2016-05-27 06:24:00

by Jason Zaman

Subject: [refpolicy] [PATCH 1/7] consolekit: Add a filetrans on /run/user

---
consolekit.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/consolekit.te b/consolekit.te
index 050c5c5..79c5f86 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -79,6 +79,7 @@ miscfiles_read_localization(consolekit_t)

userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")

tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
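Review bot: The added `userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")` only labels a directory consolekit is already allowed to create; nothing in this hunk grants create on the user runtime root type, and the surrounding context shows only read access to user tmp files. Unless that permission is granted elsewhere in consolekit.te, the type_transition stays inert and the directory is never created under this label. Pairing it with `userdom_manage_user_runtime_root_dirs(consolekit_t)` on the preceding line would make the rule effective and self-explanatory. The enclosing rule block continues past the hunk.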
--
2.7.3


2016-05-27 06:24:01

by Jason Zaman

Subject: [refpolicy] [PATCH 2/7] pulseaudio: fcontext and filetrans for /run/user/ID/pulse/

---
pulseaudio.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pulseaudio.te b/pulseaudio.te
index 169d0bc..bfdf36d 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
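Review bot: The new `userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)` has no name argument, so every directory pulseaudio_t creates directly under the user runtime dir becomes pulseaudio_tmp_t, while the third hunk of this patch uses the named form `"pulse"` for pulseaudio_client. The subject says the target is /run/user/ID/pulse/, which the named form expresses exactly; `userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir, "pulse")` would keep the two transitions consistent and avoid mislabeling unrelated directories. If the unnamed form is deliberate, a one-line comment saying why would help the next reader.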
@@ -203,8 +204,9 @@ optional_policy(`
#

allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;

-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;

read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
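Review bot: Replacing `allow pulseaudio_client pulseaudio_client:process signull;` with `allow pulseaudio_client self:process signull;` is a semantic tightening, not a cosmetic change: the attribute-to-attribute form lets any client domain signull any other client domain, while `self` on an attribute expands to each type with itself only. That narrowing is unrelated to the fcontext/filetrans purpose stated in the subject and is not mentioned anywhere in the patch, so a sentence in the commit message (or a separate patch) would make the intent reviewable and give anyone hit by a new denial something to search for. The enclosing optional_policy block starts before the hunk.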
@@ -228,6 +230,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)

userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)

tunable_policy(`use_nfs_home_dirs',`
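Review bot: The named transition `userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")` requires pulseaudio_client to be able to create a pulseaudio_tmp_t directory, but the only new access this patch gives the attribute on that type is `list_dir_perms` in the previous hunk, which does not include create. Unless create/manage on pulseaudio_tmp_t:dir is granted to pulseaudio_client elsewhere in the file, the transition will not fire and the pulse directory will be created by pulseaudio_t alone or denied. Adding `manage_dirs_pattern(pulseaudio_client, pulseaudio_tmp_t, pulseaudio_tmp_t)` next to the list_dir_perms rule would close the gap if that is the intent.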
--
2.7.3

2016-05-27 06:24:02

by Jason Zaman

Subject: [refpolicy] [PATCH 3/7] ftp: Add filetrans from user_runtime_dir

---
ftp.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/ftp.te b/ftp.te
index 774bc9e..6d70878 100644
--- a/ftp.te
+++ b/ftp.te
@@ -318,9 +318,11 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(ftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(ftpd_t, { dir file })
')

tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
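Review bot: The identical line `userdom_user_runtime_dir_filetrans_user_tmp(ftpd_t, { dir file })` is added to both branches of the `ftp_home_dir` tunable here and to both branches of the `sftpd_enable_homedirs` tunable in the next hunk, so the transition does not actually depend on the tunable; this mirrors the existing duplicated `userdom_tmp_filetrans_user_tmp` call, but hoisting both pairs out of the tunable blocks would be the clearer structure. Separately, none of the seven patches touches userdom.if, so this patch and the gnome, mplayer, userhelper and wm patches presumably rely on `userdom_user_runtime_dir_filetrans_user_tmp` already being provided by the userdom module; stating that dependency in the series cover letter would save reviewers checking.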
@@ -457,9 +459,11 @@ tunable_policy(`sftpd_enable_homedirs',`
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(sftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(sftpd_t, { dir file })
')

tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
--
2.7.3

2016-05-27 06:24:03

by Jason Zaman

Subject: [refpolicy] [PATCH 4/7] gnome: Add filetrans from user_runtime_dir

---
gnome.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnome.te b/gnome.te
index c4746b6..a2300f9 100644
--- a/gnome.te
+++ b/gnome.te
@@ -89,6 +89,7 @@ userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })

userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_user_runtime_dir_filetrans_user_tmp(gconfd_t, dir)

optional_policy(`
dbus_all_session_domain(gconfd_t, gconfd_exec_t)
--
2.7.3

2016-05-27 06:24:04

by Jason Zaman

Subject: [refpolicy] [PATCH 5/7] mplayer: Add filetrans from user_runtime_dir

---
mplayer.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/mplayer.te b/mplayer.te
index 0f03cd9..5d68c06 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -201,6 +201,7 @@ userdom_use_user_terminals(mplayer_t)
userdom_manage_user_tmp_dirs(mplayer_t)
userdom_manage_user_tmp_files(mplayer_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_dir_filetrans_user_tmp(mplayer_t, { dir file })

userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
--
2.7.3

2016-05-27 06:24:05

by Jason Zaman

Subject: [refpolicy] [PATCH 6/7] userhelper: Add filetrans from user_runtime_dir

---
userhelper.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/userhelper.te b/userhelper.te
index 8dadb4b..1ceef0a 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -68,6 +68,7 @@ userdom_use_user_terminals(consolehelper_type)
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_dir_filetrans_user_tmp(consolehelper_type, { dir file })

tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(consolehelper_type)
--
2.7.3

2016-05-27 06:24:06

by Jason Zaman

Subject: [refpolicy] [PATCH 7/7] wm: Add filetrans from user_runtime_dir

---
wm.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/wm.te b/wm.te
index a3861e9..1a3f218 100644
--- a/wm.te
+++ b/wm.te
@@ -40,6 +40,7 @@ miscfiles_read_localization(wm_domain)

userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_dir_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
--
2.7.3

2016-05-27 16:59:29

by Jason Zaman

Subject: [refpolicy] [PATCH 1/7 v2] consolekit: allow managing user runtime dirs

---
consolekit.te | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/consolekit.te b/consolekit.te
index 050c5c5..92f876b 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#

-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };

@@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)

fs_list_inotifyfs(consolekit_t)
+fs_mount_tmpfs(consolekit_t)
+fs_unmount_tmpfs(consolekit_t)
+fs_relabelfrom_tmpfs(consolekit_t)

mcs_ptrace_all(consolekit_t)

+seutil_libselinux_linked(consolekit_t)
+seutil_read_file_contexts(consolekit_t)
+
term_use_all_terms(consolekit_t)

auth_use_nsswitch(consolekit_t)
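Review bot: `fs_relabelfrom_tmpfs(consolekit_t)` covers only the source side of a relabel; if consolekit relabels the freshly mounted tmpfs root to a user runtime type, it also needs relabelto on that target type, and no relabelto is visible in this patch. It may be that the `userdom_manage_user_runtime_root_dirs` or `userdom_mounton_user_runtime_root` interfaces added in the last hunk carry it, or that the label is set via `setfscreate` with no relabel at all; either way a comment next to this line naming which path is relied on would make the pairing of these three fs_ rules easy to verify. The surrounding rule block starts before the hunk.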
@@ -79,6 +85,9 @@ miscfiles_read_localization(consolekit_t)

userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_manage_user_runtime_root_dirs(consolekit_t)
+userdom_mounton_user_runtime_root(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")

tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
--
2.7.3