnet_read_config($1_t) > > # kdeinit wants systemd status 
> @@ -960,6 +962,7 @@ template(`userdom_login_user_template', > userdom_exec_user_tmp_files($1_t) > userdom_exec_user_home_content_files($1_t) > > + userdom_execmod_user_tmpfs_files($1_t) > userdom_map_user_tmpfs_files($1_t) > > userdom_change_password_template($1) > @@ -1214,8 +1217,10 @@ template(`userdom_unpriv_user_template', > corenet_tcp_bind_xserver_port($1_t) > > files_exec_usr_files($1_t) > + files_watch_etc_symlinks($1_t) > > miscfiles_manage_public_files($1_t) > + miscfiles_watch_localization($1_t) > miscfiles_watch_public_dirs($1_t) > > tunable_policy(`user_dmesg',` > @@ -1234,6 +1239,7 @@ template(`userdom_unpriv_user_template', > tunable_policy(`user_tcp_server',` > corenet_tcp_bind_generic_node($1_t) > corenet_tcp_bind_generic_port($1_t) > + corenet_tcp_bind_all_unreserved_ports($1_t) > ') > > # Allow users to run UDP servers (bind to ports and accept connection from > @@ -1241,6 +1247,7 @@ template(`userdom_unpriv_user_template', > tunable_policy(`user_udp_server',` > corenet_udp_bind_generic_node($1_t) > corenet_udp_bind_generic_port($1_t) > + corenet_udp_bind_all_unreserved_ports($1_t) > ') > > optional_policy(` > @@ -1582,6 +1589,8 @@ template(`userdom_xdg_user_template',` > xdg_manage_all_data($1_t) > xdg_relabel_all_data($1_t) > xdg_watch_all_data_dirs($1_t) > + xdg_watch_all_data_files($1_t) > + xdg_exec_data($1_t) > > xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache") > xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config") > @@ -3686,6 +3695,24 @@ interface(`userdom_delete_user_runtime_f > > ######################################## > ## > +## write user runtime sockets > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_write_user_runtime_sockets',` > + gen_require(` > + type user_runtime_t; > + ') > + > + allow $1 user_runtime_t:sock_file write; No associated unix socket access? > +') > + > +######################################## > +## > ## Search users runtime directories. > ## > ## 
> @@ -4094,6 +4121,24 @@ interface(`userdom_manage_user_tmpfs_fil > ') > > ######################################## > +## > +## execute and execmod user tmpfs files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_execmod_user_tmpfs_files',` > + gen_require(` > + type user_tmpfs_t; > + ') > + > + allow $1 user_tmpfs_t:file { execute execmod }; > +') > + > +######################################## > ## > ## Get the attributes of a user domain tty. > ## > Index: refpolicy-2.20220322/policy/modules/apps/pulseaudio.te > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/apps/pulseaudio.te > +++ refpolicy-2.20220322/policy/modules/apps/pulseaudio.te > @@ -222,6 +222,7 @@ optional_policy(` > systemd_read_logind_sessions_files(pulseaudio_t) > # for /run/systemd/users/$PID > systemd_read_logind_runtime_files(pulseaudio_t) > + systemd_watch_logind_sessions_dirs(pulseaudio_t) > ') > > optional_policy(` > Index: refpolicy-2.20220322/policy/modules/system/xdg.if > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/system/xdg.if > +++ refpolicy-2.20220322/policy/modules/system/xdg.if > @@ -691,6 +691,24 @@ interface(`xdg_watch_data_dirs',` > > ######################################## > ## > +## Watch the xdg data home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_data_files',` > + gen_require(` > + type xdg_data_t; > + ') > + > + allow $1 xdg_data_t:file watch; > +') > + > +######################################## > +## > ## Watch all the xdg data home directories > ## > ## 
> @@ -709,6 +727,24 @@ interface(`xdg_watch_all_data_dirs',` > > ######################################## > ## > +## Watch all the xdg data home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_all_data_files',` > + gen_require(` > + attribute xdg_data_type; > + ') > + > + allow $1 xdg_data_type:file watch; > +') > + > +######################################## > +## > ## Read the xdg data home files > ## > ## > @@ -914,6 +950,24 @@ interface(`xdg_relabel_data',` > ') > > ######################################## > +## > +## Allow domain to execute xdg_data_t, for some application config in kde > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_exec_data',` > + gen_require(` > + type xdg_data_t; > + ') > + > + can_exec($1, xdg_data_t) > +') > + > +######################################## > ## > ## Allow relabeling the xdg data home files, regardless of their type > ## > Index: refpolicy-2.20220322/policy/modules/apps/wm.te > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/apps/wm.te > +++ refpolicy-2.20220322/policy/modules/apps/wm.te > @@ -7,6 +7,14 @@ policy_module(wm) > > attribute wm_domain; > > + > +## > +##

> +## Grant the window manager domains write access to xdg data > +##

> +##
> +gen_tunable(`wm_write_xdg_data', false) > + > type wm_exec_t; > corecmd_executable_file(wm_exec_t) > > Index: refpolicy-2.20220322/policy/modules/apps/chromium.te > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/apps/chromium.te > +++ refpolicy-2.20220322/policy/modules/apps/chromium.te > @@ -275,6 +275,7 @@ optional_policy(` > > optional_policy(` > gnome_dbus_chat_all_gkeyringd(chromium_t) > + gnome_watch_xdg_config_dirs(chromium_t) > ') > > optional_policy(` > Index: refpolicy-2.20220322/policy/modules/services/xserver.fc > =================================================================== > --- refpolicy-2.20220322.orig/policy/modules/services/xserver.fc > +++ refpolicy-2.20220322/policy/modules/services/xserver.fc > @@ -37,6 +37,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) > > /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) > +/etc/sddm/wayland-session -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) > > /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -- Chris PeBenito
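Review bot: in the wm.if hunk at `@@ -81,6 +83,10 @@`, `xdg_manage_data($1_wm_t)` inside `tunable_policy(`wm_write_xdg_data', ...)` grants create, delete and rename on the user's xdg data, which is wider than the "write" the tunable name promises; either call a narrower write-only interface if that is all the window manager needs, or rename the tunable and its description to say manage.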
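Review bot: in the wm.if hunk at `@@ -115,6 +121,17 @@`, `xdg_manage_cache` and `xdg_manage_config` are granted to every `$1_wm_t` unconditionally while data access in the same template is gated behind `wm_write_xdg_data`; if the cache and config writes are only needed by particular desktops, put them behind the same tunable, and otherwise say in the commit message which denials they resolve.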
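Review bot: in the corecommands.fc hunk, `/usr/lib/x86_64-linux-gnu/libexec/.*` hard-codes one multiarch triplet, so the same path on other Debian architectures stays unlabelled; the adjacent `ifdef(`distro_debian',`` block already uses `/usr/lib/[^/]+/tumbler-1/tumblerd` for multiarch paths, so move the entry into that block as `/usr/lib/[^/]+/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)`.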
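Review bot: in the unconfined.if hunk, `allow $1 self:system status;` carries no comment saying which caller needs it, unlike the `# Manage most namespace capabilities` rule just below; systemd checks `system` class permissions against its own context, so a self rule only matters where the client and the systemd instance share a domain (typically a `systemd --user` instance), and that case should be named in a comment so the rule is not later taken for dead.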
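Review bot: in the gnome.if hunk at `@@ -814,3 +818,21 @@`, the summary `watch gnome_xdg_config_t dirs` should read like the other new interface summaries in this patch (`Watch the xdg data home files`), a capitalized description of the object rather than the type name, e.g. `Watch the gnome xdg config directories.`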
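Review bot: in the userdomain.if hunk at `@@ -121,6 +123,8 @@`, `userdom_write_user_runtime_sockets($1_t)` lands in `userdom_base_user_template`, so every user domain built from the base template gets it; `sock_file write` on its own only helps when the listener domain also allows `unix_stream_socket connectto` from `$1_t`, so the commit message should say which socket under the user runtime directory and which peer domain this is for, and the call likely belongs in the narrower template that needs it.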
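Review bot: in the userdomain.if hunk at `@@ -960,6 +962,7 @@`, `userdom_execmod_user_tmpfs_files($1_t)` in `userdom_login_user_template` gives every login user, unprivileged ones included, `execute execmod` on their tmpfs files, i.e. the ability to turn writable anonymous memory into executable code; the same file already gates comparable permissions behind tunables such as `user_tcp_server`, so either add a tunable for this or apply it only in the template of the desktop that needs it, and name the program whose denial it fixes.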
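Review bot: in the userdomain.if hunk at `@@ -1234,6 +1239,7 @@`, `corenet_tcp_bind_all_unreserved_ports($1_t)` changes what `user_tcp_server` means: the existing `corenet_tcp_bind_generic_port` call covers only unlabelled `port_t` ports, while `unreserved_port_type` also covers the labelled port types declared above 1024 for specific services, so a user domain with the tunable on can bind ports those services are confined to; if that widening is intended, update the tunable description, otherwise drop the call.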
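Review bot: in the userdomain.if hunk at `@@ -1241,6 +1247,7 @@`, `corenet_udp_bind_all_unreserved_ports($1_t)` extends `user_udp_server` in the same way as the TCP hunk above it, from unlabelled `port_t` to every labelled high port type; keep the two hunks consistent with whatever is decided for TCP and reflect the outcome in both tunable descriptions.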
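Review bot: in the userdomain.if hunk at `@@ -1582,6 +1589,8 @@`, `xdg_exec_data($1_t)` lets every xdg user domain execute files anywhere under its data home, which removes the usual separation between writable user data and executables; since the interface comment says this is for "some application config in kde", gate the call behind a tunable (this patch already adds one for `wm_write_xdg_data`) or limit it to the file type KDE actually executes rather than all of `xdg_data_t`.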
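Review bot: in the userdomain.if hunk at `@@ -3686,6 +3695,24 @@`, the summary `write user runtime sockets` should match the sibling `Search users runtime directories.` (capitalized, a full sentence), and the description should say that only the `sock_file` node is covered, since the interface name reads as if it granted socket access.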
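Review bot: in the userdomain.if hunk at `@@ -4094,6 +4121,24 @@`, `userdom_execmod_user_tmpfs_files` grants `{ execute execmod }` although its name mentions only execmod; either split plain `execute` into its own interface alongside the existing `userdom_map_user_tmpfs_files`, so callers that need execute but not execmod have something narrower to call, or rename this one to say both.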
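Review bot: in the xdg.if hunk at `@@ -914,6 +950,24 @@`, the summary `Allow domain to execute xdg_data_t, for some application config in kde` documents the caller rather than the interface; keep the summary to what is granted (`Execute files in the xdg data home.`) and put the KDE reason as a `#` comment at the call site in userdomain.if, naming the file KDE executes so the rule can be tightened later.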
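Review bot: in the wm.te hunk, there is a stray extra blank line before the new `##` doc block (the hunk shows an added empty line after the existing empty context line following `attribute wm_domain;`), and the description `Grant the window manager domains write access to xdg data` understates what the tunable enables, since the wm.if caller uses `xdg_manage_data`; say manage here, or narrow the call to match the description.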