2020-02-16 20:03:37

by Jason Zaman

Subject: [PATCH 01/10] fstools: add zfs-auto-snapshot

Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc: denied { execute } for pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/system/fstools.fc | 1 +
policy/modules/system/fstools.te | 2 ++
2 files changed, 3 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d871294e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
/usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4ad6e65f..4ae0301a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,6 +154,8 @@ logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

+# for zfs/zpool
+mount_exec(fsadm_t)
# for /run/mount/utab
mount_getattr_runtime_files(fsadm_t)
# losetup: bind mount_loopback_t files to loop devices
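Review bot: The comment `# for zfs/zpool` above the added `mount_exec(fsadm_t)` does not explain why an fsadm tool executes a mount_exec_t binary, and the commit message names `fstools_t` while both the hunk and the AVC in the description use `fsadm_t`. Because zpool is labelled mount_exec_t, `mount_exec` runs it inside fsadm_t with no domain transition; if that is the intent, say so: `# zfs-auto-snapshot calls zpool, which is labelled mount_exec_t; run it in fsadm_t`. If zpool should instead run in the mount domain, `mount_domtrans(fsadm_t)` would be the alternative to consider. Either way the description should read fsadm_t.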
--
2.24.1


2020-02-16 20:03:40

by Jason Zaman

Subject: [PATCH 02/10] udev: Add watch perms

Udev watches all the fixed_disks and udevadm watches the runtime dir.

udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied

avc: denied { watch } for pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
policy/modules/system/udev.te | 3 +++
2 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index c14bb13b..f9dcbaf5 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
allow $1 fixed_disk_device_t:blk_file getattr;
')

+########################################
+## <summary>
+## Watch fixed disk device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_watch_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file watch;
+ allow $1 fixed_disk_device_t:chr_file watch;
+')
+
########################################
## <summary>
## Allow the caller to get the attributes
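Review bot: `storage_watch_fixed_disk` grants watch on `fixed_disk_device_t:chr_file` as well as `blk_file`, but the udevd denial in the description is only for a blk_file (/dev/loop3), so the chr_file rule is not backed by any observed denial. If it is intended for character nodes that also carry fixed_disk_device_t (e.g. raw devices, if storage.fc labels them so), a one-line comment above the rule such as `# raw device nodes also carry fixed_disk_device_t` would justify the wider grant; otherwise drop it and add it when a denial appears. The summary could also state that callers additionally get `dev_list_all_dev_nodes`, since that access is granted as a side effect of this interface.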
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 0ccbcb51..e0e27a9d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)

+storage_watch_fixed_disk(udev_t)
+
auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
@@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+allow udevadm_t udev_runtime_t:dir watch;

list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
--
2.24.1

2020-02-16 20:03:54

by Jason Zaman

Subject: [PATCH 03/10] accountsd: Add watch perms

avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/accountsd.te | 2 ++
policy/modules/system/logging.if | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)

files_read_mnt_files(accountsd_t)
files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)

fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)

userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
manage_files_pattern($1, var_log_t, var_log_t)
')

+########################################
+## <summary>
+## Watch generic log dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ allow $1 var_log_t:dir watch;
+')
+
########################################
## <summary>
## All of the rules required to administrate
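Review bot: The new interface is named `logging_watch_generic_logs_dir` (singular) while every other watch interface in this series uses the plural `_dirs` suffix (`files_watch_etc_dirs`, `miscfiles_watch_fonts_dirs`, `xdg_watch_*_dirs`), and its own summary says "Watch generic log dirs." Renaming it `logging_watch_generic_logs_dirs` keeps the naming consistent across the series; the caller added to accountsd.te in this same patch would need the same rename.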
--
2.24.1

2020-02-16 20:03:57

by Jason Zaman

Subject: [PATCH 04/10] cron: watch cron spool

avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/cron.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 46b64016..dbbd9dbf 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
files_pid_filetrans(crond_t, crond_runtime_t, file)

manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+allow crond_t cron_spool_t:dir watch;

manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })

list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+allow crond_t system_cron_spool_t:dir watch;
+allow crond_t system_cron_spool_t:file watch;

rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:dir watch;

manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)

--
2.24.1

2020-02-16 20:04:01

by Jason Zaman

Subject: [PATCH 05/10] colord: add watch perms

avc: denied { watch } for pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/colord.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 24eda8a9..44f2b049 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
+allow colord_t colord_var_lib_t:dir watch;

kernel_read_crypto_sysctls(colord_t)
kernel_read_device_sysctls(colord_t)
@@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
files_read_usr_files(colord_t)
files_map_usr_files(colord_t)
+files_watch_usr_dirs(colord_t)

fs_getattr_noxattr_fs(colord_t)
fs_getattr_tmpfs(colord_t)
--
2.24.1

2020-02-16 20:04:05

by Jason Zaman

Subject: [PATCH 06/10] policykit devicekit: Add watch perms

avc: denied { watch } for pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/consolekit.if | 18 ++++++++++++++++++
policy/modules/services/devicekit.te | 1 +
policy/modules/services/policykit.te | 3 +++
3 files changed, 22 insertions(+)

diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index 9aa0dbce..422c19cd 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -121,3 +121,21 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_runtime_t:dir list_dir_perms;
read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t)
')
+
+########################################
+## <summary>
+## Watch consolekit runtime dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_watch_runtime_dir',`
+ gen_require(`
+ type consolekit_runtime_t;
+ ')
+
+ allow $1 consolekit_runtime_t:dir watch;
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f58a7a19..ed88f10b 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -127,6 +127,7 @@ files_manage_boot_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
+files_watch_etc_dirs(devicekit_disk_t)

fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 04e88500..4989157c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -95,6 +95,8 @@ dev_read_urand(policykit_t)
domain_read_all_domains_state(policykit_t)

files_dontaudit_search_all_mountpoints(policykit_t)
+files_watch_etc_dirs(policykit_t)
+files_watch_usr_dirs(policykit_t)

fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
@@ -127,6 +129,7 @@ optional_policy(`

optional_policy(`
consolekit_read_pid_files(policykit_t)
+ consolekit_watch_runtime_dir(policykit_t)
')

optional_policy(`
--
2.24.1

2020-02-16 20:04:08

by Jason Zaman

Subject: [PATCH 07/10] userdomain: Add watch on home dirs

avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/xserver.if | 11 +-
policy/modules/system/miscfiles.if | 37 ++++++
policy/modules/system/userdomain.if | 15 +++
policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++
4 files changed, 260 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c95a6b04..99c1a7ea 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
dev_rw_usbfs($2)

miscfiles_read_fonts($2)
+ miscfiles_watch_fonts_dirs($2)

xserver_common_x_domain_template(user, $2)
xserver_domtrans($2)
@@ -186,10 +187,13 @@ interface(`xserver_role',`
optional_policy(`
xdg_manage_all_cache($2)
xdg_relabel_all_cache($2)
+ xdg_watch_all_cache_dirs($2)
xdg_manage_all_config($2)
xdg_relabel_all_config($2)
+ xdg_watch_all_config_dirs($2)
xdg_manage_all_data($2)
xdg_relabel_all_data($2)
+ xdg_watch_all_data_dirs($2)

xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`

xdg_manage_documents($2)
xdg_relabel_documents($2)
+ xdg_watch_documents_dirs($2)
xdg_manage_downloads($2)
xdg_relabel_downloads($2)
+ xdg_watch_downloads_dirs($2)
xdg_manage_music($2)
xdg_relabel_music($2)
+ xdg_watch_music_dirs($2)
xdg_manage_pictures($2)
xdg_relabel_pictures($2)
+ xdg_watch_pictures_dirs($2)
xdg_manage_videos($2)
xdg_relabel_videos($2)
+ xdg_watch_videos_dirs($2)

xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
')

# Read per user fonts
- allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:dir { list_dir_perms watch };
allow $1 user_fonts_t:file { map read_file_perms };

# Manipulate the global font cache
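Review bot: The comment `# Read per user fonts` now heads a rule that also grants `watch` on user_fonts_t dirs, so it no longer describes the rule below it. Updating it to `# Read and watch per user fonts` keeps the comment accurate for the next reader of `xserver_use_user_fonts`, whose body starts outside this hunk.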
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 47330a48..6fbacc04 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',`
read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')

+########################################
+## <summary>
+## Watch fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_watch_fonts_dirs',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ allow $1 fonts_t:dir watch;
+')
+
########################################
## <summary>
## Read fonts.
@@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')

+########################################
+## <summary>
+## Watch public files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_watch_public_dirs',`
+ gen_require(`
+ type public_content_rw_t;
+ ')
+
+ allow $1 public_content_rw_t:dir watch;
+')
+
########################################
## <summary>
## Read TeX data
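Review bot: The summary of `miscfiles_watch_public_dirs` says "Watch public files" (without a closing period), but the interface grants watch only on `public_content_rw_t:dir`; `## Watch public content directories.` describes what it actually does. It also lacks the `<rolecap/>` tag that `miscfiles_watch_fonts_dirs` carries earlier in this same patch, although both are called from user-role templates; if `miscfiles_manage_public_files`, alongside which the userdomain.if hunk calls it, is a role capability, this one presumably should be tagged the same way. Finally, only the read-write public type is covered; whether the read-only public content type also needs watching is worth a sentence in the commit message or a comment.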
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dd555850..6645c56a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -285,6 +285,12 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)

+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs($2)
fs_read_nfs_files($2)
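Review bot: The added rules grant `{ watch watch_mount watch_sb watch_with_perm watch_reads }` on user_home_t and user_home_dir_t across five object classes, but every denial in the description is for plain `watch` on a dir, and every other hunk in this series grants only `watch`. `watch_with_perm` and `watch_reads` cover fanotify permission-event and read-access notifications, and `watch_mount`/`watch_sb` cover marks on a whole mount or superblock, so this is a far wider grant than the evidence supports — and it lands in `userdom_ro_home_role`, the read-only home role, where a permission-event watch on home content is out of character. Reducing the five rules to what was observed, e.g. `allow $2 { user_home_t user_home_dir_t }:dir watch;`, and adding further classes or permissions only when a denial appears keeps the home-directory surface minimal. The same five-rule block is repeated in the `userdom_manage_home_role` hunk that follows and should be trimmed the same way.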
@@ -364,6 +370,12 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+
userdom_manage_user_certs($2)
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")

@@ -618,6 +630,8 @@ template(`userdom_common_user_template',`
files_read_var_lib_files($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
+ files_watch_etc_dirs($1_t)
+ files_watch_usr_dirs($1_t)

fs_rw_cgroup_files($1_t)

@@ -1166,6 +1180,7 @@ template(`userdom_unpriv_user_template', `
files_exec_usr_files($1_t)

miscfiles_manage_public_files($1_t)
+ miscfiles_watch_public_dirs($1_t)

tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 11fc4306..82304241 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_cache_dirs',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ allow $1 xdg_cache_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_cache_dirs',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ allow $1 xdg_cache_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg cache home files
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ allow $1 xdg_config_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_config_dirs',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ allow $1 xdg_config_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg config home files
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_data_dirs',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_data_dirs',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ allow $1 xdg_data_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg data home files
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg documents home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_documents_dirs',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ allow $1 xdg_documents_t:dir watch;
+')
+
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg downloads home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_downloads_dirs',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ allow $1 xdg_downloads_t:dir watch;
+')
+
#########################################
## <summary>
## Read downloaded content
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg pictures home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_pictures_dirs',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ allow $1 xdg_pictures_t:dir watch;
+')
+
#########################################
## <summary>
## Read user pictures content
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg music home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_music_dirs',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ allow $1 xdg_music_t:dir watch;
+')
+
#########################################
## <summary>
## Read user music content
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
userdom_search_user_home_dirs($1)
')

+########################################
+## <summary>
+## Watch the xdg video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_videos_dirs',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ allow $1 xdg_videos_t:dir watch;
+')
+
#########################################
## <summary>
## Read user video content
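Review bot: The summary of `xdg_watch_videos_dirs` reads "Watch the xdg video content" while its siblings added in this patch all read "Watch the xdg <kind> home directories"; `## Watch the xdg videos home directories` keeps the generated documentation consistent and says that it is directories, not content, that are watched.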
--
2.24.1

2020-02-16 20:04:10

by Jason Zaman

Subject: [PATCH 08/10] dbus: add watch perms

avc: denied { watch } for pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/dbus.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4e395f7f..6f9835c6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,6 +219,7 @@ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+allow session_bus_type dbusd_etc_t:dir watch;

manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
@@ -258,6 +259,7 @@ domain_use_interactive_fds(session_bus_type)

files_list_home(session_bus_type)
files_read_usr_files(session_bus_type)
+files_watch_usr_dirs(session_bus_type)
files_dontaudit_search_var(session_bus_type)

fs_getattr_romfs(session_bus_type)
--
2.24.1

2020-02-16 20:04:13

by Jason Zaman

Subject: [PATCH 09/10] chromium: watch etc dirs

avc: denied { watch } for pid=44464 comm="ThreadPoolForeg" path="/etc" dev="zfs" ino=1436 scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/apps/chromium.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 255ef557..0e8cc1e5 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -156,6 +156,7 @@ files_search_home(chromium_t)
files_read_usr_files(chromium_t)
files_map_usr_files(chromium_t)
files_read_etc_files(chromium_t)
+files_watch_etc_dirs(chromium_t)
# During find for /etc/whatever-release we get lots of output otherwise
files_dontaudit_getattr_all_dirs(chromium_t)

--
2.24.1

2020-02-16 20:04:21

by Jason Zaman

Subject: [PATCH 10/10] gpg: add watch perms for agent

avc: denied { watch } for pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 90508415..d007b6ac 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -229,9 +229,11 @@ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+allow gpg_agent_t gpg_secret_t:dir watch;

manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+allow gpg_agent_t gpg_runtime_t:dir watch;

manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
--
2.24.1

2020-02-17 18:34:50

by Chris PeBenito

Subject: Re: [PATCH 01/10] fstools: add zfs-auto-snapshot

On 2/16/20 3:03 PM, Jason Zaman wrote:
> Should be in domain fstools_t, and needs to run zpool which is
> mount_exec_t.
>
> type=AVC msg=audit(1563084061.269:2472): avc: denied { execute } for pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563084061.269:2472): cwd="/root"
> type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>
> Signed-off-by: Jason Zaman <[email protected]>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/system/fstools.fc | 1 +
> policy/modules/system/fstools.te | 2 ++
> 2 files changed, 3 insertions(+)
>
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 8fbd5ce4..d871294e 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -49,6 +49,7 @@
> /usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 4ad6e65f..4ae0301a 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -154,6 +154,8 @@ logging_send_syslog_msg(fsadm_t)
>
> miscfiles_read_localization(fsadm_t)
>
> +# for zfs/zpool
> +mount_exec(fsadm_t)
> # for /run/mount/utab
> mount_getattr_runtime_files(fsadm_t)
> # losetup: bind mount_loopback_t files to loop devices

Merged.

--
Chris PeBenito

2020-02-17 18:34:53

by Chris PeBenito

Subject: Re: [PATCH 02/10] udev: Add watch perms

On 2/16/20 3:03 PM, Jason Zaman wrote:
> Udev watches all the fixed_disks and udevadm watches the runtime dir.
>
> udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied
>
> avc: denied { watch } for pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
> policy/modules/system/udev.te | 3 +++
> 2 files changed, 23 insertions(+)
>
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index c14bb13b..f9dcbaf5 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
> allow $1 fixed_disk_device_t:blk_file getattr;
> ')
>
> +########################################
> +## <summary>
> +## Watch fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`storage_watch_fixed_disk',`
> + gen_require(`
> + type fixed_disk_device_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 fixed_disk_device_t:blk_file watch;
> + allow $1 fixed_disk_device_t:chr_file watch;
> +')
> +
> ########################################
> ## <summary>
> ## Allow the caller to get the attributes
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 0ccbcb51..e0e27a9d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
> selinux_compute_relabel_context(udev_t)
> selinux_compute_user_contexts(udev_t)
>
> +storage_watch_fixed_disk(udev_t)
> +
> auth_read_pam_console_data(udev_t)
> auth_domtrans_pam_console(udev_t)
> auth_use_nsswitch(udev_t)
> @@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
> delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
> list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
> read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
> +allow udevadm_t udev_runtime_t:dir watch;
>
> list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
> read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)

Merged.

--
Chris PeBenito

2020-02-17 18:34:56

by Chris PeBenito

Subject: Re: [PATCH 03/10] accountsd: Add watch perms

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/accountsd.te | 2 ++
> policy/modules/system/logging.if | 18 ++++++++++++++++++
> 2 files changed, 20 insertions(+)
>
> diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
> index 9bf5962a..2e13e943 100644
> --- a/policy/modules/services/accountsd.te
> +++ b/policy/modules/services/accountsd.te
> @@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
>
> files_read_mnt_files(accountsd_t)
> files_read_usr_files(accountsd_t)
> +files_watch_etc_dirs(accountsd_t)
>
> fs_getattr_xattr_fs(accountsd_t)
> fs_list_inotifyfs(accountsd_t)
> @@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
> logging_list_logs(accountsd_t)
> logging_send_syslog_msg(accountsd_t)
> logging_set_loginuid(accountsd_t)
> +logging_watch_generic_logs_dir(accountsd_t)
>
> userdom_read_user_tmp_files(accountsd_t)
> userdom_read_user_home_content_files(accountsd_t)
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 9c7a0dba..b2bba984 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
> manage_files_pattern($1, var_log_t, var_log_t)
> ')
>
> +########################################
> +## <summary>
> +## Watch generic log dirs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_watch_generic_logs_dir',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + allow $1 var_log_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to administrate
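Review bot: The new interface is named `logging_watch_generic_logs_dir` (singular) while its own summary says "Watch generic log dirs." and the other watch interfaces in this series use the plural form (`files_watch_etc_dirs`, `files_watch_usr_dirs`, `miscfiles_watch_fonts_dirs`, `xdg_watch_*_dirs`). Renaming it `logging_watch_generic_logs_dirs` before more callers accumulate would keep the naming convention consistent; the single caller in the accountsd.te hunk above would need the matching change. The same singular/plural mismatch applies to `consolekit_watch_runtime_dir` in the consolekit.if hunk of patch 06.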

Merged.

--
Chris PeBenito

2020-02-17 18:34:59

by Chris PeBenito

Subject: Re: [PATCH 05/10] colord: add watch perms

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/colord.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
> index 24eda8a9..44f2b049 100644
> --- a/policy/modules/services/colord.te
> +++ b/policy/modules/services/colord.te
> @@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
> manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
> manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
> files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
> +allow colord_t colord_var_lib_t:dir watch;
>
> kernel_read_crypto_sysctls(colord_t)
> kernel_read_device_sysctls(colord_t)
> @@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t)
> files_list_mnt(colord_t)
> files_read_usr_files(colord_t)
> files_map_usr_files(colord_t)
> +files_watch_usr_dirs(colord_t)
>
> fs_getattr_noxattr_fs(colord_t)
> fs_getattr_tmpfs(colord_t)

Merged.

--
Chris PeBenito

2020-02-17 18:35:03

by Chris PeBenito

Subject: Re: [PATCH 04/10] cron: watch cron spool

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/cron.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
> index 46b64016..dbbd9dbf 100644
> --- a/policy/modules/services/cron.te
> +++ b/policy/modules/services/cron.te
> @@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
> files_pid_filetrans(crond_t, crond_runtime_t, file)
>
> manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
> +allow crond_t cron_spool_t:dir watch;
>
> manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
> manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
> @@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
>
> list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
> read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
> +allow crond_t system_cron_spool_t:dir watch;
> +allow crond_t system_cron_spool_t:file watch;
>
> rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> +allow crond_t user_cron_spool_t:dir watch;
>
> manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)

Merged.


--
Chris PeBenito

2020-02-17 18:35:06

by Chris PeBenito

Subject: Re: [PATCH 08/10] dbus: add watch perms

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/dbus.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 4e395f7f..6f9835c6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -219,6 +219,7 @@ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
> allow session_bus_type dbusd_etc_t:dir list_dir_perms;
> read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
> read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
> +allow session_bus_type dbusd_etc_t:dir watch;
>
> manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
> manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
> @@ -258,6 +259,7 @@ domain_use_interactive_fds(session_bus_type)
>
> files_list_home(session_bus_type)
> files_read_usr_files(session_bus_type)
> +files_watch_usr_dirs(session_bus_type)
> files_dontaudit_search_var(session_bus_type)
>
> fs_getattr_romfs(session_bus_type)


Merged.


--
Chris PeBenito

2020-02-17 18:35:09

by Chris PeBenito

Subject: Re: [PATCH 06/10] policykit devicekit: Add watch perms

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/consolekit.if | 18 ++++++++++++++++++
> policy/modules/services/devicekit.te | 1 +
> policy/modules/services/policykit.te | 3 +++
> 3 files changed, 22 insertions(+)
>
> diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
> index 9aa0dbce..422c19cd 100644
> --- a/policy/modules/services/consolekit.if
> +++ b/policy/modules/services/consolekit.if
> @@ -121,3 +121,21 @@ interface(`consolekit_read_pid_files',`
> allow $1 consolekit_runtime_t:dir list_dir_perms;
> read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t)
> ')
> +
> +########################################
> +## <summary>
> +## Watch consolekit runtime dir.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_watch_runtime_dir',`
> + gen_require(`
> + type consolekit_runtime_t;
> + ')
> +
> + allow $1 consolekit_runtime_t:dir watch;
> +')
> diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
> index f58a7a19..ed88f10b 100644
> --- a/policy/modules/services/devicekit.te
> +++ b/policy/modules/services/devicekit.te
> @@ -127,6 +127,7 @@ files_manage_boot_dirs(devicekit_disk_t)
> files_manage_mnt_dirs(devicekit_disk_t)
> files_read_etc_runtime_files(devicekit_disk_t)
> files_read_usr_files(devicekit_disk_t)
> +files_watch_etc_dirs(devicekit_disk_t)
>
> fs_getattr_all_fs(devicekit_disk_t)
> fs_list_inotifyfs(devicekit_disk_t)
> diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
> index 04e88500..4989157c 100644
> --- a/policy/modules/services/policykit.te
> +++ b/policy/modules/services/policykit.te
> @@ -95,6 +95,8 @@ dev_read_urand(policykit_t)
> domain_read_all_domains_state(policykit_t)
>
> files_dontaudit_search_all_mountpoints(policykit_t)
> +files_watch_etc_dirs(policykit_t)
> +files_watch_usr_dirs(policykit_t)
>
> fs_getattr_xattr_fs(policykit_t)
> fs_list_inotifyfs(policykit_t)
> @@ -127,6 +129,7 @@ optional_policy(`
>
> optional_policy(`
> consolekit_read_pid_files(policykit_t)
> + consolekit_watch_runtime_dir(policykit_t)
> ')
>
> optional_policy(`

Merged.

--
Chris PeBenito

2020-02-17 18:35:12

by Chris PeBenito

Subject: Re: [PATCH 07/10] userdomain: Add watch on home dirs

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/xserver.if | 11 +-
> policy/modules/system/miscfiles.if | 37 ++++++
> policy/modules/system/userdomain.if | 15 +++
> policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++
> 4 files changed, 260 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index c95a6b04..99c1a7ea 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
> dev_rw_usbfs($2)
>
> miscfiles_read_fonts($2)
> + miscfiles_watch_fonts_dirs($2)
>
> xserver_common_x_domain_template(user, $2)
> xserver_domtrans($2)
> @@ -186,10 +187,13 @@ interface(`xserver_role',`
> optional_policy(`
> xdg_manage_all_cache($2)
> xdg_relabel_all_cache($2)
> + xdg_watch_all_cache_dirs($2)
> xdg_manage_all_config($2)
> xdg_relabel_all_config($2)
> + xdg_watch_all_config_dirs($2)
> xdg_manage_all_data($2)
> xdg_relabel_all_data($2)
> + xdg_watch_all_data_dirs($2)
>
> xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
> xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
> @@ -203,14 +207,19 @@ interface(`xserver_role',`
>
> xdg_manage_documents($2)
> xdg_relabel_documents($2)
> + xdg_watch_documents_dirs($2)
> xdg_manage_downloads($2)
> xdg_relabel_downloads($2)
> + xdg_watch_downloads_dirs($2)
> xdg_manage_music($2)
> xdg_relabel_music($2)
> + xdg_watch_music_dirs($2)
> xdg_manage_pictures($2)
> xdg_relabel_pictures($2)
> + xdg_watch_pictures_dirs($2)
> xdg_manage_videos($2)
> xdg_relabel_videos($2)
> + xdg_watch_videos_dirs($2)
>
> xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
> ')
> @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
> ')
>
> # Read per user fonts
> - allow $1 user_fonts_t:dir list_dir_perms;
> + allow $1 user_fonts_t:dir { list_dir_perms watch };
> allow $1 user_fonts_t:file { map read_file_perms };
>
> # Manipulate the global font cache
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 47330a48..6fbacc04 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',`
> read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> ')
>
> +########################################
> +## <summary>
> +## Watch fonts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_watch_fonts_dirs',`
> + gen_require(`
> + type fonts_t;
> + ')
> +
> + allow $1 fonts_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read fonts.
> @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
> manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
> ')
>
> +########################################
> +## <summary>
> +## Watch public files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_watch_public_dirs',`
> + gen_require(`
> + type public_content_rw_t;
> + ')
> +
> + allow $1 public_content_rw_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read TeX data
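Review bot: The summary of `miscfiles_watch_public_dirs` reads "Watch public files", but the only rule in the body is `allow $1 public_content_rw_t:dir watch;` — directories only, and only the read-write public content type. Suggest `## Watch public content (public_content_rw_t) directories.` so the documentation matches both the interface name and the grant, and so a later reader does not assume file watches or read-only public content are covered.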
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index dd555850..6645c56a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -285,6 +285,12 @@ interface(`userdom_ro_home_role',`
> read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
> files_list_home($2)
>
> + allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +
> tunable_policy(`use_nfs_home_dirs',`
> fs_list_nfs($2)
> fs_read_nfs_files($2)
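Review bot: The permission set granted here, `{ watch watch_mount watch_sb watch_with_perm watch_reads }`, is wider than the quoted denials (plain `watch` on dirs), and in `userdom_ro_home_role` it sits oddly with the role's read-only intent: as I read these permissions, `watch_with_perm` is the fanotify permission-event variant that lets the watcher gate other processes' access to the object, and `watch_mount`/`watch_sb` scope a watch to the whole mount or superblock rather than the home content itself. Unless a user program has been seen to need those, `allow $2 { user_home_t user_home_dir_t }:dir watch;` together with `allow $2 user_home_t:file watch;` would satisfy the observed denials with a narrower grant. The same set is granted again in the `userdom_manage_home_role` hunk below; both hunks' enclosing interfaces start and end outside the quoted context.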
> @@ -364,6 +370,12 @@ interface(`userdom_manage_home_role',`
> # cjp: this should probably be removed:
> allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
>
> + allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> + allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +

This hunk and the one above are overspecified. There shouldn't be any
user_home_dir_t files/lnk_files/sock_files/fifo_files.



> userdom_manage_user_certs($2)
> userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
>
> @@ -618,6 +630,8 @@ template(`userdom_common_user_template',`
> files_read_var_lib_files($1_t)
> # Stat lost+found.
> files_getattr_lost_found_dirs($1_t)
> + files_watch_etc_dirs($1_t)
> + files_watch_usr_dirs($1_t)
>
> fs_rw_cgroup_files($1_t)
>
> @@ -1166,6 +1180,7 @@ template(`userdom_unpriv_user_template', `
> files_exec_usr_files($1_t)
>
> miscfiles_manage_public_files($1_t)
> + miscfiles_watch_public_dirs($1_t)
>
> tunable_policy(`user_dmesg',`
> kernel_read_ring_buffer($1_t)
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 11fc4306..82304241 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_cache_dirs',`
> + gen_require(`
> + type xdg_cache_t;
> + ')
> +
> + allow $1 xdg_cache_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_cache_dirs',`
> + gen_require(`
> + attribute xdg_cache_type;
> + ')
> +
> + allow $1 xdg_cache_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg cache home files
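Review bot: `xdg_watch_cache_dirs` and `xdg_watch_all_cache_dirs` grant only `dir watch`, whereas the neighbouring xdg interfaces (see the `userdom_search_user_home_dirs($1)` context line at the top of this hunk, closing `xdg_search_cache_dirs`) also give the caller search on user home dirs so it can reach the target under the home directory. Callers via `xserver_role` presumably already have that, so nothing breaks there, but a standalone caller would hold the watch permission without being able to path-walk to the directory; either add `userdom_search_user_home_dirs($1)` after the allow rule for consistency, or state in the summary that home-dir search is the caller's responsibility. The same applies to the config, data, documents, downloads, pictures, music and videos watch hunks that follow in this file.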
> @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_config_dirs',`
> + gen_require(`
> + type xdg_config_t;
> + ')
> +
> + allow $1 xdg_config_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_config_dirs',`
> + gen_require(`
> + attribute xdg_config_type;
> + ')
> +
> + allow $1 xdg_config_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg config home files
> @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_data_dirs',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + allow $1 xdg_data_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_data_dirs',`
> + gen_require(`
> + attribute xdg_data_type;
> + ')
> +
> + allow $1 xdg_data_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg data home files
> @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg documents home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_documents_dirs',`
> + gen_require(`
> + type xdg_documents_t;
> + ')
> +
> + allow $1 xdg_documents_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Create objects in the user home dir with an automatic type transition to
> @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg downloads home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_downloads_dirs',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + allow $1 xdg_downloads_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read downloaded content
> @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg pictures home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_pictures_dirs',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + allow $1 xdg_pictures_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user pictures content
> @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg music home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_music_dirs',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + allow $1 xdg_music_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user music content
> @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
> userdom_search_user_home_dirs($1)
> ')
>
> +########################################
> +## <summary>
> +## Watch the xdg video content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_videos_dirs',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + allow $1 xdg_videos_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user video content
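Review bot: The summary of `xdg_watch_videos_dirs` reads "Watch the xdg video content" while every sibling interface added in this patch uses the form "Watch the xdg <kind> home directories"; suggest `## Watch the xdg videos home directories` so the generated interface documentation stays uniform.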
>


--
Chris PeBenito