Update for the gnome module:
- a new gstreamer_orcexec_t type and file context is introduced
to support the OIL Runtime Compiler (ORC) optimized code
execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome
keyring domains;
- add support for a few needed fs and kernel permissions.
This patch should be applied before applying the pulseaudio patch.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.fc | 7 ++
policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 8 +++
3 files changed, 112 insertions(+), 2 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 16:02:14.949814288 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 16:30:32.175198600 +0200
@@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
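Review bot: The new `HOME_DIR/orcexec\..*` entry has no object-class field, so it matches directories, symlinks and sockets whose name starts with `orcexec.` as well as the regular file ORC creates, and all of them would be labelled with a type that this patch declares as an executable-file type. The entry should be written as a regular-file entry like the other file entries in this module, `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. The pattern anchors only on the `orcexec.` prefix; if the suffix ORC generates has a fixed shape, matching it explicitly would keep arbitrary user-created files out of this label.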
@@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
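Review bot: The hunk deletes and re-adds the unchanged `/usr/libexec/gconfd-2` line around two blank lines, which is whitespace churn that should be dropped so the diff shows only the orcexec additions. The two `/var/run/user/...` entries assign the same context to paths that `[^/]*` already covers; if the `%{USERID}` form is kept deliberately so that the homedir-context generator can emit a per-user entry, a one-line comment above it saying so would stop a later reader from removing it as a duplicate.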
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 16:02:14.950814302 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 00:55:24.980149003 +0200
@@ -1,4 +1,4 @@
-## <summary>GNU network object model environment.</summary>
+
########################################
## <summary>
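Review bot: The hunk replaces the file's module summary `## <summary>GNU network object model environment.</summary>` with an empty line, which is unrelated to anything in the commit message and looks accidental. The summary at the top of a refpolicy `.if` file is what the documentation tooling presumably uses as the module description, so the gnome module would lose its entry in the generated docs; the line should be restored and this hunk dropped.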
@@ -100,9 +100,15 @@ template(`gnome_role_template',`
allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ userdom_manage_user_home_content_dirs($1_gkeyringd_t)
+ userdom_manage_user_home_content_files($1_gkeyringd_t)
+ userdom_manage_user_home_content_sockets($1_gkeyringd_t)
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ kernel_read_kernel_sysctls($1_gkeyringd_t)
+
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
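Review bot: `kernel_read_kernel_sysctls($1_gkeyringd_t)` is added without any record of which sysctl the keyring daemon actually reads, and the commit message only says "a few needed kernel permissions". Read access to the whole of the kernel sysctl tree is a broad grant for a daemon that holds user secrets; if the denial was for one entry, a comment naming it, e.g. `# gkeyringd reads <sysctl path — fill in from the audit log>`, would let a reviewer judge whether a narrower interface fits. The enclosing `gnome_role_template` starts outside this hunk.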
@@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in gnome gconf home
## directories with a private type.
## </summary>
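Review bot: The patch adds type-transition interfaces for `gstreamer_orcexec_t` but no interface that lets a caller read, map, execute or delete files of that type, and `gnome.te` only declares the type, so a domain that calls `gnome_home_filetrans_gstreamer_orcexec` ends up creating a file it cannot use without a further interface from a later patch. An accessor that grants exactly the permissions ORC clients need belongs in this module next to the type, so that one place defines the full contract and no other module has to open the type up more broadly than intended. The summary should also say that the transition applies to the home directory itself, which is what `userdom_user_home_dir_filetrans` and the `HOME_DIR/orcexec\..*` context express, rather than to arbitrary home subdirectories.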
@@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',`
')
########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+
+########################################
+## <summary>
+## Create objects in the tmp
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
## <summary>
## Read generic gnome keyring home files.
## </summary>
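Review bot: Two consecutive blank lines separate `gnome_user_runtime_filetrans_gstreamer_orcexec` from the next interface header, whereas the rest of the file uses a single blank line between interfaces; one of them should go. The three new interfaces carry identical parameter documentation, and none says that the fc entries only label regular files; a sentence in each summary such as `## Only the file class is expected; other classes receive no file context.` would warn callers away from passing other classes.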
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 16:02:14.951814316 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 13:45:54.704254788 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
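Review bot: `gstreamer_orcexec_t` is declared only through `application_executable_file`, while `gnome_keyring_tmp_t` on the preceding lines is registered with `userdom_user_tmp_file`; the new type is labelled under `HOME_DIR` and `/var/run/user` yet is not marked as user home content or user temporary content, so the generic userdom rules that let the user domain manage and clean up its own files will not cover it. If I read refpolicy's application module correctly, `application_executable_file` also attaches the attribute that the `application_exec_all`-style interfaces grant execute on, which would hand execute access on a user-writable file in `$HOME` and `$XDG_RUNTIME_DIR` to every domain calling them. Declaring the type with `userdom_user_tmp_file(gstreamer_orcexec_t)` (or `userdom_user_home_content` for the home entry) and granting map/execute only to the ORC-using domains keeps that exposure local to this module.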
@@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+kernel_dontaudit_read_system_state(gconfd_t)
+
+fs_getattr_xattr_fs(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_manage_user_tmp_sockets(gconfd_t)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
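Review bot: `kernel_dontaudit_read_system_state(gconfd_t)` and `fs_getattr_xattr_fs(gconfd_t)` are added with no note of what gconfd does that triggers them; a dontaudit in particular hides the denial permanently, so the reason should be on record above the first line, e.g. `# gconfd reads <proc path — fill in from the audit log> at startup; not needed, silence it`. If that read turns out to be required for correct behaviour rather than noise, it should be an allow (`kernel_read_system_state`) instead of a dontaudit, so a future failure is not silently swallowed. The `optional_policy(` block on the last line continues outside the hunk.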
On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - a new gstreamer_orcexec_t type and file context is introduced
> to support the OIL Runtime Compiler (ORC) optimized code
> execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
> keyring domains;
> - add support for a few needed fs and kernel permissions.
>
> This patch should be applied before applying the pulseaudio patch.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gnome.fc | 7 ++
> policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++-
> policy/modules/contrib/gnome.te | 8 +++
> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 16:02:14.949814288 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 16:30:32.175198600 +0200
> @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>
> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
>
> @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
> /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>
> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> +
> +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> +
> +/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> +/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
these are files so you can be more specific about it:
/var/run/user/[^/]*/orcexec\..* --
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..* --
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 16:02:14.950814302 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 00:55:24.980149003 +0200
> @@ -1,4 +1,4 @@
> -## <summary>GNU network object model environment.</summary>
> +
>
> ########################################
> ## <summary>
> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>
> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
>
> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> + userdom_manage_user_home_content_files($1_gkeyringd_t)
> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> +
I don't like this, and I don't understand it
> ps_process_pattern($3, $1_gkeyringd_t)
> allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
>
> + kernel_read_kernel_sysctls($1_gkeyringd_t)
> +
> corecmd_bin_domtrans($1_gkeyringd_t, $3)
> corecmd_shell_domtrans($1_gkeyringd_t, $3)
>
> @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho
>
> ########################################
> ## <summary>
> +## Create objects in user home
> +## directories with the gstreamer
> +## orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_home_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Create objects in gnome gconf home
> ## directories with a private type.
> ## </summary>
> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',`
> ')
>
> ########################################
> +## <summary>
> +## Create objects in the user
> +## runtime directories with the
> +## gstreamer orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +
> +########################################
> +## <summary>
> +## Create objects in the tmp
> +## directories with the gstreamer
> +## orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
If you're not going to support that file in /tmp then this is not needed
> +########################################
> ## <summary>
> ## Read generic gnome keyring home files.
> ## </summary>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 16:02:14.951814316 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 13:45:54.704254788 +0200
> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
> type gnome_keyring_tmp_t;
> userdom_user_tmp_file(gnome_keyring_tmp_t)
>
> +type gstreamer_orcexec_t;
> +application_executable_file(gstreamer_orcexec_t)
it is not an application executable file
> +
> ##############################
> #
> # Common local Policy
> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>
> +kernel_dontaudit_read_system_state(gconfd_t)
> +
> +fs_getattr_xattr_fs(gconfd_t)
> +
> userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> +userdom_manage_user_tmp_sockets(gconfd_t)
What is going on there and why did you choose this?
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>
> optional_policy(`
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick,
thanks for getting back on this.
> On the 13th of August 2016 at 16.51 Dominick Grift <[email protected]>
> wrote:
>
>
> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - a new gstreamer_orcexec_t type and file context is introduced
> > to support the OIL Runtime Compiler (ORC) optimized code
> > execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > keyring domains;
> > - add support for a few needed fs and kernel permissions.
> >
> > This patch should be applied before applying the pulseaudio patch.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/gnome.fc | 7 ++
> > policy/modules/contrib/gnome.if | 99
> > +++++++++++++++++++++++++++++++++++++++-
> > policy/modules/contrib/gnome.te | 8 +++
> > 3 files changed, 112 insertions(+), 2 deletions(-)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13
> > 16:02:14.949814288 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13
> > 16:30:32.175198600 +0200
> > @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
> > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
> > HOME_DIR/\.gnome2/keyrings(/.*)?
> > gen_context(system_u:object_r:gnome_keyring_home_t,s0)
> > HOME_DIR/\.gnome2_private(/.*)?
> > gen_context(system_u:object_r:gnome_home_t,s0)
> > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >
> > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
> >
> > @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
> > /usr/bin/mate-keyring-daemon --
> > gen_context(system_u:object_r:gkeyringd_exec_t,s0)
> >
> > /usr/lib/[^/]*/gconf/gconfd-2 --
> > gen_context(system_u:object_r:gconfd_exec_t,s0)
> > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> > +
> > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> > +
> > +/var/run/user/[^/]*/orcexec\..*
> > gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> > +/var/run/user/%{USERID}/orcexec\..*
> > gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>
> these are files so you can be more specific about it:
>
> /var/run/user/[^/]*/orcexec\..* --
> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> /var/run/user/%{USERID}/orcexec\..* --
> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
Thanks for pointing it out, I have now amended it.
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
> > 16:02:14.950814302 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
> > 00:55:24.980149003 +0200
> > @@ -1,4 +1,4 @@
> > -## <summary>GNU network object model environment.</summary>
> > +
> >
> > ########################################
> > ## <summary>
> > @@ -100,9 +100,15 @@ template(`gnome_role_template',`
> >
> > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
> > manage_sock_file_perms };
> >
> > + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> > + userdom_manage_user_home_content_files($1_gkeyringd_t)
> > + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> > +
> I don't like this, and I dont understand it
I will double check it. Hopefully, I won't forget about that, with the many
other modules that are being changed...
> > ps_process_pattern($3, $1_gkeyringd_t)
> > allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
> >
> > + kernel_read_kernel_sysctls($1_gkeyringd_t)
> > +
> > corecmd_bin_domtrans($1_gkeyringd_t, $3)
> > corecmd_shell_domtrans($1_gkeyringd_t, $3)
> >
> > @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho
> >
> > ########################################
> > ## <summary>
> > +## Create objects in user home
> > +## directories with the gstreamer
> > +## orcexec type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="object_class">
> > +## <summary>
> > +## Class of the object being created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_home_filetrans_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Create objects in gnome gconf home
> > ## directories with a private type.
> > ## </summary>
> > @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',`
> > ')
> >
> > ########################################
> > +## <summary>
> > +## Create objects in the user
> > +## runtime directories with the
> > +## gstreamer orcexec type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="object_class">
> > +## <summary>
> > +## Class of the object being created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> > +')
> > +
> > +
> > +########################################
> > +## <summary>
> > +## Create objects in the tmp
> > +## directories with the gstreamer
> > +## orcexec type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="object_class">
> > +## <summary>
> > +## Class of the object being created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
> > +')
> > +
>
> If you're not going to support that file in /tmp then this is not needed
Removed.
> > +########################################
> > ## <summary>
> > ## Read generic gnome keyring home files.
> > ## </summary>
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13
> > 16:02:14.951814316 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13
> > 13:45:54.704254788 +0200
> > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
> > type gnome_keyring_tmp_t;
> > userdom_user_tmp_file(gnome_keyring_tmp_t)
> >
> > +type gstreamer_orcexec_t;
> > +application_executable_file(gstreamer_orcexec_t)
>
> it is not an applications executable file
It's very similar to it or, in other words, it is equivalent to it. I could find
a better interface to describe it.
But if you have other constructive ideas, please let me know and I will test
them out...
> > +
> > ##############################
> > #
> > # Common local Policy
> > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
> >
> > +kernel_dontaudit_read_system_state(gconfd_t)
> > +
> > +fs_getattr_xattr_fs(gconfd_t)
> > +
> > userdom_manage_user_tmp_dirs(gconfd_t)
> > userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > +userdom_manage_user_tmp_sockets(gconfd_t)
>
> What is going on there and why did you choose this?
I think it's to support sockets in /tmp/orbit-USER/linc-.*
They are created by ORBit2. It's a library and some gnome components are linked
against it.
I am now working on a new revised version of this patch which introduces
specific support for ORBit temporary files.
> > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> >
> > optional_policy(`
Best regards,
Guido
On 08/13/2016 10:09 PM, Guido Trentalancia wrote:
> Hello Dominick,
>
> thanks for getting back on this.
>
>> On the 13th of August 2016 at 16.51 Dominick Grift <[email protected]>
>> wrote:
>>
>>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for a few needed fs and kernel permissions.
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/gnome.fc | 7 ++
>>> policy/modules/contrib/gnome.if | 99
>>> +++++++++++++++++++++++++++++++++++++++-
>>> policy/modules/contrib/gnome.te | 8 +++
>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13
>>> 16:02:14.949814288 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13
>>> 16:30:32.175198600 +0200
>>> @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
>>> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
>>> HOME_DIR/\.gnome2/keyrings(/.*)?
>>> gen_context(system_u:object_r:gnome_keyring_home_t,s0)
>>> HOME_DIR/\.gnome2_private(/.*)?
>>> gen_context(system_u:object_r:gnome_home_t,s0)
>>> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>>>
>>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
>>>
>>> @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
>>> /usr/bin/mate-keyring-daemon --
>>> gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>>>
>>> /usr/lib/[^/]*/gconf/gconfd-2 --
>>> gen_context(system_u:object_r:gconfd_exec_t,s0)
>>> -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
>>> +
>>> +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
>>> +
>>> +/var/run/user/[^/]*/orcexec\..*
>>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>>> +/var/run/user/%{USERID}/orcexec\..*
>>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>>
>> these are files so you can be more specific about it:
>>
>> /var/run/user/[^/]*/orcexec\..* --
>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>> /var/run/user/%{USERID}/orcexec\..* --
>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>
> Thanks for pointing it out, I have now amended it.
>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
>>> 16:02:14.950814302 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
>>> 00:55:24.980149003 +0200
>>> @@ -1,4 +1,4 @@
>>> -## <summary>GNU network object model environment.</summary>
>>> +
>>>
>>> ########################################
>>> ## <summary>
>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>>>
>>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
>>> manage_sock_file_perms };
>>>
>>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
>>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
>>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>> +
>
>> I don't like this, and I dont understand it
>
> I will double check it. Hopefully, I won't forget about that, with the many
> other modules that are being changed...
>
>>> ps_process_pattern($3, $1_gkeyringd_t)
>>> allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
>>>
>>> + kernel_read_kernel_sysctls($1_gkeyringd_t)
>>> +
>>> corecmd_bin_domtrans($1_gkeyringd_t, $3)
>>> corecmd_shell_domtrans($1_gkeyringd_t, $3)
>>>
>>> @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho
>>>
>>> ########################################
>>> ## <summary>
>>> +## Create objects in user home
>>> +## directories with the gstreamer
>>> +## orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +## <summary>
>>> +## Class of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +## <summary>
>>> +## The name of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_home_filetrans_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Create objects in gnome gconf home
>>> ## directories with a private type.
>>> ## </summary>
>>> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',`
>>> ')
>>>
>>> ########################################
>>> +## <summary>
>>> +## Create objects in the user
>>> +## runtime directories with the
>>> +## gstreamer orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +## <summary>
>>> +## Class of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +## <summary>
>>> +## The name of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
>>> +')
>>> +
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Create objects in the tmp
>>> +## directories with the gstreamer
>>> +## orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +## <summary>
>>> +## Class of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +## <summary>
>>> +## The name of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
>>> +')
>>> +
>>
>> If you're not going to support that file in /tmp then this is not needed
>
> Removed.
>
>>> +########################################
>>> ## <summary>
>>> ## Read generic gnome keyring home files.
>>> ## </summary>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13
>>> 16:02:14.951814316 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13
>>> 13:45:54.704254788 +0200
>>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
>>> type gnome_keyring_tmp_t;
>>> userdom_user_tmp_file(gnome_keyring_tmp_t)
>>>
>>> +type gstreamer_orcexec_t;
>>> +application_executable_file(gstreamer_orcexec_t)
>>
>> it is not an applications executable file
>
> It's very similar to it or, in other words, it is equivalent to it. I could find
> a better interface to describe it.
>
> But if you have other constructive ideas, please let me know and I will test
> them out...
It is nothing like an "application executable file". This is a file that
gets mmap'd; it does not get "executed", and it is certainly not an
application. Only liborc clients mmap this file. In my policy this
is just a user temporary file, or alternatively a user home content file
(I only support this file in $XDG_RUNTIME_DIR and not in ~, so in my
policy I can just get away with classifying it as a user tmp(fs) file).
>
>>> +
>>> ##############################
>>> #
>>> # Common local Policy
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>
>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>> +
>>> +fs_getattr_xattr_fs(gconfd_t)
>>> +
>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>
>> What is going on there and why did you choose this?
>
> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>
> They are created by ORBit2. It's a library and some gnome components are linked
> against it.
>
> I am now working on a new revised version of this patch which introduces
> specific support for ORBit temporary files.
>
I see. for Mate i suppose.
>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>
>>> optional_policy(`
>
> Best regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick.
I have done some further testing and there are some problems...
Please read on...
On Sat, 13/08/2016 at 22.09 +0200, Guido Trentalancia wrote:
> > On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
[....]
> > > +
> > > ?##############################
> > > ?#
> > > ?# Common local Policy
> > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> > > ?manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> > > ?userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
> > > ?
> > > +kernel_dontaudit_read_system_state(gconfd_t)
> > > +
> > > +fs_getattr_xattr_fs(gconfd_t)
> > > +
> > > ?userdom_manage_user_tmp_dirs(gconfd_t)
> > > ?userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > > +userdom_manage_user_tmp_sockets(gconfd_t)
> >
> > What is going on there and why did you choose this?
>
> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>
> They are created by ORBit2. It's a library and some gnome components
> are linked
> against it.
>
> I am now working on a new revised version of this patch which
> introduces
> specific support for ORBit temporary files.
I have tested the above but met the following problem: the /tmp/orbit-
USER directory is shared with other applications that run in the
generic user domain !
So, if I change the type of the /tmp/orbit-USER directory to a newly
created gnome_orbit_tmp_t type, then the other applications cannot
access it...
So, perhaps, the previous implementation, which leads to
userdom_manage_user_tmp_sockets(gconfd_t), is the only way.
What do you say ?
Regards,
Guido
On 08/14/2016 07:35 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> I have done some further testing and there are some problems...
>
> Please read on...
>
> On Sat, 13/08/2016 at 22.09 +0200, Guido Trentalancia wrote:
>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>
> [....]
>
>>>> +
>>>> ##############################
>>>> #
>>>> # Common local Policy
>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>>
>>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>>> +
>>>> +fs_getattr_xattr_fs(gconfd_t)
>>>> +
>>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>
>>> What is going on there and why did you choose this?
>>
>> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>>
>> They are created by ORBit2. It's a library and some gnome components
>> are linked
>> against it.
>>
>> I am now working on a new revised version of this patch which
>> introduces
>> specific support for ORBit temporary files.
>
> I have tested the above but met the following problem: the /tmp/orbit-
> USER directory is shared with other applications that run in the
> generic user domain !
Yes
>
> So, if I change the type of the /tmp/orbit-USER directory to a newly
> created gnome_orbit_tmp_t type, then the other applications cannot
> access it...
You don't have to change the type of the /tmp/orbit-USER directory.
Instead, just make gconfd_t create sockets in user_tmp_t dirs with an
automatic type transition to the existing gconf_tmp_t type:
manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, sock_file)
>
> So, perhaps, the previous implementation which leads to
> userdom_manage_user_tmp_sockets(gconfd_t) is the only way.
I doubt that
>
> What do you say ?
>
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick !
Finally I am able to clarify one of the two open questions about the gnome
module...
> On the 13th of August 2016 at 16.51 Dominick Grift <[email protected]>
> wrote:
>
>
> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - a new gstreamer_orcexec_t type and file context is introduced
> > to support the OIL Runtime Compiler (ORC) optimized code
> > execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > keyring domains;
> > - add support for a few needed fs and kernel permissions.
> >
> > This patch should be applied before applying the pulseaudio patch.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/gnome.fc | 7 ++
> > policy/modules/contrib/gnome.if | 99
> > +++++++++++++++++++++++++++++++++++++++-
> > policy/modules/contrib/gnome.te | 8 +++
> > 3 files changed, 112 insertions(+), 2 deletions(-)
[...]
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
> > 16:02:14.950814302 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
> > 00:55:24.980149003 +0200
> > @@ -1,4 +1,4 @@
> > -## <summary>GNU network object model environment.</summary>
> > +
> >
> > ########################################
> > ## <summary>
> > @@ -100,9 +100,15 @@ template(`gnome_role_template',`
> >
> > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
> > manage_sock_file_perms };
> >
> > + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> > + userdom_manage_user_home_content_files($1_gkeyringd_t)
> > + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> > +
>
> I don't like this, and I dont understand it
It's needed to write .xsession-errors and the .cache subdirectory in the user
home.
It is quite important, as the latter is used, amongst other things, to store
user credentials: for example, when the user enters the password in the
evolution mail client to retrieve his/her mail, then the password entered is
stored in the cache and the user does not need to enter the password again when
the mail is received again periodically later.
I hope this clarifies the matter.
I am checking the other issue (socket creation in /tmp) by testing the policy
you suggested but unfortunately, I can anticipate that there are issues. Will
let you know more precisely when I have finished testing it.
Regards,
Guido
On 08/14/2016 11:14 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> Finally I am able to clarify one of the two open questions about the gnome
> module...
>
>> On the 13th of August 2016 at 16.51 Dominick Grift <[email protected]>
>> wrote:
>>
>>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for a few needed fs and kernel permissions.
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/gnome.fc | 7 ++
>>> policy/modules/contrib/gnome.if | 99
>>> +++++++++++++++++++++++++++++++++++++++-
>>> policy/modules/contrib/gnome.te | 8 +++
>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> [...]
>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
>>> 16:02:14.950814302 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
>>> 00:55:24.980149003 +0200
>>> @@ -1,4 +1,4 @@
>>> -## <summary>GNU network object model environment.</summary>
>>> +
>>>
>>> ########################################
>>> ## <summary>
>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>>>
>>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
>>> manage_sock_file_perms };
>>>
>>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
>>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
>>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>> +
>>
>> I don't like this, and I dont understand it
>
> It's needed to write .xsession-errors and the .cache subdirectory in the user
> home.
>
> It is quite important, as the latter is used, amongst other things, to store
> user credentials: for example, when the user enters the password in the
> evolution mail client to retrieve his/her mail, then the password entered is
> stored in the cache and the user does not need to enter the password again when
> the mail is received again periodically later.
>
And is the .xsession-errors file not simply mislabeled? (e.g. is that
supposed to be user_home_t?)
As for ~/.cache issue. Probably best to hold on to that for now as
chances are that refpolicy will soon associate a different type with
that directory. Thus that scenario might change again soon.
You did not clarify the
userdom_manage_user_home_content_sockets($1_gkeyringd_t)
But i am pretty sure that this socket should not be user_home_t.
> I hope this clarifies the matter.
>
> I am checking the other issue (socket creation in /tmp) by testing the policy
> you suggested but unfortunately, I can anticipate that there are issues. Will
> let you know more precisely when I have finished testing it.
>
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick.
> On 08/14/2016 11:14 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > Finally I am able to clarify one of the two open questions about the gnome
> > module...
> >
> >> On the 13th of August 2016 at 16.51 Dominick Grift <[email protected]>
> >> wrote:
> >>
> >>
> >> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> >>> Update for the gnome module:
> >>>
> >>> - a new gstreamer_orcexec_t type and file context is introduced
> >>> to support the OIL Runtime Compiler (ORC) optimized code
> >>> execution (used for example by pulseaudio);
> >>> - add support for more permissions needed in gconfd_t and gnome
> >>> keyring domains;
> >>> - add support for a few needed fs and kernel permissions.
> >>>
> >>> This patch should be applied before applying the pulseaudio patch.
> >>>
> >>> Signed-off-by: Guido Trentalancia <[email protected]>
> >>> ---
> >>> policy/modules/contrib/gnome.fc | 7 ++
> >>> policy/modules/contrib/gnome.if | 99
> >>> +++++++++++++++++++++++++++++++++++++++-
> >>> policy/modules/contrib/gnome.te | 8 +++
> >>> 3 files changed, 112 insertions(+), 2 deletions(-)
> >
> > [...]
> >
> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
> >>> 16:02:14.950814302 +0200
> >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
> >>> 00:55:24.980149003 +0200
> >>> @@ -1,4 +1,4 @@
> >>> -## <summary>GNU network object model environment.</summary>
> >>> +
> >>>
> >>> ########################################
> >>> ## <summary>
> >>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
> >>>
> >>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
> >>> manage_sock_file_perms };
> >>>
> >>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> >>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
> >>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> >>> +
> >>
> >> I don't like this, and I dont understand it
> >
> > It's needed to write .xsession-errors and the .cache subdirectory in the
> > user
> > home.
> >
> > It is quite important, as the latter is used, amongst other things, to store
> > user credentials: for example, when the user enters the password in the
> > evolution mail client to retrieve his/her mail, then the password entered is
> > stored in the cache and the user does not need to enter the password again
> > when
> > the mail is received again periodically later.
> >
>
> And the .xsessions_errors file is not mislabeled? (e.g. is that supposed
> to be user_home_t?)
>
> As for ~/.cache issue. Probably best to hold on to that for now as
> chances are that refpolicy will soon associate a different type with
> that directory. Thus that scenario might change again soon.
>
> You did not clarify the
> userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>
> But i am pretty sure that this socket should not be user_home_t.
Might be sensitive sockets, they are named "control", "pkcs11", "ssh", "gpg" and
are located in .cache/keyring-*/
They are currently labeled user_home_t.
What do you suggest to do ?
> > I hope this clarifies the matter.
> >
> > I am checking the other issue (socket creation in /tmp) by testing the
> > policy
> > you suggested but unfortunately, I can anticipate that there are issues.
> > Will
> > let you know more precisely when I have finished testing it.
Best regards,
Guido
On 08/14/2016 11:33 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
>> On 08/14/2016 11:14 PM, Guido Trentalancia wrote:
>>> Hello Dominick !
>>>
>>> Finally I am able to clarify one of the two open questions about the gnome
>>> module...
>>>
>>>> On the 13th of August 2016 at 16.51 Dominick Grift <[email protected]>
>>>> wrote:
>>>>
>>>>
>>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>>>> Update for the gnome module:
>>>>>
>>>>> - a new gstreamer_orcexec_t type and file context is introduced
>>>>> to support the OIL Runtime Compiler (ORC) optimized code
>>>>> execution (used for example by pulseaudio);
>>>>> - add support for more permissions needed in gconfd_t and gnome
>>>>> keyring domains;
>>>>> - add support for a few needed fs and kernel permissions.
>>>>>
>>>>> This patch should be applied before applying the pulseaudio patch.
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>> ---
>>>>> policy/modules/contrib/gnome.fc | 7 ++
>>>>> policy/modules/contrib/gnome.if | 99
>>>>> +++++++++++++++++++++++++++++++++++++++-
>>>>> policy/modules/contrib/gnome.te | 8 +++
>>>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>>
>>> [...]
>>>
>>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
>>>>> 16:02:14.950814302 +0200
>>>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
>>>>> 00:55:24.980149003 +0200
>>>>> @@ -1,4 +1,4 @@
>>>>> -## <summary>GNU network object model environment.</summary>
>>>>> +
>>>>>
>>>>> ########################################
>>>>> ## <summary>
>>>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>>>>>
>>>>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
>>>>> manage_sock_file_perms };
>>>>>
>>>>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
>>>>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
>>>>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>>>> +
>>>>
>>>> I don't like this, and I dont understand it
>>>
>>> It's needed to write .xsession-errors and the .cache subdirectory in the
>>> user
>>> home.
>>>
>>> It is quite important, as the latter is used, amongst other things, to store
>>> user credentials: for example, when the user enters the password in the
>>> evolution mail client to retrieve his/her mail, then the password entered is
>>> stored in the cache and the user does not need to enter the password again
>>> when
>>> the mail is received again periodically later.
>>>
>>
>> And the .xsessions_errors file is not mislabeled? (e.g. is that supposed
>> to be user_home_t?)
>>
>> As for ~/.cache issue. Probably best to hold on to that for now as
>> chances are that refpolicy will soon associate a different type with
>> that directory. Thus that scenario might change again soon.
>>
>> You did not clarify the
>> userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>
>> But i am pretty sure that this socket should not be user_home_t.
>
> Might be sensitive sockets, they are named "control", "pkcs11", "ssh", "gpg" and
> are located in .cache/keyring-*/
>
> They are currently labeled user_home_t.
>
> What do you suggest to do ?
>
I would hold off on this until the XDG spec types are implemented
(~/.cache) then create a private gkeyring_cache_home_t type for
~/.cache/keyring
>>> I hope this clarifies the matter.
>>>
>>> I am checking the other issue (socket creation in /tmp) by testing the
>>> policy
>>> you suggested but unfortunately, I can anticipate that there are issues.
>>> Will
>>> let you know more precisely when I have finished testing it.
>
> Best regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick !
> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - a new gstreamer_orcexec_t type and file context is introduced
> > to support the OIL Runtime Compiler (ORC) optimized code
> > execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > keyring domains;
> > - add support for a few needed fs and kernel permissions.
> >
> > This patch should be applied before applying the pulseaudio patch.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/gnome.fc | 7 ++
> > policy/modules/contrib/gnome.if | 99
> > +++++++++++++++++++++++++++++++++++++++-
> > policy/modules/contrib/gnome.te | 8 +++
> > 3 files changed, 112 insertions(+), 2 deletions(-)
[...]
> > +
> > ##############################
> > #
> > # Common local Policy
> > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
> >
> > +kernel_dontaudit_read_system_state(gconfd_t)
> > +
> > +fs_getattr_xattr_fs(gconfd_t)
> > +
> > userdom_manage_user_tmp_dirs(gconfd_t)
> > userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > +userdom_manage_user_tmp_sockets(gconfd_t)
>
> What is going on there and why did you choose this?
Other applications (such as firefox) need to write those sockets, therefore the
policy you suggested in a previous message is not feasible.
In other words those sockets should be created as user_tmp_t and not as a
private gconf_tmp_t.
> > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> >
> > optional_policy(`
Regards,
Guido
On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
> Hello Dominick !
>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for a few needed fs and kernel permissions.
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/gnome.fc | 7 ++
>>> policy/modules/contrib/gnome.if | 99
>>> +++++++++++++++++++++++++++++++++++++++-
>>> policy/modules/contrib/gnome.te | 8 +++
>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> [...]
>
>>> +
>>> ##############################
>>> #
>>> # Common local Policy
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>
>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>> +
>>> +fs_getattr_xattr_fs(gconfd_t)
>>> +
>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>
>> What is going on there and why did you choose this?
>
> Other applications (such as firefox) need to write those sockets, therefore the
> policy you suggested in a previous message is not feasible.
>
How do you figure that?
> In other words those sockets should be created as user_tmp_t and not as a
> private gconf_tmp_t.
>
>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>
>>> optional_policy(`
>
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On 08/15/2016 08:00 AM, Dominick Grift wrote:
> On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
>> Hello Dominick !
>>
>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>>> Update for the gnome module:
>>>>
>>>> - a new gstreamer_orcexec_t type and file context is introduced
>>>> to support the OIL Runtime Compiler (ORC) optimized code
>>>> execution (used for example by pulseaudio);
>>>> - add support for more permissions needed in gconfd_t and gnome
>>>> keyring domains;
>>>> - add support for a few needed fs and kernel permissions.
>>>>
>>>> This patch should be applied before applying the pulseaudio patch.
>>>>
>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>> ---
>>>> policy/modules/contrib/gnome.fc | 7 ++
>>>> policy/modules/contrib/gnome.if | 99
>>>> +++++++++++++++++++++++++++++++++++++++-
>>>> policy/modules/contrib/gnome.te | 8 +++
>>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>
>> [...]
>>
>>>> +
>>>> ##############################
>>>> #
>>>> # Common local Policy
>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>>
>>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>>> +
>>>> +fs_getattr_xattr_fs(gconfd_t)
>>>> +
>>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>
>>> What is going on there and why did you choose this?
>>
>> Other applications (such as firefox) need to write those sockets, therefore the
>> policy you suggested in a previous message is not feasible.
>>
>
> How do you figure that?
>
Let me just expand on this a little. I might be wrong on some of the
following but i have in the past targeted gnome2 so i do have a little
experience with dealing with orbit
There are many sockets in orbit-USER. Every application that relies on
that functionality maintains its own socket in there. It is the PRE-dbus
way of communications.
gconfd maintains a socket in there. It was in the past decided to target
gconfd. We should now also be consistent and just finish what we started.
Besides even if you leave that socket type user_tmp_t that still will
leave you with the "gconfd_t:unix_stream_socket connectto" since the
gconfd process does have a private type.
If you start saying we will target this part of gconfd but not the other
part of gconfd then you might as well not target it at all. It may not
be as black-and-white as that, but it essentially boils down to that.
Also beware of letting your desire to "make things work" make you forget
why we are doing this in the first place: to enforce integrity.
Things like these are essentially why I can't use refpolicy. Because
there are too many compromises like these in there. Where it was
forgotten what the purpose is of confined user domains, and where the
desire to just produce something that "works" basically blurred our vision.
>> In other words those sockets should be created as user_tmp_t and not as a
>> private gconf_tmp_t.
>>
>>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>>
>>>> optional_policy(`
>>
>> Regards,
>>
>> Guido
>>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Update for the gnome module:
- a new gstreamer_orcexec_t type and file context is introduced
to support the OIL Runtime Compiler (ORC) optimized code
execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome
keyring domains;
- add support for chat over dbus in the gconfd domain;
- add support for a few needed fs and kernel permissions.
Compared to the previous version of this patch, the support for
Gnome2/ORBit-2 has been dropped.
Recent changes to the pulseaudio module depend on this patch.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.fc | 9 +++
policy/modules/contrib/gnome.if | 100 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 12 ++++
3 files changed, 118 insertions(+), 3 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-15 17:06:46.933458938 +0200
@@ -4,6 +4,9 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0)
+
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
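Review bot: The added `HOME_DIR/orcexec\..*` entry has no file-type field, whereas the two `/var/run/user/...` entries later in this patch are restricted to regular files with `--`; as written, a directory or symlink with a matching name would also be relabelled to `gstreamer_orcexec_t`. Since that type is declared with `application_executable_file` and the location is user-writable, the match should be as narrow as the runtime-dir ones: `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. A short comment above it noting that ORC writes JIT-compiled code into these files (so the executable type is intentional) would also spare the next reader a trip through the thread.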
@@ -13,4 +16,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-15 19:18:12.011401521 +0200
@@ -1,4 +1,4 @@
-## <summary>GNU network object model environment.</summary>
+
########################################
## <summary>
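Review bot: The removed line is the module-level `## <summary>GNU network object model environment.</summary>` and its replacement is an empty line, so the .if file loses the one-line module description that refpolicy .if files presumably carry at their head for the generated documentation. Nothing in the commit message mentions dropping it, so this looks like an editing accident rather than an intended change. I would restore the line verbatim: `## <summary>GNU network object model environment.</summary>`.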
@@ -44,7 +44,7 @@ template(`gnome_role_template',`
gen_require(`
attribute gnomedomain, gkeyringd_domain;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
')
@@ -100,9 +100,23 @@ template(`gnome_role_template',`
allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ userdom_manage_user_home_content_dirs($1_gkeyringd_t)
+ userdom_manage_user_home_content_files($1_gkeyringd_t)
+
+ manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
+
+ manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "control")
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "gpg")
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "pkcs11")
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "ssh")
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ kernel_read_kernel_sysctls($1_gkeyringd_t)
+
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
@@ -112,6 +126,7 @@ template(`gnome_role_template',`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
')
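Review bot: The unnamed `userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)` makes every directory the keyring daemon creates under user home content come out as `gnome_keyring_cache_home_t`, while the file context added in this patch only covers `.cache/keyring[^/]+`; if the daemon happens to be the first process to create `~/.cache` itself, that shared directory gets the private type and other user applications lose access to it, which is the same mislabelling problem the thread already hit with `/tmp/orbit-USER`. The generated `keyring-XXXXXX` names rule out a name-based transition, so at minimum a comment should state that `~/.cache` is expected to exist with its generic label before the daemon runs, e.g. `# keyring-XXXXXX dirs have random names: unnamed dir transition; ~/.cache must already exist as generic home content`. The two `userdom_manage_user_home_content_*` lines above it also grant manage rights over all user_home_t content, considerably more than the `.xsession-errors` write described in the thread; the template body continues outside this hunk.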
@@ -569,6 +584,36 @@ interface(`gnome_home_filetrans_gnome_ho
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in gnome gconf home
## directories with a private type.
## </summary>
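Review bot: `gnome_home_filetrans_gstreamer_orcexec` hands its caller a transition to a type that this same patch declares with `application_executable_file`, so the object the caller writes is also executable, yet the interface documentation does not say so. I would add a `## <desc>` paragraph under the summary stating that the created object receives an executable type (ORC JIT output) and that, presumably, the calling domain still needs separate rules to create and execute objects of that type, so anyone auditing a calling module sees the writable-plus-executable grant explicitly. It is also worth noting in the description that the transition is on the home directory itself (`userdom_user_home_dir_filetrans`), matching the `HOME_DIR/orcexec\..*` context, not on arbitrary home content.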
@@ -604,6 +649,36 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -622,6 +697,27 @@ interface(`gnome_read_keyring_home_files
')
########################################
+## <summary>
+## Send and receive messages from
+## the gconf daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
## <summary>
## Send and receive messages from
## gnome keyring daemon over dbus.
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-15 21:09:21.914336714 +0200
@@ -43,9 +43,15 @@ application_executable_file(gkeyringd_ex
type gnome_keyring_home_t;
userdom_user_home_content(gnome_keyring_home_t)
+type gnome_keyring_cache_home_t;
+userdom_user_home_content(gnome_keyring_cache_home_t)
+
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
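Review bot: `gstreamer_orcexec_t` is declared with `application_executable_file` only, yet the file contexts in this patch place it under `HOME_DIR` and `/var/run/user/<uid>`, where every other type in this block also carries `userdom_user_home_content` or `userdom_user_tmp_file`; without one of those the objects presumably fall outside the user-content attributes (and whatever UBAC constraints and cleanup rules hang off them), so this is worth confirming and, if so, adding e.g. `userdom_user_tmp_file(gstreamer_orcexec_t)` for the runtime-dir instance. A comment above the declaration along the lines of `# ORC writes JIT-compiled code here: deliberately writable and executable` would record why a user-writable executable type exists at all. The `gnome_keyring_cache_home_t` declaration could similarly note that it is for `~/.cache/keyring-*` only, given the earlier suggestion in the thread to wait for the XDG cache types.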
@@ -87,6 +93,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+kernel_dontaudit_read_system_state(gconfd_t)
+
+files_search_tmp(gconfd_t)
+
+fs_getattr_xattr_fs(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
Hello Dominick.
Late reply to this...
On Mon, 15/08/2016 at 10.29 +0200, Dominick Grift wrote:
> On 08/15/2016 08:00 AM, Dominick Grift wrote:
> > On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
> > > Hello Dominick !
> > >
> > > > On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > > > > Update for the gnome module:
> > > > >
> > > > > - a new gstreamer_orcexec_t type and file context is
> > > > > introduced
> > > > >   to support the OIL Runtime Compiler (ORC) optimized code
> > > > >   execution (used for example by pulseaudio);
> > > > > - add support for more permissions needed in gconfd_t and
> > > > > gnome
> > > > >   keyring domains;
> > > > > - add support for a few needed fs and kernel permissions.
> > > > >
> > > > > This patch should be applied before applying the pulseaudio
> > > > > patch.
> > > > >
> > > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > > ---
> > > > >  policy/modules/contrib/gnome.fc |    7 ++
> > > > >  policy/modules/contrib/gnome.if |   99
> > > > > +++++++++++++++++++++++++++++++++++++++-
> > > > >  policy/modules/contrib/gnome.te |    8 +++
> > > > >  3 files changed, 112 insertions(+), 2 deletions(-)
> > >
> > > [...]
> > >
> > > > > +
> > > > > ?##############################
> > > > > ?#
> > > > > ?# Common local Policy
> > > > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> > > > > ?manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> > > > > ?userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file
> > > > > })
> > > > > ?
> > > > > +kernel_dontaudit_read_system_state(gconfd_t)
> > > > > +
> > > > > +fs_getattr_xattr_fs(gconfd_t)
> > > > > +
> > > > > ?userdom_manage_user_tmp_dirs(gconfd_t)
> > > > > ?userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > > > > +userdom_manage_user_tmp_sockets(gconfd_t)
> > > >
> > > > What is going on there and why did you choose this?
> > >
> > > Other applications (such as firefox) need to write those sockets,
> > > therefore the
> > > policy you suggested in a previous message is not feasible.
> > >
> >
> > How do you figure that?
> >
>
> Let me just expand on this a little. I might be wrong on some of the
> following but i have in the past targeted gnome2 so i do have a
> little
> experience with dealing with orbit
>
> There are many sockets in orbit-USER. Every application that relies
> on
> that functionality maintains its own socket in there. It is the PRE-
> dbus
> way of communications.
I have now dropped the support for ORBit-2 in the latest version of
this patch. At the end, it is an obsolete library/framework.
Sooner or later, we shall remove any remaining support for GConf and
the rest of the Gnome2 file contexts and stuff. It's pointless and
risky to keep obsolete stuff for long. In general, security goes hand
in hand with keeping software up to date.
> gconfd maintains a socket in there. It was in the past decided to
> target
> gconfd. We should now also be consistent and just finish what we
> started.
>
> Besides even if you leave that socket type user_tmp_t that still will
> leave you with the "gconfd_t:unix_stream_socket connectto" since the
> gconfd process does have a private type.
>
> If you start saying we will target this part of gconfd but not the
> other
> part of gconfd then you might as well not target it at all. It may
> not
> be as black-and-white as that, but it essentially boils down to that.
>
> Also beware to not let your desire to "make things work" make you
> forget
> about why were doing this in the first place: to enforce integrity.
>
> Things like these are essentially why I can't use refpolicy. Because
> there are too many compromises like these in there. Where it was
I am not following you anymore...
What compromises are you talking about ? The system needs to be usable,
at least to a minimum level. Otherwise, the policy itself is useless.
If there are permissions or interfaces that are dangerous from a
security standpoint and removing them does not affect a minimum level
of usability, then we should surely make any effort to remove them from
the policy !
Please be more specific !
If there is something that is of your concern in the actual policy,
please let me know and I will try to test if removing it affects
usability, then we can proceed to get rid of it. This is very
important. We need an updated tight policy that provides a minimum
(eventually tunable) level of usability.
> forgotten what the purpose is of confined user domains, and where the
> desire to just produce something that "works" basically blurred our
> vision.
Well, it needs to work in the first place, otherwise there is no point
of supporting a given module, we can just remove the support instead of
providing a broken one.
Something of my concern, for example, is too much unnecessary freedom
for applications to read or manage the user_home_t files when they can
be assigned their own private types instead (see for example, my recent
pulseaudio patch).
What specifically concerns you most ?
> > > In other words those sockets should be created as user_tmp_t and
> > > not as a
> > > private gconf_tmp_t.
> > >
> > > > > ?userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> > > > > ?
> > > > > ?optional_policy(`
Regards,
Guido
On 08/16/2016 09:26 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> Late reply to this...
>
> On Mon, 15/08/2016 at 10.29 +0200, Dominick Grift wrote:
>> On 08/15/2016 08:00 AM, Dominick Grift wrote:
>>> On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
>>>> Hello Dominick !
>>>>
>>>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>>>>> Update for the gnome module:
>>>>>>
>>>>>> - a new gstreamer_orcexec_t type and file context is
>>>>>> introduced
>>>>>> to support the OIL Runtime Compiler (ORC) optimized code
>>>>>> execution (used for example by pulseaudio);
>>>>>> - add support for more permissions needed in gconfd_t and
>>>>>> gnome
>>>>>> keyring domains;
>>>>>> - add support for a few needed fs and kernel permissions.
>>>>>>
>>>>>> This patch should be applied before applying the pulseaudio
>>>>>> patch.
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>> ---
>>>>>> policy/modules/contrib/gnome.fc | 7 ++
>>>>>> policy/modules/contrib/gnome.if | 99
>>>>>> +++++++++++++++++++++++++++++++++++++++-
>>>>>> policy/modules/contrib/gnome.te | 8 +++
>>>>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>>>
>>>> [...]
>>>>
>>>>>> +
>>>>>> ##############################
>>>>>> #
>>>>>> # Common local Policy
>>>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file
>>>>>> })
>>>>>>
>>>>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>>>>> +
>>>>>> +fs_getattr_xattr_fs(gconfd_t)
>>>>>> +
>>>>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>>>
>>>>> What is going on there and why did you choose this?
>>>>
>>>> Other applications (such as firefox) need to write those sockets,
>>>> therefore the
>>>> policy you suggested in a previous message is not feasible.
>>>>
>>>
>>> How do you figure that?
>>>
>>
>> Let me just expand on this a little. I might be wrong on some of the
>> following but i have in the past targeted gnome2 so i do have a
>> little
>> experience with dealing with orbit
>>
>> There are many sockets in orbit-USER. Every application that relies
>> on
>> that functionality maintains its own socket in there. It is the PRE-
>> dbus
>> way of communications.
>
> I have now dropped the support for ORBit-2 in the latest version of
> this patch. At the end, it is an obsolete library/framework.
>
> Sooner or later, we shall remove any remaining support for GConf and
> the rest of the Gnome2 file contexts and stuff. It's pointless and
> risky to keep obsolete stuff for long. In general, security goes hand
> in hand with keeping software up to date.
>
>> gconfd maintains a socket in there. It was in the past decided to
>> target
>> gconfd. We should now also be consistent and just finish what we
>> started.
>>
>> Besides even if you leave that socket type user_tmp_t that still will
>> leave you with the "gconfd_t:unix_stream_socket connectto" since the
>> gconfd process does have a private type.
>>
>> If you start saying we will target this part of gconfd but not the
>> other
>> part of gconfd then you might as well not target it at all. It may
>> not
>> be as black-and-white as that, but it essentially boils down to that.
>>
>> Also beware to not let your desire to "make things work" make you
>> forget
>> about why were doing this in the first place: to enforce integrity.
>>
>> Things like these are essentially why I can't use refpolicy. Because
>> there are too many compromises like these in there. Where it was
>
> I am not following you anymore...
>
> What compromises are you talking about ? The system needs to be usable,
> at least to a minimum level. Otherwise, the policy itself is useless.
>
> If there are permissions or interfaces that are dangerous from a
> security standpoint and removing them does not affect a minimum level
> of usability, then we should surely make any effort to remove them from
> the policy !
>
> Please be more specific !
>
> If there is something that is of your concern in the actual policy,
> please let me know and I will try to test if removing it affects
> usability, then we can proceed to get rid of it. This is very
> important. We need an updated tight policy that provides a minimum
> (eventually tunable) level of usability.
>
>> forgotten what the purpose is of confined user domains, and where the
>> desire to just produce something that "works" basically blurred our
>> vision.
>
> Well, it needs to work in the first place, otherwise there is no point
> of supporting a given module, we can just remove the support instead of
> providing a broken one.
>
> Something of my concern, for example, is too much unnecessary freedom
> for applications to read or manage the user_home_t files when they can
> be assigned their own private types instead (see for example, my recent
> pulseaudio patch).
>
> What specifically concerns you most ?
>
I can't be much more specific. I think that allowing a process
associated with type gconfd_t to maintain a socket with type user_tmp_t
is a bad idea.
Anyway, I will leave this to others to decide.
>>>> In other words those sockets should be created as user_tmp_t and
>>>> not as a
>>>> private gconf_tmp_t.
>>>>
>>>>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>>>>
>>>>>> optional_policy(`
>
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On 08/15/16 17:33, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - a new gstreamer_orcexec_t type and file context is introduced
> to support the OIL Runtime Compiler (ORC) optimized code
> execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
> keyring domains;
> - add support for chat over dbus in the gconfd domain;
> - add support for a few needed fs and kernel permissions.
>
> Compared to the previous version of this patch, the support for
> Gnome2/ORBit-2 has been dropped.
>
> Recent changes to the pulseaudio module depend on this patch !
[...]
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-15 19:18:12.011401521 +0200
> @@ -1,4 +1,4 @@
> -## <summary>GNU network object model environment.</summary>
> +
This was probably a mistake, but please don't remove the XML.
> ########################################
> ## <summary>
> @@ -44,7 +44,7 @@ template(`gnome_role_template',`
> gen_require(`
> attribute gnomedomain, gkeyringd_domain;
> attribute_role gconfd_roles;
> - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
> + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> type gconf_home_t;
> ')
> @@ -100,9 +100,23 @@ template(`gnome_role_template',`
>
> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
>
> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> + userdom_manage_user_home_content_files($1_gkeyringd_t)
This is discussed in another thread, I am concerned about these
permissions for the same reason Dominick is.
> + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
> +
> + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "control")
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "gpg")
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "pkcs11")
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "ssh")
I suspect putting the socket names is unnecessary. It doesn't appear to
create different types of sockets in the same directory.
> ps_process_pattern($3, $1_gkeyringd_t)
> allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
>
> + kernel_read_kernel_sysctls($1_gkeyringd_t)
> +
> corecmd_bin_domtrans($1_gkeyringd_t, $3)
> corecmd_shell_domtrans($1_gkeyringd_t, $3)
>
> @@ -112,6 +126,7 @@ template(`gnome_role_template',`
> dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
>
> optional_policy(`
> + gnome_dbus_chat_gconfd($3)
> gnome_dbus_chat_gkeyringd($1, $3)
> ')
> ')
> @@ -569,6 +584,36 @@ interface(`gnome_home_filetrans_gnome_ho
>
> ########################################
> ## <summary>
> +## Create objects in user home
> +## directories with the gstreamer
> +## orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_home_filetrans_gstreamer_orcexec',`
This should be gnome_user_home_dir_filetrans_orcexec() or
gnome_user_home_dir_filetrans_gstreamer() orcexec
[...]
> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
Right naming scheme, but if you drop the "gstreamer" out of the previous
interface name, do the same here.
--
Chris PeBenito
Update for the gnome module:
- target the dconf daemon, the gsettings user application, the
gnome-settings-daemon and the at-spi daemon with all the
needed domain transitions;
- a new gstreamer_orcexec_t type and file context is introduced
to support the OIL Runtime Compiler (ORC) optimized code
execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome
keyring domains;
- add support for chat over dbus in the gconfd domain and in the
new domains (dconf, gsettings, etc);
- add support for a few needed fs and kernel permissions.
- add support for reading the colord related files in the home
directories (such as the ICC EDID profiles): requires the
recent colord patch;
- add support for reading the colord related files in the home
directories in the common user domain template;
- add support for a new mime_info_t type to be used in the home
directories;
- includes minor modifications to the consolekit, dbus and
policykit modules to support the new targeted gnome daemons
and applications;
- modifies the pulseaudio module to introduce new interfaces to
read and write pulseaudio tmpfs files and to use the pulseaudio
file descriptor.
The support for Gnome2/ORBit-2 (version 2) has been dropped.
This patch depends on the recent colord patch.
Recent changes to the pulseaudio module depends on this patch !
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/colord.if | 41 +++
policy/modules/contrib/colord.te | 4
policy/modules/contrib/consolekit.te | 4
policy/modules/contrib/dbus.te | 9
policy/modules/contrib/gnome.fc | 19 +
policy/modules/contrib/gnome.if | 426 ++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 267 +++++++++++++++++++++
policy/modules/contrib/policykit.fc | 2
policy/modules/contrib/policykit.if | 20 +
policy/modules/contrib/policykit.te | 1
policy/modules/contrib/pulseaudio.if | 77 ++++++
policy/modules/contrib/pulseaudio.te | 5
policy/modules/system/userdomain.if | 4
13 files changed, 876 insertions(+), 3 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200
@@ -58,3 +58,44 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+######################################
+## <summary>
+## Read colord home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_read_home_files',`
+ gen_require(`
+ type colord_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_list_user_home_content($1)
+ read_files_pattern($1, colord_home_t, colord_home_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## colord home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_manage_home_files',`
+ gen_require(`
+ type colord_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_list_user_home_content($1)
+ manage_files_pattern($1, colord_home_t, colord_home_t)
+')
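Review bot: The summary of colord_manage_home_files promises "Create, read, write, and delete colord home content", but the body only calls manage_files_pattern(), so directories labeled colord_home_t can be neither created nor removed through it. Either narrow the summary to `## colord home files.` or add `manage_dirs_pattern($1, colord_home_t, colord_home_t)` next to the files pattern so the interface matches its description. colord_read_home_files above it is consistent, since its summary already says files.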
--- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200
@@ -123,6 +136,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_settings_daemon_use_fds(colord_t)
+')
+
+optional_policy(`
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200
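Review bot: The colord.te hunk is generated against a different tree than the rest of the series: its old-side header names refpolicy-git-14082016 while every other file in the patch uses refpolicy-git-06082016-orig, and `@@ -123,6 +136,10 @@` already carries a thirteen-line offset that four added lines cannot account for. Regenerate this diff from the same base as the other files so the series applies cleanly, or state in the commit message which earlier colord change it is layered on. The added gnome_settings_daemon_use_fds(colord_t) also lets a system daemon use descriptors from a session daemon; the denial that motivated it would be worth quoting, since the direction is unusual.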
+++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200
@@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_read_settings_daemon_files(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)
--- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200
@@ -148,6 +148,15 @@ optional_policy(`
')
optional_policy(`
+ colord_read_home_files(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_read_settings_daemon_files(system_dbusd_t)
+ gnome_settings_daemon_use_fds(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
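Review bot: colord_read_home_files(system_dbusd_t) in the first added optional block gives the system bus daemon search on user home directories plus read on colord_home_t content, and gnome_read_settings_daemon_files() grants read_files_pattern on gnome_settings_daemon_t, which is a process domain rather than a file type. The system bus does not normally need user home content or another session process's state, so the denials behind these rules should be quoted in the commit message; if they originate from a helper the bus merely spawns, the access belongs in that helper's domain. If only search or getattr was denied, a dontaudit rule would be the tighter fix.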
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200
@@ -1,16 +1,33 @@
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0)
+HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0)
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0)
HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0)
+
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0)
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0)
+/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0)
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0)
+/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0)
+
+/usr/share/glib-[^/]*/schemas(/.*)? gen_context(system_u:object_r:gnome_settings_schemas_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
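Review bot: The last two entries of the hunk overlap: `/var/run/user/[^/]*/orcexec\..*` already matches every path that `/var/run/user/%{USERID}/orcexec\..*` can match, so the second entry never contributes a label and should be dropped (or the first narrowed if per-user matching was the intent). The home-directory entry `HOME_DIR/orcexec\..*` further up has no `--` file-type qualifier while the runtime entries do, so a directory or other non-regular object with that name would also receive the executable type; add `--` there for consistency.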
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-20 03:27:52.570896165 +0200
@@ -43,14 +43,40 @@ interface(`gnome_role',`
template(`gnome_role_template',`
gen_require(`
attribute gnomedomain, gkeyringd_domain;
+ attribute_role dconf_roles;
+ attribute_role at_spi_roles;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ attribute_role gnome_settings_roles;
+ attribute_role gnome_settings_daemon_roles;
+ type dconf_t, dconf_exec_t, dconf_home_t;
+ type at_spi_t, at_spi_exec_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
+ type gnome_settings_t, gnome_settings_exec_t;
+ type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
+ type gnome_settings_schemas_t;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
+ type mime_info_t;
+ type user_dbusd_t;
+ type dbusd_exec_t;
')
########################################
#
+ # Dconf declarations
+ #
+
+ roleattribute $2 dconf_roles;
+
+ ########################################
+ #
+ # At-spi declarations
+ #
+
+ roleattribute $2 at_spi_roles;
+
+ ########################################
+ #
# Gconf declarations
#
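Review bot: The gen_require block now lists `type user_dbusd_t;` and `type dbusd_exec_t;`, which are declared by the dbus module, outside any optional_policy(), so the gnome module can no longer build without dbus and later parts of this template write allow rules directly on another module's domain. refpolicy convention is to reach other modules' types through their interfaces in dbus.if (or to wrap the dependency in optional_policy), which would also keep the dbus rules in one place. gnome_role_template continues past the end of this hunk.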
@@ -58,6 +84,20 @@ template(`gnome_role_template',`
########################################
#
+ # Gnome-settings declarations
+ #
+
+ roleattribute $2 gnome_settings_roles;
+
+ ########################################
+ #
+ # Gnome-settings-daemon declarations
+ #
+
+ roleattribute $2 gnome_settings_daemon_roles;
+
+ ########################################
+ #
# Gkeyringd declarations
#
@@ -69,6 +109,70 @@ template(`gnome_role_template',`
########################################
#
+ # Common policy
+ #
+
+ allow $3 dconf_home_t:dir manage_dir_perms;
+ allow $3 dconf_home_t:file manage_file_perms;
+ allow $3 dconf_home_t:lnk_file manage_lnk_file_perms;
+
+ allow $3 gnome_settings_schemas_t:dir list_dir_perms;
+ allow $3 gnome_settings_schemas_t:file read_file_perms;
+ allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+ allow $3 mime_info_t:dir list_dir_perms;
+ allow $3 mime_info_t:file read_file_perms;
+
+ allow at_spi_t user_dbusd_t:process signal;
+
+ allow user_dbusd_t self:process signal;
+
+ allow user_dbusd_t bin_t:file entrypoint;
+
+ allow user_dbusd_t dbusd_exec_t:file exec_file_perms;
+
+ gnome_read_settings_files(user_dbusd_t)
+ gnome_read_settings_daemon_files(user_dbusd_t)
+
+ files_read_usr_files($3)
+
+ kernel_read_system_state(user_dbusd_t)
+
+ optional_policy(`
+ xserver_read_user_xauth(user_dbusd_t)
+ xserver_stream_connect(user_dbusd_t)
+ ')
+
+ ########################################
+ #
+ # Dconf policy
+ #
+
+ allow dconf_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms };
+
+ domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t)
+
+ ########################################
+ #
+ # At-spi policy
+ #
+
+ allow at_spi_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms };
+
+ allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms };
+
+ allow $3 at_spi_t:fd use;
+
+ domtrans_pattern(at_spi_t, dbusd_exec_t, user_dbusd_t)
+
+ domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t)
+
+ ########################################
+ #
# Gconf policy
#
@@ -84,6 +188,38 @@ template(`gnome_role_template',`
########################################
#
+ # Gnome-settings policy
+ #
+
+ domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t)
+
+ allow $3 gnome_settings_t:process { ptrace signal_perms };
+ ps_process_pattern($3, gnome_settings_t)
+
+ allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow gnome_settings_t bin_t:file entrypoint;
+ allow gnome_settings_t dbusd_exec_t:file { entrypoint exec_file_perms };
+
+ # for dbus-launch
+ corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)
+
+ domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t)
+
+ ########################################
+ #
+ # Gnome-settings-daemon policy
+ #
+
+ domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t)
+
+ allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow $3 gnome_settings_daemon_t:process { ptrace signal_perms };
+ ps_process_pattern($3, gnome_settings_daemon_t)
+
+ ########################################
+ #
# Gkeyringd policy
#
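Review bot: `corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)` combined with `allow gnome_settings_t bin_t:file entrypoint;` and, in the previous hunk, `allow user_dbusd_t bin_t:file entrypoint;` means any generic bin_t program executed by gnome_settings_t lands in the session bus domain and any bin_t binary is a valid entrypoint for it, which removes the integrity guarantee that domain is meant to provide. The comment `# for dbus-launch` says a single binary is the target, and `domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t)` two lines below already covers dbusd_exec_t, so label dbus-launch with that type and delete the bin_t rules. bin_t is also absent from the template's gen_require block.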
@@ -100,23 +236,85 @@ template(`gnome_role_template',`
allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ userdom_manage_user_home_content_dirs($1_gkeyringd_t)
+ userdom_manage_user_home_content_files($1_gkeyringd_t)
+
+ manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
+
+ manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file)
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ kernel_read_kernel_sysctls($1_gkeyringd_t)
+
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
gnome_stream_connect_gkeyringd($1, $3)
optional_policy(`
+ dbus_connect_spec_session_bus(user, dconf_t)
+ dbus_connect_spec_session_bus(user, at_spi_t)
+ dbus_connect_spec_session_bus(user, gnome_settings_daemon_t)
+ dbus_connect_system_bus(gnome_settings_daemon_t)
+ dbus_send_spec_session_bus(user, dconf_t)
+ dbus_send_spec_session_bus(user, at_spi_t)
+ dbus_send_spec_session_bus(user, gnome_settings_daemon_t)
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ gnome_dbus_chat_dconf($3)
+ gnome_dbus_chat_dconf(gnome_settings_t)
+ gnome_dbus_chat_at_spi($3)
+ gnome_dbus_chat_gconfd($3)
+ gnome_dbus_chat_gnome_settings(user_dbusd_t)
+ gnome_dbus_chat_gnome_settings_daemon($3)
+ gnome_dbus_chat_gnome_settings_daemon(at_spi_t)
gnome_dbus_chat_gkeyringd($1, $3)
')
')
')
+#######################################
+## <summary>
+## Read gnome-settings files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_settings_files',`
+ gen_require(`
+ type gnome_settings_t;
+ ')
+
+ read_files_pattern($1, gnome_settings_t, gnome_settings_t)
+')
+
+#######################################
+## <summary>
+## Read gnome-settings-daemon
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_settings_daemon_files',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ ')
+
+ read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t)
+')
+
########################################
## <summary>
## Execute gconf in the caller domain.
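Review bot: The new dbus_connect_spec_session_bus() and dbus_send_spec_session_bus() calls pass the literal prefix `user`, whereas the existing `dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)` beneath them uses the template parameter; for any role prefix other than user these rules would likely bind dconf_t, at_spi_t and gnome_settings_daemon_t to a bus that role does not use. Change them to `dbus_connect_spec_session_bus($1, dconf_t)` and likewise for the other six calls. The gnome_read_settings_files and gnome_read_settings_daemon_files interfaces added at the end of the hunk apply read_files_pattern to process domain types; if the intent is reading those daemons' /proc entries, their summaries should say so rather than "files".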
@@ -569,6 +767,36 @@ interface(`gnome_home_filetrans_gnome_ho
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in gnome gconf home
## directories with a private type.
## </summary>
@@ -604,6 +832,36 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -623,6 +881,133 @@ interface(`gnome_read_keyring_home_files
########################################
## <summary>
+## Read mime info files in the home
+## directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_mime_info_home_files',`
+ gen_require(`
+ type mime_info_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_list_user_home_content($1)
+ read_files_pattern($1, mime_info_t, mime_info_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the dconf daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_dconf',`
+ gen_require(`
+ type dconf_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dconf_t:dbus send_msg;
+ allow dconf_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the at-spi daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_at_spi',`
+ gen_require(`
+ type at_spi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 at_spi_t:dbus send_msg;
+ allow at_spi_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the gconf daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnome-settings over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gnome_settings',`
+ gen_require(`
+ type gnome_settings_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnome_settings_t:dbus send_msg;
+ allow gnome_settings_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the gnome-settings-daemon over
+## dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gnome_settings_daemon',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnome_settings_daemon_t:dbus send_msg;
+ allow gnome_settings_daemon_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
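Review bot: `gnome_read_mime_info_home_files` calls `userdom_list_user_home_content($1)`, which lists every user-home content type, not just the mime info directories the interface is named for; `list_dirs_pattern($1, mime_info_t, mime_info_t)` next to the existing `read_files_pattern` call would scope the grant to the type. Note also that the gnome.te hunk declares `mime_info_t` with `files_config_file`, so as far as I recall it carries no user-home attribute and the generic home-content call does not reach the target directories anyway.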
@@ -735,3 +1120,42 @@ interface(`gnome_stream_connect_all_gkey
files_search_tmp($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
+
+########################################
+## <summary>
+## Use file descriptors for
+## the gnome settings daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_settings_daemon_use_fds',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ ')
+
+ allow $1 gnome_settings_daemon_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for the gnome
+## settings daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_settings_daemon_use_fds',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ ')
+
+ dontaudit $1 gnome_settings_daemon_t:fd use;
+')
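Review bot: The `domain` parameter of `gnome_dontaudit_settings_daemon_use_fds` is documented as `Domain allowed access.`, but a dontaudit rule allows nothing; the refpolicy wording for dontaudit interfaces is `## Domain to not audit.`. The same applies to `pulseaudio_dontaudit_use_fds` in the pulseaudio.if hunk further down.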
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-20 01:27:16.464669503 +0200
@@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1)
attribute gkeyringd_domain;
attribute gnomedomain;
+attribute_role dconf_roles;
+attribute_role at_spi_roles;
attribute_role gconfd_roles;
+attribute_role gnome_settings_roles;
+attribute_role gnome_settings_daemon_roles;
+
+type dconf_t;
+type dconf_exec_t;
+userdom_user_application_domain(dconf_t, dconf_exec_t)
+role dconf_roles types dconf_t;
+
+type dconf_home_t;
+userdom_user_home_content(dconf_home_t)
+
+type at_spi_t;
+type at_spi_exec_t;
+userdom_user_application_domain(at_spi_t, at_spi_exec_t)
+role at_spi_roles types at_spi_t;
type gconf_etc_t;
files_config_file(gconf_etc_t)
@@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
+type gnome_settings_t;
+type gnome_settings_exec_t;
+userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t)
+role gnome_settings_roles types gnome_settings_t;
+
+type gnome_settings_daemon_t;
+type gnome_settings_daemon_exec_t;
+userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t)
+role gnome_settings_daemon_roles types gnome_settings_daemon_t;
+
+type gnome_settings_schemas_t;
+files_config_file(gnome_settings_schemas_t)
+
type gnome_home_t;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
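Review bot: `userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t)` pass the executable type where the domain type is expected; compare the dconf, at_spi and gconfd declarations in this file, which pass `dconf_t`, `at_spi_t` and `gconfd_t` first. As written the exec types become the domains while `gnome_settings_t` and `gnome_settings_daemon_t` get no domain or entrypoint set-up, which is presumably why the later local-policy hunk hand-adds `allow gnome_settings_t gnome_settings_exec_t:file entrypoint;` and `allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };`. They should read `userdom_user_application_domain(gnome_settings_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_t, gnome_settings_daemon_exec_t)`, after which the manual entrypoint rules are redundant.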
@@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex
type gnome_keyring_home_t;
userdom_user_home_content(gnome_keyring_home_t)
+type gnome_keyring_cache_home_t;
+userdom_user_home_content(gnome_keyring_cache_home_t)
+
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type mime_info_t;
+files_config_file(mime_info_t)
+
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
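Review bot: `application_executable_file(gstreamer_orcexec_t)` gives an executable-file attribute to files that user domains create in user-writable locations (`HOME_DIR/orcexec\..*` and `/var/run/user/.../orcexec\..*` in the gnome.fc hunk), so, as far as I recall refpolicy's corecmd attributes, any domain granted the execute-all-executables style interfaces can execute code an unprivileged user wrote. The only consumer visible in this patch is `pulseaudio_t`, which gets `mmap_file_perms` (including `execute`) directly on the type, so the executable attribute is not needed for the JIT to work. Declaring it like the other home types in this file, `userdom_user_home_content(gstreamer_orcexec_t)`, with a comment such as `# ORC JIT output: written and execute-mapped only by domains explicitly allowed on this type`, keeps the exposure to the domains that ask for it. `mime_info_t` two lines above is declared with `files_config_file` although its file contexts are under `HOME_DIR`; check whether a user-home content declaration is intended there as well.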
##############################
#
# Common local Policy
@@ -73,7 +112,62 @@ optional_policy(`
##############################
#
-# Conf daemon local Policy
+# DConf daemon local policy (Gnome3)
+#
+
+allow dconf_t self:process signal;
+
+allow dconf_t dconf_home_t:dir manage_dir_perms;
+allow dconf_t dconf_home_t:file manage_file_perms;
+allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+userdom_search_user_home_content(dconf_t)
+
+fs_getattr_xattr_fs(dconf_t)
+
+kernel_read_system_state(dconf_t)
+
+selinux_getattr_fs(dconf_t)
+
+##############################
+#
+# At-spi local policy
+#
+
+allow at_spi_t self:process signal;
+
+allow at_spi_t dconf_home_t:dir manage_dir_perms;
+allow at_spi_t dconf_home_t:file manage_file_perms;
+allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms;
+allow at_spi_t gnome_settings_schemas_t:file read_file_perms;
+allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t)
+
+corecmd_search_bin(at_spi_t)
+
+files_read_usr_files(at_spi_t)
+
+fs_getattr_xattr_fs(at_spi_t)
+
+kernel_read_system_state(at_spi_t)
+
+selinux_getattr_fs(at_spi_t)
+
+# search in .cache
+userdom_search_user_home_dirs(at_spi_t)
+userdom_search_user_home_content(at_spi_t)
+
+optional_policy(`
+ xserver_read_user_xauth(at_spi_t)
+ xserver_stream_connect(at_spi_t)
+')
+
+##############################
+#
+# GConf daemon local Policy (Gnome2)
#
allow gconfd_t gconf_etc_t:dir list_dir_perms;
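Review bot: `dconf_t` and `at_spi_t` receive `manage_*_perms` on `dconf_home_t`, but no file transition to `dconf_home_t` is visible in this hunk or elsewhere in the patch, so directories and files dconf creates under the user's `.config`/`.cache` will inherit the parent's type and these rules only apply after a relabel; a `userdom_user_home_content_filetrans(dconf_t, dconf_home_t, dir)`-style rule (with the `"dconf"` name argument if this tree supports name transitions) is what the keyring cache type uses in the quoted gnome.if hunk below. Separately, an accessibility bus launcher creating and deleting the dconf database looks broader than needed — if at-spi only reads settings, `allow at_spi_t dconf_home_t:file read_file_perms;` plus directory search would do; worth confirming against the denials that motivated it.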
@@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+kernel_dontaudit_read_system_state(gconfd_t)
+
+files_search_tmp(gconfd_t)
+
+fs_getattr_xattr_fs(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
@@ -102,6 +202,171 @@ optional_policy(`
')
##############################
+#
+# Gnome-settings local policy
+#
+
+allow gnome_settings_t self:dir list_dir_perms;
+allow gnome_settings_t self:file rw_file_perms;
+allow gnome_settings_t self:process { fork sigchld };
+allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms;
+
+allow gnome_settings_t dconf_home_t:dir manage_dir_perms;
+allow gnome_settings_t dconf_home_t:file manage_file_perms;
+allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms;
+allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms;
+allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+allow gnome_settings_t gnome_settings_exec_t:file entrypoint;
+
+rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t)
+
+corecmd_exec_bin(gnome_settings_t)
+corecmd_search_bin(gnome_settings_t)
+
+dev_dontaudit_search_sysfs(gnome_settings_t)
+dev_list_all_dev_nodes(gnome_settings_t)
+dev_rw_null(gnome_settings_t)
+dev_search_sysfs(gnome_settings_t)
+
+files_list_root(gnome_settings_t)
+files_read_etc_files(gnome_settings_t)
+files_read_usr_files(gnome_settings_t)
+files_search_pids(gnome_settings_t)
+
+fs_getattr_xattr_fs(gnome_settings_t)
+
+init_sigchld(gnome_settings_t)
+
+kernel_read_system_state(gnome_settings_t)
+
+libs_use_ld_so(gnome_settings_t)
+libs_use_shared_libs(gnome_settings_t)
+
+miscfiles_read_localization(gnome_settings_t)
+
+selinux_getattr_fs(gnome_settings_t)
+selinux_dontaudit_search_fs(gnome_settings_t)
+
+### should create an xserver interface for writing .xsession-errors
+userdom_dontaudit_write_user_home_content_files(gnome_settings_t)
+
+# search in .cache
+userdom_search_user_home_dirs(gnome_settings_t)
+userdom_search_user_home_content(gnome_settings_t)
+
+optional_policy(`
+ dbus_read_lib_files(gnome_settings_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gnome_settings_t)
+')
+
+##############################
+#
+# Gnome-settings-daemon local policy
+#
+
+allow gnome_settings_daemon_t self:dir list_dir_perms;
+allow gnome_settings_daemon_t self:file rw_file_perms;
+allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms;
+
+allow gnome_settings_daemon_t self:process { fork sigchld signal };
+allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms;
+allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms;
+allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms;
+allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms;
+allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms;
+allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };
+
+rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t)
+
+read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t)
+
+cups_read_config(gnome_settings_daemon_t)
+cups_stream_connect(gnome_settings_daemon_t)
+
+dev_dontaudit_search_sysfs(gnome_settings_daemon_t)
+dev_read_urand(gnome_settings_daemon_t)
+dev_read_sysfs(gnome_settings_daemon_t)
+dev_rw_null(gnome_settings_daemon_t)
+
+files_list_root(gnome_settings_daemon_t)
+files_list_tmp(gnome_settings_daemon_t)
+files_read_etc_files(gnome_settings_daemon_t)
+files_read_usr_files(gnome_settings_daemon_t)
+files_search_tmp(gnome_settings_daemon_t)
+
+fs_getattr_tmpfs(gnome_settings_daemon_t)
+fs_getattr_xattr_fs(gnome_settings_daemon_t)
+fs_list_tmpfs(gnome_settings_daemon_t)
+fs_rw_tmpfs_files(gnome_settings_daemon_t)
+
+init_sigchld(gnome_settings_daemon_t)
+
+kernel_read_system_state(gnome_settings_daemon_t)
+
+libs_use_ld_so(gnome_settings_daemon_t)
+libs_use_shared_libs(gnome_settings_daemon_t)
+
+logging_search_logs(gnome_settings_daemon_t)
+
+miscfiles_read_fonts(gnome_settings_daemon_t)
+miscfiles_read_generic_certs(gnome_settings_daemon_t)
+miscfiles_read_localization(gnome_settings_daemon_t)
+
+selinux_getattr_fs(gnome_settings_daemon_t)
+selinux_dontaudit_search_fs(gnome_settings_daemon_t)
+
+### should create an xserver interface for writing .xsession-errors
+userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t)
+
+userdom_list_user_home_dirs(gnome_settings_daemon_t)
+userdom_list_user_tmp(gnome_settings_daemon_t)
+userdom_search_user_home_dirs(gnome_settings_daemon_t)
+userdom_search_user_home_content(gnome_settings_daemon_t)
+
+optional_policy(`
+ colord_dbus_chat(gnome_settings_daemon_t)
+ colord_manage_home_files(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnome_settings_daemon_t)
+ policykit_domtrans(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ pulseaudio_read_home(gnome_settings_daemon_t)
+ pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t)
+ pulseaudio_signull(gnome_settings_daemon_t)
+ pulseaudio_stream_connect(gnome_settings_daemon_t)
+ pulseaudio_use_fds(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ xserver_read_user_xauth(gnome_settings_daemon_t)
+ xserver_stream_connect(gnome_settings_daemon_t)
+')
+
+##############################
#
# Keyring-daemon local policy
#
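Review bot: `libs_use_ld_so` and `libs_use_shared_libs`, called for both `gnome_settings_t` and `gnome_settings_daemon_t`, are as far as I recall deprecated no-ops in this refpolicy generation (shared-library access moved into the base domain), so they only produce build warnings and should be dropped. The two `### should create an xserver interface for writing .xsession-errors` lines use a triple hash for what is a TODO; the file's comment style is a single `#`, e.g. `# TODO: add an xserver interface for writing .xsession-errors`.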
--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200
@@ -1,3 +1,5 @@
+/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
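Review bot: Labelling `/usr/bin/pkexec` as `policykit_exec_t` puts a setuid-root helper that runs user-requested commands into the same domain as the polkitd system daemon, and the new `policykit_domtrans` interface (policykit.if hunk) plus its use for `gnome_settings_daemon_t` in gnome.te then makes that transition available from a user application domain; whatever pkexec launches after authorization would run under `policykit_t`, a daemon policy not designed for executing arbitrary commands as root. pkexec is better served by its own exec type and domain (this file already separates the agent helper as `policykit_auth_exec_t`), or at least the rule should carry a comment stating why sharing `policykit_t` was chosen. Note also that policykit.fc/.if/.te, pulseaudio.if/.te and userdomain.if are not in this message's three-file diffstat, so the summary understates what the patch touches.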
--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200
@@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',`
########################################
## <summary>
+## Execute a domain transition to
+## run polkit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans',`
+ gen_require(`
+ type policykit_t, policykit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_exec_t, policykit_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run polkit_auth.
## </summary>
## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200
@@ -117,6 +118,7 @@ optional_policy(`
optional_policy(`
gnome_read_generic_home_content(policykit_t)
+ gnome_read_settings_daemon_files(policykit_t)
')
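Review bot: `gnome_read_settings_daemon_files` (defined at the top of this patch) is `read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t)`, and `gnome_settings_daemon_t` is a process domain rather than a file type, so what this presumably grants is reading the daemon's `/proc/<pid>` entries, not any "files"; the refpolicy idiom for that is `ps_process_pattern($1, gnome_settings_daemon_t)` under a name such as `gnome_read_settings_daemon_state`. The same interface is used for `consolekit_t` and `system_dbusd_t` in the quoted consolekit.te and dbus.te hunks below. A comment here naming the access polkitd actually needs, e.g. `# read gnome-settings-daemon process state (<reason from the denial>)`, would make the intent reviewable.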
optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200
@@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',`
typeattribute $1 pulseaudio_tmpfsfile;
')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
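Review bot: The header rules above `pulseaudio_read_tmpfs_files` and `pulseaudio_rw_tmpfs_files` are one `#` short of the 40-column `########################################` used by the two interfaces that follow and by the rest of the module; the same short rule appears above `gnome_read_settings_files` and `gnome_read_settings_daemon_files` in the quoted gnome.if hunk. Also, the context line above shows a `pulseaudio_tmpfsfile` attribute, which suggests there are several pulseaudio tmpfs types; the new interfaces cover only `pulseaudio_tmpfs_t`, so if callers such as `gnome_settings_daemon_t` need the derived types too, the patterns should target the attribute instead.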
--- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200
@@ -193,6 +193,11 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
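Review bot: `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` references a type owned by the gnome module directly from pulseaudio.te with no `gen_require`, which the modular refpolicy build does not allow — cross-module access has to go through an interface in gnome.if (e.g. one `gnome_manage_gstreamer_orcexec_files`-style interface that grants the file permissions and performs the two filetrans calls). The two filetrans calls pass no name, so every file `pulseaudio_t` creates directly in a user home or runtime directory becomes `gstreamer_orcexec_t`, not only `orcexec.*` as the file contexts suggest; if, as I believe, ORC randomizes the suffix, a name transition cannot narrow this and the comment should say so. Finally, `manage_file_perms` together with `mmap_file_perms` (which includes `execute`) lets the same domain write and then execute-map the file; that is inherent to the ORC JIT, so extend the comment: `# ORC writes JIT code to orcexec.* and maps it executable: write + execute on the same file is intended`.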
optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200
@@ -593,6 +593,10 @@ template(`userdom_common_user_template',
')
optional_policy(`
+ colord_manage_home_files($1_t)
+ ')
+
+ optional_policy(`
dbus_system_bus_client($1_t)
optional_policy(`
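Review bot: `colord_manage_home_files($1_t)` gives every common user domain create/write/delete on `colord_home_t`, while the quoted cover letter below describes the goal as reading the colord files in the home directories from the common user domain template; if reading is what is needed, the sibling `colord_read_home_files($1_t)` (defined in the quoted colord.if hunk) is the matching call. If manage really is required because the user owns the files, the description should be updated instead so the two agree.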
On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote:
> Update for the gnome module:
>
> - target the dconf daemon, the gsettings user application, the
> gnome-settings-daemon and the at-spi daemon with all the
> needed domain transitions;
> - a new gstreamer_orcexec_t type and file context is introduced
> to support the OIL Runtime Compiler (ORC) optimized code
> execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
> keyring domains;
> - add support for chat over dbus in the gconfd domain and in the
> new domains (dconf, gsettings, etc);
> - add support for a few needed fs and kernel permissions.
> - add support for reading the colord related files in the home
> directories (such as the ICC EDID profiles): requires the
> recent colord patch;
> - add support for reading the colord related files in the home
> directories in the common user domain template;
> - add support for a new mime_info_t type to be used in the home
> directories;
> - includes minor modifications to the consolekit, dbus and
> policykit modules to support the new targeted gnome daemons
> and applications;
> - modifies the pulseaudio module to introduce new interfaces to
> read and write pulseaudio tmpfs files and to use the pulseaudio
> file descriptor.
>
> The support for Gnome2/ORBit-2 (version 2) has been dropped.
If you want me to review this, then you have to split this patch into
smaller patches.
>
> This patch depends on the recent colord patch.
>
> Recent changes to the pulseaudio module depends on this patch !
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/colord.if | 41 +++
> policy/modules/contrib/colord.te | 4
> policy/modules/contrib/consolekit.te | 4
> policy/modules/contrib/dbus.te | 9
> policy/modules/contrib/gnome.fc | 19 +
> policy/modules/contrib/gnome.if | 426 ++++++++++++++++++++++++++++++++++-
> policy/modules/contrib/gnome.te | 267 +++++++++++++++++++++
> policy/modules/contrib/policykit.fc | 2
> policy/modules/contrib/policykit.if | 20 +
> policy/modules/contrib/policykit.te | 1
> policy/modules/contrib/pulseaudio.if | 77 ++++++
> policy/modules/contrib/pulseaudio.te | 5
> policy/modules/system/userdomain.if | 4
> 13 files changed, 876 insertions(+), 3 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200
> @@ -58,3 +58,44 @@ interface(`colord_read_lib_files',`
> files_search_var_lib($1)
> read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
> ')
> +
> +######################################
> +## <summary>
> +## Read colord home files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`colord_read_home_files',`
> + gen_require(`
> + type colord_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + userdom_list_user_home_content($1)
> + read_files_pattern($1, colord_home_t, colord_home_t)
> +')
> +
> +######################################
> +## <summary>
> +## Create, read, write, and delete
> +## colord home content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`colord_manage_home_files',`
> + gen_require(`
> + type colord_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + userdom_list_user_home_content($1)
> + manage_files_pattern($1, colord_home_t, colord_home_t)
> +')
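Review bot: `colord_manage_home_files` is summarised as `Create, read, write, and delete colord home content.`, but the body is `manage_files_pattern` only; in refpolicy wording "content" covers dirs, files and links, so either the summary should say `colord home files.` or the interface should also call `manage_dirs_pattern($1, colord_home_t, colord_home_t)` so callers can create the directory the files live in.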
> --- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200
> @@ -123,6 +136,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gnome_settings_daemon_use_fds(colord_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(colord_t)
> policykit_domtrans_auth(colord_t)
> policykit_read_lib(colord_t)--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200
> @@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + gnome_read_settings_daemon_files(consolekit_t)
> +')
> +
> +optional_policy(`
> dbus_read_lib_files(consolekit_t)
> dbus_system_domain(consolekit_t, consolekit_exec_t)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200
> @@ -148,6 +148,15 @@ optional_policy(`
> ')
>
> optional_policy(`
> + colord_read_home_files(system_dbusd_t)
> +')
> +
> +optional_policy(`
> + gnome_read_settings_daemon_files(system_dbusd_t)
> + gnome_settings_daemon_use_fds(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_read_lib(system_dbusd_t)
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200
> @@ -1,16 +1,33 @@
> +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0)
> +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0)
> +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0)
> HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
> HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
> HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
> +HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0)
> +
> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>
> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
>
> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
>
> /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
> +/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0)
> /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>
> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> +
> +/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0)
> +/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0)
> +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> +/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0)
> +/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0)
> +
> +/usr/share/glib-[^/]*/schemas(/.*)? gen_context(system_u:object_r:gnome_settings_schemas_t,s0)
> +
> +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
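Review bot: `/var/run/user/%{USERID}/orcexec\..*` is already matched by `/var/run/user/[^/]*/orcexec\..*` on the line above with the same context, so the second entry is redundant and can be dropped. Also the `HOME_DIR/orcexec\..*` entry carries no `--` file-type specifier while the two `/var/run/user` entries do; unless directories named `orcexec.*` are expected in the home directory, the three should agree and use `--`.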
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-20 03:27:52.570896165 +0200
> @@ -43,14 +43,40 @@ interface(`gnome_role',`
> template(`gnome_role_template',`
> gen_require(`
> attribute gnomedomain, gkeyringd_domain;
> + attribute_role dconf_roles;
> + attribute_role at_spi_roles;
> attribute_role gconfd_roles;
> - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
> + attribute_role gnome_settings_roles;
> + attribute_role gnome_settings_daemon_roles;
> + type dconf_t, dconf_exec_t, dconf_home_t;
> + type at_spi_t, at_spi_exec_t;
> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> type gconf_home_t;
> + type gnome_settings_t, gnome_settings_exec_t;
> + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
> + type gnome_settings_schemas_t;
> + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> + type mime_info_t;
> + type user_dbusd_t;
> + type dbusd_exec_t;
> ')
>
> ########################################
> #
> + # Dconf declarations
> + #
> +
> + roleattribute $2 dconf_roles;
> +
> + ########################################
> + #
> + # At-spi declarations
> + #
> +
> + roleattribute $2 at_spi_roles;
> +
> + ########################################
> + #
> # Gconf declarations
> #
>
> @@ -58,6 +84,20 @@ template(`gnome_role_template',`
>
> ########################################
> #
> + # Gnome-settings declarations
> + #
> +
> + roleattribute $2 gnome_settings_roles;
> +
> + ########################################
> + #
> + # Gnome-settings-daemon declarations
> + #
> +
> + roleattribute $2 gnome_settings_daemon_roles;
> +
> + ########################################
> + #
> # Gkeyringd declarations
> #
>
> @@ -69,6 +109,70 @@ template(`gnome_role_template',`
>
> ########################################
> #
> + # Common policy
> + #
> +
> + allow $3 dconf_home_t:dir manage_dir_perms;
> + allow $3 dconf_home_t:file manage_file_perms;
> + allow $3 dconf_home_t:lnk_file manage_lnk_file_perms;
> +
> + allow $3 gnome_settings_schemas_t:dir list_dir_perms;
> + allow $3 gnome_settings_schemas_t:file read_file_perms;
> + allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
> +
> + allow $3 mime_info_t:dir list_dir_perms;
> + allow $3 mime_info_t:file read_file_perms;
> +
> + allow at_spi_t user_dbusd_t:process signal;
> +
> + allow user_dbusd_t self:process signal;
> +
> + allow user_dbusd_t bin_t:file entrypoint;
> +
> + allow user_dbusd_t dbusd_exec_t:file exec_file_perms;
> +
> + gnome_read_settings_files(user_dbusd_t)
> + gnome_read_settings_daemon_files(user_dbusd_t)
> +
> + files_read_usr_files($3)
> +
> + kernel_read_system_state(user_dbusd_t)
> +
> + optional_policy(`
> + xserver_read_user_xauth(user_dbusd_t)
> + xserver_stream_connect(user_dbusd_t)
> + ')
> +
> + ########################################
> + #
> + # Dconf policy
> + #
> +
> + allow dconf_t user_dbusd_t:unix_stream_socket connectto;
> +
> + allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms };
> +
> + domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t)
> +
> + ########################################
> + #
> + # At-spi policy
> + #
> +
> + allow at_spi_t user_dbusd_t:unix_stream_socket connectto;
> +
> + allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms };
> +
> + allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms };
> +
> + allow $3 at_spi_t:fd use;
> +
> + domtrans_pattern(at_spi_t, dbusd_exec_t, user_dbusd_t)
> +
> + domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t)
> +
> + ########################################
> + #
> # Gconf policy
> #
>
> @@ -84,6 +188,38 @@ template(`gnome_role_template',`
>
> ########################################
> #
> + # Gnome-settings policy
> + #
> +
> + domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t)
> +
> + allow $3 gnome_settings_t:process { ptrace signal_perms };
> + ps_process_pattern($3, gnome_settings_t)
> +
> + allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto;
> +
> + allow gnome_settings_t bin_t:file entrypoint;
> + allow gnome_settings_t dbusd_exec_t:file { entrypoint exec_file_perms };
> +
> + # for dbus-launch
> + corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)
> +
> + domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t)
> +
> + ########################################
> + #
> + # Gnome-settings-daemon policy
> + #
> +
> + domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t)
> +
> + allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto;
> +
> + allow $3 gnome_settings_daemon_t:process { ptrace signal_perms };
> + ps_process_pattern($3, gnome_settings_daemon_t)
> +
> + ########################################
> + #
> # Gkeyringd policy
> #
>
> @@ -100,23 +236,85 @@ template(`gnome_role_template',`
>
> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
>
> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> + userdom_manage_user_home_content_files($1_gkeyringd_t)
> +
> + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
> +
> + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file)
> +
> ps_process_pattern($3, $1_gkeyringd_t)
> allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
>
> + kernel_read_kernel_sysctls($1_gkeyringd_t)
> +
> corecmd_bin_domtrans($1_gkeyringd_t, $3)
> corecmd_shell_domtrans($1_gkeyringd_t, $3)
>
> gnome_stream_connect_gkeyringd($1, $3)
>
> optional_policy(`
> + dbus_connect_spec_session_bus(user, dconf_t)
> + dbus_connect_spec_session_bus(user, at_spi_t)
> + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t)
> + dbus_connect_system_bus(gnome_settings_daemon_t)
> + dbus_send_spec_session_bus(user, dconf_t)
> + dbus_send_spec_session_bus(user, at_spi_t)
> + dbus_send_spec_session_bus(user, gnome_settings_daemon_t)
> dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
>
> optional_policy(`
> + gnome_dbus_chat_dconf($3)
> + gnome_dbus_chat_dconf(gnome_settings_t)
> + gnome_dbus_chat_at_spi($3)
> + gnome_dbus_chat_gconfd($3)
> + gnome_dbus_chat_gnome_settings(user_dbusd_t)
> + gnome_dbus_chat_gnome_settings_daemon($3)
> + gnome_dbus_chat_gnome_settings_daemon(at_spi_t)
> gnome_dbus_chat_gkeyringd($1, $3)
> ')
> ')
> ')
>
> +#######################################
> +## <summary>
> +## Read gnome-settings files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_read_settings_files',`
> + gen_require(`
> + type gnome_settings_t;
> + ')
> +
> + read_files_pattern($1, gnome_settings_t, gnome_settings_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Read gnome-settings-daemon
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_read_settings_daemon_files',`
> + gen_require(`
> + type gnome_settings_daemon_t;
> + ')
> +
> + read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t)
> +')
> +
> ########################################
> ## <summary>
> ## Execute gconf in the caller domain.
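Review bot: `userdom_manage_user_home_content_dirs($1_gkeyringd_t)` and `userdom_manage_user_home_content_files($1_gkeyringd_t)` (the first two added lines of this hunk) give the keyring daemon create/write/delete over every generic user home file, which undercuts the private gnome_keyring_home_t/gnome_keyring_cache_home_t types this series adds for exactly this daemon. If the only need is creating the cache directory, the manage_dirs_pattern plus filetrans on gnome_keyring_cache_home_t that follow already cover its contents; keep at most the directory-level access the filetrans needs and drop the files variant. Separately, the dbus calls in the optional block hard-code `user` and `user_dbusd_t` (e.g. `dbus_connect_spec_session_bus(user, dconf_t)`, `gnome_dbus_chat_gnome_settings(user_dbusd_t)`) inside gnome_role_template, whose prefix is `$1`, so staff/sysadm instantiations would be wired to the user role's bus — use `$1`/`$1_dbusd_t` (assuming the dbus.if additions follow the usual prefix semantics), or move the rules that are not role-specific (e.g. `gnome_dbus_chat_dconf(gnome_settings_t)`) into gnome.te. gnome_role_template itself starts before this hunk.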
> @@ -569,6 +767,36 @@ interface(`gnome_home_filetrans_gnome_ho
>
> ########################################
> ## <summary>
> +## Create objects in user home
> +## directories with the gstreamer
> +## orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Create objects in gnome gconf home
> ## directories with a private type.
> ## </summary>
> @@ -604,6 +832,36 @@ interface(`gnome_gconf_home_filetrans',`
>
> ########################################
> ## <summary>
> +## Create objects in the user
> +## runtime directories with the
> +## gstreamer orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read generic gnome keyring home files.
> ## </summary>
> ## <param name="domain">
> @@ -623,6 +881,133 @@ interface(`gnome_read_keyring_home_files
>
> ########################################
> ## <summary>
> +## Read mime info files in the home
> +## directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_read_mime_info_home_files',`
> + gen_require(`
> + type mime_info_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + userdom_list_user_home_content($1)
> + read_files_pattern($1, mime_info_t, mime_info_t)
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the dconf daemon over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_dbus_chat_dconf',`
> + gen_require(`
> + type dconf_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 dconf_t:dbus send_msg;
> + allow dconf_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the at-spi daemon over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_dbus_chat_at_spi',`
> + gen_require(`
> + type at_spi_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 at_spi_t:dbus send_msg;
> + allow at_spi_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the gconf daemon over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_dbus_chat_gconfd',`
> + gen_require(`
> + type gconfd_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 gconfd_t:dbus send_msg;
> + allow gconfd_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## gnome-settings over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_dbus_chat_gnome_settings',`
> + gen_require(`
> + type gnome_settings_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 gnome_settings_t:dbus send_msg;
> + allow gnome_settings_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## the gnome-settings-daemon over
> +## dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_dbus_chat_gnome_settings_daemon',`
> + gen_require(`
> + type gnome_settings_daemon_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 gnome_settings_daemon_t:dbus send_msg;
> + allow gnome_settings_daemon_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## gnome keyring daemon over dbus.
> ## </summary>
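Review bot: gnome_read_mime_info_home_files is documented as reading mime info "in the home directory" and pairs the read with userdom_search_user_home_dirs, but the gnome.te hunk declares `mime_info_t` with `files_config_file(mime_info_t)` rather than `userdom_user_home_content(mime_info_t)`, so those files will not carry the user home content attribute and the userdom home-content interfaces (relabel, backup, presumably the owning user's own manage rules) will not cover them. If the type is meant for per-user files only, declare it as home content; if it must also label a system-wide mime database, that probably wants a second type. Also, `userdom_list_user_home_content($1)` lets every reader list all home content directories, where `userdom_search_user_home_content($1)` is the usual minimum for a read interface.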
> @@ -735,3 +1120,42 @@ interface(`gnome_stream_connect_all_gkey
> files_search_tmp($1)
> stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
> ')
> +
> +########################################
> +## <summary>
> +## Use file descriptors for
> +## the gnome settings daemon.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_settings_daemon_use_fds',`
> + gen_require(`
> + type gnome_settings_daemon_t;
> + ')
> +
> + allow $1 gnome_settings_daemon_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to use the
> +## file descriptors for the gnome
> +## settings daemon.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_dontaudit_settings_daemon_use_fds',`
> + gen_require(`
> + type gnome_settings_daemon_t;
> + ')
> +
> + dontaudit $1 gnome_settings_daemon_t:fd use;
> +')
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-20 01:27:16.464669503 +0200
> @@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1)
>
> attribute gkeyringd_domain;
> attribute gnomedomain;
> +attribute_role dconf_roles;
> +attribute_role at_spi_roles;
> attribute_role gconfd_roles;
> +attribute_role gnome_settings_roles;
> +attribute_role gnome_settings_daemon_roles;
> +
> +type dconf_t;
> +type dconf_exec_t;
> +userdom_user_application_domain(dconf_t, dconf_exec_t)
> +role dconf_roles types dconf_t;
> +
> +type dconf_home_t;
> +userdom_user_home_content(dconf_home_t)
> +
> +type at_spi_t;
> +type at_spi_exec_t;
> +userdom_user_application_domain(at_spi_t, at_spi_exec_t)
> +role at_spi_roles types at_spi_t;
>
> type gconf_etc_t;
> files_config_file(gconf_etc_t)
> @@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon
> userdom_user_application_domain(gconfd_t, gconfd_exec_t)
> role gconfd_roles types gconfd_t;
>
> +type gnome_settings_t;
> +type gnome_settings_exec_t;
> +userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t)
> +role gnome_settings_roles types gnome_settings_t;
> +
> +type gnome_settings_daemon_t;
> +type gnome_settings_daemon_exec_t;
> +userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t)
> +role gnome_settings_daemon_roles types gnome_settings_daemon_t;
> +
> +type gnome_settings_schemas_t;
> +files_config_file(gnome_settings_schemas_t)
> +
> type gnome_home_t;
> typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
> typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
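Review bot: Both new application-domain declarations pass the exec type in the domain slot: `userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t)`. The first argument is the process domain, so gnome_settings_t and gnome_settings_daemon_t never receive the domain/application-domain attributes while the exec types are turned into domains with themselves as entrypoint. They should read `userdom_user_application_domain(gnome_settings_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_t, gnome_settings_daemon_exec_t)`, matching the dconf_t/at_spi_t declarations in the previous hunk; the hand-written `entrypoint` rules later in gnome.te look like a workaround for this and become redundant once it is fixed.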
> @@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex
> type gnome_keyring_home_t;
> userdom_user_home_content(gnome_keyring_home_t)
>
> +type gnome_keyring_cache_home_t;
> +userdom_user_home_content(gnome_keyring_cache_home_t)
> +
> type gnome_keyring_tmp_t;
> userdom_user_tmp_file(gnome_keyring_tmp_t)
>
> +type mime_info_t;
> +files_config_file(mime_info_t)
> +
> +type gstreamer_orcexec_t;
> +application_executable_file(gstreamer_orcexec_t)
> +
> ##############################
> #
> # Common local Policy
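Review bot: gstreamer_orcexec_t is declared only with `application_executable_file(gstreamer_orcexec_t)`, yet the two new filetrans interfaces in gnome.if place it under the user's home and runtime directories, and pulseaudio gets write plus mmap/execute on it. Without `userdom_user_home_content` (and the runtime-dir equivalent) the owning user domain will likely be unable to clean up or relabel stale orcexec files, and home-directory relabel/backup interfaces will skip them; consider adding those attributes alongside the executable marker, with a comment such as `# ORC generated code: written and mapped executable by the creating domain (W^X exception)` so the unusual write+execute pairing is explicit. The same question applies to mime_info_t, which is declared with files_config_file although its only visible use is in home directories.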
> @@ -73,7 +112,62 @@ optional_policy(`
>
> ##############################
> #
> -# Conf daemon local Policy
> +# DConf daemon local policy (Gnome3)
> +#
> +
> +allow dconf_t self:process signal;
> +
> +allow dconf_t dconf_home_t:dir manage_dir_perms;
> +allow dconf_t dconf_home_t:file manage_file_perms;
> +allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms;
> +
> +userdom_search_user_home_content(dconf_t)
> +
> +fs_getattr_xattr_fs(dconf_t)
> +
> +kernel_read_system_state(dconf_t)
> +
> +selinux_getattr_fs(dconf_t)
> +
> +##############################
> +#
> +# At-spi local policy
> +#
> +
> +allow at_spi_t self:process signal;
> +
> +allow at_spi_t dconf_home_t:dir manage_dir_perms;
> +allow at_spi_t dconf_home_t:file manage_file_perms;
> +allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms;
> +
> +allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms;
> +allow at_spi_t gnome_settings_schemas_t:file read_file_perms;
> +allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
> +
> +rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t)
> +
> +corecmd_search_bin(at_spi_t)
> +
> +files_read_usr_files(at_spi_t)
> +
> +fs_getattr_xattr_fs(at_spi_t)
> +
> +kernel_read_system_state(at_spi_t)
> +
> +selinux_getattr_fs(at_spi_t)
> +
> +# search in .cache
> +userdom_search_user_home_dirs(at_spi_t)
> +userdom_search_user_home_content(at_spi_t)
> +
> +optional_policy(`
> + xserver_read_user_xauth(at_spi_t)
> + xserver_stream_connect(at_spi_t)
> +')
> +
> +##############################
> +#
> +# GConf daemon local Policy (Gnome2)
> #
>
> allow gconfd_t gconf_etc_t:dir list_dir_perms;
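Review bot: at_spi_t gets `manage_dir_perms`/`manage_file_perms`/`manage_lnk_file_perms` on dconf_home_t, the same write access as the dconf daemon itself. at-spi is a dconf client; in the dconf design clients read the database and send changes to the dconf service over dbus, so unless denials show at-spi writing the database directly this should be `allow at_spi_t dconf_home_t:dir list_dir_perms;`, `allow at_spi_t dconf_home_t:file read_file_perms;` and `allow at_spi_t dconf_home_t:lnk_file read_lnk_file_perms;` (the pattern the same hunk already uses for gnome_settings_schemas_t). The identical manage rules granted to gnome_settings_t and gnome_settings_daemon_t in the following hunk deserve the same question.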
> @@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>
> +kernel_dontaudit_read_system_state(gconfd_t)
> +
> +files_search_tmp(gconfd_t)
> +
> +fs_getattr_xattr_fs(gconfd_t)
> +
> userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> @@ -102,6 +202,171 @@ optional_policy(`
> ')
>
> ##############################
> +#
> +# Gnome-settings local policy
> +#
> +
> +allow gnome_settings_t self:dir list_dir_perms;
> +allow gnome_settings_t self:file rw_file_perms;
> +allow gnome_settings_t self:process { fork sigchld };
> +allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow gnome_settings_t dconf_home_t:dir manage_dir_perms;
> +allow gnome_settings_t dconf_home_t:file manage_file_perms;
> +allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms;
> +
> +allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms;
> +allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms;
> +allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
> +
> +allow gnome_settings_t gnome_settings_exec_t:file entrypoint;
> +
> +rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t)
> +
> +corecmd_exec_bin(gnome_settings_t)
> +corecmd_search_bin(gnome_settings_t)
> +
> +dev_dontaudit_search_sysfs(gnome_settings_t)
> +dev_list_all_dev_nodes(gnome_settings_t)
> +dev_rw_null(gnome_settings_t)
> +dev_search_sysfs(gnome_settings_t)
> +
> +files_list_root(gnome_settings_t)
> +files_read_etc_files(gnome_settings_t)
> +files_read_usr_files(gnome_settings_t)
> +files_search_pids(gnome_settings_t)
> +
> +fs_getattr_xattr_fs(gnome_settings_t)
> +
> +init_sigchld(gnome_settings_t)
> +
> +kernel_read_system_state(gnome_settings_t)
> +
> +libs_use_ld_so(gnome_settings_t)
> +libs_use_shared_libs(gnome_settings_t)
> +
> +miscfiles_read_localization(gnome_settings_t)
> +
> +selinux_getattr_fs(gnome_settings_t)
> +selinux_dontaudit_search_fs(gnome_settings_t)
> +
> +### should create an xserver interface for writing .xsession-errors
> +userdom_dontaudit_write_user_home_content_files(gnome_settings_t)
> +
> +# search in .cache
> +userdom_search_user_home_dirs(gnome_settings_t)
> +userdom_search_user_home_content(gnome_settings_t)
> +
> +optional_policy(`
> + dbus_read_lib_files(gnome_settings_t)
> +')
> +
> +optional_policy(`
> + xserver_use_xdm_fds(gnome_settings_t)
> +')
> +
> +##############################
> +#
> +# Gnome-settings-daemon local policy
> +#
> +
> +allow gnome_settings_daemon_t self:dir list_dir_perms;
> +allow gnome_settings_daemon_t self:file rw_file_perms;
> +allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms;
> +
> +allow gnome_settings_daemon_t self:process { fork sigchld signal };
> +allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms;
> +allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms;
> +
> +allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms;
> +allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms;
> +allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms;
> +
> +allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms;
> +allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms;
> +allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
> +
> +allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };
> +
> +rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t)
> +
> +read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t)
> +
> +cups_read_config(gnome_settings_daemon_t)
> +cups_stream_connect(gnome_settings_daemon_t)
> +
> +dev_dontaudit_search_sysfs(gnome_settings_daemon_t)
> +dev_read_urand(gnome_settings_daemon_t)
> +dev_read_sysfs(gnome_settings_daemon_t)
> +dev_rw_null(gnome_settings_daemon_t)
> +
> +files_list_root(gnome_settings_daemon_t)
> +files_list_tmp(gnome_settings_daemon_t)
> +files_read_etc_files(gnome_settings_daemon_t)
> +files_read_usr_files(gnome_settings_daemon_t)
> +files_search_tmp(gnome_settings_daemon_t)
> +
> +fs_getattr_tmpfs(gnome_settings_daemon_t)
> +fs_getattr_xattr_fs(gnome_settings_daemon_t)
> +fs_list_tmpfs(gnome_settings_daemon_t)
> +fs_rw_tmpfs_files(gnome_settings_daemon_t)
> +
> +init_sigchld(gnome_settings_daemon_t)
> +
> +kernel_read_system_state(gnome_settings_daemon_t)
> +
> +libs_use_ld_so(gnome_settings_daemon_t)
> +libs_use_shared_libs(gnome_settings_daemon_t)
> +
> +logging_search_logs(gnome_settings_daemon_t)
> +
> +miscfiles_read_fonts(gnome_settings_daemon_t)
> +miscfiles_read_generic_certs(gnome_settings_daemon_t)
> +miscfiles_read_localization(gnome_settings_daemon_t)
> +
> +selinux_getattr_fs(gnome_settings_daemon_t)
> +selinux_dontaudit_search_fs(gnome_settings_daemon_t)
> +
> +### should create an xserver interface for writing .xsession-errors
> +userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t)
> +
> +userdom_list_user_home_dirs(gnome_settings_daemon_t)
> +userdom_list_user_tmp(gnome_settings_daemon_t)
> +userdom_search_user_home_dirs(gnome_settings_daemon_t)
> +userdom_search_user_home_content(gnome_settings_daemon_t)
> +
> +optional_policy(`
> + colord_dbus_chat(gnome_settings_daemon_t)
> + colord_manage_home_files(gnome_settings_daemon_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(gnome_settings_daemon_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_chat_power(gnome_settings_daemon_t)
> +')
> +
> +optional_policy(`
> + policykit_dbus_chat(gnome_settings_daemon_t)
> + policykit_domtrans(gnome_settings_daemon_t)
> +')
> +
> +optional_policy(`
> + pulseaudio_read_home(gnome_settings_daemon_t)
> + pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t)
> + pulseaudio_signull(gnome_settings_daemon_t)
> + pulseaudio_stream_connect(gnome_settings_daemon_t)
> + pulseaudio_use_fds(gnome_settings_daemon_t)
> +')
> +
> +optional_policy(`
> + xserver_read_user_xauth(gnome_settings_daemon_t)
> + xserver_stream_connect(gnome_settings_daemon_t)
> +')
> +
> +##############################
> #
> # Keyring-daemon local policy
> #
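Review bot: `fs_rw_tmpfs_files(gnome_settings_daemon_t)` grants read/write on every generic tmpfs_t file on the system (other sessions' /dev/shm content included), while the hunk already uses the specific `pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t)` for the shared-memory files gsd actually exchanges with pulseaudio; unless an AVC denial names another tmpfs_t file, drop the generic call (and the accompanying `fs_list_tmpfs`). `libs_use_ld_so`/`libs_use_shared_libs` are, as far as I recall, deprecated no-ops in this refpolicy generation and can go. The manual `allow gnome_settings_t gnome_settings_exec_t:file entrypoint;` and the `{ entrypoint exec_file_perms }` rule for gnome_settings_daemon_t appear to be needed only because the userdom_user_application_domain declarations earlier in gnome.te pass the exec type as the domain; fix that declaration instead of keeping these.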
> --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200
> @@ -1,3 +1,5 @@
> +/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0)
> +
> /usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
> /usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
>
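Review bot: Labelling `/usr/bin/pkexec` as `policykit_exec_t` reuses the polkitd daemon's entry type for a setuid-root helper that runs a program as another user, so with the new policykit_domtrans interface any caller (gnome_settings_daemon_t in this series) executes pkexec — and, unless policykit_t transitions elsewhere, whatever pkexec launches — in the system daemon domain policykit_t, inheriting its privileges and its dbus reach. pkexec should get its own exec type and domain, as polkit-agent-helper-1 already has with policykit_auth_exec_t below, with a transition scoped to what the caller needs; the policykit_domtrans interface in the next hunk and its use in gnome.te should follow that split.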
> --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200
> @@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',`
>
> ########################################
> ## <summary>
> +## Execute a domain transition to
> +## run polkit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`policykit_domtrans',`
> + gen_require(`
> + type policykit_t, policykit_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, policykit_exec_t, policykit_t)
> +')
> +
> +########################################
> +## <summary>
> ## Execute a domain transition to run polkit_auth.
> ## </summary>
> ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200
> @@ -117,6 +118,7 @@ optional_policy(`
>
> optional_policy(`
> gnome_read_generic_home_content(policykit_t)
> + gnome_read_settings_daemon_files(policykit_t)
> ')
>
> optional_policy(`
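Review bot: `gnome_read_settings_daemon_files(policykit_t)` reads files labelled gnome_settings_daemon_t, which is a process type, so in practice this is read access to gsd's /proc/<pid> entries rather than to any configuration files; the interface name and its summary in gnome.if ("Read gnome-settings-daemon files") hide that. If polkitd needs to inspect the calling process — plausible, since it looks at the subject's /proc entry when authorising — the refpolicy idiom is `ps_process_pattern($1, gnome_settings_daemon_t)` in an interface named like `gnome_read_settings_daemon_state`, with a summary such as `Read the process state (/proc/pid) of gnome-settings-daemon.`; the same interface is handed to consolekit_t later in this series.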
> --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200
> @@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',`
>
> typeattribute $1 pulseaudio_tmpfsfile;
> ')
> +
> +#######################################
> +## <summary>
> +## Read pulseaudio tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`pulseaudio_read_tmpfs_files',`
> + gen_require(`
> + type pulseaudio_tmpfs_t;
> + ')
> +
> + fs_search_tmpfs($1)
> + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Read and write pulseaudio tmpfs
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`pulseaudio_rw_tmpfs_files',`
> + gen_require(`
> + type pulseaudio_tmpfs_t;
> + ')
> +
> + fs_search_tmpfs($1)
> + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> +')
> +
> +########################################
> +## <summary>
> +## Use file descriptors for
> +## pulseaudio.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`pulseaudio_use_fds',`
> + gen_require(`
> + type pulseaudio_t;
> + ')
> +
> + allow $1 pulseaudio_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to use the
> +## file descriptors for pulseaudio.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`pulseaudio_dontaudit_use_fds',`
> + gen_require(`
> + type pulseaudio_t;
> + ')
> +
> + dontaudit $1 pulseaudio_t:fd use;
> +')
> --- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200
> @@ -193,6 +193,11 @@ optional_policy(`
>
> optional_policy(`
> gnome_stream_connect_gconf(pulseaudio_t)
> +
> + # OIL Runtime Compiler (ORC) optimized code execution
> + allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
> + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
> + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200
> @@ -593,6 +593,10 @@ template(`userdom_common_user_template',
> ')
>
> optional_policy(`
> + colord_manage_home_files($1_t)
> + ')
> +
> + optional_policy(`
> dbus_system_bus_client($1_t)
>
> optional_policy(`
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello.
On Sun, 21/08/2016 at 20.49 +0200, Dominick Grift via refpolicy wrote:
> On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote:
> >
> > Update for the gnome module:
> >
> > - target the dconf daemon, the gsettings user application, the
> >   gnome-settings-daemon and the at-spi daemon with all the
> >   needed domain transitions;
> > - a new gstreamer_orcexec_t type and file context is introduced
> >   to support the OIL Runtime Compiler (ORC) optimized code
> >   execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> >   keyring domains;
> > - add support for chat over dbus in the gconfd domain and in the
> >   new domains (dconf, gsettings, etc);
> > - add support for a few needed fs and kernel permissions.
> > - add support for reading the colord related files in the home
> >   directories (such as the ICC EDID profiles): requires the
> >   recent colord patch;
> > - add support for reading the colord related files in the home
> >   directories in the common user domain template;
> > - add support for a new mime_info_t type to be used in the home
> >   directories;
> > - includes minor modifications to the consolekit, dbus and
> >   policykit modules to support the new targeted gnome daemons
> >   and applications;
> > - modifies the pulseaudio module to introduce new interfaces to
> >   read and write pulseaudio tmpfs files and to use the pulseaudio
> >   file descriptor.
> >
> > The support for Gnome2/ORBit-2 (version 2) has been dropped.
>
> if you want me to review this then you have to split this patch into
> smaller patches
You already reviewed the initial patch. However this new version is
much different from it, so you might want to review it again.
If you want, I can split it in separate patches, one for each module
(colord, consolekit, dbus, gnome, policykit, pulseaudio and
userdomain). However, they would be all interdependent, so I can't see
much gain in doing that...
Is that all right for you ?
Regards,
Guido
On 08/21/2016 09:02 PM, Guido Trentalancia wrote:
> Hello.
>
> On Sun, 21/08/2016 at 20.49 +0200, Dominick Grift via refpolicy wrote:
>> On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote:
>>>
>>> Update for the gnome module:
>>>
>>> - target the dconf daemon, the gsettings user application, the
>>> gnome-settings-daemon and the at-spi daemon with all the
>>> needed domain transitions;
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for chat over dbus in the gconfd domain and in the
>>> new domains (dconf, gsettings, etc);
>>> - add support for a few needed fs and kernel permissions.
>>> - add support for reading the colord related files in the home
>>> directories (such as the ICC EDID profiles): requires the
>>> recent colord patch;
>>> - add support for for reading the colord related files in the home
>>> directories in the common user domain template;
>>> - add support for a new mime_info_t type to be used in the home
>>> directories;
>>> - includes minor modifications to the consolekit, dbus and
>>> policykit modules to support the new targeted gnome daemons
>>> and applications;
>>> - modifies the pulseaudio module to introduce new interfaces to
>>> read and write pulseaudio tmpfs files and to use the pulseaudio
>>> file descriptor.
>>>
>>> The support for Gnome2/ORBit-2 (version 2) has been dropped.
>>
>> if you want me to review this then you have to split this patch into
>> smaller patches
>
> You already reviewed the initial patch. However this new version is
> much different from it, so you might want to review it again.
>
> If you want, I can split it in separate patches, one for each module
> (colord, consolekit, dbus, gnome, policykit, pulseaudio and
> userdomain). However, they would be all interdependent, so I can't see
> much gain in doing that...
>
> Is that all right for you ?
I can't review this as-is. So if you want my feedback then you will have
to find a way to split this into smaller but sensible patches.
>
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Sun, 21/08/2016 at 21.05 +0200, Dominick Grift wrote:
> On 08/21/2016 09:02 PM, Guido Trentalancia wrote:
> >
> > Hello.
> >
> > On Sun, 21/08/2016 at 20.49 +0200, Dominick Grift via refpolicy
> > wrote:
> > >
> > > On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote:
> > > >
> > > >
> > > > Update for the gnome module:
> > > >
> > > > - target the dconf daemon, the gsettings user application, the
> > > >   gnome-settings-daemon and the at-spi daemon with all the
> > > >   needed domain transitions;
> > > > - a new gstreamer_orcexec_t type and file context is introduced
> > > >   to support the OIL Runtime Compiler (ORC) optimized code
> > > >   execution (used for example by pulseaudio);
> > > > - add support for more permissions needed in gconfd_t and gnome
> > > >   keyring domains;
> > > > - add support for chat over dbus in the gconfd domain and in
> > > > the
> > > >   new domains (dconf, gsettings, etc);
> > > > - add support for a few needed fs and kernel permissions.
> > > > - add support for reading the colord related files in the home
> > > >   directories (such as the ICC EDID profiles): requires the
> > > >   recent colord patch;
> > > > - add support for reading the colord related files in the
> > > > home
> > > >   directories in the common user domain template;
> > > > - add support for a new mime_info_t type to be used in the home
> > > >   directories;
> > > > - includes minor modifications to the consolekit, dbus and
> > > >   policykit modules to support the new targeted gnome daemons
> > > >   and applications;
> > > > - modifies the pulseaudio module to introduce new interfaces to
> > > >   read and write pulseaudio tmpfs files and to use the
> > > > pulseaudio
> > > >   file descriptor.
> > > >
> > > > The support for Gnome2/ORBit-2 (version 2) has been dropped.
> > >
> > > if you want me to review this then you have to split this patch
> > > into
> > > smaller patches
> >
> > You already reviewed the initial patch. However this new version is
> > much different from it, so you might want to review it again.
> >
> > If you want, I can split it in separate patches, one for each
> > module
> > (colord, consolekit, dbus, gnome, policykit, pulseaudio and
> > userdomain). However, they would be all interdependent, so I can't
> > see
> > much gain in doing that...
> >
> > Is that all right for you ?
>
> I can't review this as-is. So if you want my feedback then you will
> have
> to find a way to split this into smaller but sensible patches.
It can't be really split.
It doesn't matter, if you don't want or don't have time to review it...
Regards,
Guido
Update for the gnome module:
- target the dconf daemon, the gsettings user application, the
gnome-settings-daemon and the at-spi daemon with all the
needed domain transitions;
- a new gstreamer_orcexec_t type and file context is introduced
to support the OIL Runtime Compiler (ORC) optimized code
execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome
keyring domains;
- add support for chat over dbus in the gconfd domain and in the
new domains (dconf, gsettings, etc);
- add support for a few needed fs and kernel permissions.
- add support for reading the colord related files in the home
directories (such as the ICC EDID profiles): requires the
recent colord patch;
- add support for reading the colord related files in the home
directories in the common user domain template;
- add support for a new mime_info_t type to be used in the home
directories;
- includes minor modifications to the consolekit, dbus and
policykit modules to support the new targeted gnome daemons
and applications;
- modifies the pulseaudio module to introduce new interfaces to
read and write pulseaudio tmpfs files and to use the pulseaudio
file descriptor;
- provides better module encapsulation (i.e. dbus module).
The support for Gnome2/ORBit-2 (version 2) has been dropped.
This patch depends on the recent colord patch.
Recent changes to the pulseaudio module depends on this patch !
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/colord.if | 41 +++
policy/modules/contrib/colord.te | 4
policy/modules/contrib/consolekit.te | 4
policy/modules/contrib/dbus.if | 22 +
policy/modules/contrib/dbus.te | 9
policy/modules/contrib/gnome.fc | 19 +
policy/modules/contrib/gnome.if | 418 ++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 267 ++++++++++++++++++++++
policy/modules/contrib/policykit.fc | 2
policy/modules/contrib/policykit.if | 20 +
policy/modules/contrib/policykit.te | 1
policy/modules/contrib/pulseaudio.if | 77 ++++++
policy/modules/contrib/pulseaudio.te | 5
policy/modules/system/userdomain.if | 4
14 files changed, 890 insertions(+), 3 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200
@@ -58,3 +58,44 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+######################################
+## <summary>
+## Read colord home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_read_home_files',`
+ gen_require(`
+ type colord_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_list_user_home_content($1)
+ read_files_pattern($1, colord_home_t, colord_home_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## colord home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_manage_home_files',`
+ gen_require(`
+ type colord_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_list_user_home_content($1)
+ manage_files_pattern($1, colord_home_t, colord_home_t)
+')
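Review bot: `userdom_list_user_home_content($1)` in both colord_read_home_files and colord_manage_home_files grants listing of every user-home content type, which is broader than the interfaces' stated scope of colord home files. The usual pattern is `userdom_search_user_home_dirs($1)` followed by `list_dirs_pattern($1, colord_home_t, colord_home_t)` so that only the colord directories become listable; the same broad call appears in gnome_read_mime_info_home_files in the gnome.if hunk at @@ -623,6 +873,133. colord_home_t itself is declared by the separate colord patch, so its attribute set cannot be checked from this diff.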
--- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200
@@ -123,6 +136,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_settings_daemon_use_fds(colord_t)
+')
+
+optional_policy(`
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200
@@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_read_settings_daemon_files(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)
--- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.if 2016-08-06 21:27:11.344094223 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/dbus.if 2016-08-22 21:16:25.424569109 +0200
@@ -626,3 +626,25 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
+
+########################################
+## <summary>
+## Make a domain transition from a
+## given source domain to another
+## specified target domain using
+## the DBUS executable file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Source domain.
+## </summary>
+## </param>
+#
+interface(`dbus_domain_transition',`
+ gen_require(`
+ type dbusd_exec_t;
+ ')
+
+ allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };
+ domtrans_pattern($1, dbusd_exec_t, $2)
+')
--- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200
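Review bot: `allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };` gives the source domain `entrypoint` on dbusd_exec_t, which is the permission the target domain needs and which `domtrans_pattern($1, dbusd_exec_t, $2)` already grants to $2 (together with execute for $1); with this line any domain using the interface can itself be entered through the dbus-daemon binary. Drop the explicit allow and keep only the domtrans_pattern call. The interface also takes a second argument but documents only `domain`; add a `<param name="target_domain">` block with the summary "Domain to transition to." so the generated documentation matches the signature.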
+++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200
@@ -148,6 +148,15 @@ optional_policy(`
')
optional_policy(`
+ colord_read_home_files(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_read_settings_daemon_files(system_dbusd_t)
+ gnome_settings_daemon_use_fds(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
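Review bot: `colord_read_home_files(system_dbusd_t)` lets the system bus daemon itself read colord content in user home directories, which a bus daemon has no reason to open; if the denials came from a bus-activated service or an inherited descriptor, the access belongs to that service's domain (or to a dontaudit), not to system_dbusd_t. The same question applies to `gnome_read_settings_daemon_files(system_dbusd_t)`, which as defined in gnome.if grants read on the daemon's /proc entries rather than on settings files. A one-line comment above each new optional_policy block stating which operation was denied would make the intent reviewable.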
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200
@@ -1,16 +1,33 @@
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0)
+HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0)
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0)
HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0)
+
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0)
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0)
+/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0)
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0)
+/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0)
+
+/usr/share/glib-[^/]*/schemas(/.*)? gen_context(system_u:object_r:gnome_settings_schemas_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
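Review bot: `HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)` has no `--` file-type field while the two /var/run/user entries for the same type do, so a directory or socket named orcexec.* in a home directory would also receive an executable file type. Change the home entry to `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. The `/var/run/user/%{USERID}/orcexec\..*` line appears to be fully covered by the preceding `[^/]*` pattern; if it is kept only for restorecond, a short comment saying so would help.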
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-22 21:24:49.634876147 +0200
@@ -43,14 +43,39 @@ interface(`gnome_role',`
template(`gnome_role_template',`
gen_require(`
attribute gnomedomain, gkeyringd_domain;
+ attribute_role dconf_roles;
+ attribute_role at_spi_roles;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ attribute_role gnome_settings_roles;
+ attribute_role gnome_settings_daemon_roles;
+ type dconf_t, dconf_exec_t, dconf_home_t;
+ type at_spi_t, at_spi_exec_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
+ type gnome_settings_t, gnome_settings_exec_t;
+ type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
+ type gnome_settings_schemas_t;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
+ type mime_info_t;
+ type user_dbusd_t;
')
########################################
#
+ # Dconf declarations
+ #
+
+ roleattribute $2 dconf_roles;
+
+ ########################################
+ #
+ # At-spi declarations
+ #
+
+ roleattribute $2 at_spi_roles;
+
+ ########################################
+ #
# Gconf declarations
#
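Review bot: `type user_dbusd_t;` in the gen_require hard-codes the `user` prefix inside a template that is parameterised by `$1`, and the same literal recurs in the rules on user_dbusd_t in the hunk at @@ -69,6 +108,64 and in `dbus_connect_spec_session_bus(user, dconf_t)` and its sibling calls in the hunk at @@ -100,23 +226,87. When the template is instantiated for another prefix (staff, sysadm), those rules still target the user session bus instead of `$1_dbusd_t`, so the new domains cannot reach that role's bus while gaining access to the user one. Use `$1_dbusd_t` and `$1` throughout, as `dbus_spec_session_domain($1, ...)` in the same template already does. The gnome_role_template body continues outside this hunk.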
@@ -58,6 +83,20 @@ template(`gnome_role_template',`
########################################
#
+ # Gnome-settings declarations
+ #
+
+ roleattribute $2 gnome_settings_roles;
+
+ ########################################
+ #
+ # Gnome-settings-daemon declarations
+ #
+
+ roleattribute $2 gnome_settings_daemon_roles;
+
+ ########################################
+ #
# Gkeyringd declarations
#
@@ -69,6 +108,64 @@ template(`gnome_role_template',`
########################################
#
+ # Common policy
+ #
+
+ allow $3 dconf_home_t:dir manage_dir_perms;
+ allow $3 dconf_home_t:file manage_file_perms;
+ allow $3 dconf_home_t:lnk_file manage_lnk_file_perms;
+
+ allow $3 gnome_settings_schemas_t:dir list_dir_perms;
+ allow $3 gnome_settings_schemas_t:file read_file_perms;
+ allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+ allow $3 mime_info_t:dir list_dir_perms;
+ allow $3 mime_info_t:file read_file_perms;
+
+ allow at_spi_t user_dbusd_t:process signal;
+
+ allow user_dbusd_t self:process signal;
+
+ allow user_dbusd_t bin_t:file entrypoint;
+
+ gnome_read_settings_files(user_dbusd_t)
+ gnome_read_settings_daemon_files(user_dbusd_t)
+
+ files_read_usr_files($3)
+
+ kernel_read_system_state(user_dbusd_t)
+
+ optional_policy(`
+ xserver_read_user_xauth(user_dbusd_t)
+ xserver_stream_connect(user_dbusd_t)
+ ')
+
+ ########################################
+ #
+ # Dconf policy
+ #
+
+ allow dconf_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms };
+
+ domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t)
+
+ ########################################
+ #
+ # At-spi policy
+ #
+
+ allow at_spi_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms };
+
+ allow $3 at_spi_t:fd use;
+
+ domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t)
+
+ ########################################
+ #
# Gconf policy
#
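Review bot: `allow user_dbusd_t bin_t:file entrypoint;` makes every bin_t executable a valid entry point into the user session bus domain, and the hunk at @@ -84,6 +181,35 does the same for gnome_settings_t and adds `corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)`, so executing any bin_t program from gsettings can land in the bus daemon's domain. bin_t is also not listed in the template's gen_require, so the rule relies on the type leaking into scope. If the goal is dbus-launch, the patch already adds dbus_domain_transition keyed on dbusd_exec_t; label the launcher (or give it its own exec type) and drop the bin_t entrypoint rules. Writing rules on user_dbusd_t directly here, rather than through a dbus interface, also works against the encapsulation goal stated in the description. The gnome_role_template body continues outside this hunk.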
@@ -84,6 +181,35 @@ template(`gnome_role_template',`
########################################
#
+ # Gnome-settings policy
+ #
+
+ domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t)
+
+ allow $3 gnome_settings_t:process { ptrace signal_perms };
+ ps_process_pattern($3, gnome_settings_t)
+
+ allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow gnome_settings_t bin_t:file entrypoint;
+
+ # for dbus-launch
+ corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)
+
+ ########################################
+ #
+ # Gnome-settings-daemon policy
+ #
+
+ domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t)
+
+ allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto;
+
+ allow $3 gnome_settings_daemon_t:process { ptrace signal_perms };
+ ps_process_pattern($3, gnome_settings_daemon_t)
+
+ ########################################
+ #
# Gkeyringd policy
#
@@ -100,23 +226,87 @@ template(`gnome_role_template',`
allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ userdom_manage_user_home_content_dirs($1_gkeyringd_t)
+ userdom_manage_user_home_content_files($1_gkeyringd_t)
+
+ manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
+
+ manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file)
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ kernel_read_kernel_sysctls($1_gkeyringd_t)
+
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
gnome_stream_connect_gkeyringd($1, $3)
optional_policy(`
+ dbus_connect_spec_session_bus(user, dconf_t)
+ dbus_connect_spec_session_bus(user, at_spi_t)
+ dbus_connect_spec_session_bus(user, gnome_settings_daemon_t)
+ dbus_connect_system_bus(gnome_settings_daemon_t)
+ dbus_domain_transition(at_spi_t, user_dbusd_t)
+ dbus_domain_transition(gnome_settings_t, user_dbusd_t)
+ dbus_send_spec_session_bus(user, dconf_t)
+ dbus_send_spec_session_bus(user, at_spi_t)
+ dbus_send_spec_session_bus(user, gnome_settings_daemon_t)
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ gnome_dbus_chat_dconf($3)
+ gnome_dbus_chat_dconf(gnome_settings_t)
+ gnome_dbus_chat_at_spi($3)
+ gnome_dbus_chat_gconfd($3)
+ gnome_dbus_chat_gnome_settings(user_dbusd_t)
+ gnome_dbus_chat_gnome_settings_daemon($3)
+ gnome_dbus_chat_gnome_settings_daemon(at_spi_t)
gnome_dbus_chat_gkeyringd($1, $3)
')
')
')
+#######################################
+## <summary>
+## Read gnome-settings files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_settings_files',`
+ gen_require(`
+ type gnome_settings_t;
+ ')
+
+ read_files_pattern($1, gnome_settings_t, gnome_settings_t)
+')
+
+#######################################
+## <summary>
+## Read gnome-settings-daemon
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_settings_daemon_files',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ ')
+
+ read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t)
+')
+
########################################
## <summary>
## Execute gconf in the caller domain.
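Review bot: gnome_read_settings_files and gnome_read_settings_daemon_files apply `read_files_pattern` to process domains (gnome_settings_t, gnome_settings_daemon_t), so what they grant is reading the domain's /proc/<pid> state, not settings files; the summaries "Read gnome-settings files" will mislead the callers added elsewhere in this series (consolekit_t, system_dbusd_t, policykit_t). Name them after what they do, following the `*_read_state` convention, and change the summary to "Read the process state (/proc/pid) of gnome-settings-daemon.", or switch to `ps_process_pattern` if that is the intended scope. The gnome_role_template body in the upper part of this hunk starts outside it.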
@@ -569,6 +759,36 @@ interface(`gnome_home_filetrans_gnome_ho
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in gnome gconf home
## directories with a private type.
## </summary>
@@ -604,6 +824,36 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -623,6 +873,133 @@ interface(`gnome_read_keyring_home_files
########################################
## <summary>
+## Read mime info files in the home
+## directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_mime_info_home_files',`
+ gen_require(`
+ type mime_info_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_list_user_home_content($1)
+ read_files_pattern($1, mime_info_t, mime_info_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the dconf daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_dconf',`
+ gen_require(`
+ type dconf_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dconf_t:dbus send_msg;
+ allow dconf_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the at-spi daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_at_spi',`
+ gen_require(`
+ type at_spi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 at_spi_t:dbus send_msg;
+ allow at_spi_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the gconf daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnome-settings over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gnome_settings',`
+ gen_require(`
+ type gnome_settings_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnome_settings_t:dbus send_msg;
+ allow gnome_settings_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## the gnome-settings-daemon over
+## dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gnome_settings_daemon',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnome_settings_daemon_t:dbus send_msg;
+ allow gnome_settings_daemon_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
@@ -735,3 +1112,42 @@ interface(`gnome_stream_connect_all_gkey
files_search_tmp($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
+
+########################################
+## <summary>
+## Use file descriptors for
+## the gnome settings daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_settings_daemon_use_fds',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ ')
+
+ allow $1 gnome_settings_daemon_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for the gnome
+## settings daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_settings_daemon_use_fds',`
+ gen_require(`
+ type gnome_settings_daemon_t;
+ ')
+
+ dontaudit $1 gnome_settings_daemon_t:fd use;
+')
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-22 21:04:17.942469224 +0200
@@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1)
attribute gkeyringd_domain;
attribute gnomedomain;
+attribute_role dconf_roles;
+attribute_role at_spi_roles;
attribute_role gconfd_roles;
+attribute_role gnome_settings_roles;
+attribute_role gnome_settings_daemon_roles;
+
+type dconf_t;
+type dconf_exec_t;
+userdom_user_application_domain(dconf_t, dconf_exec_t)
+role dconf_roles types dconf_t;
+
+type dconf_home_t;
+userdom_user_home_content(dconf_home_t)
+
+type at_spi_t;
+type at_spi_exec_t;
+userdom_user_application_domain(at_spi_t, at_spi_exec_t)
+role at_spi_roles types at_spi_t;
type gconf_etc_t;
files_config_file(gconf_etc_t)
@@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
+type gnome_settings_t;
+type gnome_settings_exec_t;
+userdom_user_application_domain(gnome_settings_t, gnome_settings_exec_t)
+role gnome_settings_roles types gnome_settings_t;
+
+type gnome_settings_daemon_t;
+type gnome_settings_daemon_exec_t;
+userdom_user_application_domain(gnome_settings_daemon_t, gnome_settings_daemon_exec_t)
+role gnome_settings_daemon_roles types gnome_settings_daemon_t;
+
+type gnome_settings_schemas_t;
+files_config_file(gnome_settings_schemas_t)
+
type gnome_home_t;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
@@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex
type gnome_keyring_home_t;
userdom_user_home_content(gnome_keyring_home_t)
+type gnome_keyring_cache_home_t;
+userdom_user_home_content(gnome_keyring_cache_home_t)
+
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type mime_info_t;
+files_config_file(mime_info_t)
+
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
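Review bot: gstreamer_orcexec_t is declared only with `application_executable_file`, although the file contexts place it under HOME_DIR and /var/run/user, so it carries no user_home_type attribute and will not be covered by the userdom_*_user_home_content interfaces or by home relabelling. Since it is a user-writable type that the pulseaudio hunk also maps executable, consider adding `userdom_user_home_content(gstreamer_orcexec_t)` and a comment above the declaration such as `# ORC JIT output: written and mapped executable by the same domain; grant sparingly` so later callers of the filetrans interfaces understand the write-plus-execute nature. Whether a runtime-content attribute is also needed depends on how userdom_user_runtime_filetrans is declared, which is outside this patch.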
@@ -73,7 +112,62 @@ optional_policy(`
##############################
#
-# Conf daemon local Policy
+# DConf daemon local policy (Gnome3)
+#
+
+allow dconf_t self:process signal;
+
+allow dconf_t dconf_home_t:dir manage_dir_perms;
+allow dconf_t dconf_home_t:file manage_file_perms;
+allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+userdom_search_user_home_content(dconf_t)
+
+fs_getattr_xattr_fs(dconf_t)
+
+kernel_read_system_state(dconf_t)
+
+selinux_getattr_fs(dconf_t)
+
+##############################
+#
+# At-spi local policy
+#
+
+allow at_spi_t self:process signal;
+
+allow at_spi_t dconf_home_t:dir manage_dir_perms;
+allow at_spi_t dconf_home_t:file manage_file_perms;
+allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms;
+allow at_spi_t gnome_settings_schemas_t:file read_file_perms;
+allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t)
+
+corecmd_search_bin(at_spi_t)
+
+files_read_usr_files(at_spi_t)
+
+fs_getattr_xattr_fs(at_spi_t)
+
+kernel_read_system_state(at_spi_t)
+
+selinux_getattr_fs(at_spi_t)
+
+# search in .cache
+userdom_search_user_home_dirs(at_spi_t)
+userdom_search_user_home_content(at_spi_t)
+
+optional_policy(`
+ xserver_read_user_xauth(at_spi_t)
+ xserver_stream_connect(at_spi_t)
+')
+
+##############################
+#
+# GConf daemon local Policy (Gnome2)
#
allow gconfd_t gconf_etc_t:dir list_dir_perms;
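Review bot: at_spi_t is granted full manage on dconf_home_t (`allow at_spi_t dconf_home_t:dir manage_dir_perms;` and the file/lnk_file lines), and the same triple is repeated for gnome_settings_t and gnome_settings_daemon_t in the hunk at @@ -102,6 +202,171 and for $3 in the gnome.if hunk at @@ -69,6 +108,64. dconf clients normally read the database directly and write through the dconf service (dconf_t), so if these domains only read, `list_dirs_pattern` / `read_files_pattern` on dconf_home_t keeps the service as the single writer; please confirm against the denials that motivated the rules. A shared interface such as `gnome_read_dconf_home_files` would also avoid repeating the three lines four times.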
@@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+kernel_dontaudit_read_system_state(gconfd_t)
+
+files_search_tmp(gconfd_t)
+
+fs_getattr_xattr_fs(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
@@ -102,6 +202,171 @@ optional_policy(`
')
##############################
+#
+# Gnome-settings local policy
+#
+
+allow gnome_settings_t self:dir list_dir_perms;
+allow gnome_settings_t self:file rw_file_perms;
+allow gnome_settings_t self:process { fork sigchld };
+allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms;
+
+allow gnome_settings_t dconf_home_t:dir manage_dir_perms;
+allow gnome_settings_t dconf_home_t:file manage_file_perms;
+allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms;
+allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms;
+allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+allow gnome_settings_t gnome_settings_exec_t:file entrypoint;
+
+rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t)
+
+corecmd_exec_bin(gnome_settings_t)
+corecmd_search_bin(gnome_settings_t)
+
+dev_dontaudit_search_sysfs(gnome_settings_t)
+dev_list_all_dev_nodes(gnome_settings_t)
+dev_rw_null(gnome_settings_t)
+dev_search_sysfs(gnome_settings_t)
+
+files_list_root(gnome_settings_t)
+files_read_etc_files(gnome_settings_t)
+files_read_usr_files(gnome_settings_t)
+files_search_pids(gnome_settings_t)
+
+fs_getattr_xattr_fs(gnome_settings_t)
+
+init_sigchld(gnome_settings_t)
+
+kernel_read_system_state(gnome_settings_t)
+
+libs_use_ld_so(gnome_settings_t)
+libs_use_shared_libs(gnome_settings_t)
+
+miscfiles_read_localization(gnome_settings_t)
+
+selinux_getattr_fs(gnome_settings_t)
+selinux_dontaudit_search_fs(gnome_settings_t)
+
+### should create an xserver interface for writing .xsession-errors
+userdom_dontaudit_write_user_home_content_files(gnome_settings_t)
+
+# search in .cache
+userdom_search_user_home_dirs(gnome_settings_t)
+userdom_search_user_home_content(gnome_settings_t)
+
+optional_policy(`
+ dbus_read_lib_files(gnome_settings_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gnome_settings_t)
+')
+
+##############################
+#
+# Gnome-settings-daemon local policy
+#
+
+allow gnome_settings_daemon_t self:dir list_dir_perms;
+allow gnome_settings_daemon_t self:file rw_file_perms;
+allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms;
+
+allow gnome_settings_daemon_t self:process { fork sigchld signal };
+allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms;
+allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms;
+allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms;
+allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms;
+
+allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms;
+allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms;
+allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms;
+
+allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };
+
+rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t)
+
+read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t)
+
+cups_read_config(gnome_settings_daemon_t)
+cups_stream_connect(gnome_settings_daemon_t)
+
+dev_dontaudit_search_sysfs(gnome_settings_daemon_t)
+dev_read_urand(gnome_settings_daemon_t)
+dev_read_sysfs(gnome_settings_daemon_t)
+dev_rw_null(gnome_settings_daemon_t)
+
+files_list_root(gnome_settings_daemon_t)
+files_list_tmp(gnome_settings_daemon_t)
+files_read_etc_files(gnome_settings_daemon_t)
+files_read_usr_files(gnome_settings_daemon_t)
+files_search_tmp(gnome_settings_daemon_t)
+
+fs_getattr_tmpfs(gnome_settings_daemon_t)
+fs_getattr_xattr_fs(gnome_settings_daemon_t)
+fs_list_tmpfs(gnome_settings_daemon_t)
+fs_rw_tmpfs_files(gnome_settings_daemon_t)
+
+init_sigchld(gnome_settings_daemon_t)
+
+kernel_read_system_state(gnome_settings_daemon_t)
+
+libs_use_ld_so(gnome_settings_daemon_t)
+libs_use_shared_libs(gnome_settings_daemon_t)
+
+logging_search_logs(gnome_settings_daemon_t)
+
+miscfiles_read_fonts(gnome_settings_daemon_t)
+miscfiles_read_generic_certs(gnome_settings_daemon_t)
+miscfiles_read_localization(gnome_settings_daemon_t)
+
+selinux_getattr_fs(gnome_settings_daemon_t)
+selinux_dontaudit_search_fs(gnome_settings_daemon_t)
+
+### should create an xserver interface for writing .xsession-errors
+userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t)
+
+userdom_list_user_home_dirs(gnome_settings_daemon_t)
+userdom_list_user_tmp(gnome_settings_daemon_t)
+userdom_search_user_home_dirs(gnome_settings_daemon_t)
+userdom_search_user_home_content(gnome_settings_daemon_t)
+
+optional_policy(`
+ colord_dbus_chat(gnome_settings_daemon_t)
+ colord_manage_home_files(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnome_settings_daemon_t)
+ policykit_domtrans(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ pulseaudio_read_home(gnome_settings_daemon_t)
+ pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t)
+ pulseaudio_signull(gnome_settings_daemon_t)
+ pulseaudio_stream_connect(gnome_settings_daemon_t)
+ pulseaudio_use_fds(gnome_settings_daemon_t)
+')
+
+optional_policy(`
+ xserver_read_user_xauth(gnome_settings_daemon_t)
+ xserver_stream_connect(gnome_settings_daemon_t)
+')
+
+##############################
#
# Keyring-daemon local policy
#
--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200
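Review bot: `allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };` and `allow gnome_settings_t gnome_settings_exec_t:file entrypoint;` look redundant with userdom_user_application_domain, which already makes the exec type an entry point for the domain, and `exec_file_perms` on its own binary is not something a daemon needs. The `self:dir`, `self:file`, `self:lnk_file`, `libs_use_ld_so` and `libs_use_shared_libs` lines in both new sections likewise duplicate what domain_base_type grants every domain if this tree's domain.if matches upstream — please verify and drop what is already covered. `corecmd_exec_bin(gnome_settings_t)` also implies `corecmd_search_bin`. Trimming these keeps the new sections to the permissions that were actually observed.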
+++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200
@@ -1,3 +1,5 @@
+/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
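Review bot: `/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0)` gives the setuid pkexec helper the same exec type as polkitd, so with the new policykit_domtrans interface in the policykit.if hunk any caller (gnome_settings_daemon_t in this series) enters the system daemon's domain policykit_t when it runs pkexec. That conflates a privilege-escalation helper started from user sessions with the long-running daemon; a dedicated exec type and domain for pkexec, as the module already does for polkit-agent-helper-1 with policykit_auth_exec_t, would keep the daemon's permissions out of reach of user-started processes. If sharing the domain is intentional, a comment in the .fc saying so would help reviewers.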
--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200
@@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',`
########################################
## <summary>
+## Execute a domain transition to
+## run polkit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans',`
+ gen_require(`
+ type policykit_t, policykit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_exec_t, policykit_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run polkit_auth.
## </summary>
## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200
@@ -117,6 +118,7 @@ optional_policy(`
optional_policy(`
gnome_read_generic_home_content(policykit_t)
+ gnome_read_settings_daemon_files(policykit_t)
')
optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200
@@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',`
typeattribute $1 pulseaudio_tmpfsfile;
')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
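Review bot: pulseaudio_read_tmpfs_files and pulseaudio_rw_tmpfs_files operate on the single type pulseaudio_tmpfs_t, while the module also has the pulseaudio_tmpfsfile attribute assigned by pulseaudio_tmpfs_content just above, so content labelled through that attribute is not covered by the new interfaces. If callers such as gnome_settings_daemon_t need the shared-memory segments of other pulseaudio tmpfs content types, `rw_files_pattern($1, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)` (or both targets) may be the right choice — the type and attribute declarations are outside this patch, so please confirm.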
--- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200
@@ -193,6 +193,11 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200
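Review bot: `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` references a type owned by the gnome module directly from pulseaudio.te with no gen_require, which breaks a modular build and the encapsulation the description aims for; the two filetrans calls on the following lines already go through interfaces, so the allow should become one too, for example `gnome_manage_gstreamer_orcexec_files(pulseaudio_t)` declared in gnome.if with the gen_require. Because write and execute-mapping on the same type is inherent to ORC's JIT, it is effectively an execmem equivalent for pulseaudio_t, and the new interface's summary should say so to discourage granting it more widely.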
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200
@@ -593,6 +593,10 @@ template(`userdom_common_user_template',
')
optional_policy(`
+ colord_manage_home_files($1_t)
+ ')
+
+ optional_policy(`
dbus_system_bus_client($1_t)
optional_policy(`
On 08/22/16 15:39, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - target the dconf daemon, the gsettings user application, the
> gnome-settings-daemon and the at-spi daemon with all the
> needed domain transitions;
> - a new gstreamer_orcexec_t type and file context is introduced
> to support the OIL Runtime Compiler (ORC) optimized code
> execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
> keyring domains;
> - add support for chat over dbus in the gconfd domain and in the
> new domains (dconf, gsettings, etc);
> - add support for a few needed fs and kernel permissions.
> - add support for reading the colord related files in the home
> directories (such as the ICC EDID profiles): requires the
> recent colord patch;
> - add support for reading the colord related files in the home
> directories in the common user domain template;
> - add support for a new mime_info_t type to be used in the home
> directories;
> - includes minor modifications to the consolekit, dbus and
> policykit modules to support the new targeted gnome daemons
> and applications;
> - modifies the pulseaudio module to introduce new interfaces to
> read and write pulseaudio tmpfs files and to use the pulseaudio
> file descriptor;
> - provides better module encapsulation (i.e. dbus module).
>
> The support for Gnome2/ORBit-2 (version 2) has been dropped.
>
> This patch depends on the recent colord patch.
>
> Recent changes to the pulseaudio module depends on this patch !
Unfortunately, as Dominick pointed out, you've gone to the other end of
the patch organization spectrum and made too large of a patch. If you
split it up into individual commits, git format-patch and git send-email
will make it easy to send a series of patches in commit order. So all
you have to do is create reasonably-sized and logically-organized commits.
I did not review everything, but here are a few things I noticed:
> +########################################
> +## <summary>
> +## Make a domain transition from a
> +## given source domain to another
> +## specified target domain using
> +## the DBUS executable file type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Source domain.
> +## </summary>
> +## </param>
> +#
> +interface(`dbus_domain_transition',`
I'm not clear why this is necessary.
> + gen_require(`
> + type dbusd_exec_t;
> + ')
> +
> + allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };
Entrypoint should not be included here.
> + domtrans_pattern($1, dbusd_exec_t, $2)
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-22 21:24:49.634876147 +0200
> @@ -43,14 +43,39 @@ interface(`gnome_role',`
> template(`gnome_role_template',`
> gen_require(`
> attribute gnomedomain, gkeyringd_domain;
> + attribute_role dconf_roles;
> + attribute_role at_spi_roles;
> attribute_role gconfd_roles;
> - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
> + attribute_role gnome_settings_roles;
> + attribute_role gnome_settings_daemon_roles;
Are all of these role attributes really necessary? Typically these are
only needed when there are long chains of transitions where the original
domain doesn't have any relation to latter domains. For example:
user_t -> domain1_t -> domain2_t
In this case, there is no link in the sources between user_t and
domain2_t, but domain2_t needs to be allowed user_r. Domain1_t's
interfaces can collect up all the roles that run domain1 in a role
attribute, and then use that attribute when running domain2.
> + type dconf_t, dconf_exec_t, dconf_home_t;
> + type at_spi_t, at_spi_exec_t;
> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> type gconf_home_t;
> + type gnome_settings_t, gnome_settings_exec_t;
> + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
> + type gnome_settings_schemas_t;
> + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> + type mime_info_t;
> + type user_dbusd_t;
This dbus type cannot be referenced directly in this module.
> optional_policy(`
> + dbus_connect_spec_session_bus(user, dconf_t)
> + dbus_connect_spec_session_bus(user, at_spi_t)
> + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t)
Prefixes can't be hardcoded like this.
> + dbus_connect_system_bus(gnome_settings_daemon_t)
> + dbus_domain_transition(at_spi_t, user_dbusd_t)
> + dbus_domain_transition(gnome_settings_t, user_dbusd_t)
> + dbus_send_spec_session_bus(user, dconf_t)
> + dbus_send_spec_session_bus(user, at_spi_t)
> + dbus_send_spec_session_bus(user, gnome_settings_daemon_t)
> dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
--
Chris PeBenito
Hello Christopher !
Thanks for providing your valuable feedback.
On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> On 08/22/16 15:39, Guido Trentalancia wrote:
> >
> > Update for the gnome module:
> >
> > - target the dconf daemon, the gsettings user application, the
> > ? gnome-settings-daemon and the at-spi daemon with all the
> > ? needed domain transitions;
> > - a new gstreamer_orcexec_t type and file context is introduced
> > ? to support the OIL Runtime Compiler (ORC) optimized code
> > ? execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > ? keyring domains;
> > - add support for chat over dbus in the gconfd domain and in the
> > ? new domains (dconf, gsettings, etc);
> > - add support for a few needed fs and kernel permissions.
> > - add support for reading the colord related files in the home
> > ? directories (such as the ICC EDID profiles): requires the
> > ? recent colord patch;
> > - add support for for reading the colord related files in the home
> > ? directories in the common user domain template;
> > - add support for a new mime_info_t type to be used in the home
> > ? directories;
> > - includes minor modifications to the consolekit, dbus and
> > ? policykit modules to support the new targeted gnome daemons
> > ? and applications;
> > - modifies the pulseaudio module to introduce new interfaces to
> > ? read and write pulseaudio tmpfs files and to use the pulseaudio
> > ? file descriptor;
> > - provides better module encapsulation (i.e. dbus module).
> >
> > The support for Gnome2/ORBit-2 (version 2) has been dropped.
> >
> > This patch depends on the recent colord patch.
> >
> > Recent changes to the pulseaudio module depends on this patch !
>
> Unfortunately, as Dominick pointed out, you've gone to the other end
> of?
> the patch organization spectrum and made too large of a patch.??If
> you?
> split it up into individual commits, git format-patch and git send-
> email?
> will make it easy to send a series of patches in commit order.??So
> all?
> you have to do is create reasonably-sized and logically-organized
> commits.
>
>
> I did not review everything, but here are a few things I noticed:
>
> >
> > +########################################
> > +## <summary>
> > +## Make a domain transition from a
> > +## given source domain to another
> > +## specified target domain using
> > +## the DBUS executable file type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Source domain.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dbus_domain_transition',`
>
> I'm not clear why this is necessary.
To encapsulate dbus related types in their own module (i.e. the dbus
module).
> > + gen_require(`
> > + type dbusd_exec_t;
> > + ')
> > +
> > + allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };
>
> Entrypoint should not be included here.
I will check if this does not break the transition...
> > + domtrans_pattern($1, dbusd_exec_t, $2)
>
> >
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if
> > 2016-08-06 21:27:11.354094337 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2
> > 016-08-22 21:24:49.634876147 +0200
> > @@ -43,14 +43,39 @@ interface(`gnome_role',`
> > ?template(`gnome_role_template',`
> > ? gen_require(`
> > ? attribute gnomedomain, gkeyringd_domain;
> > + attribute_role dconf_roles;
> > + attribute_role at_spi_roles;
> > ? attribute_role gconfd_roles;
> > - type gkeyringd_exec_t, gnome_keyring_home_t,
> > gnome_keyring_tmp_t;
> > + attribute_role gnome_settings_roles;
> > + attribute_role gnome_settings_daemon_roles;
>
> Are all of these role attributes really necessary???Typically these
> are?
> only needed when there are long chains of transitions where the
> original?
> domain doesn't have any relation to latter domains.??For example:
>
> user_t ->??domain1_t -> domain2_t
>
> In this case, there is no link in the sources between user_t and?
> domain2_t, but domain2_t needs to be allowed user_r.??Domain1_t's?
> interfaces can collect up all the roles that run domain1 in a role?
> attribute, and then use that attribute when running domain2.
I will remove the roles which are not needed.
> >
> > + type dconf_t, dconf_exec_t, dconf_home_t;
> > + type at_spi_t, at_spi_exec_t;
> > ? type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > ? type gconf_home_t;
> > + type gnome_settings_t, gnome_settings_exec_t;
> > + type gnome_settings_daemon_t,
> > gnome_settings_daemon_exec_t;
> > + type gnome_settings_schemas_t;
> > + type gkeyringd_exec_t, gnome_keyring_home_t,
> > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > + type mime_info_t;
> > + type user_dbusd_t;
>
> This dbus type cannot be referenced directly in this module.
If $1_dbusd_t is used to get the role/type prefix from the caller, then
it doesn't compile for some reason which is not yet clear to me.
Any idea ?
> >
> > ? optional_policy(`
> > + dbus_connect_spec_session_bus(user, dconf_t)
> > + dbus_connect_spec_session_bus(user, at_spi_t)
> > + dbus_connect_spec_session_bus(user,
> > gnome_settings_daemon_t)
>
> Prefixes can't be hardcoded like this.
See above.
> >
> > + dbus_connect_system_bus(gnome_settings_daemon_t)
> > + dbus_domain_transition(at_spi_t, user_dbusd_t)
> > + dbus_domain_transition(gnome_settings_t,
> > user_dbusd_t)
> > + dbus_send_spec_session_bus(user, dconf_t)
> > + dbus_send_spec_session_bus(user, at_spi_t)
> > + dbus_send_spec_session_bus(user,
> > gnome_settings_daemon_t)
> > ? dbus_spec_session_domain($1, $1_gkeyringd_t,
> > gkeyringd_exec_t)
Best regards,
Guido
On Tue, 23/08/2016 at 14.44 +0200, Guido Trentalancia wrote:
> Hello Christopher !
>
> Thanks for providing your valuable feedback.
>
> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> >
> > On 08/22/16 15:39, Guido Trentalancia wrote:
> > >
> > >
> > > Update for the gnome module:
> > >
> > > - target the dconf daemon, the gsettings user application, the
> > > ? gnome-settings-daemon and the at-spi daemon with all the
> > > ? needed domain transitions;
> > > - a new gstreamer_orcexec_t type and file context is introduced
> > > ? to support the OIL Runtime Compiler (ORC) optimized code
> > > ? execution (used for example by pulseaudio);
> > > - add support for more permissions needed in gconfd_t and gnome
> > > ? keyring domains;
> > > - add support for chat over dbus in the gconfd domain and in the
> > > ? new domains (dconf, gsettings, etc);
> > > - add support for a few needed fs and kernel permissions.
> > > - add support for reading the colord related files in the home
> > > ? directories (such as the ICC EDID profiles): requires the
> > > ? recent colord patch;
> > > - add support for for reading the colord related files in the
> > > home
> > > ? directories in the common user domain template;
> > > - add support for a new mime_info_t type to be used in the home
> > > ? directories;
> > > - includes minor modifications to the consolekit, dbus and
> > > ? policykit modules to support the new targeted gnome daemons
> > > ? and applications;
> > > - modifies the pulseaudio module to introduce new interfaces to
> > > ? read and write pulseaudio tmpfs files and to use the pulseaudio
> > > ? file descriptor;
> > > - provides better module encapsulation (i.e. dbus module).
> > >
> > > The support for Gnome2/ORBit-2 (version 2) has been dropped.
> > >
> > > This patch depends on the recent colord patch.
> > >
> > > Recent changes to the pulseaudio module depends on this patch !
[...]
> > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if
> > > 2016-08-06 21:27:11.354094337 +0200
> > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if
> > > 2
> > > 016-08-22 21:24:49.634876147 +0200
> > > @@ -43,14 +43,39 @@ interface(`gnome_role',`
> > > ?template(`gnome_role_template',`
> > > ? gen_require(`
> > > ? attribute gnomedomain, gkeyringd_domain;
> > > + attribute_role dconf_roles;
> > > + attribute_role at_spi_roles;
> > > ? attribute_role gconfd_roles;
> > > - type gkeyringd_exec_t, gnome_keyring_home_t,
> > > gnome_keyring_tmp_t;
> > > + attribute_role gnome_settings_roles;
> > > + attribute_role gnome_settings_daemon_roles;
> >
> > Are all of these role attributes really necessary???Typically these
> > are?
> > only needed when there are long chains of transitions where the
> > original?
> > domain doesn't have any relation to latter domains.??For example:
> >
> > user_t ->??domain1_t -> domain2_t
> >
> > In this case, there is no link in the sources between user_t and?
> > domain2_t, but domain2_t needs to be allowed user_r.??Domain1_t's?
> > interfaces can collect up all the roles that run domain1 in a role?
> > attribute, and then use that attribute when running domain2.
>
> I will remove the roles which are not needed.
I have tested the above and the conclusion is that only the dconf
attribute can be removed without breaking the functionality.
Regards,
Guido
On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> On 08/22/16 15:39, Guido Trentalancia wrote:
> >
> > Update for the gnome module:
> >
> > - target the dconf daemon, the gsettings user application, the
> > ? gnome-settings-daemon and the at-spi daemon with all the
> > ? needed domain transitions;
> > - a new gstreamer_orcexec_t type and file context is introduced
> > ? to support the OIL Runtime Compiler (ORC) optimized code
> > ? execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > ? keyring domains;
> > - add support for chat over dbus in the gconfd domain and in the
> > ? new domains (dconf, gsettings, etc);
> > - add support for a few needed fs and kernel permissions.
> > - add support for reading the colord related files in the home
> > ? directories (such as the ICC EDID profiles): requires the
> > ? recent colord patch;
> > - add support for for reading the colord related files in the home
> > ? directories in the common user domain template;
> > - add support for a new mime_info_t type to be used in the home
> > ? directories;
> > - includes minor modifications to the consolekit, dbus and
> > ? policykit modules to support the new targeted gnome daemons
> > ? and applications;
> > - modifies the pulseaudio module to introduce new interfaces to
> > ? read and write pulseaudio tmpfs files and to use the pulseaudio
> > ? file descriptor;
> > - provides better module encapsulation (i.e. dbus module).
> >
> > The support for Gnome2/ORBit-2 (version 2) has been dropped.
> >
> > This patch depends on the recent colord patch.
> >
> > Recent changes to the pulseaudio module depends on this patch !
[...]
> >
> > + type dconf_t, dconf_exec_t, dconf_home_t;
> > + type at_spi_t, at_spi_exec_t;
> > ? type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > ? type gconf_home_t;
> > + type gnome_settings_t, gnome_settings_exec_t;
> > + type gnome_settings_daemon_t,
> > gnome_settings_daemon_exec_t;
> > + type gnome_settings_schemas_t;
> > + type gkeyringd_exec_t, gnome_keyring_home_t,
> > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > + type mime_info_t;
> > + type user_dbusd_t;
>
> This dbus type cannot be referenced directly in this module.
It's not a dbus type, although it might resemble that from its
naming...
It's just a convenience private type used to create a domain for
running non-system dbus sessions.
> >
> > ? optional_policy(`
> > + dbus_connect_spec_session_bus(user, dconf_t)
> > + dbus_connect_spec_session_bus(user, at_spi_t)
> > + dbus_connect_spec_session_bus(user,
> > gnome_settings_daemon_t)
>
> Prefixes can't be hardcoded like this.
It's related to the above private type.
It is used somewhat similarly to a variable in a program.
It's not related to "user" as in the arguments "(user, user_r,
user_t)".
As already explained, it would fail to compile with a "conflicting type
rule" error if I use the $1 argument.
> >
> > + dbus_connect_system_bus(gnome_settings_daemon_t)
> > + dbus_domain_transition(at_spi_t, user_dbusd_t)
> > + dbus_domain_transition(gnome_settings_t,
> > user_dbusd_t)
> > + dbus_send_spec_session_bus(user, dconf_t)
> > + dbus_send_spec_session_bus(user, at_spi_t)
> > + dbus_send_spec_session_bus(user,
> > gnome_settings_daemon_t)
> > ? dbus_spec_session_domain($1, $1_gkeyringd_t,
> > gkeyringd_exec_t)
Regards,
Guido
On 08/23/16 08:44, Guido Trentalancia wrote:
> Hello Christopher !
>
> Thanks for providing your valuable feedback.
>
> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>
>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>> + type at_spi_t, at_spi_exec_t;
>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>> type gconf_home_t;
>>> + type gnome_settings_t, gnome_settings_exec_t;
>>> + type gnome_settings_daemon_t,
>>> gnome_settings_daemon_exec_t;
>>> + type gnome_settings_schemas_t;
>>> + type gkeyringd_exec_t, gnome_keyring_home_t,
>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>> + type mime_info_t;
>>> + type user_dbusd_t;
>>
>> This dbus type cannot be referenced directly in this module.
>
> If $1_dbusd_t is used to get the role/type prefix from the caller, then
> it doesn't compile for some reason which is not yet clear to me.
>
> Any idea ?
The $1_dbusd_t rules need to be contained in the dbus module, not the
gnome module. Beyond that, it's tough to say what the problem is,
without knowing the error messages.
--
Chris PeBenito
The error is: "Conflicting type rules".
Unfortunately, the cil temporary file is destroyed before make gives the shell prompt back, so it is not possible to inspect the location of the problem.
Guido
On the 24th august 2016 01:02:29 CEST, Chris PeBenito <[email protected]> wrote:
>On 08/23/16 08:44, Guido Trentalancia wrote:
>> Hello Christopher !
>>
>> Thanks for providing your valuable feedback.
>>
>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>
>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>> + type at_spi_t, at_spi_exec_t;
>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>> type gconf_home_t;
>>>> + type gnome_settings_t, gnome_settings_exec_t;
>>>> + type gnome_settings_daemon_t,
>>>> gnome_settings_daemon_exec_t;
>>>> + type gnome_settings_schemas_t;
>>>> + type gkeyringd_exec_t, gnome_keyring_home_t,
>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>> + type mime_info_t;
>>>> + type user_dbusd_t;
>>>
>>> This dbus type cannot be referenced directly in this module.
>>
>> If $1_dbusd_t is used to get the role/type prefix from the caller,
>then
>> it doesn't compile for some reason which is not yet clear to me.
>>
>> Any idea ?
>
>The $1_dbusd_t rules need to be contained in the dbus module, not the
>gnome module. Beyond that, it's tough to say what the problem is,
>without knowing the error messages.
Hello Christopher.
I have more detailed information about this problem...
On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
> On 08/23/16 08:44, Guido Trentalancia wrote:
> >
> > Hello Christopher !
> >
> > Thanks for providing your valuable feedback.
> >
> > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> > >
> > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > >
> > > >
> > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > + type at_spi_t, at_spi_exec_t;
> > > > ? type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > ? type gconf_home_t;
> > > > + type gnome_settings_t, gnome_settings_exec_t;
> > > > + type gnome_settings_daemon_t,
> > > > gnome_settings_daemon_exec_t;
> > > > + type gnome_settings_schemas_t;
> > > > + type gkeyringd_exec_t, gnome_keyring_home_t,
> > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > + type mime_info_t;
> > > > + type user_dbusd_t;
> > >
> > > This dbus type cannot be referenced directly in this module.
> >
> > If $1_dbusd_t is used to get the role/type prefix from the caller,
> > then
> > it doesn't compile for some reason which is not yet clear to me.
> >
> > Any idea ?
>
> The $1_dbusd_t rules need to be contained in the dbus module, not
> the?
> gnome module.??Beyond that, it's tough to say what the problem is,?
> without knowing the error messages.
Suppose we have the following additional dbus interface:
#######################################
## <summary>
## Make a domain transition from a
## given source domain to the
## DBUS session bus domain using
## the DBUS executable file type.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dbus_domain_transition_session_bus',`
gen_require(`
type dbusd_exec_t;
type $1_dbusd_t;
')
allow $2 dbusd_exec_t:file exec_file_perms;
domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
')
and suppose that it is called by the following statement:
dbus_domain_transition_session_bus($1, at_spi_t)
where $1 = "user".
During policy load, the following error is generated:
Conflicting type rules
Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
Failed to generate binary
/usr/sbin/semodule: Failed!
make: *** [Rules.modular:58: load] Error 1
The temporary file is deleted automatically and cannot be inspected.
I hope it is clear now...
Do you have an idea ? It's the only thing missing before all the dbus
rules are moved from the gnome to the dbus module and I can create a
new version of this important patch.
Regards,
Guido
On 08/24/16 17:55, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have more detailed information about this problem...
>
> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>
>>> Hello Christopher !
>>>
>>> Thanks for providing your valuable feedback.
>>>
>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>> + type at_spi_t, at_spi_exec_t;
>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>> type gconf_home_t;
>>>>> + type gnome_settings_t, gnome_settings_exec_t;
>>>>> + type gnome_settings_daemon_t,
>>>>> gnome_settings_daemon_exec_t;
>>>>> + type gnome_settings_schemas_t;
>>>>> + type gkeyringd_exec_t, gnome_keyring_home_t,
>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>> + type mime_info_t;
>>>>> + type user_dbusd_t;
>>>>
>>>> This dbus type cannot be referenced directly in this module.
>>>
>>> If $1_dbusd_t is used to get the role/type prefix from the caller,
>>> then
>>> it doesn't compile for some reason which is not yet clear to me.
>>>
>>> Any idea ?
>>
>> The $1_dbusd_t rules need to be contained in the dbus module, not
>> the
>> gnome module. Beyond that, it's tough to say what the problem is,
>> without knowing the error messages.
>
> Suppose to have the following additional dbus interface:
>
> #######################################
> ## <summary>
> ## Make a domain transition from a
> ## given source domain to the
> ## DBUS session bus domain using
> ## the DBUS executable file type.
> ## </summary>
> ## <param name="role_prefix">
> ## <summary>
> ## The prefix of the user role (e.g., user
> ## is the prefix for user_r).
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`dbus_domain_transition_session_bus',`
> gen_require(`
> type dbusd_exec_t;
> type $1_dbusd_t;
> ')
>
> allow $2 dbusd_exec_t:file exec_file_perms;
> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> ')
>
> and suppose that it is called by the following statement:
>
> dbus_domain_transition_session_bus($1, at_spi_t)
>
> where $1 = "user".
>
> During policy load, the following error is generated:
>
> Conflicting type rules
> Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> Failed to generate binary
> /usr/sbin/semodule: Failed!
> make: *** [Rules.modular:58: load] Error 1
>
> The temporary file is deleted automatically and cannot be inspected.
>
> I hope it is clear now...
>
> Do you have an idea ? It's the only thing missing before all the dbus
> rules are moved from the gnome to the dbus module and I can create a
> new version of this important patch.
It's not so helpful unfortunately. My guess is that it is a conflicting
type_transition. Unfortunately the compiler error message isn't helpful.
--
Chris PeBenito
It works fine in the latest version of this patch (from within the gnome module)!!
So, why does it stop working when I create a dbus interface and call it from the gnome module?
I am stuck with this unfortunately...
How about the other missing patch for the "module_load" permission in the kernel and files modules? Have you found an alternative name for that interface?
The patch for the kernel is waiting to get committed, along with the testcase and a small Makefile patch for the testsuite.
I have also posted here a patch for the Reference Policy Makefile so that it integrates better with the SELinux testsuite (which at the moment works out of the box only on Red Hat).
Best regards,
Guido
On the 25th August 2016 00:10:22 CEST, Chris PeBenito <[email protected]> wrote:
>On 08/24/16 17:55, Guido Trentalancia wrote:
>> Hello Christopher.
>>
>> I have more detailed information about this problem...
>>
>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>
>>>> Hello Christopher !
>>>>
>>>> Thanks for providing your valuable feedback.
>>>>
>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>
>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>
>>>>>>
>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>> type gconf_home_t;
>>>>>> + type gnome_settings_t, gnome_settings_exec_t;
>>>>>> + type gnome_settings_daemon_t,
>>>>>> gnome_settings_daemon_exec_t;
>>>>>> + type gnome_settings_schemas_t;
>>>>>> + type gkeyringd_exec_t, gnome_keyring_home_t,
>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>> + type mime_info_t;
>>>>>> + type user_dbusd_t;
>>>>>
>>>>> This dbus type cannot be referenced directly in this module.
>>>>
>>>> If $1_dbusd_t is used to get the role/type prefix from the caller,
>>>> then
>>>> it doesn't compile for some reason which is not yet clear to me.
>>>>
>>>> Any idea ?
>>>
>>> The $1_dbusd_t rules need to be contained in the dbus module, not
>>> the
>>> gnome module. Beyond that, it's tough to say what the problem is,
>>> without knowing the error messages.
>>
>> Suppose to have the following additional dbus interface:
>>
>> #######################################
>> ## <summary>
>> ## Make a domain transition from a
>> ## given source domain to the
>> ## DBUS session bus domain using
>> ## the DBUS executable file type.
>> ## </summary>
>> ## <param name="role_prefix">
>> ## <summary>
>> ## The prefix of the user role (e.g., user
>> ## is the prefix for user_r).
>> ## </summary>
>> ## </param>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dbus_domain_transition_session_bus',`
>> gen_require(`
>> type dbusd_exec_t;
>> type $1_dbusd_t;
>> ')
>>
>> allow $2 dbusd_exec_t:file exec_file_perms;
>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>> ')
>>
>> and suppose that it is called by the following statement:
>>
>> dbus_domain_transition_session_bus($1, at_spi_t)
>>
>> where $1 = "user".
>>
>> During policy load, the following error is generated:
>>
>> Conflicting type rules
>> Binary policy creation failed at line 29393 of
>/var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>> Failed to generate binary
>> /usr/sbin/semodule: Failed!
>> make: *** [Rules.modular:58: load] Error 1
>>
>> The temporary file is deleted automatically and cannot be inspected.
>>
>> I hope it is clear now...
>>
>> Do you have an idea ? It's the only thing missing before all the dbus
>> rules are moved from the gnome to the dbus module and I can create a
>> new version of this important patch.
>
>It's not so helpful unfortunately. My guess is that it is a
>conflicting
>type_transition. Unfortunately the compiler error message isn't
>helpful.
On 08/25/2016 12:42 AM, Guido Trentalancia via refpolicy wrote:
> It works fine in the latest version of this patch (from within the gnome module)!!
>
> So, why does it stop working when I create a dbus interface and call it from the gnome module?
>
> I am stuck with this unfortunately...
>
I have been there before. I have attempted to confine desktops for
years, facing all kinds of limitations of the reference policy. I am not
saying that the issue you are facing is related to limitations of the
refpolicy, because I do not know for sure. What I do feel I know is that
confining complex desktops with reference policy is difficult if not
impossible.
The CIL policy was designed to deal with complex requirements. My DSSP
policy demonstrates that with CIL , complex desktops can be confined.
Besides the techinical issues there is also the issue of design with
confining complex desktops. There are many patterns that become visible
later in the process. Causing one to have to refactor the policy. I
already see things in your patch where I personally would have done
things differently taking into account the bigger picture.
Basically a good approach would be to first confine the desktop fully.
then look at that from a distance, and then write it again with in mind
all the things you've learned.
> How about the other missing patch for the "module_load" permission in the kernel and files modules? Have you found an alternative name for that interface?
>
> The patch for the kernel is waiting to get committed, along with the testcase and a small Makefile patch for the testsuite.
>
> I have also posted here a patch for the Reference Policy Makefile so that it integrates better with the SELinux testsuite (which at the moment works out of the box only on Red Hat).
>
> Best regards,
>
> Guido
>
> On the 25th August 2016 00:10:22 CEST, Chris PeBenito <[email protected]> wrote:
>> On 08/24/16 17:55, Guido Trentalancia wrote:
>>> Hello Christopher.
>>>
>>> I have more detailed information about this problem...
>>>
>>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>>
>>>>> Hello Christopher !
>>>>>
>>>>> Thanks for providing your valuable feedback.
>>>>>
>>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>>
>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>
>>>>>>>
>>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>>> type gconf_home_t;
>>>>>>> + type gnome_settings_t, gnome_settings_exec_t;
>>>>>>> + type gnome_settings_daemon_t,
>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>> + type gnome_settings_schemas_t;
>>>>>>> + type gkeyringd_exec_t, gnome_keyring_home_t,
>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>> + type mime_info_t;
>>>>>>> + type user_dbusd_t;
>>>>>>
>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>
>>>>> If $1_dbusd_t is used to get the role/type prefix from the caller,
>>>>> then
>>>>> it doesn't compile for some reason which is not yet clear to me.
>>>>>
>>>>> Any idea ?
>>>>
>>>> The $1_dbusd_t rules need to be contained in the dbus module, not
>>>> the
>>>> gnome module. Beyond that, it's tough to say what the problem is,
>>>> without knowing the error messages.
>>>
>>> Suppose you have the following additional dbus interface:
>>>
>>> #######################################
>>> ## <summary>
>>> ## Make a domain transition from a
>>> ## given source domain to the
>>> ## DBUS session bus domain using
>>> ## the DBUS executable file type.
>>> ## </summary>
>>> ## <param name="role_prefix">
>>> ## <summary>
>>> ## The prefix of the user role (e.g., user
>>> ## is the prefix for user_r).
>>> ## </summary>
>>> ## </param>
>>> ## <param name="domain">
>>> ## <summary>
>>> ## Domain allowed access.
>>> ## </summary>
>>> ## </param>
>>> #
>>> interface(`dbus_domain_transition_session_bus',`
>>> gen_require(`
>>> type dbusd_exec_t;
>>> type $1_dbusd_t;
>>> ')
>>>
>>> allow $2 dbusd_exec_t:file exec_file_perms;
>>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>> ')
>>>
>>> and suppose that it is called by the following statement:
>>>
>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>
>>> where $1 = "user".
>>>
>>> During policy load, the following error is generated:
>>>
>>> Conflicting type rules
>>> Binary policy creation failed at line 29393 of
>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>> Failed to generate binary
>>> /usr/sbin/semodule: Failed!
>>> make: *** [Rules.modular:58: load] Error 1
>>>
>>> The temporary file is deleted automatically and cannot be inspected.
>>>
>>> I hope it is clear now...
>>>
>>> Do you have an idea ? It's the only thing missing before all the dbus
>>> rules are moved from the gnome to the dbus module and I can create a
>>> new version of this important patch.
>>
>> It's not so helpful unfortunately. My guess is that it is a
>> conflicting
>> type_transition. Unfortunately the compiler error message isn't
>> helpful.
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Christopher.
I have more information on this problem.
On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
> On 08/24/16 17:55, Guido Trentalancia wrote:
> >
> > Hello Christopher.
> >
> > I have more detailed information about this problem...
> >
> > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
> > >
> > > On 08/23/16 08:44, Guido Trentalancia wrote:
> > > >
> > > >
> > > > Hello Christopher !
> > > >
> > > > Thanks for providing your valuable feedback.
> > > >
> > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> > > > >
> > > > >
> > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > >   type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > > >   type gconf_home_t;
> > > > > > + type gnome_settings_t,
> > > > > > gnome_settings_exec_t;
> > > > > > + type gnome_settings_daemon_t,
> > > > > > gnome_settings_daemon_exec_t;
> > > > > > + type gnome_settings_schemas_t;
> > > > > > + type gkeyringd_exec_t,
> > > > > > gnome_keyring_home_t,
> > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > + type mime_info_t;
> > > > > > + type user_dbusd_t;
> > > > >
> > > > > This dbus type cannot be referenced directly in this module.
> > > >
> > > > If $1_dbusd_t is used to get the role/type prefix from the
> > > > caller,
> > > > then
> > > > it doesn't compile for some reason which is not yet clear to
> > > > me.
> > > >
> > > > Any idea ?
> > >
> > > The $1_dbusd_t rules need to be contained in the dbus module, not
> > > the
> > > gnome module. Beyond that, it's tough to say what the problem
> > > is,
> > > without knowing the error messages.
> >
> > Suppose you have the following additional dbus interface:
> >
> > #######################################
> > ## <summary>
> > ##	Make a domain transition from a
> > ##	given source domain to the
> > ##	DBUS session bus domain using
> > ##	the DBUS executable file type.
> > ## </summary>
> > ## <param name="role_prefix">
> > ##	<summary>
> > ##	The prefix of the user role (e.g., user
> > ##	is the prefix for user_r).
> > ##	</summary>
> > ## </param>
> > ## <param name="domain">
> > ##	<summary>
> > ##	Domain allowed access.
> > ##	</summary>
> > ## </param>
> > #
> > interface(`dbus_domain_transition_session_bus',`
> > 	gen_require(`
> > 		type dbusd_exec_t;
> > 		type $1_dbusd_t;
> > 	')
> >
> > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > ')
> >
> > and suppose that it is called by the following statement:
> >
> > dbus_domain_transition_session_bus($1, at_spi_t)
> >
> > where $1 = "user".
> >
> > During policy load, the following error is generated:
> >
> > Conflicting type rules
> > Binary policy creation failed at line 29393 of
> > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > Failed to generate binary
> > /usr/sbin/semodule: Failed!
> > make: *** [Rules.modular:58: load] Error 1
> >
> > The temporary file is deleted automatically and cannot be
> > inspected.
> >
> > I hope it is clear now...
> >
> > Do you have an idea ? It's the only thing missing before all the
> > dbus
> > rules are moved from the gnome to the dbus module and I can create
> > a
> > new version of this important patch.
>
> It's not so helpful unfortunately. My guess is that it is a
> conflicting
> type_transition. Unfortunately the compiler error message isn't
> helpful.
I have tested and your guess is correct !
The above interface expands as follows:
interface(`dbus_domain_transition_session_bus',`
allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
# type_transition $2 dbusd_exec_t:process $1_dbusd_t;
allow $1_dbusd_t $2:fd use;
allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t $2:process sigchld;
')
The line that has been commented out (type_transition) is the
problematic rule which leads to the "conflicting type rules" error upon
loading the policy.
This rule comes from the domain_auto_transition_pattern provided by
support/misc_patterns.spt.
However, if I hardcode "user" instead of "$1", the type_transition
works fine. I suspect, it stops functioning when $1 is replaced by
"sysadm" or "staff".
If I do manually substitute the two and try to recompile, the following
happens:
$1=sysadm ==> staff.te doesn't compile (unknown type error)
$1=staff ==> sysadm.te doesn't compile (unknown type error)
In some way, it sounds like a bug or some sort of limitation of the
current policy... Can you shed some light ?
Best regards,
Guido
On 08/25/16 05:47, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have more information on this problem.
>
> On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
>> On 08/24/16 17:55, Guido Trentalancia wrote:
>>>
>>> Hello Christopher.
>>>
>>> I have more detailed information about this problem...
>>>
>>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> Hello Christopher !
>>>>>
>>>>> Thanks for providing your valuable feedback.
>>>>>
>>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>>
>>>>>>
>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>>> type gconf_home_t;
>>>>>>> + type gnome_settings_t,
>>>>>>> gnome_settings_exec_t;
>>>>>>> + type gnome_settings_daemon_t,
>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>> + type gnome_settings_schemas_t;
>>>>>>> + type gkeyringd_exec_t,
>>>>>>> gnome_keyring_home_t,
>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>> + type mime_info_t;
>>>>>>> + type user_dbusd_t;
>>>>>>
>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>
>>>>> If $1_dbusd_t is used to get the role/type prefix from the
>>>>> caller,
>>>>> then
>>>>> it doesn't compile for some reason which is not yet clear to
>>>>> me.
>>>>>
>>>>> Any idea ?
>>>>
>>>> The $1_dbusd_t rules need to be contained in the dbus module, not
>>>> the
>>>> gnome module. Beyond that, it's tough to say what the problem
>>>> is,
>>>> without knowing the error messages.
>>>
>>> Suppose to have the following additional dbus interface:
>>>
>>> #######################################
>>> ## <summary>
>>> ## Make a domain transition from a
>>> ## given source domain to the
>>> ## DBUS session bus domain using
>>> ## the DBUS executable file type.
>>> ## </summary>
>>> ## <param name="role_prefix">
>>> ## <summary>
>>> ## The prefix of the user role (e.g., user
>>> ## is the prefix for user_r).
>>> ## </summary>
>>> ## </param>
>>> ## <param name="domain">
>>> ## <summary>
>>> ## Domain allowed access.
>>> ## </summary>
>>> ## </param>
>>> #
>>> interface(`dbus_domain_transition_session_bus',`
>>> gen_require(`
>>> type dbusd_exec_t;
>>> type $1_dbusd_t;
>>> ')
>>>
>>> allow $2 dbusd_exec_t:file exec_file_perms;
>>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>> ')
>>>
>>> and suppose that it is called by the following statement:
>>>
>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>
>>> where $1 = "user".
>>>
>>> During policy load, the following error is generated:
>>>
>>> Conflicting type rules
>>> Binary policy creation failed at line 29393 of
>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>> Failed to generate binary
>>> /usr/sbin/semodule: Failed!
>>> make: *** [Rules.modular:58: load] Error 1
>>>
>>> The temporary file is deleted automatically and cannot be
>>> inspected.
>>>
>>> I hope it is clear now...
>>>
>>> Do you have an idea ? It's the only thing missing before all the
>>> dbus
>>> rules are moved from the gnome to the dbus module and I can create
>>> a
>>> new version of this important patch.
>>
>> It's not so helpful unfortunately. My guess is that it is a
>> conflicting
>> type_transition. Unfortunately the compiler error message isn't
>> helpful.
>
> I have tested and your guess is correct !
>
> The above interface expands as follows:
>
> interface(`dbus_domain_transition_session_bus',`
> allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
>
> domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
> # type_transition $2 dbusd_exec_t:process $1_dbusd_t;
>
> allow $1_dbusd_t $2:fd use;
> allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
> allow $1_dbusd_t $2:process sigchld;
> ')
>
> The line that has been commented out (type_transition) is the
> problematic rule which leads to the "conflicting type rules" error upon
> loading the policy.
>
> Such rule comes from the domain_auto_transition_pattern provided by
> support/misc_patterns.spt.
>
> However, if I hardcode "user" instead of "$1", the type_transition
> works fine. I suspect, it stops functioning when $1 is replaced by
> "sysadm" or "staff".
>
> If I do manually substitute the two and try to recompile, the following
> happens:
>
> $1=sysadm ==> staff.te doesn't compile (unknown type error)
>
> $1=staff ==> sysadm.te doesn't compile (unknown type error)
>
> In some way, it sounds like a bug or some sort of limitation of the
> actual policy... Can you shed some light ?
I'm not clear why you would see unknown types. You have to inspect the
intermediate files. I believe if you add them to a .SECONDARY entry in
the Makefile/Rules.*, it will not delete them when they're done. I'd be
fine taking that patch too, so intermediate files are never deleted.
--
Chris PeBenito
Hello Christopher.
On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote:
[...]
> > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > + type dconf_t, dconf_exec_t,
> > > > > > > > dconf_home_t;
> > > > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > > > >   type gconfd_t, gconfd_exec_t,
> > > > > > > > gconf_tmp_t;
> > > > > > > >   type gconf_home_t;
> > > > > > > > + type gnome_settings_t,
> > > > > > > > gnome_settings_exec_t;
> > > > > > > > + type gnome_settings_daemon_t,
> > > > > > > > gnome_settings_daemon_exec_t;
> > > > > > > > + type gnome_settings_schemas_t;
> > > > > > > > + type gkeyringd_exec_t,
> > > > > > > > gnome_keyring_home_t,
> > > > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > > > + type mime_info_t;
> > > > > > > > + type user_dbusd_t;
> > > > > > >
> > > > > > > This dbus type cannot be referenced directly in this
> > > > > > > module.
> > > > > >
> > > > > > If $1_dbusd_t is used to get the role/type prefix from the
> > > > > > caller,
> > > > > > then
> > > > > > it doesn't compile for some reason which is not yet clear
> > > > > > to
> > > > > > me.
> > > > > >
> > > > > > Any idea ?
> > > > >
> > > > > The $1_dbusd_t rules need to be contained in the dbus module,
> > > > > not
> > > > > the
> > > > > gnome module. Beyond that, it's tough to say what the
> > > > > problem
> > > > > is,
> > > > > without knowing the error messages.
> > > >
> > > > Suppose to have the following additional dbus interface:
> > > >
> > > > #######################################
> > > > ## <summary>
> > > > ##	Make a domain transition from a
> > > > ##	given source domain to the
> > > > ##	DBUS session bus domain using
> > > > ##	the DBUS executable file type.
> > > > ## </summary>
> > > > ## <param name="role_prefix">
> > > > ##	<summary>
> > > > ##	The prefix of the user role (e.g., user
> > > > ##	is the prefix for user_r).
> > > > ##	</summary>
> > > > ## </param>
> > > > ## <param name="domain">
> > > > ##	<summary>
> > > > ##	Domain allowed access.
> > > > ##	</summary>
> > > > ## </param>
> > > > #
> > > > interface(`dbus_domain_transition_session_bus',`
> > > > 	gen_require(`
> > > > 		type dbusd_exec_t;
> > > > 		type $1_dbusd_t;
> > > > 	')
> > > >
> > > > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > > > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > > > ')
> > > >
> > > > and suppose that it is called by the following statement:
> > > >
> > > > dbus_domain_transition_session_bus($1, at_spi_t)
> > > >
> > > > where $1 = "user".
> > > >
> > > > During policy load, the following error is generated:
> > > >
> > > > Conflicting type rules
> > > > Binary policy creation failed at line 29393 of
> > > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > > > Failed to generate binary
> > > > /usr/sbin/semodule: Failed!
> > > > make: *** [Rules.modular:58: load] Error 1
> > > >
> > > > The temporary file is deleted automatically and cannot be
> > > > inspected.
> > > >
> > > > I hope it is clear now...
> > > >
> > > > Do you have an idea ? It's the only thing missing before all
> > > > the
> > > > dbus
> > > > rules are moved from the gnome to the dbus module and I can
> > > > create
> > > > a
> > > > new version of this important patch.
> > >
> > > It's not so helpful unfortunately. My guess is that it is a
> > > conflicting
> > > type_transition. Unfortunately the compiler error message isn't
> > > helpful.
> >
> > I have tested and your guess is correct !
> >
> > The above interface expands as follows:
> >
> > interface(`dbus_domain_transition_session_bus',`
> > 	allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
> >
> > 	domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
> > #	type_transition $2 dbusd_exec_t:process $1_dbusd_t;
> >
> > 	allow $1_dbusd_t $2:fd use;
> > 	allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
> > 	allow $1_dbusd_t $2:process sigchld;
> > ')
> >
> > The line that has been commented out (type_transition) is the
> > problematic rule which leads to the "conflicting type rules" error
> > upon
> > loading the policy.
> >
> > Such rule comes from the domain_auto_transition_pattern provided by
> > support/misc_patterns.spt.
> >
> > However, if I hardcode "user" instead of "$1", the type_transition
> > works fine. I suspect, it stops functioning when $1 is replaced by
> > "sysadm" or "staff".
> >
> > If I do manually substitute the two and try to recompile, the
> > following
> > happens:
> >
> > $1=sysadm ==> staff.te doesn't compile (unknown type error)
> >
> > $1=staff ==> sysadm.te doesn't compile (unknown type error)
> >
> > In some way, it sounds like a bug or some sort of limitation of the
> > actual policy... Can you shed some light ?
>
> I'm not clear why you would see unknown types. You have to inspect
> the
> intermediate files. I believe if you add them to a .SECONDARY entry
> in
> the Makefile/Rules.*, it will not delete them when they're done. I'd
> be
> fine taking that patch too, so intermediate files are never deleted.
I think the files that you mention are stored in the "tmp" subdirectory
of the policy source.
I don't think there is a need to modify the Makefile or Rules.* files.
The "Conflicting type rules" error comes from libsepol when one tries
to load the policy using semodule (called by the policy Makefile).
What semodule deleted (/var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil)
might be a binary file generated by libsepol. In any case, it has
nothing to do with the policy Makefile.
Unfortunately, I have checked the temporary files in the "tmp"
subdirectory of the build tree, but the only difference between the
working version and the non-working version is that the static
hardcoded "user" string ("user_dbusd_t") in the type_transition rule is
replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so on).
I noticed that the dbus_role_template is also using that variable type
($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or
"xguest").
The problem seems to be that the $1_dbusd_t type defined by the
dbus_role_template conflicts with the type defined by the new interface
that is required by gnome (it conflicts with the type_transition rule).
I believe this is a bug or some sort of limitation of the existing
policy... Do you know how to fix it ?
Regards,
Guido
Hello Christopher.
On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
> On 08/24/16 17:55, Guido Trentalancia wrote:
> >
> > Hello Christopher.
> >
> > I have more detailed information about this problem...
> >
> > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
> > >
> > > On 08/23/16 08:44, Guido Trentalancia wrote:
> > > >
> > > >
> > > > Hello Christopher !
> > > >
> > > > Thanks for providing your valuable feedback.
> > > >
> > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> > > > >
> > > > >
> > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > >   type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > > >   type gconf_home_t;
> > > > > > + type gnome_settings_t,
> > > > > > gnome_settings_exec_t;
> > > > > > + type gnome_settings_daemon_t,
> > > > > > gnome_settings_daemon_exec_t;
> > > > > > + type gnome_settings_schemas_t;
> > > > > > + type gkeyringd_exec_t,
> > > > > > gnome_keyring_home_t,
> > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > + type mime_info_t;
> > > > > > + type user_dbusd_t;
> > > > >
> > > > > This dbus type cannot be referenced directly in this module.
> > > >
> > > > If $1_dbusd_t is used to get the role/type prefix from the
> > > > caller,
> > > > then
> > > > it doesn't compile for some reason which is not yet clear to
> > > > me.
> > > >
> > > > Any idea ?
> > >
> > > The $1_dbusd_t rules need to be contained in the dbus module, not
> > > the
> > > gnome module. Beyond that, it's tough to say what the problem
> > > is,
> > > without knowing the error messages.
> >
> > Suppose to have the following additional dbus interface:
> >
> > #######################################
> > ## <summary>
> > ##	Make a domain transition from a
> > ##	given source domain to the
> > ##	DBUS session bus domain using
> > ##	the DBUS executable file type.
> > ## </summary>
> > ## <param name="role_prefix">
> > ##	<summary>
> > ##	The prefix of the user role (e.g., user
> > ##	is the prefix for user_r).
> > ##	</summary>
> > ## </param>
> > ## <param name="domain">
> > ##	<summary>
> > ##	Domain allowed access.
> > ##	</summary>
> > ## </param>
> > #
> > interface(`dbus_domain_transition_session_bus',`
> > 	gen_require(`
> > 		type dbusd_exec_t;
> > 		type $1_dbusd_t;
> > 	')
> >
> > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > ')
> >
> > and suppose that it is called by the following statement:
> >
> > dbus_domain_transition_session_bus($1, at_spi_t)
> >
> > where $1 = "user".
> >
> > During policy load, the following error is generated:
> >
> > Conflicting type rules
> > Binary policy creation failed at line 29393 of
> > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > Failed to generate binary
> > /usr/sbin/semodule: Failed!
> > make: *** [Rules.modular:58: load] Error 1
> >
> > The temporary file is deleted automatically and cannot be
> > inspected.
> >
> > I hope it is clear now...
> >
> > Do you have an idea ? It's the only thing missing before all the
> > dbus
> > rules are moved from the gnome to the dbus module and I can create
> > a
> > new version of this important patch.
>
> It's not so helpful unfortunately. My guess is that it is a
> conflicting
> type_transition. Unfortunately the compiler error message isn't
> helpful.
I have just posted a patch on the SELinux mailing list to produce a
more meaningful error message for conflicting type rules, see the
following thread:
[PATCH] libsepol: Produce more meaningful error messages for
conflicting type rules
In this case, the conflicting type rule is:
scontext=at_spi_t
tcontext=dbusd_exec_t
tclass=process
result=sysadm_dbusd_t
which confirms the previous debugging results (it's the type_transition
rule).
Another one is similar, with scontext=gnome_settings_t.
What I suspect is that when it compiles, it quadruplicates the type
transition for each of user, staff, sysadm and xguest, thus leading to
conflicting rules: a type_transition is keyed on (source type, target
type, class), so a given source such as at_spi_t executing dbusd_exec_t
can only have a single default result type, not one per role prefix.
Therefore, the solution might be to use a common static name for the
domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
Regards,
Guido
On 08/27/2016 07:08 PM, Guido Trentalancia via refpolicy wrote:
> Hello Christopher.
>
> On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
>> On 08/24/16 17:55, Guido Trentalancia wrote:
>>>
>>> Hello Christopher.
>>>
>>> I have more detailed information about this problem...
>>>
>>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> Hello Christopher !
>>>>>
>>>>> Thanks for providing your valuable feedback.
>>>>>
>>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>>
>>>>>>
>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>>> type gconf_home_t;
>>>>>>> + type gnome_settings_t,
>>>>>>> gnome_settings_exec_t;
>>>>>>> + type gnome_settings_daemon_t,
>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>> + type gnome_settings_schemas_t;
>>>>>>> + type gkeyringd_exec_t,
>>>>>>> gnome_keyring_home_t,
>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>> + type mime_info_t;
>>>>>>> + type user_dbusd_t;
>>>>>>
>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>
>>>>> If $1_dbusd_t is used to get the role/type prefix from the
>>>>> caller,
>>>>> then
>>>>> it doesn't compile for some reason which is not yet clear to
>>>>> me.
>>>>>
>>>>> Any idea ?
>>>>
>>>> The $1_dbusd_t rules need to be contained in the dbus module, not
>>>> the
>>>> gnome module. Beyond that, it's tough to say what the problem
>>>> is,
>>>> without knowing the error messages.
>>>
>>> Suppose to have the following additional dbus interface:
>>>
>>> #######################################
>>> ## <summary>
>>> ## Make a domain transition from a
>>> ## given source domain to the
>>> ## DBUS session bus domain using
>>> ## the DBUS executable file type.
>>> ## </summary>
>>> ## <param name="role_prefix">
>>> ## <summary>
>>> ## The prefix of the user role (e.g., user
>>> ## is the prefix for user_r).
>>> ## </summary>
>>> ## </param>
>>> ## <param name="domain">
>>> ## <summary>
>>> ## Domain allowed access.
>>> ## </summary>
>>> ## </param>
>>> #
>>> interface(`dbus_domain_transition_session_bus',`
>>> gen_require(`
>>> type dbusd_exec_t;
>>> type $1_dbusd_t;
>>> ')
>>>
>>> allow $2 dbusd_exec_t:file exec_file_perms;
>>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>> ')
>>>
>>> and suppose that it is called by the following statement:
>>>
>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>
>>> where $1 = "user".
>>>
>>> During policy load, the following error is generated:
>>>
>>> Conflicting type rules
>>> Binary policy creation failed at line 29393 of
>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>> Failed to generate binary
>>> /usr/sbin/semodule: Failed!
>>> make: *** [Rules.modular:58: load] Error 1
>>>
>>> The temporary file is deleted automatically and cannot be
>>> inspected.
>>>
>>> I hope it is clear now...
>>>
>>> Do you have an idea ? It's the only thing missing before all the
>>> dbus
>>> rules are moved from the gnome to the dbus module and I can create
>>> a
>>> new version of this important patch.
>>
>> It's not so helpful unfortunately. My guess is that it is a
>> conflicting
>> type_transition. Unfortunately the compiler error message isn't
>> helpful.
>
> I have just posted a patch on the SELinux mailing list to produce a
> more meaningful error message for conflicting type rules, see the
> following thread:
>
> [PATCH] libsepol: Produce more meaningful error messages for
> conflicting type rules
>
> In this case, the conflicting type rule is:
>
> scontext=at_spi_t
> tcontext=dbusd_exec_t
> tclass=process
> result=sysadm_dbusd_t
>
> which confirms the previous debugging results (it's the type_transition
> rule).
>
> Another one is similar, with scontext=gnome_settings_t.
>
> What I suspect is that when it compiles, it quadruplicates the type
> transition for each of user, staff, sysadm and xguest, thus leading to
> conflicting rules.
>
> Therefore, the solution might be to use a common static name for the
> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
And that will introduce other issues, because the session bus must be
able to run things on behalf of the caller.
>
> Regards,
>
> Guido
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick.
On Sat, 27/08/2016 at 19.10 +0200, Dominick Grift via refpolicy wrote:
> On 08/27/2016 07:08 PM, Guido Trentalancia via refpolicy wrote:
[...]
> > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > + type dconf_t, dconf_exec_t,
> > > > > > > > dconf_home_t;
> > > > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > > > >   type gconfd_t, gconfd_exec_t,
> > > > > > > > gconf_tmp_t;
> > > > > > > >   type gconf_home_t;
> > > > > > > > + type gnome_settings_t,
> > > > > > > > gnome_settings_exec_t;
> > > > > > > > + type gnome_settings_daemon_t,
> > > > > > > > gnome_settings_daemon_exec_t;
> > > > > > > > + type gnome_settings_schemas_t;
> > > > > > > > + type gkeyringd_exec_t,
> > > > > > > > gnome_keyring_home_t,
> > > > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > > > + type mime_info_t;
> > > > > > > > + type user_dbusd_t;
> > > > > > >
> > > > > > > This dbus type cannot be referenced directly in this
> > > > > > > module.
> > > > > >
> > > > > > If $1_dbusd_t is used to get the role/type prefix from the
> > > > > > caller,
> > > > > > then
> > > > > > it doesn't compile for some reason which is not yet clear
> > > > > > to
> > > > > > me.
> > > > > >
> > > > > > Any idea ?
> > > > >
> > > > > The $1_dbusd_t rules need to be contained in the dbus module,
> > > > > not
> > > > > the
> > > > > gnome module. Beyond that, it's tough to say what the
> > > > > problem
> > > > > is,
> > > > > without knowing the error messages.
> > > >
> > > > Suppose to have the following additional dbus interface:
> > > >
> > > > #######################################
> > > > ## <summary>
> > > > ##	Make a domain transition from a
> > > > ##	given source domain to the
> > > > ##	DBUS session bus domain using
> > > > ##	the DBUS executable file type.
> > > > ## </summary>
> > > > ## <param name="role_prefix">
> > > > ##	<summary>
> > > > ##	The prefix of the user role (e.g., user
> > > > ##	is the prefix for user_r).
> > > > ##	</summary>
> > > > ## </param>
> > > > ## <param name="domain">
> > > > ##	<summary>
> > > > ##	Domain allowed access.
> > > > ##	</summary>
> > > > ## </param>
> > > > #
> > > > interface(`dbus_domain_transition_session_bus',`
> > > > 	gen_require(`
> > > > 		type dbusd_exec_t;
> > > > 		type $1_dbusd_t;
> > > > 	')
> > > >
> > > > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > > > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > > > ')
> > > >
> > > > and suppose that it is called by the following statement:
> > > >
> > > > dbus_domain_transition_session_bus($1, at_spi_t)
> > > >
> > > > where $1 = "user".
> > > >
> > > > During policy load, the following error is generated:
> > > >
> > > > Conflicting type rules
> > > > Binary policy creation failed at line 29393 of
> > > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > > > Failed to generate binary
> > > > /usr/sbin/semodule: Failed!
> > > > make: *** [Rules.modular:58: load] Error 1
> > > >
> > > > The temporary file is deleted automatically and cannot be
> > > > inspected.
> > > >
> > > > I hope it is clear now...
> > > >
> > > > Do you have an idea ? It's the only thing missing before all
> > > > the
> > > > dbus
> > > > rules are moved from the gnome to the dbus module and I can
> > > > create
> > > > a
> > > > new version of this important patch.
> > >
> > > It's not so helpful unfortunately. My guess is that it is a
> > > conflicting
> > > type_transition. Unfortunately the compiler error message isn't
> > > helpful.
> >
> > I have just posted a patch on the SELinux mailing list to produce a
> > more meaningful error message for conflicting type rules, see the
> > following thread:
> >
> > [PATCH] libsepol: Produce more meaningful error messages for
> > conflicting type rules
> >
> > In this case, the conflicting type rule is:
> >
> > scontext=at_spi_t
> > tcontext=dbusd_exec_t
> > tclass=process
> > result=sysadm_dbusd_t
> >
> > which confirms the previous debugging results (it's the
> > type_transition
> > rule).
> >
> > Another one is similar, with scontext=gnome_settings_t.
> >
> > What I suspect is that when it compiles, it quadruplicates the type
> > transition for each of user, staff, sysadm and xguest, thus leading
> > to
> > conflicting rules (a type_transition for a given source type, target
> > type and class can only have one result type).
> >
> > Therefore, the solution might be to use a common static name for
> > the
> > domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>
> and that will introduce other issues. because the session bus must be
> able to run things on behalf of the caller
Thanks for providing a forecast of other issues.
So, what's the way out of this damn loop ?
I am almost getting lost...
Regards,
Guido
On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> On Sat, 27/08/2016 at 19.10 +0200, Dominick Grift via refpolicy wrote:
>> On 08/27/2016 07:08 PM, Guido Trentalancia via refpolicy wrote:
>
> [...]
>
>>>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> + type dconf_t, dconf_exec_t,
>>>>>>>>> dconf_home_t;
>>>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>>>> type gconfd_t, gconfd_exec_t,
>>>>>>>>> gconf_tmp_t;
>>>>>>>>> type gconf_home_t;
>>>>>>>>> + type gnome_settings_t,
>>>>>>>>> gnome_settings_exec_t;
>>>>>>>>> + type gnome_settings_daemon_t,
>>>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>>>> + type gnome_settings_schemas_t;
>>>>>>>>> + type gkeyringd_exec_t,
>>>>>>>>> gnome_keyring_home_t,
>>>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>>>> + type mime_info_t;
>>>>>>>>> + type user_dbusd_t;
>>>>>>>>
>>>>>>>> This dbus type cannot be referenced directly in this
>>>>>>>> module.
>>>>>>>
>>>>>>> If $1_dbusd_t is used to get the role/type prefix from the
>>>>>>> caller,
>>>>>>> then
>>>>>>> it doesn't compile for some reason which is not yet clear
>>>>>>> to
>>>>>>> me.
>>>>>>>
>>>>>>> Any idea ?
>>>>>>
>>>>>> The $1_dbusd_t rules need to be contained in the dbus module,
>>>>>> not
>>>>>> the
>>>>>> gnome module. Beyond that, it's tough to say what the
>>>>>> problem
>>>>>> is,
>>>>>> without knowing the error messages.
>>>>>
>>>>> Suppose to have the following additional dbus interface:
>>>>>
>>>>> #######################################
>>>>> ## <summary>
>>>>> ## Make a domain transition from a
>>>>> ## given source domain to the
>>>>> ## DBUS session bus domain using
>>>>> ## the DBUS executable file type.
>>>>> ## </summary>
>>>>> ## <param name="role_prefix">
>>>>> ## <summary>
>>>>> ## The prefix of the user role (e.g., user
>>>>> ## is the prefix for user_r).
>>>>> ## </summary>
>>>>> ## </param>
>>>>> ## <param name="domain">
>>>>> ## <summary>
>>>>> ## Domain allowed access.
>>>>> ## </summary>
>>>>> ## </param>
>>>>> #
>>>>> interface(`dbus_domain_transition_session_bus',`
>>>>> gen_require(`
>>>>> type dbusd_exec_t;
>>>>> type $1_dbusd_t;
>>>>> ')
>>>>>
>>>>> allow $2 dbusd_exec_t:file exec_file_perms;
>>>>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>>>> ')
>>>>>
>>>>> and suppose that it is called by the following statement:
>>>>>
>>>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>>>
>>>>> where $1 = "user".
>>>>>
>>>>> During policy load, the following error is generated:
>>>>>
>>>>> Conflicting type rules
>>>>> Binary policy creation failed at line 29393 of
>>>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>>>> Failed to generate binary
>>>>> /usr/sbin/semodule: Failed!
>>>>> make: *** [Rules.modular:58: load] Error 1
>>>>>
>>>>> The temporary file is deleted automatically and cannot be
>>>>> inspected.
>>>>>
>>>>> I hope it is clear now...
>>>>>
>>>>> Do you have an idea ? It's the only thing missing before all
>>>>> the
>>>>> dbus
>>>>> rules are moved from the gnome to the dbus module and I can
>>>>> create
>>>>> a
>>>>> new version of this important patch.
>>>>
>>>> It's not so helpful unfortunately. My guess is that it is a
>>>> conflicting
>>>> type_transition. Unfortunately the compiler error message isn't
>>>> helpful.
>>>
>>> I have just posted a patch on the SELinux mailing list to produce a
>>> more meaningful error message for conflicting type rules, see the
>>> following thread:
>>>
>>> [PATCH] libsepol: Produce more meaningful error messages for
>>> conflicting type rules
>>>
>>> In this case, the conflicting type rule is:
>>>
>>> scontext=at_spi_t
>>> tcontext=dbusd_exec_t
>>> tclass=process
>>> result=sysadm_dbusd_t
>>>
>>> which confirms the previous debugging results (it's the
>>> type_transition
>>> rule).
>>>
>>> Another one is similar, with scontext=gnome_settings_t.
>>>
>>> What I suspect is that when it compiles, it quadruplicates the type
>>> transition for each of user, staff, sysadm and xguest, thus leading
>>> to
>>> conflicting rules.
>>>
>>> Therefore, the solution might be to use a common static name for
>>> the
>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>
>> and that will introduce other issues. because the session bus must be
>> able to run things on behalf of the caller
>
> Thanks for providing a forecast of other issues.
>
> So, what's the way out of this damn loop ?
>
> I am almost getting lost...
>
I dont know.
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
[...]
> > > > > It's not so helpful unfortunately. My guess is that it is a
> > > > > conflicting
> > > > > type_transition. Unfortunately the compiler error message
> > > > > isn't
> > > > > helpful.
> > > >
> > > > I have just posted a patch on the SELinux mailing list to
> > > > produce a
> > > > more meaningful error message for conflicting type rules, see
> > > > the
> > > > following thread:
> > > >
> > > > [PATCH] libsepol: Produce more meaningful error messages for
> > > > conflicting type rules
> > > >
> > > > In this case, the conflicting type rule is:
> > > >
> > > > scontext=at_spi_t
> > > > tcontext=dbusd_exec_t
> > > > tclass=process
> > > > result=sysadm_dbusd_t
> > > >
> > > > which confirms the previous debugging results (it's the
> > > > type_transition
> > > > rule).
> > > >
> > > > Another one is similar, with scontext=gnome_settings_t.
> > > >
> > > > What I suspect is that when it compiles, it quadruplicates the
> > > > type
> > > > transition for each of user, staff, sysadm and xguest, thus
> > > > leading
> > > > to
> > > > conflicting rules.
> > > >
> > > > Therefore, the solution might be to use a common static name
> > > > for
> > > > the
> > > > domain (for example, "session_dbusd_t" instead of
> > > > "$1_dbusd_t").
> > >
> > > and that will introduce other issues. because the session bus
> > > must be
> > > able to run things on behalf of the caller
> >
> > Thanks for providing a forecast of other issues.
> >
> > So, what's the way out of this damn loop ?
> >
> > I am almost getting lost...
> >
>
> I dont know.
We need to find a cure for this !!
What prevents it from running things on behalf of the caller ? And what
do you mean exactly by running things on behalf of the caller ?
I have the following interface:
allow $1 dbusd_exec_t:file exec_file_perms;
domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
which is called with $1=at_spi_t and $1=gnome_settings_t but goes
completely ignored !
If I search for "execute" or "transition" permissions using sesearch,
it doesn't find anything, so for some strange reason the interface goes
completely ignored !
Is that what you meant earlier ? Why is it happening ??
Regards,
Guido
On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>
> [...]
>
>>>>>> It's not so helpful unfortunately. My guess is that it is a
>>>>>> conflicting
>>>>>> type_transition. Unfortunately the compiler error message
>>>>>> isn't
>>>>>> helpful.
>>>>>
>>>>> I have just posted a patch on the SELinux mailing list to
>>>>> produce a
>>>>> more meaningful error message for conflicting type rules, see
>>>>> the
>>>>> following thread:
>>>>>
>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>> conflicting type rules
>>>>>
>>>>> In this case, the conflicting type rule is:
>>>>>
>>>>> scontext=at_spi_t
>>>>> tcontext=dbusd_exec_t
>>>>> tclass=process
>>>>> result=sysadm_dbusd_t
>>>>>
>>>>> which confirms the previous debugging results (it's the
>>>>> type_transition
>>>>> rule).
>>>>>
>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>
>>>>> What I suspect is that when it compiles, it quadruplicates the
>>>>> type
>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>> leading
>>>>> to
>>>>> conflicting rules.
>>>>>
>>>>> Therefore, the solution might be to use a common static name
>>>>> for
>>>>> the
>>>>> domain (for example, "session_dbusd_t" instead of
>>>>> "$1_dbusd_t").
>>>>
>>>> and that will introduce other issues. because the session bus
>>>> must be
>>>> able to run things on behalf of the caller
>>>
>>> Thanks for providing a forecast of other issues.
>>>
>>> So, what's the way out of this damn loop ?
>>>
>>> I am almost getting lost...
>>>
>>
>> I dont know.
>
> We need to find a cure for this !!
I have been pleading for this for years. In my case the solution to
these problems is DSSP and CIL. I was never able to solve these issues
with reference policy unfortunately.
>
> What prevents it from running things on behalf of the caller ? And what
> do you mean exactly for running things on behalf of the caller ?
It's hard to explain. The best way to appreciate what I mean is to
experience it yourself. It will become clear as you move towards a fully
confined desktop.
A lot of programs can be started by the session bus. Many of these
programs started by the session bus on behalf of users run other
programs, and so forth. Some of these programs need to
eventually be able to run a shell with a domain transition back to the
login shell domain.
staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
To be able to do this we need to use derived types. You can't do it if
there's a single session_dbus_t type.
>
> I have the following interface:
>
> allow $1 dbusd_exec_t:file exec_file_perms;
> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
>
> which is called with $1=at_spi_t and $1=gnome_settings_t but goes
> completely ignored !
>
> If I search for "execute" or "transition" permissions using sesearch,
> it doesn't find anything, so for some strange reason the interface goes
> completely ignored !
>
> Is that what you meant earlier ? Why is it happening ??
>
> Regards,
>
> Guido
>
Maybe others know a way out. I really don't. Sorry.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Dominick.
Thanks for providing more information.
On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
> >
> > On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
> > >
> > > On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
> >
> > [...]
> >
> > >
> > > >
> > > > >
> > > > > >
> > > > > > >
> > > > > > > It's not so helpful unfortunately. My guess is that it
> > > > > > > is a
> > > > > > > conflicting
> > > > > > > type_transition. Unfortunately the compiler error
> > > > > > > message
> > > > > > > isn't
> > > > > > > helpful.
> > > > > >
> > > > > > I have just posted a patch on the SELinux mailing list to
> > > > > > produce a
> > > > > > more meaningful error message for conflicting type rules,
> > > > > > see
> > > > > > the
> > > > > > following thread:
> > > > > >
> > > > > > [PATCH] libsepol: Produce more meaningful error messages
> > > > > > for
> > > > > > conflicting type rules
> > > > > >
> > > > > > In this case, the conflicting type rule is:
> > > > > >
> > > > > > scontext=at_spi_t
> > > > > > tcontext=dbusd_exec_t
> > > > > > tclass=process
> > > > > > result=sysadm_dbusd_t
> > > > > >
> > > > > > which confirms the previous debugging results (it's the
> > > > > > type_transition
> > > > > > rule).
> > > > > >
> > > > > > Another one is similar, with scontext=gnome_settings_t.
> > > > > >
> > > > > > What I suspect is that when it compiles, it quadruplicates
> > > > > > the
> > > > > > type
> > > > > > transition for each of user, staff, sysadm and xguest, thus
> > > > > > leading
> > > > > > to
> > > > > > conflicting rules.
> > > > > >
> > > > > > Therefore, the solution might be to use a common static
> > > > > > name
> > > > > > for
> > > > > > the
> > > > > > domain (for example, "session_dbusd_t" instead of
> > > > > > "$1_dbusd_t").
> > > > >
> > > > > and that will introduce other issues. because the session bus
> > > > > must be
> > > > > able to run things on behalf of the caller
> > > >
> > > > Thanks for providing a forecast of other issues.
> > > >
> > > > So, what's the way out of this damn loop ?
> > > >
> > > > I am almost getting lost...
> > > >
> > >
> > > I dont know.
> >
> > We need to find a cure for this !!
>
> I have been pleading for this for years. In my case the solution to
> these problems is DSSP and CIL. I was never able to solve these
> issues
> with reference policy unfortunately.
There must be a way of solving this problem.
> > What prevents it from running things on behalf of the caller ? And
> > what
> > do you mean exactly for running things on behalf of the caller ?
>
> It hard to explain. The best way to appreciate what I mean is to
> experience it yourself. It will become clear as you move towards a
> fully
> confined desktop.
>
> A lot of programs can be started by the session bus. Many of these
> programs started by the session bus on behalf of users run other
> programs and so forth and so forth. Some of these programs need to
> eventually be able run shell with a domain transition back to the
> login
> shell domain.
>
> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>
> To be able to do this we need to use derived types. You can't do it
> if
> theres a single session_dbus_t type.
In the case at hand, there isn't the need to get back to the initial
domain.
If I am not wrong, the whole transition is as follows:
user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t
(at_spi_exec_t)-> at_spi_t
The last transition is not working for some reason (I have used the new
dbus interface quoted below)...
> > I have the following interface:
> >
> > allow $1 dbusd_exec_t:file exec_file_perms;
> > domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
> >
> > which is called with $1=at_spi_t and $1=gnome_settings_t but goes
> > completely ignored !
> >
> > If I search for "execute" or "transition" permissions using
> > sesearch,
> > it doesn't find anything, so for some strange reason the interface
> > goes
> > completely ignored !
> >
> > Is that what you meant earlier ? Why is it happening ??
[...]
> Maybe others know a way out. I really don't. Sorry.
Don't worry about that. But with the help of others, we need to find a
cure for this !
Regards,
Guido
On 08/27/2016 11:48 PM, Guido Trentalancia via refpolicy wrote:
> Hello Dominick.
>
> Thanks for providing more information.
>
> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>
>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>
>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>
>>> [...]
>>>
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>> is a
>>>>>>>> conflicting
>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>> message
>>>>>>>> isn't
>>>>>>>> helpful.
>>>>>>>
>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>> produce a
>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>> see
>>>>>>> the
>>>>>>> following thread:
>>>>>>>
>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>> for
>>>>>>> conflicting type rules
>>>>>>>
>>>>>>> In this case, the conflicting type rule is:
>>>>>>>
>>>>>>> scontext=at_spi_t
>>>>>>> tcontext=dbusd_exec_t
>>>>>>> tclass=process
>>>>>>> result=sysadm_dbusd_t
>>>>>>>
>>>>>>> which confirms the previous debugging results (it's the
>>>>>>> type_transition
>>>>>>> rule).
>>>>>>>
>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>
>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>> the
>>>>>>> type
>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>> leading
>>>>>>> to
>>>>>>> conflicting rules.
>>>>>>>
>>>>>>> Therefore, the solution might be to use a common static
>>>>>>> name
>>>>>>> for
>>>>>>> the
>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>> "$1_dbusd_t").
>>>>>>
>>>>>> and that will introduce other issues. because the session bus
>>>>>> must be
>>>>>> able to run things on behalf of the caller
>>>>>
>>>>> Thanks for providing a forecast of other issues.
>>>>>
>>>>> So, what's the way out of this damn loop ?
>>>>>
>>>>> I am almost getting lost...
>>>>>
>>>>
>>>> I dont know.
>>>
>>> We need to find a cure for this !!
>>
>> I have been pleading for this for years. In my case the solution to
>> these problems is DSSP and CIL. I was never able to solve these
>> issues
>> with reference policy unfortunately.
>
> There must be a way of solving this problem.
>
>>> What prevents it from running things on behalf of the caller ? And
>>> what
>>> do you mean exactly for running things on behalf of the caller ?
>>
>> It hard to explain. The best way to appreciate what I mean is to
>> experience it yourself. It will become clear as you move towards a
>> fully
>> confined desktop.
>>
>> A lot of programs can be started by the session bus. Many of these
>> programs started by the session bus on behalf of users run other
>> programs and so forth and so forth. Some of these programs need to
>> eventually be able run shell with a domain transition back to the
>> login
>> shell domain.
>>
>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>
>> To be able to do this we need to use derived types. You can't do it
>> if
>> theres a single session_dbus_t type.
>
> In the case at hand, there isn't the need to get back to the initial
> domain.
>
> If I am not wrong, the whole transition is as follows:
>
> user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t
> (at_spi_exec_t)-> at_spi_t
>
To see what i am trying to say you have to experience it for yourself.
Gnome is this single body made up of individual entities. Just because
atspi "may" not need to be prefixed doesn't mean that the session bus
doesn't need to be prefixed. atspi isn't the only app executed by the
session bus.
And let me just remind you. atspi needs to be able to run the session
bus if it is not currently running. Do you see the chicken and egg problem?
> The last transition is not working for some reason (I have used the new
> dbus interface quoted below)...
>
>>> I have the following interface:
>>>
>>> allow $1 dbusd_exec_t:file exec_file_perms;
>>> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
>>>
>>> which is called with $1=at_spi_t and $1=gnome_settings_t but goes
>>> completely ignored !
>>>
>>> If I search for "execute" or "transition" permissions using
>>> sesearch,
>>> it doesn't find anything, so for some strange reason the interface
>>> goes
>>> completely ignored !
>>>
>>> Is that what you meant earlier ? Why is it happening ??
>
> [...]
>
>> Maybe others know a way out. I really don't. Sorry.
>
> Don't worry about that. But with the help of others, we need to find a
> cure for this !
>
> Regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On 08/28/2016 09:24 AM, Dominick Grift wrote:
> On 08/27/2016 11:48 PM, Guido Trentalancia via refpolicy wrote:
>> Hello Dominick.
>>
>> Thanks for providing more information.
>>
>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>
>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>
>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>
>>>> [...]
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>>> is a
>>>>>>>>> conflicting
>>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>>> message
>>>>>>>>> isn't
>>>>>>>>> helpful.
>>>>>>>>
>>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>>> produce a
>>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>>> see
>>>>>>>> the
>>>>>>>> following thread:
>>>>>>>>
>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>>> for
>>>>>>>> conflicting type rules
>>>>>>>>
>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>
>>>>>>>> scontext=at_spi_t
>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>> tclass=process
>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>
>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>> type_transition
>>>>>>>> rule).
>>>>>>>>
>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>
>>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>>> the
>>>>>>>> type
>>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>>> leading
>>>>>>>> to
>>>>>>>> conflicting rules.
>>>>>>>>
>>>>>>>> Therefore, the solution might be to use a common static
>>>>>>>> name
>>>>>>>> for
>>>>>>>> the
>>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>>> "$1_dbusd_t").
>>>>>>>
>>>>>>> and that will introduce other issues. because the session bus
>>>>>>> must be
>>>>>>> able to run things on behalf of the caller
>>>>>>
>>>>>> Thanks for providing a forecast of other issues.
>>>>>>
>>>>>> So, what's the way out of this damn loop ?
>>>>>>
>>>>>> I am almost getting lost...
>>>>>>
>>>>>
>>>>> I dont know.
>>>>
>>>> We need to find a cure for this !!
>>>
>>> I have been pleading for this for years. In my case the solution to
>>> these problems is DSSP and CIL. I was never able to solve these
>>> issues
>>> with reference policy unfortunately.
>>
>> There must be a way of solving this problem.
>>
>>>> What prevents it from running things on behalf of the caller ? And
>>>> what
>>>> do you mean exactly for running things on behalf of the caller ?
>>>
>>> It hard to explain. The best way to appreciate what I mean is to
>>> experience it yourself. It will become clear as you move towards a
>>> fully
>>> confined desktop.
>>>
>>> A lot of programs can be started by the session bus. Many of these
>>> programs started by the session bus on behalf of users run other
>>> programs and so forth and so forth. Some of these programs need to
>>> eventually be able run shell with a domain transition back to the
>>> login
>>> shell domain.
>>>
>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>
>>> To be able to do this we need to use derived types. You can't do it
>>> if
>>> theres a single session_dbus_t type.
>>
>> In the case at hand, there isn't the need to get back to the initial
>> domain.
>>
>> If I am not wrong, the whole transition is as follows:
>>
>> user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t
>> (at_spi_exec_t)-> at_spi_t
>>
>
> To see what i am trying to say you have to experience it for yourself.
> Gnome is this single body made up of individual entities. Just because
> atspi "may" not need to be prefixed doesnt mean that the session bus
> doesnt need to be prefixed. atspi isnt the only app executed by the
> session bus.
>
> And let me just remind you. atspi needs to be able to run the session
> bus if it is not currently running. Do you see the chicken and egg problem?
>
>
You have to see the bigger picture. That is why I suggested you confine
a minimal desktop first before you start submitting patches. Because
once you have a broad overview you will see important issues that need
to be resolved. You aren't able to identify them if you do not look at
this as a whole.
Things should just naturally work. We can't have the house of cards
collapse on the first anomaly that happens.
>> The last transition is not working for some reason (I have used the new
>> dbus interface quoted below)...
>>
>>>> I have the following interface:
>>>>
>>>> allow $1 dbusd_exec_t:file exec_file_perms;
>>>> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
>>>>
>>>> which is called with $1=at_spi_t and $1=gnome_settings_t but goes
>>>> completely ignored !
>>>>
>>>> If I search for "execute" or "transition" permissions using
>>>> sesearch,
>>>> it doesn't find anything, so for some strange reason the interface
>>>> goes
>>>> completely ignored !
>>>>
>>>> Is that what you meant earlier ? Why is it happening ??
>>
>> [...]
>>
>>> Maybe others know a way out. I really don't. Sorry.
>>
>> Don't worry about that. But with the help of others, we need to find a
>> cure for this !
>>
>> Regards,
>>
>> Guido
>>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Things are very far from working naturally as they are.
On the other hand, the patches are surely far from being complete or stable yet, but at least every version allows the Gnome desktop to be started.
Now I met this major problem, it looks by all means a limitation of the existing framework, but I am sure that it will be sorted out...
I am also waiting to hear from Christopher about this.
Regards,
Guido
On the 28th of August 2016 10:03:17 CEST, Dominick Grift via refpolicy <[email protected]> wrote:
>On 08/28/2016 09:24 AM, Dominick Grift wrote:
>> On 08/27/2016 11:48 PM, Guido Trentalancia via refpolicy wrote:
>>> Hello Dominick.
>>>
>>> Thanks for providing more information.
>>>
>>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>>
>>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>>
>>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>>>> is a
>>>>>>>>>> conflicting
>>>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>>>> message
>>>>>>>>>> isn't
>>>>>>>>>> helpful.
>>>>>>>>>
>>>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>>>> produce a
>>>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>>>> see
>>>>>>>>> the
>>>>>>>>> following thread:
>>>>>>>>>
>>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>>>> for
>>>>>>>>> conflicting type rules
>>>>>>>>>
>>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>>
>>>>>>>>> scontext=at_spi_t
>>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>>> tclass=process
>>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>>
>>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>>> type_transition
>>>>>>>>> rule).
>>>>>>>>>
>>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>>
>>>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>>>> the
>>>>>>>>> type
>>>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>>>> leading
>>>>>>>>> to
>>>>>>>>> conflicting rules.
>>>>>>>>>
>>>>>>>>> Therefore, the solution might be to use a common static
>>>>>>>>> name
>>>>>>>>> for
>>>>>>>>> the
>>>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>>>> "$1_dbusd_t").
>>>>>>>>
>>>>>>>> and that will introduce other issues. because the session bus
>>>>>>>> must be
>>>>>>>> able to run things on behalf of the caller
>>>>>>>
>>>>>>> Thanks for providing a forecast of other issues.
>>>>>>>
>>>>>>> So, what's the way out of this damn loop ?
>>>>>>>
>>>>>>> I am almost getting lost...
>>>>>>>
>>>>>>
>>>>>> I dont know.
>>>>>
>>>>> We need to find a cure for this !!
>>>>
>>>> I have been pleading for this for years. In my case the solution to
>>>> these problems is DSSP and CIL. I was never able to solve these
>>>> issues
>>>> with reference policy unfortunately.
>>>
>>> There must be a way of solving this problem.
>>>
>>>>> What prevents it from running things on behalf of the caller ? And
>>>>> what
>>>>> do you mean exactly for running things on behalf of the caller ?
>>>>
>>>> It hard to explain. The best way to appreciate what I mean is to
>>>> experience it yourself. It will become clear as you move towards a
>>>> fully
>>>> confined desktop.
>>>>
>>>> A lot of programs can be started by the session bus. Many of these
>>>> programs started by the session bus on behalf of users run other
>>>> programs and so forth and so forth. Some of these programs need to
>>>> eventually be able run shell with a domain transition back to the
>>>> login
>>>> shell domain.
>>>>
>>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>>
>>>> To be able to do this we need to use derived types. You can't do it
>>>> if
>>>> theres a single session_dbus_t type.
>>>
>>> In the case at hand, there isn't the need to get back to the initial
>>> domain.
>>>
>>> If I am not wrong, the whole transition is as follows:
>>>
>>> user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t
>>> (at_spi_exec_t)-> at_spi_t
>>>
>>
>> To see what i am trying to say you have to experience it for
>yourself.
>> Gnome is this single body made up of individual entities. Just
>because
>> atspi "may" not need to be prefixed doesnt mean that the session bus
>> doesnt need to be prefixed. atspi isnt the only app executed by the
>> session bus.
>>
>> And let me just remind you. atspi needs to be able to run the session
>> bus if it is not currently running. Do you see the chicken and egg
>problem?
>>
>>
>
>You have to see the bigger picture. That is why i suggested you confine
>a minimal desktop first before you start submitting patches. Because
>once you have a broad overview you will see important issues that need
>to be resolved. You aren't able to identify them if you do not look at
>this as a whole.
>
>Things should just naturally work. We can't have the house of cards
>collapse on the first anomaly that happens.
>
>>> The last transition is not working for some reason (I have used the
>new
>>> dbus interface quoted below)...
>>>
>>>>> I have the following interface:
>>>>>
>>>>> allow $1 dbusd_exec_t:file exec_file_perms;
>>>>> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
>>>>>
>>>>> which is called with $1=at_spi_t and $1=gnome_settings_t but goes
>>>>> completely ignored !
>>>>>
>>>>> If I search for "execute" or "transition" permissions using
>>>>> sesearch,
>>>>> it doesn't find anything, so for some strange reason the interface
>>>>> goes
>>>>> completely ignored !
>>>>>
>>>>> Is that what you meant earlier ? Why is it happening ??
>>>
>>> [...]
>>>
>>>> Maybe others know a way out. I really don't. Sorry.
>>>
>>> Don't worry about that. But with the help of others, we need to find
>a
>>> cure for this !
>>>
>>> Regards,
>>>
>>> Guido
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>
>>
>>
On 08/26/16 18:21, Guido Trentalancia wrote:
> Hello Christopher.
>
> On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote:
>
> [...]
>
>>>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> + type dconf_t, dconf_exec_t,
>>>>>>>>> dconf_home_t;
>>>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>>>> type gconfd_t, gconfd_exec_t,
>>>>>>>>> gconf_tmp_t;
>>>>>>>>> type gconf_home_t;
>>>>>>>>> + type gnome_settings_t,
>>>>>>>>> gnome_settings_exec_t;
>>>>>>>>> + type gnome_settings_daemon_t,
>>>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>>>> + type gnome_settings_schemas_t;
>>>>>>>>> + type gkeyringd_exec_t,
>>>>>>>>> gnome_keyring_home_t,
>>>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>>>> + type mime_info_t;
>>>>>>>>> + type user_dbusd_t;
>>>>>>>>
>>>>>>>> This dbus type cannot be referenced directly in this
>>>>>>>> module.
>>>>>>>
>>>>>>> If $1_dbusd_t is used to get the role/type prefix from the
>>>>>>> caller,
>>>>>>> then
>>>>>>> it doesn't compile for some reason which is not yet clear
>>>>>>> to
>>>>>>> me.
>>>>>>>
>>>>>>> Any idea ?
>>>>>>
>>>>>> The $1_dbusd_t rules need to be contained in the dbus module,
>>>>>> not
>>>>>> the
>>>>>> gnome module. Beyond that, it's tough to say what the
>>>>>> problem
>>>>>> is,
>>>>>> without knowing the error messages.
>>>>>
>>>>> Suppose to have the following additional dbus interface:
>>>>>
>>>>> #######################################
>>>>> ## <summary>
>>>>> ## Make a domain transition from a
>>>>> ## given source domain to the
>>>>> ## DBUS session bus domain using
>>>>> ## the DBUS executable file type.
>>>>> ## </summary>
>>>>> ## <param name="role_prefix">
>>>>> ## <summary>
>>>>> ## The prefix of the user role (e.g., user
>>>>> ## is the prefix for user_r).
>>>>> ## </summary>
>>>>> ## </param>
>>>>> ## <param name="domain">
>>>>> ## <summary>
>>>>> ## Domain allowed access.
>>>>> ## </summary>
>>>>> ## </param>
>>>>> #
>>>>> interface(`dbus_domain_transition_session_bus',`
>>>>> gen_require(`
>>>>> type dbusd_exec_t;
>>>>> type $1_dbusd_t;
>>>>> ')
>>>>>
>>>>> allow $2 dbusd_exec_t:file exec_file_perms;
>>>>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>>>> ')
>>>>>
>>>>> and suppose that it is called by the following statement:
>>>>>
>>>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>>>
>>>>> where $1 = "user".
>>>>>
>>>>> During policy load, the following error is generated:
>>>>>
>>>>> Conflicting type rules
>>>>> Binary policy creation failed at line 29393 of
>>>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>>>> Failed to generate binary
>>>>> /usr/sbin/semodule: Failed!
>>>>> make: *** [Rules.modular:58: load] Error 1
>>>>>
>>>>> The temporary file is deleted automatically and cannot be
>>>>> inspected.
>>>>>
>>>>> I hope it is clear now...
>>>>>
>>>>> Do you have an idea ? It's the only thing missing before all
>>>>> the
>>>>> dbus
>>>>> rules are moved from the gnome to the dbus module and I can
>>>>> create
>>>>> a
>>>>> new version of this important patch.
>>>>
>>>> It's not so helpful unfortunately. My guess is that it is a
>>>> conflicting
>>>> type_transition. Unfortunately the compiler error message isn't
>>>> helpful.
>>>
>>> I have tested and your guess is correct !
>>>
>>> The above interface expands as follows:
>>>
>>> interface(`dbus_domain_transition_session_bus',`
>>> allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
>>>
>>> domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
>>> # type_transition $2 dbusd_exec_t:process $1_dbusd_t;
>>>
>>> allow $1_dbusd_t $2:fd use;
>>> allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
>>> allow $1_dbusd_t $2:process sigchld;
>>> ')
>>>
>>> The line that has been commented out (type_transition) is the
>>> problematic rule which leads to the "conflicting type rules" error
>>> upon
>>> loading the policy.
>>>
>>> Such rule comes from the domain_auto_transition_pattern provided by
>>> support/misc_patterns.spt.
>>>
>>> However, if I hardcode "user" instead of "$1", the type_transition
>>> works fine. I suspect, it stops functioning when $1 is replaced by
>>> "sysadm" or "staff".
>>>
>>> If I do manually substitute the two and try to recompile, the
>>> following
>>> happens:
>>>
>>> $1=sysadm ==> staff.te doesn't compile (unknown type error)
>>>
>>> $1=staff ==> sysadm.te doesn't compile (unknown type error)
>>>
>>> In some way, it sounds like a bug or some sort of limitation of the
>>> actual policy... Can you shed some light ?
>>
>> I'm not clear why you would see unknown types. You have to inspect
>> the
>> intermediate files. I believe if you add them to a .SECONDARY entry
>> in
>> the Makefile/Rules.*, it will not delete them when they're done. I'd
>> be
>> fine taking that patch too, so intermediate files are never deleted.
>
> I think the files that you mention are stored in the "tmp" subdirectory
> of the policy source.
>
> I don't think there is a need to modify the Makefile or Rules.* files.
>
> The "Conflicting type rules" error comes from libsepol when one tries
> to load the policy using semodule (called by the policy Makefile).
>
> What semodule deleted (/var/lib/selinux/refpolicy-
> 06082016/tmp/modules/400/sysadm/cil) might be a binary file generated
> by libsepol. In any case, it has nothing to do with the policy
> Makefile.
>
> Unfortunately, I have checked the temporary files in the "tmp"
> subdirectory of the build tree, but the only difference between the
> working version and the non-working version is that the static
> hardcoded "user" string ("user_dbusd_t") in the type_transition rule is
> replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so on).
>
> I noticed that the dbus_role_template is also using that variable type
> ($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or
> "xguest").
>
> The problem seems to be that the $1_dbusd_t type defined by the
> dbus_role_template conflicts with the type defined by the new interface
> that is required by gnome (it conflicts with the type_transition rule).
>
> I believe this is a bug or some sort of limitation of the existing
> policy... Do you know how to fix it ?
The dbus module is where *_dbusd_t should be declared, so *_dbusd_t
declarations in a gnome module are incorrect. The only other issue that
I can think of is in the past, if you required a type and then later
declared it in the same file, that would hit a compiler limitation/bug
that would (incorrectly) call it a duplicate type declaration.
In terms of type_transition you'd have to inspect the intermediate file
that is used to compile the binary to try to see where the conflict is.
It may also be a conflict across multiple modules, which would make it
more difficult to uncover.
--
Chris PeBenito
On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
> Things are very far from working naturally as they are.
>
> On the other hand, the patches are surely far from being complete or stable yet, but at least every version allows to start the Gnome desktop.
>
> Now I met this major problem, it looks by all means a limitation of the existing framework, but I am sure that it will be sorted out...
>
> I am also waiting to hear from Christopher about this.
The way I see it is that general purpose desktops are incredibly
complicated and are not designed with security in mind. I wonder if the
policy complexity needed to confine it all actually buys a proportional
amount of security gains. I'm not saying it shouldn't be done, but I am
skeptical that it is worth it.
--
Chris PeBenito
On 08/28/2016 08:40 PM, Chris PeBenito wrote:
> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>> Things are very far from working naturally as they are.
>>
>> On the other hand, the patches are surely far from being complete or
>> stable yet, but at least every version allows to start the Gnome desktop.
>>
>> Now I met this major problem, it looks by all means a limitation of
>> the existing framework, but I am sure that it will be sorted out...
>>
>> I am also waiting to hear from Christopher about this.
>
> The way I see it is that general purpose desktops are incredibly
> complicated and are not designed with security in mind. I wonder if the
> policy complexity needed to confine it all actually buys a proportional
> amount of security gains. I'm not saying it shouldn't be done, but I am
> skeptical that it is worth it.
>
It is expensive. I agree, but i would not go so far as to say that
confining the desktop does not buy a proportional amount of security gains.
It is telling though that you're not the only authority saying that
using selinux to confine the desktop is not practical (Walsh shares your
opinion).
Anyhow DSSP fills a gap here. So if you value integrity on the desktop
DSSP is happy to take contributions :)
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Christopher!
I think it's definitely worth in terms of security confining the Gnome desktop (as well as the other applications) properly.
The user domain is the most common vulnerable point, so it should have the most limited number of permissions possible.
By confining the desktop properly we get great security gains exactly in that direction.
Any insight on the problem that I encountered?
I couldn't get things working in the dbus module with the variable $1_dbusd_t type, so I am now moving to testing with a static type instead.
Best regards,
Guido
On the 28th of August 2016 20:40:39 CEST, Chris PeBenito <[email protected]> wrote:
>On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>> Things are very far from working naturally as they are.
>>
>> On the other hand, the patches are surely far from being complete or
>stable yet, but at least every version allows to start the Gnome
>desktop.
>>
>> Now I met this major problem, it looks by all means a limitation of
>the existing framework, but I am sure that it will be sorted out...
>>
>> I am also waiting to hear from Christopher about this.
>
>The way I see it is that general purpose desktops are incredibly
>complicated and are not designed with security in mind. I wonder if
>the
>policy complexity needed to confine it all actually buys a proportional
>
>amount of security gains. I'm not saying it shouldn't be done, but I
>am
>skeptical that it is worth it.
On 08/28/2016 09:12 PM, Dominick Grift wrote:
> On 08/28/2016 08:40 PM, Chris PeBenito wrote:
>> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>>> Things are very far from working naturally as they are.
>>>
>>> On the other hand, the patches are surely far from being complete or
>>> stable yet, but at least every version allows to start the Gnome desktop.
>>>
>>> Now I met this major problem, it looks by all means a limitation of
>>> the existing framework, but I am sure that it will be sorted out...
>>>
>>> I am also waiting to hear from Christopher about this.
>>
>> The way I see it is that general purpose desktops are incredibly
>> complicated and are not designed with security in mind. I wonder if the
>> policy complexity needed to confine it all actually buys a proportional
>> amount of security gains. I'm not saying it shouldn't be done, but I am
>> skeptical that it is worth it.
>>
>
> It is expensive. I agree, but i would not go so far as to say that
> confining the desktop does not buy a proportional amount of security gains.
>
> It is telling though that you're not the only authority saying that
> using selinux to confine the desktop is not practical (Walsh shares your
> opinion).
>
> Anyhow DSSP fills a gap here. So if you value integrity on the desktop
> DSSP is happy to take contributions :)
>
SELinux is a flexible MAC, and it is designed to be a framework to
address the widest range of access control challenges. It is THE tool
for this job.
We're talking Access Control, this is not just about containing flawed or
malicious code. We use access control to govern who can do what as well.
I will be the first to agree that desktops aren't designed with security
in mind. That is one of the reasons we need to contain it. Some of the
code in there looks downright disturbing.
My shell is "fragile" I will be the first to admit. But at least I have
an excuse (dropped out of kindergarten), plus I know it's "fragile" and
so i contain my own code.
SELinux is not "practical" at all (until it is the only tool left
capable enough to do the job). Desktop or not. Ask 10 random people, and
I am willing to bet that at least 8 of them agree. Heck security is not
practical!
Our identities, passwords and other authentication credentials are
pretty much all we have on this network called Internet. We should do
all we can to protect it.
On a desktop, the desktop is generally the most vulnerable.
Yes we need to contain the system side as well, but a desktop generally
has much less of that compared to a server.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
@Dominick, absolutely.
I was really upset (to put it lightly) to find out that Fedora 24
doesn't confine Google Chrome any more, which is completely
unacceptable. I might become a contributor to DSSP for this reason.
Thanks,
- Naftuli Tzvi
On Mon, Aug 29, 2016 at 1:20 AM, Dominick Grift via refpolicy
<[email protected]> wrote:
> On 08/28/2016 09:12 PM, Dominick Grift wrote:
>> On 08/28/2016 08:40 PM, Chris PeBenito wrote:
>>> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>>>> Things are very far from working naturally as they are.
>>>>
>>>> On the other hand, the patches are surely far from being complete or
>>>> stable yet, but at least every version allows to start the Gnome desktop.
>>>>
>>>> Now I met this major problem, it looks by all means a limitation of
>>>> the existing framework, but I am sure that it will be sorted out...
>>>>
>>>> I am also waiting to hear from Christopher about this.
>>>
>>> The way I see it is that general purpose desktops are incredibly
>>> complicated and are not designed with security in mind. I wonder if the
>>> policy complexity needed to confine it all actually buys a proportional
>>> amount of security gains. I'm not saying it shouldn't be done, but I am
>>> skeptical that it is worth it.
>>>
>>
>> It is expensive. I agree, but i would not go so far as to say that
>> confining the desktop does not buy a proportional amount of security gains.
>>
>> It is telling though that you're not the only authority saying that
>> using selinux to confine the desktop is not practical (Walsh shares your
>> opinion).
>>
>> Anyhow DSSP fills a gap here. So if you value integrity on the desktop
>> DSSP is happy to take contributions :)
>>
>
> SELinux is a flexible MAC, and it is designed to be a framework to
> address the widest range of access control challenges. It is THE tool
> for this job.
>
> We're talking Access Control, this is not just about containing flawed or
> malicious code. We use access control to govern who can do what as well.
>
> I will be the first to agree that desktops aren't designed with security
> in mind. That is one of the reasons we need to contain it. Some of the
> code in there looks downright disturbing.
>
> My shell is "fragile" I will be the first to admit. But at least I have
> an excuse (dropped out of kindergarten), plus I know it's "fragile" and
> so i contain my own code.
>
> SELinux is not "practical" at all (until it is the only tool left
> capable enough to do the job). Desktop or not. Ask 10 random people, and
> I am willing to bet that at least 8 of them agree. Heck security is not
> practical!
>
> Our identities, passwords and other authentication credentials are
> pretty much all we have on this network called Internet. We should do
> all we can to protect it.
>
> On a desktop, the desktop is generally the most vulnerable.
> Yes we need to contain the system side as well, but a desktop generally
> has much less of that compared to a server.
>
>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
Hello Dominick.
On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
> >
> > On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
> > >
> > > On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
> >
> > [...]
> >
> > >
> > > >
> > > > >
> > > > > >
> > > > > > >
> > > > > > > It's not so helpful unfortunately. My guess is that it
> > > > > > > is a
> > > > > > > conflicting
> > > > > > > type_transition. Unfortunately the compiler error
> > > > > > > message
> > > > > > > isn't
> > > > > > > helpful.
> > > > > >
> > > > > > I have just posted a patch on the SELinux mailing list to
> > > > > > produce a
> > > > > > more meaningful error message for conflicting type rules,
> > > > > > see
> > > > > > the
> > > > > > following thread:
> > > > > >
> > > > > > [PATCH] libsepol: Produce more meaningful error messages
> > > > > > for
> > > > > > conflicting type rules
> > > > > >
> > > > > > In this case, the conflicting type rule is:
> > > > > >
> > > > > > scontext=at_spi_t
> > > > > > tcontext=dbusd_exec_t
> > > > > > tclass=process
> > > > > > result=sysadm_dbusd_t
> > > > > >
> > > > > > which confirms the previous debugging results (it's the
> > > > > > type_transition
> > > > > > rule).
> > > > > >
> > > > > > Another one is similar, with scontext=gnome_settings_t.
> > > > > >
> > > > > > What I suspect is that when it compiles, it quadruplicates
> > > > > > the
> > > > > > type
> > > > > > transition for each of user, staff, sysadm and xguest, thus
> > > > > > leading
> > > > > > to
> > > > > > conflicting rules.
> > > > > >
> > > > > > Therefore, the solution might be to use a common static
> > > > > > name
> > > > > > for
> > > > > > the
> > > > > > domain (for example, "session_dbusd_t" instead of
> > > > > > "$1_dbusd_t").
> > > > >
> > > > > and that will introduce other issues. because the session bus
> > > > > must be
> > > > > able to run things on behalf of the caller
> > > >
> > > > Thanks for providing a forecast of other issues.
> > > >
> > > > So, what's the way out of this damn loop ?
> > > >
> > > > I am almost getting lost...
> > > >
> > >
> > > I dont know.
> >
> > We need to find a cure for this !!
>
> I have been pleading for this for years. In my case the solution to
> these problems is DSSP and CIL. I was never able to solve these
> issues
> with reference policy unfortunately.
>
> >
> >
> > What prevents it from running things on behalf of the caller ? And
> > what
> > do you mean exactly for running things on behalf of the caller ?
>
> It's hard to explain. The best way to appreciate what I mean is to
> experience it yourself. It will become clear as you move towards a
> fully
> confined desktop.
>
> A lot of programs can be started by the session bus. Many of these
> programs started by the session bus on behalf of users run other
> programs and so forth and so forth. Some of these programs need to
> eventually be able run shell with a domain transition back to the
> login
> shell domain.
>
> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>
> To be able to do this we need to use derived types. You can't do it
> if
> there's a single session_dbus_t type.
I am hitting a similar situation at the moment with the modified gnome
and dbus modules...
user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
user_t domain
Perhaps, it is possible to change the existing code so that it adds the
conflicting type rules, but then when it actually needs to apply them,
it looks for duplicates and it only applies the one which matches
the calling context.
It should be feasible...
What do you say ?
We need to find a way out of this !
Best regards,
Guido
On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>
>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>
>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>
>>> [...]
>>>
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>> is a
>>>>>>>> conflicting
>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>> message
>>>>>>>> isn't
>>>>>>>> helpful.
>>>>>>>
>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>> produce a
>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>> see
>>>>>>> the
>>>>>>> following thread:
>>>>>>>
>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>> for
>>>>>>> conflicting type rules
>>>>>>>
>>>>>>> In this case, the conflicting type rule is:
>>>>>>>
>>>>>>> scontext=at_spi_t
>>>>>>> tcontext=dbusd_exec_t
>>>>>>> tclass=process
>>>>>>> result=sysadm_dbusd_t
>>>>>>>
>>>>>>> which confirms the previous debugging results (it's the
>>>>>>> type_transition
>>>>>>> rule).
>>>>>>>
>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>
>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>> the
>>>>>>> type
>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>> leading
>>>>>>> to
>>>>>>> conflicting rules.
>>>>>>>
>>>>>>> Therefore, the solution might be to use a common static
>>>>>>> name
>>>>>>> for
>>>>>>> the
>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>> "$1_dbusd_t").
>>>>>>
>>>>>> and that will introduce other issues. because the session bus
>>>>>> must be
>>>>>> able to run things on behalf of the caller
>>>>>
>>>>> Thanks for providing a forecast of other issues.
>>>>>
>>>>> So, what's the way out of this damn loop ?
>>>>>
>>>>> I am almost getting lost...
>>>>>
>>>>
>>>> I dont know.
>>>
>>> We need to find a cure for this !!
>>
>> I have been pleading for this for years. In my case the solution to
>> these problems is DSSP and CIL. I was never able to solve these
>> issues
>> with reference policy unfortunately.
>>
>>>
>>>
>>> What prevents it from running things on behalf of the caller ? And
>>> what
>>> do you mean exactly for running things on behalf of the caller ?
>>
>> It's hard to explain. The best way to appreciate what I mean is to
>> experience it yourself. It will become clear as you move towards a
>> fully
>> confined desktop.
>>
>> A lot of programs can be started by the session bus. Many of these
>> programs started by the session bus on behalf of users run other
>> programs and so forth and so forth. Some of these programs need to
>> eventually be able run shell with a domain transition back to the
>> login
>> shell domain.
>>
>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>
>> To be able to do this we need to use derived types. You can't do it
>> if
>> there's a single session_dbus_t type.
>
> I am hitting a similar situation at the moment with the modified gnome
> and dbus modules...
>
> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
> user_t domain
>
> Perhaps, it is possible to change the existing code so that it adds the
> conflicting type rules, but then when it actually needs to apply them,
> it looks for duplicates and it only applies the one which matches
> the calling context.
>
> It should be feasible...
>
> What do you say ?
>
I am saying what I said. This issue is very old and no one ever bothered
to fix it. It is not going to happen.
Module policy is legacy. A new superior language that does not have
these issues is available.
> We need to find a way out of this !
There is a way out but its not module policy
>
> Best regards,
>
> Guido
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Hello Christopher.
On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote:
> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
> >
> > Things are very far from working naturally as they are.
> >
> > On the other hand, the patches are surely far from being complete
> > or stable yet, but at least every version allows to start the Gnome
> > desktop.
> >
> > Now I met this major problem, it looks by all means a limitation of
> > the existing framework, but I am sure that it will be sorted out...
> >
> > I am also waiting to hear from Christopher about this.
>
> The way I see it is that general purpose desktops are incredibly
> complicated and are not designed with security in mind. I wonder if
> the
> policy complexity needed to confine it all actually buys a
> proportional
> amount of security gains. I'm not saying it shouldn't be done, but I
> am
> skeptical that it is worth it.
Apart from confining the whole desktop, what I recently proposed to
Dominick for further evaluation is as follows:
- we patch the libsepol code so that it creates all the conflicting
type rules instead of aborting;
- we also patch the policy enforcing code, so that when it needs to
enforce one of such conflicting type rules, it first searches for
duplicates and then it enforces the one that matches the calling
context.
Do you think the above is feasible (in particular, "matching the
calling context") ?
Best regards,
Guido
On 08/30/16 15:23, Guido Trentalancia wrote:
> Hello Christopher.
>
> On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote:
>> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>>>
>>> Things are very far from working naturally as they are.
>>>
>>> On the other hand, the patches are surely far from being complete
>>> or stable yet, but at least every version allows to start the Gnome
>>> desktop.
>>>
>>> Now I met this major problem, it looks by all means a limitation of
>>> the existing framework, but I am sure that it will be sorted out...
>>>
>>> I am also waiting to hear from Christopher about this.
>>
>> The way I see it is that general purpose desktops are incredibly
>> complicated and are not designed with security in mind. I wonder if
>> the
>> policy complexity needed to confine it all actually buys a
>> proportional
>> amount of security gains. I'm not saying it shouldn't be done, but I
>> am
>> skeptical that it is worth it.
>
> Apart from confining the whole desktop, what I recently proposed to
> Dominick for further evaluation is as follows:
>
> - we patch the libsepol code so that it creates all the conflicting
> type rules instead of aborting;
> - we also patch the policy enforcing code, so that when it needs to
> enforce one of such conflicting type rules, it first searches for
> duplicates and then it enforces the one that matches the calling
> context.
>
> Do you think the above is feasible (in particular, "matching the
> calling context") ?
I don't know what you mean by "matching the calling context." A
conflicting type transition looks like this:
type_transition source_type exec_type:process new_domain;
type_transition source_type exec_type:process other_new_domain;
Both rules share the same key (source type, target type, object class), so
I don't see how you can decide between the two if they both exist in the
policy (unless they are in opposite if/else blocks of the same boolean,
which is valid because only one of them is active at any time).
--
Chris PeBenito
On 08/30/16 15:21, Dominick Grift via refpolicy wrote:
> On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
>> Hello Dominick.
>>
>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>
>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>
>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>
>>>> [...]
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>>> is a
>>>>>>>>> conflicting
>>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>>> message
>>>>>>>>> isn't
>>>>>>>>> helpful.
>>>>>>>>
>>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>>> produce a
>>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>>> see
>>>>>>>> the
>>>>>>>> following thread:
>>>>>>>>
>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>>> for
>>>>>>>> conflicting type rules
>>>>>>>>
>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>
>>>>>>>> scontext=at_spi_t
>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>> tclass=process
>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>
>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>> type_transition
>>>>>>>> rule).
>>>>>>>>
>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>
>>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>>> the
>>>>>>>> type
>>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>>> leading
>>>>>>>> to
>>>>>>>> conflicting rules.
>>>>>>>>
>>>>>>>> Therefore, the solution might be to use a common static
>>>>>>>> name
>>>>>>>> for
>>>>>>>> the
>>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>>> "$1_dbusd_t").
>>>>>>>
>>>>>>> and that will introduce other issues. because the session bus
>>>>>>> must be
>>>>>>> able to run things on behalf of the caller
>>>>>>
>>>>>> Thanks for providing a forecast of other issues.
>>>>>>
>>>>>> So, what's the way out of this damn loop ?
>>>>>>
>>>>>> I am almost getting lost...
>>>>>>
>>>>>
>>>>> I dont know.
>>>>
>>>> We need to find a cure for this !!
>>>
>>> I have been pleading for this for years. In my case the solution to
>>> these problems is DSSP and CIL. I was never able to solve these
>>> issues
>>> with reference policy unfortunately.
>>>
>>>>
>>>>
>>>> What prevents it from running things on behalf of the caller ? And
>>>> what
>>>> do you mean exactly for running things on behalf of the caller ?
>>>
>>> It hard to explain. The best way to appreciate what I mean is to
>>> experience it yourself. It will become clear as you move towards a
>>> fully
>>> confined desktop.
>>>
>>> A lot of programs can be started by the session bus. Many of these
>>> programs started by the session bus on behalf of users run other
>>> programs and so forth and so forth. Some of these programs need to
>>> eventually be able run shell with a domain transition back to the
>>> login
>>> shell domain.
>>>
>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>
>>> To be able to do this we need to use derived types. You can't do it
>>> if
>>> theres a single session_dbus_t type.
>>
>> I am hitting a similar situation at the moment with the modified gnome
>> and dbus modules...
>>
>> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
>> user_t domain
>>
>> Perhaps, it is possible to change the existing code so that it adds the
>> conflicting type rules, but then when it actually needs to apply them,
>> it looks up for duplicates and it only applies the one which matches
>> the calling context.
>>
>> It should be feasible...
>>
>> What do you say ?
>>
>
> I am saying what I said. This issue is very old and no one ever bothered
> to fix it. It is not going to happen.
>
> Module policy is legacy. A new superior language that does not have
> these issues is available.
>
>> We need to find a way out of this !
>
> There is a way out but its not module policy
Perhaps you can structure the policy better, but a conflicting type
transition is an error even if is written in CIL.
--
Chris PeBenito
On Tue, 30/08/2016 at 17.37 -0400, Chris PeBenito wrote:
> On 08/30/16 15:23, Guido Trentalancia wrote:
> >
> > Hello Christopher.
> >
> > On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote:
> > >
> > > On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
> > > >
> > > >
> > > > Things are very far from working naturally as they are.
> > > >
> > > > On the other hand, the patches are surely far from being
> > > > complete
> > > > or stable yet, but at least every version allows to start the
> > > > Gnome
> > > > desktop.
> > > >
> > > > Now I met this major problem, it looks by all means a
> > > > limitation of
> > > > the existing framework, but I am sure that it will be sorted
> > > > out...
> > > >
> > > > I am also waiting to hear from Christopher about this.
> > >
> > > The way I see it is that general purpose desktops are incredibly
> > > complicated and are not designed with security in mind. I wonder
> > > if the policy complexity needed to confine it all actually buys a
> > > proportional amount of security gains. I'm not saying it shouldn't
> > > be done, but I am skeptical that it is worth it.
> >
> > Apart from confining the whole desktop, what I recently proposed to
> > Dominick for further evaluation is as follows:
> >
> > - we patch the libsepol code so that it creates all the conflicting
> > type rules instead of aborting;
> > - we also patch the policy enforcing code, so that when it needs to
> > enforce one of such conflicting type rules, it first searches for
> > duplicates and then it enforces the one that matches the calling
> > context.
> >
> > Do you think the above is feasible (in particular, "matching the
> > calling context") ?
>
> I don't know what you mean by "matching the calling context." A
> conflicting type transition looks like this:
>
> type_transition source_type exec_type:process new_domain;
> type_transition source_type exec_type:process other_new_domain;
>
> I don't see how you can decide between the two if they both exist in
> the policy (unless they are in opposite if/else blocks, which is valid).
type_transition session_dbusd_t bin_t:process user_t;
type_transition session_dbusd_t bin_t:process staff_t;
type_transition session_dbusd_t bin_t:process sysadm_t;
type_transition session_dbusd_t bin_t:process xguest_t;
At the moment, they cannot coexist (conflicting type rules).
Imagine that we insert all of them into the policy.
The process that is running as session_dbusd_t (the source) is actually labelled
user_u:user_r:session_dbusd_t (or the staff, sysadm or xguest equivalent in the
other three cases).
So, for the case at hand, we know that the first rule should be applied to such a
process:
we enforce: type_transition session_dbusd_t bin_t:process user_t;
Theoretically, the correct rule could be selected for each calling process by
looking at its full context — that is, at the SELinux user and role of the source,
since the type alone is the same in all four rules.
Am I missing something?
Regards,
Guido
On 08/30/2016 11:39 PM, Chris PeBenito wrote:
> On 08/30/16 15:21, Dominick Grift via refpolicy wrote:
>> On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
>>> Hello Dominick.
>>>
>>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>>
>>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>>
>>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>>>> is a
>>>>>>>>>> conflicting
>>>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>>>> message
>>>>>>>>>> isn't
>>>>>>>>>> helpful.
>>>>>>>>>
>>>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>>>> produce a
>>>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>>>> see
>>>>>>>>> the
>>>>>>>>> following thread:
>>>>>>>>>
>>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>>>> for
>>>>>>>>> conflicting type rules
>>>>>>>>>
>>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>>
>>>>>>>>> scontext=at_spi_t
>>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>>> tclass=process
>>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>>
>>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>>> type_transition
>>>>>>>>> rule).
>>>>>>>>>
>>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>>
>>>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>>>> the
>>>>>>>>> type
>>>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>>>> leading
>>>>>>>>> to
>>>>>>>>> conflicting rules.
>>>>>>>>>
>>>>>>>>> Therefore, the solution might be to use a common static
>>>>>>>>> name
>>>>>>>>> for
>>>>>>>>> the
>>>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>>>> "$1_dbusd_t").
>>>>>>>>
>>>>>>>> and that will introduce other issues. because the session bus
>>>>>>>> must be
>>>>>>>> able to run things on behalf of the caller
>>>>>>>
>>>>>>> Thanks for providing a forecast of other issues.
>>>>>>>
>>>>>>> So, what's the way out of this damn loop ?
>>>>>>>
>>>>>>> I am almost getting lost...
>>>>>>>
>>>>>>
>>>>>> I dont know.
>>>>>
>>>>> We need to find a cure for this !!
>>>>
>>>> I have been pleading for this for years. In my case the solution to
>>>> these problems is DSSP and CIL. I was never able to solve these
>>>> issues
>>>> with reference policy unfortunately.
>>>>
>>>>>
>>>>>
>>>>> What prevents it from running things on behalf of the caller ? And
>>>>> what
>>>>> do you mean exactly for running things on behalf of the caller ?
>>>>
>>>> It hard to explain. The best way to appreciate what I mean is to
>>>> experience it yourself. It will become clear as you move towards a
>>>> fully
>>>> confined desktop.
>>>>
>>>> A lot of programs can be started by the session bus. Many of these
>>>> programs started by the session bus on behalf of users run other
>>>> programs and so forth and so forth. Some of these programs need to
>>>> eventually be able run shell with a domain transition back to the
>>>> login
>>>> shell domain.
>>>>
>>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>>
>>>> To be able to do this we need to use derived types. You can't do it
>>>> if
>>>> theres a single session_dbus_t type.
>>>
>>> I am hitting a similar situation at the moment with the modified gnome
>>> and dbus modules...
>>>
>>> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
>>> user_t domain
>>>
>>> Perhaps, it is possible to change the existing code so that it adds the
>>> conflicting type rules, but then when it actually needs to apply them,
>>> it looks up for duplicates and it only applies the one which matches
>>> the calling context.
>>>
>>> It should be feasible...
>>>
>>> What do you say ?
>>>
>>
>> I am saying what I said. This issue is very old and no one ever bothered
>> to fix it. It is not going to happen.
>>
>> Module policy is legacy. A new superior language that does not have
>> these issues is available.
>>
>>> We need to find a way out of this !
>>
>> There is a way out but its not module policy
>
> Perhaps you can structure the policy better, but a conflicting type
> transition is an error even if is written in CIL.
>
>
Sure. That is true. Maybe the ability to structure your policy better
makes a big difference, aside from having the luxury of more meaningful
compiler errors and warnings.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On 08/31/2016 08:55 AM, Dominick Grift wrote:
> On 08/30/2016 11:39 PM, Chris PeBenito wrote:
>> On 08/30/16 15:21, Dominick Grift via refpolicy wrote:
>>> On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
>>>> Hello Dominick.
>>>>
>>>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>>>
>>>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>>>
>>>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>>>
>>>>>> [...]
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> It's not so helpful unfortunately. My guess is that it
>>>>>>>>>>> is a
>>>>>>>>>>> conflicting
>>>>>>>>>>> type_transition. Unfortunately the compiler error
>>>>>>>>>>> message
>>>>>>>>>>> isn't
>>>>>>>>>>> helpful.
>>>>>>>>>>
>>>>>>>>>> I have just posted a patch on the SELinux mailing list to
>>>>>>>>>> produce a
>>>>>>>>>> more meaningful error message for conflicting type rules,
>>>>>>>>>> see
>>>>>>>>>> the
>>>>>>>>>> following thread:
>>>>>>>>>>
>>>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages
>>>>>>>>>> for
>>>>>>>>>> conflicting type rules
>>>>>>>>>>
>>>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>>>
>>>>>>>>>> scontext=at_spi_t
>>>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>>>> tclass=process
>>>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>>>
>>>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>>>> type_transition
>>>>>>>>>> rule).
>>>>>>>>>>
>>>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>>>
>>>>>>>>>> What I suspect is that when it compiles, it quadruplicates
>>>>>>>>>> the
>>>>>>>>>> type
>>>>>>>>>> transition for each of user, staff, sysadm and xguest, thus
>>>>>>>>>> leading
>>>>>>>>>> to
>>>>>>>>>> conflicting rules.
>>>>>>>>>>
>>>>>>>>>> Therefore, the solution might be to use a common static
>>>>>>>>>> name
>>>>>>>>>> for
>>>>>>>>>> the
>>>>>>>>>> domain (for example, "session_dbusd_t" instead of
>>>>>>>>>> "$1_dbusd_t").
>>>>>>>>>
>>>>>>>>> and that will introduce other issues. because the session bus
>>>>>>>>> must be
>>>>>>>>> able to run things on behalf of the caller
>>>>>>>>
>>>>>>>> Thanks for providing a forecast of other issues.
>>>>>>>>
>>>>>>>> So, what's the way out of this damn loop ?
>>>>>>>>
>>>>>>>> I am almost getting lost...
>>>>>>>>
>>>>>>>
>>>>>>> I dont know.
>>>>>>
>>>>>> We need to find a cure for this !!
>>>>>
>>>>> I have been pleading for this for years. In my case the solution to
>>>>> these problems is DSSP and CIL. I was never able to solve these
>>>>> issues
>>>>> with reference policy unfortunately.
>>>>>
>>>>>>
>>>>>>
>>>>>> What prevents it from running things on behalf of the caller ? And
>>>>>> what
>>>>>> do you mean exactly for running things on behalf of the caller ?
>>>>>
>>>>> It hard to explain. The best way to appreciate what I mean is to
>>>>> experience it yourself. It will become clear as you move towards a
>>>>> fully
>>>>> confined desktop.
>>>>>
>>>>> A lot of programs can be started by the session bus. Many of these
>>>>> programs started by the session bus on behalf of users run other
>>>>> programs and so forth and so forth. Some of these programs need to
>>>>> eventually be able run shell with a domain transition back to the
>>>>> login
>>>>> shell domain.
>>>>>
>>>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>>>
>>>>> To be able to do this we need to use derived types. You can't do it
>>>>> if
>>>>> theres a single session_dbus_t type.
>>>>
>>>> I am hitting a similar situation at the moment with the modified gnome
>>>> and dbus modules...
>>>>
>>>> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
>>>> user_t domain
>>>>
>>>> Perhaps, it is possible to change the existing code so that it adds the
>>>> conflicting type rules, but then when it actually needs to apply them,
>>>> it looks up for duplicates and it only applies the one which matches
>>>> the calling context.
>>>>
>>>> It should be feasible...
>>>>
>>>> What do you say ?
>>>>
>>>
>>> I am saying what I said. This issue is very old and no one ever bothered
>>> to fix it. It is not going to happen.
>>>
>>> Module policy is legacy. A new superior language that does not have
>>> these issues is available.
>>>
>>>> We need to find a way out of this !
>>>
>>> There is a way out but its not module policy
>>
>> Perhaps you can structure the policy better, but a conflicting type
>> transition is an error even if is written in CIL.
>>
>>
>
> Sure. That is true. Maybe the ability to structure your policy better
> makes a big difference, aside from having the luxury of more meaningful
> compiler errors and warnings.
>
Not suggesting secilc is perfect. It is not.
SECILC should identify and warn about any blockabstracts it finds in
optional policy. Currently it allows them without any notification that
it is not allowed and/or that it causes inconsistent behavior. This is
bound to cause confusion.
Even though these are documented "rules". The compiler should still
catch it and prevent it from happening.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Mon, Aug 22, 2016 at 09:39:58PM +0200, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - target the dconf daemon, the gsettings user application, the
> gnome-settings-daemon and the at-spi daemon with all the
> needed domain transitions;
> - a new gstreamer_orcexec_t type and file context is introduced
> to support the OIL Runtime Compiler (ORC) optimized code
> execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
> keyring domains;
> - add support for chat over dbus in the gconfd domain and in the
> new domains (dconf, gsettings, etc);
> - add support for a few needed fs and kernel permissions.
> - add support for reading the colord related files in the home
> directories (such as the ICC EDID profiles): requires the
> recent colord patch;
> - add support for for reading the colord related files in the home
> directories in the common user domain template;
> - add support for a new mime_info_t type to be used in the home
> directories;
> - includes minor modifications to the consolekit, dbus and
> policykit modules to support the new targeted gnome daemons
> and applications;
> - modifies the pulseaudio module to introduce new interfaces to
> read and write pulseaudio tmpfs files and to use the pulseaudio
> file descriptor;
> - provides better module encapsulation (i.e. dbus module).
>
> The support for Gnome2/ORBit-2 (version 2) has been dropped.
>
> This patch depends on the recent colord patch.
>
> Recent changes to the pulseaudio module depends on this patch !
Hey,
I've been fairly busy lately so didn't closely follow this thread, and it's
too long now for me to understand what exactly the problems are.
If I followed correctly, it seems like the biggest problem currently is
transitioning to/from dbus? can you show the "ps auxfZ | grep dbus"
lines?
How exactly are you running into problems? Can you post a very minimal
command that triggers the problems? Is there some hello world I can put
in /usr/share/dbus-1/services and a command to trigger the issue?
A lot of these other problems in this patch seem to be issues with dbus
so lets fix that first then the other ones will be easier.
-- Jason
Hello Jason.
On Thu, 01/09/2016 at 12.20 +0800, Jason Zaman wrote:
> On Mon, Aug 22, 2016 at 09:39:58PM +0200, Guido Trentalancia wrote:
> >
> > Update for the gnome module:
[...]
> Hey,
>
> I've been fairly busy lately so didnt closely follow this thread and
> its
> too long now for me to understand what exactly the problems are.
I'll point you to a few right messages to read in this thread to
understand the problem clearly...
Please read the following messages in order:
http://oss.tresys.com/pipermail/refpolicy/2016-August/008360.html (non-quoted message text only)
http://oss.tresys.com/pipermail/refpolicy/2016-August/008369.html (non-quoted message text only)
What Dominick added here is partly true, although at the same time I have had
some success with re-writing the policy for the whole desktop (or most
of it):
http://oss.tresys.com/pipermail/refpolicy/2016-August/008370.html
http://oss.tresys.com/pipermail/refpolicy/2016-August/008374.html
http://oss.tresys.com/pipermail/refpolicy/2016-August/008382.html
http://oss.tresys.com/pipermail/refpolicy/2016-August/008385.html
http://oss.tresys.com/pipermail/refpolicy/2016-August/008384.html
The following messages are about a possible way to solve the problem
without changing the actual policy (which can be tricky):
http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
So, you have an excellent excerpt now...
> If I followed correctly, it seems like the biggest problem currently
> is
> transitioning to/from dbus? can you show the "ps auxfZ | grep dbus"
> lines?
The problem is transitioning from a user domain (user, staff, sysadm or
xguest) to other domains such as dbus (or gkeyring) and then back to
the initial user domain.
At the moment the policy uses variable types built using the user
argument ($1) passed to the gnome/dbus role() interface.
Such approach has big limitations and the current framework is poorly
designed with respect to the ability to perform the above mentioned
transition.
> How exactly are you running into problems? Can you post a very
> minimal
> command that triggers the problems? Is there some hello world I can
> put
> in /usr/share/dbus-1/services and a command to trigger the issue?
It's more complex than just starting a command. There are problems in
the underlying framework when the modified policy is loaded
(conflicting type rules, i.e. conflicting type transitions).
One way to solve the problem is by changing the policy. I have had some
success so far, however it's tricky, expensive and it's not the optimal
solution.
A possible optimal solution is proposed in the last two or three
messages that I posted (see the last two or three messages quoted
above).
> A lot of these other problems in this patch seem to be issues with
> dbus
> so lets fix that first then the other ones will be easier.
If you want to help implementing a patch, we need to identify the code
where such policy is actually enforced, so that there we can track the
calling user domain to choose the right type transition.
Regards,
Guido
On Thu, Sep 01, 2016 at 11:33:00AM +0200, Guido Trentalancia wrote:
> Hello Jason.
>
> On Thu, 01/09/2016 at 12.20 +0800, Jason Zaman wrote:
> > On Mon, Aug 22, 2016 at 09:39:58PM +0200, Guido Trentalancia wrote:
> > >
> > > Update for the gnome module:
>
> [...]
>
> > Hey,
> >
> > I've been fairly busy lately so didnt closely follow this thread and
> > its
> > too long now for me to understand what exactly the problems are.
>
> I'll point you to a few right messages to read in this thread to
> understand the problem clearly...
>
> Please read the following messages in order:
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008360.html (non-quoted message text only)
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008369.html (non-quoted message text only)
>
> What Dominick added here is partly true, although at the I have had
> some success with re-writing the policy for the whole desktop (or most
> of it):
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008370.html
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008374.html
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008382.html
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008385.html
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008384.html
>
> The following messages are about a possible way to solve the problem
> without changing the actual policy (which can be tricky):
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
>
> So, you have an excellent excerpt now...
This helped a lot but I am still unclear what the original problem is.
> > If I followed correctly, it seems like the biggest problem currently
> > is
> > transitioning to/from dbus? can you show the "ps auxfZ | grep dbus"
> > lines?
>
> The problem is transitioning from a user domain (user, staff, sysadm or
> xguest) to other domains such as dbus (or gkeyring) and then back to
> the initial user domain.
>
> At the moment the policy uses variable types built using the user
> argument ($1) passed to the gnome/dbus role() interface.
>
> Such approach has big limitations and the current framework is poorly
> designed with respect to the ability to perform the above mentioned
> transition.
As you realized, this kind of thing is not allowed:
type_transition session_dbusd_t bin_t:process user_t;
type_transition session_dbusd_t bin_t:process staff_t;
type_transition session_dbusd_t bin_t:process sysadm_t;
type_transition session_dbusd_t bin_t:process xguest_t;
There are typically two ways to fix it, the easiest is prefixed types so
that the transitions become:
type_transition user_dbusd_t bin_t:process user_t;
type_transition staff_dbusd_t bin_t:process staff_t;
dbus is currently setup like this along with most other kinds of
programs that need their own domain but then need to transition back to
the user's shell (eg staff_sudo_t, and a few login type things are what
first come to mind).
The other way is to have the program be SELinux-aware, i.e. link with
libselinux and query the policy for which context should be used.
For example, when running a user's cronjob, cron will look in
/etc/selinux/mcs/contexts/default_contexts for the line and query all
the role/type combos until it finds one that is allowed by the policy
for that user. For these kinds of things the program basically calls
setexeccon() before the exec to set the new context explicitly, so they do
not require the type_transition rules at all (the requested transition is
still subject to the normal policy checks, so the program cannot pick a
context the policy would not otherwise allow).
DBus is also SELinux aware and it looks like logic for something like
this might already exist. On my system I have:
/etc/selinux/mcs/contexts/dbus_contexts but it's empty so not sure what
should be in it.
There are many ways to fix a problem like this depending on a lot of
things.
>
> > How exactly are you running into problems? Can you post a very
> > minimal
> > command that triggers the problems? Is there some hello world I can
> > put
> > in /usr/share/dbus-1/services and a command to trigger the issue?
>
> It's more complex than just starting a command. There are problems in
> the underlying framework when the modified policy is loaded
> (conflicting type rules, i.e. conflicting type transitions).
>
> One way to solve the problem is by changing the policy. I have had some
> success so far, however it's tricky, expensive and it's not the optimal
> solution.
>
> A possible optimal solution is proposed in the last two or three
> messages that I posted (see the last two or three messages quoted
> above).
I still do not understand exactly what problem you are trying to solve
tho. What is running and what is it trying to do? Can you show some
error messages?
Are these lines the ones that are giving issues? Why do you need the
lines at all?
dbus_domain_transition(at_spi_t, user_dbusd_t)
dbus_domain_transition(gnome_settings_t, user_dbusd_t)
Wouldnt they just need dbus send_msg? Why does it need to exec the dbus
daemon? It should already be running, they dont need to start it or
anything. Can you show some error messages?
> > A lot of these other problems in this patch seem to be issues with
> > dbus
> > so lets fix that first then the other ones will be easier.
>
> If you want to help implementing a patch, we need to identify the code
> where such policy is actually enforced, so that there we can track the
> calling user domain to choose the right type transition.
We need to take a step back, there are too many issues mixed together
with this patch. fixing the policy to allow conflicting types sounds
like the wrong solution to whatever the problem is.
-- Jason
> Regards,
>
> Guido
Hello Jason,
thanks for getting back on this.
On Thu, 01/09/2016 at 19.53 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 11:33:00AM +0200, Guido Trentalancia wrote:
[...]
> > The following messages are about a possible way to solve the
> > problem
> > without changing the actual policy (which can be tricky):
> >
> > http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
> >
> > http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
> >
> > http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
> >
> > So, you have an excellent excerpt now...
>
> This helped a lot but I am still unclear what the original problem
> is.
The original problem is that the patch that I posted to update the
gnome policy and the gnome file contexts leads to the conflicting type
rules issues.
It's a limitation of the current situation.
What the patch does (its description) has been posted here:
http://oss.tresys.com/pipermail/refpolicy/2016-August/008324.html
Try by yourself, by applying such patch, then modifying as indicated by
Christopher (moving dbus related statements from the gnome role
template to the dbus module) and finally using the prefixed types (at
the moment it uses user_dbusd_t, which won't work for all users).
It shouldn't take very long to apply the patch and modify it... At
least you can touch the problem with your own hands.
> > > If I followed correctly, it seems like the biggest problem
> > > currently
> > > is
> > > transitioning to/from dbus? can you show the "ps auxfZ | grep
> > > dbus"
> > > lines?
> >
> > The problem is transitioning from a user domain (user, staff,
> > sysadm or
> > xguest) to other domains such as dbus (or gkeyring) and then back
> > to
> > the initial user domain.
> >
> > At the moment the policy uses variable types built using the user
> > argument ($1) passed to the gnome/dbus role() interface.
> >
> > Such approach has big limitations and the current framework is
> > poorly
> > designed with respect to the ability to perform the above mentioned
> > transition.
>
> As you realized, this kind of thing is not allowed (the same source
> type and object class cannot have more than one default transition):
>     type_transition session_dbusd_t bin_t:process user_t;
>     type_transition session_dbusd_t bin_t:process staff_t;
>     type_transition session_dbusd_t bin_t:process sysadm_t;
>     type_transition session_dbusd_t bin_t:process xguest_t;
>
> There are typically two ways to fix it, the easiest is prefixed types
> so
> that the transitions become:
>     type_transition user_dbusd_t bin_t:process user_t;
>     type_transition staff_dbusd_t bin_t:process staff_t;
That is what doesn't work: the prefixed types. They lead to conflicting
type rules.
> dbus is currently setup like this along with most other kinds of
> programs that need their own domain but then need to transition back
> to
> the user's shell (eg staff_sudo_t, and a few login type things are
> what
> first come to mind).
>
> The other way is to have the program be selinux aware. Ie link with
> libselinux and query the policy for what should be used.
> For example, when running a user's cronjob, cron will look in
> /etc/selinux/mcs/contexts/default_contexts for the line and query all
> the role/type combos until it finds one that is allowed by the policy
> for that user. For these kinds of things the program basically does
> setexeccon() before the exec to manually set it so do not require the
> type_transition rules at all.
I don't think this is the right approach for the problem at hand.
> DBus is also SELinux aware and it looks like logic for something like
> this might already exist. On my system I have:
> /etc/selinux/mcs/contexts/dbus_contexts but it's empty so not sure
> what
> should be in it.
It's probably reserved for dbus file contexts.
> There are many ways to fix a problem like this depending on a lot of
> things.
>
> >
> >
> > >
> > > How exactly are you running into problems? Can you post a very
> > > minimal
> > > command that triggers the problems? Is there some hello world I
> > > can
> > > put
> > > in /usr/share/dbus-1/services and a command to trigger the issue?
> >
> > It's more complex than just starting a command. There are problems
> > in
> > the underlying framework when the modified policy is loaded
> > (conflicting type rules, i.e. conflicting type transitions).
> >
> > One way to solve the problem is by changing the policy. I have had
> > some
> > success so far, however it's tricky, expensive and it's not the
> > optimal
> > solution.
> >
> > A possible optimal solution is proposed in the last two or three
> > messages that I posted (see the last two or three messages quoted
> > above).
>
> I still do not understand exactly what problem you are trying to
> solve
> tho. What is running and what is it trying to do? Can you show some
> error messages?
>
> Are these lines the ones that are giving issues? Why do you need the
> lines at all?
> dbus_domain_transition(at_spi_t, user_dbusd_t)
> dbus_domain_transition(gnome_settings_t, user_dbusd_t)
At the moment the gnome desktop is not confined. It runs in the user
domain.
One of the things that the patch does is to start confining the gnome
desktop.
If you start doing so, you'll end up with needing transitions that
apparently cannot be supported by the current framework.
If you want to reproduce the problem, you need to start confining the
gnome desktop: dconf, at-spi, gsettings, gnome-settings-daemon and so
on. A way to start doing so is to try the patch (v4) that I posted and
modify it as indicated by Christopher in the review.
> Wouldnt they just need dbus send_msg? Why does it need to exec the
> dbus
> daemon? It should already be running, they dont need to start it or
> anything. Can you show some error messages?
The system dbus daemon is running, not the session one.
> > > A lot of these other problems in this patch seem to be issues
> > > with
> > > dbus
> > > so lets fix that first then the other ones will be easier.
All I can say, is that the prefixed types don't work when you start
confining the gnome desktop.
Try by yourself, it takes 5 minutes to apply the patch and modify it to
use the prefixed types instead of "user_dbusd_t".
> > If you want to help implementing a patch, we need to identify the
> > code
> > where such policy is actually enforced, so that there we can track
> > the
> > calling user domain to choose the right type transition.
>
> We need to take a step back, there are too many issues mixed together
> with this patch. fixing the policy to allow conflicting types sounds
> like the wrong solution to whatever the problem is.
At the moment, I still believe that is the optimal solution: allowing
conflicts in the policy and resolving them at runtime by exploiting the
knowledge of the user and role parts of the context.
Regards,
Guido
On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> Hello Jason,
>
> thanks for getting back on this.
>
> On Thu, 01/09/2016 at 19.53 +0800, Jason Zaman wrote:
> > On Thu, Sep 01, 2016 at 11:33:00AM +0200, Guido Trentalancia wrote:
>
> [...]
>
> > > The following messages are about a possible way to solve the
> > > problem
> > > without changing the actual policy (which can be tricky):
> > >
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
> > >
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
> > >
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
> > >
> > > So, you have an excellent excerpt now...
> >
> > This helped a lot but I am still unclear what the original problem
> > is.
>
> The original problem is that the patch that I posted to update the
> gnome policy and the gnome file contexts leads to the conflicting type
> rules issues.
>
> It's a limitation of the current situation.
>
> What the patch does (its description) has been posted here:
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008324.html
>
> Try by yourself, by applying such patch, then modifying as indicated by
> Christopher (moving dbus related statements from the gnome role
> template to the dbus module) and finally using the prefixed types (at
> the moment it uses user_dbusd_t, which won't work for all users).
>
> It shouldn't take very long to apply the patch and modify it... At
> least you can touch the problem with your own hands.
>
> > > > If I followed correctly, it seems like the biggest problem
> > > > currently
> > > > is
> > > > transitioning to/from dbus? can you show the "ps auxfZ | grep
> > > > dbus"
> > > > lines?
> > >
> > > The problem is transitioning from a user domain (user, staff,
> > > sysadm or
> > > xguest) to other domains such as dbus (or gkeyring) and then back
> > > to
> > > the initial user domain.
> > >
> > > At the moment the policy uses variable types built using the user
> > > argument ($1) passed to the gnome/dbus role() interface.
> > >
> > > Such approach has big limitations and the current framework is
> > > poorly
> > > designed with respect to the ability to perform the above mentioned
> > > transition.
> >
> > As you realized, this kind of thing is not allowed:
> >     type_transition session_dbusd_t bin_t:process user_t;
> >     type_transition session_dbusd_t bin_t:process staff_t;
> >     type_transition session_dbusd_t bin_t:process sysadm_t;
> >     type_transition session_dbusd_t bin_t:process xguest_t;
> >
> > There are typically two ways to fix it, the easiest is prefixed types
> > so
> > that the transitions become:
> >     type_transition user_dbusd_t bin_t:process user_t;
> >     type_transition staff_dbusd_t bin_t:process staff_t;
>
> That is what doesn't work: the prefixed types. They lead to conflicting
> type rules.
>
> > dbus is currently setup like this along with most other kinds of
> > programs that need their own domain but then need to transition back
> > to
> > the user's shell (eg staff_sudo_t, and a few login type things are
> > what
> > first come to mind).
> >
> > The other way is to have the program be selinux aware. Ie link with
> > libselinux and query the policy for what should be used.
> > For example, when running a user's cronjob, cron will look in
> > /etc/selinux/mcs/contexts/default_contexts for the line and query all
> > the role/type combos until it finds one that is allowed by the policy
> > for that user. For these kinds of things the program basically does
> > setexeccon() before the exec to manually set it so do not require the
> > type_transition rules at all.
>
> I don't think this is the right approach for the problem at hand.
>
> > DBus is also SELinux aware and it looks like logic for something like
> > this might already exist. On my system I have:
> > /etc/selinux/mcs/contexts/dbus_contexts but it's empty so not sure
> > what
> > should be in it.
>
> It's probably reserved for dbus file contexts.
>
> > There are many ways to fix a problem like this depending on a lot of
> > things.
> >
> > >
> > >
> > > >
> > > > How exactly are you running into problems? Can you post a very
> > > > minimal
> > > > command that triggers the problems? Is there some hello world I
> > > > can
> > > > put
> > > > in /usr/share/dbus-1/services and a command to trigger the issue?
> > >
> > > It's more complex than just starting a command. There are problems
> > > in
> > > the underlying framework when the modified policy is loaded
> > > (conflicting type rules, i.e. conflicting type transitions).
> > >
> > > One way to solve the problem is by changing the policy. I have had
> > > some
> > > success so far, however it's tricky, expensive and it's not the
> > > optimal
> > > solution.
> > >
> > > A possible optimal solution is proposed in the last two or three
> > > messages that I posted (see the last two or three messages quoted
> > > above).
> >
> > I still do not understand exactly what problem you are trying to
> > solve
> > tho. What is running and what is it trying to do? Can you show some
> > error messages?
> >
> > Are these lines the ones that are giving issues? Why do you need the
> > lines at all?
> > dbus_domain_transition(at_spi_t, user_dbusd_t)
> > dbus_domain_transition(gnome_settings_t, user_dbusd_t)
>
> At the moment the gnome desktop is not confined. It runs in the user
> domain.
>
> One of the things that the patch does is to start confining the gnome
> desktop.
>
> If you start doing so, you'll end up with needing transitions that
> apparently cannot be supported by the current framework.
>
> If you want to reproduce the problem, you need to start confining the
> gnome desktop: dconf, at-spi, gsettings, gnome-settings-daemon and so
> on. A way to start doing so is to try the patch (v4) that I posted and
> modify it as indicated by Christopher in the review.
>
> > Wouldnt they just need dbus send_msg? Why does it need to exec the
> > dbus
> > daemon? It should already be running, they dont need to start it or
> > anything. Can you show some error messages?
>
> The system dbus daemon is running, not the session one.
The session dbus-daemon is supposed to be started as the very first
thing at login; at-spi shouldn't be trying to start it itself.
> > > > A lot of these other problems in this patch seem to be issues
> > > > with
> > > > dbus
> > > > so lets fix that first then the other ones will be easier.
>
> All I can say, is that the prefixed types don't work when you start
> confining the gnome desktop.
You still haven't explained exactly what is trying to run what? What are
the starting domains? what is the program? what is it trying to run?
what are the domains (before and after the patch) of the things it tries
to run? What are the error messages?
> Try by yourself, it takes 5 minutes to apply the patch and modify it to
> use the prefixed types instead of "user_dbusd_t".
Yeah, I know the rules dont work, I can see that without even building.
My question is why do you need the rules? You keep saying you need these
rules but what *exactly* do they fix? Once we know that we can suggest
other solutions.
Hard-coding user_dbusd_t is not a fix: your patch would work for user_t
only, while staff_t and every other user domain would remain broken.
> > > If you want to help implementing a patch, we need to identify the
> > > code
> > > where such policy is actually enforced, so that there we can track
> > > the
> > > calling user domain to choose the right type transition.
> >
> > We need to take a step back, there are too many issues mixed together
> > with this patch. fixing the policy to allow conflicting types sounds
> > like the wrong solution to whatever the problem is.
>
> At the moment, I still believe that is the optimal solution: allowing
> conflicts in the policy and resolving them at runtime by exploiting the
> knowledge of the user and role parts of the context.
>
> Regards,
>
> Guido
On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
[...]
> > At the moment the gnome desktop is not confined. It runs in the
> > user
> > domain.
> >
> > One of the things that the patch does is to start confining the
> > gnome
> > desktop.
> >
> > If you start doing so, you'll end up with needing transitions that
> > apparently cannot be supported by the current framework.
> >
> > If you want to reproduce the problem, you need to start confining
> > the
> > gnome desktop: dconf, at-spi, gsettings, gnome-settings-daemon and
> > so
> > on. A way to start doing so is to try the patch (v4) that I posted
> > and
> > modify it as indicated by Christopher in the review.
> >
> > >
> > > Wouldnt they just need dbus send_msg? Why does it need to exec
> > > the
> > > dbus
> > > daemon? It should already be running, they dont need to start it
> > > or
> > > anything. Can you show some error messages?
> >
> > The system dbus daemon is running, not the session one.
>
> The session dbus is supposed to be started when you login first
> thing.
Yes, exactly.
> at-spi shouldnt be trying to start it.
Who said that? at-spi is started with Gnome from the xdg autostart
directory by default.
> > > > > A lot of these other problems in this patch seem to be issues
> > > > > with
> > > > > dbus
> > > > > so lets fix that first then the other ones will be easier.
> >
> > All I can say, is that the prefixed types don't work when you start
> > confining the gnome desktop.
>
> You still haven't explained exactly what is trying to run what? What
> are
> the starting domains? what is the program? what is it trying to run?
> what are the domains (before and after the patch) of the things it
> tries
> to run? What are the error messages?
>
> >
> > Try by yourself, it takes 5 minutes to apply the patch and modify
> > it to
> > use the prefixed types instead of "user_dbusd_t".
>
> Yeah, I know the rules dont work, I can see that without even
> building.
> My question is why do you need the rules? You keep saying you need
> these
> rules but what *exactly* do they fix? Once we know that we can
> suggest
> other solutions.
The new rules solve some problems in the current policy that prevent
Gnome from starting, and they also confine pieces of Gnome that are
currently unconfined (dconf, at-spi, gsd and so on).
Other things that are tackled by the patch are listed at the top of it
(description of the patch). It is several things all together.
> Using user_dbusd_t is useless. your patch would fix it for user_t,
> but
> staff_t and any others would be still broken.
Yes, I know. It was so because the prefixed types don't work properly.
I think we are starting to loop around the same arguments...
> > > > If you want to help implementing a patch, we need to identify
> > > > the
> > > > code
> > > > where such policy is actually enforced, so that there we can
> > > > track
> > > > the
> > > > calling user domain to choose the right type transition.
> > >
> > > We need to take a step back, there are too many issues mixed
> > > together
> > > with this patch. fixing the policy to allow conflicting types
> > > sounds
> > > like the wrong solution to whatever the problem is.
> >
> > At the moment, I still believe that is the optimal solution:
> > allowing
> > conflicts in the policy and resolving them at runtime by exploiting
> > the
> > knowledge of the user and role parts of the context.
The above is what is needed to achieve an optimal solution to the
problem that I encountered while developing this gnome patch.
Guido
On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via refpolicy wrote:
> On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> Who said that ? At-spi starts with Gnome from the xdg autostart
> directory by default.
What happens if you start dbus-daemon --session from xdg autostart too?
> > > > > If you want to help implementing a patch, we need to identify
> > > > > the
> > > > > code
> > > > > where such policy is actually enforced, so that there we can
> > > > > track
> > > > > the
> > > > > calling user domain to choose the right type transition.
> > > >
> > > > We need to take a step back, there are too many issues mixed
> > > > together
> > > > with this patch. fixing the policy to allow conflicting types
> > > > sounds
> > > > like the wrong solution to whatever the problem is.
> > >
> > > At the moment, I still believe that is the optimal solution:
> > > allowing
> > > conflicts in the policy and resolving them at runtime by exploiting
> > > the
> > > knowledge of the user and role parts of the context.
>
> The above is what is needed to achieve an optimal solution to the
> problem that I encountered while developing this gnome patch.
Again ... *what problem*? show me the error messages you get without
this patch applied. You keep saying that what you have done is optimal
to solve the problem but you have not explained what the problem is.
Do you need atspi to be able to exec dbus-daemon? What happens if you
start dbus-daemon before atspi?
Why cant you just prefix the atspi domains too?
type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
-- Jason
On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via
> refpolicy wrote:
> >
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > >
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia
> > > wrote:
> > Who said that ? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?
The D-Bus session daemon is not designed to be started from xdg
autostart: it has to be running before the autostart applications are
launched, and there can be multiple instances of it (one per session).
> > > > > > If you want to help implementing a patch, we need to
> > > > > > identify
> > > > > > the
> > > > > > code
> > > > > > where such policy is actually enforced, so that there we
> > > > > > can
> > > > > > track
> > > > > > the
> > > > > > calling user domain to choose the right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together
> > > > > with this patch. fixing the policy to allow conflicting types
> > > > > sounds
> > > > > like the wrong solution to whatever the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing
> > > > conflicts in the policy and resolving them at runtime by
> > > > exploiting
> > > > the
> > > > knowledge of the user and role parts of the context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? show me the error messages you get without
> this patch applied. You keep saying that what you have done is
As already explained, without the patch applied Gnome doesn't start,
pulseaudio doesn't work properly, some of the permissions granted are
not strictly needed, and Gnome is not confined properly (there are
Gnome processes running in the user domain which should instead run in
their own domains).
> optimal
> to solve the problem but you have not explained what the problem is.
I have no other ways of explaining it.
The others have understood the problem, perhaps you can read their
replies to get more insight...
> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
>
> Why cant you just prefix the atspi domains too?
> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> -- Jason
Guido
Hello Jason,
I'll try another time to answer your question...
On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via
> refpolicy wrote:
> >
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > >
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia
> > > wrote:
> > Who said that ? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?
>
> >
> > >
> > > >
> > > > >
> > > > > >
> > > > > > If you want to help implementing a patch, we need to
> > > > > > identify
> > > > > > the
> > > > > > code
> > > > > > where such policy is actually enforced, so that there we
> > > > > > can
> > > > > > track
> > > > > > the
> > > > > > calling user domain to choose the right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together
> > > > > with this patch. fixing the policy to allow conflicting types
> > > > > sounds
> > > > > like the wrong solution to whatever the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing
> > > > conflicts in the policy and resolving them at runtime by
> > > > exploiting
> > > > the
> > > > knowledge of the user and role parts of the context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? show me the error messages you get without
> this patch applied. You keep saying that what you have done is
> optimal
> to solve the problem but you have not explained what the problem is.
The main problem that the patch was trying to sort out is to allow
Gnome to run with the Reference Policy and to confine it better (for a
full description, please refer to the latest version of the patch).
In this case, there isn't just one specific error message. There is a
series of permissions denied in the log files and the desktop won't
start (as in not passing the xdm login screen, for example) or it won't
function properly.
While developing the above mentioned patch, I came across a problem
with the policy: conflicting type rules.
The specific error message in this case is "Conflicting type rules"
when loading the policy (it compiles fine).
You can reproduce it by applying the patch and then changing the
"user_dbusd_t" type that I have used initially to the prefixed type
"$1_dbusd_t".
To solve the latter problem, I believe that the optimal solution is not
to change the policy further, but to:
- change the existing source code so that it adds the conflicting type
rules without generating an error;
- resolve the conflict at runtime by exploiting the knowledge of the
user and role parts of the context.
I was asking other people what they think of such proposed solution
and, provided that it sounds feasible to them, if they have specific
ideas on its implementation.
I hope it does make sense now...
> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
> Why cant you just prefix the atspi domains too?
I don't know if prefixing the other domains works.
However, if you post a revised patch, I can test it and let you know.
At the moment, I have removed the prefixed types and I am working with static types prefixed by the keyword "session". It works, but it surely isn't what I would call optimal.
> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
Regards,
Guido
On Thu, Sep 01, 2016 at 09:30:25PM +0200, Guido Trentalancia via refpolicy wrote:
> > Why cant you just prefix the atspi domains too?
>
> I don't know if prefixing the other domains works.
> However, if you post a revised patch, I can test it and let you know.
> At the moment, I have removed the prefixed types and I am working with
> static types prefixed by the keyword "session". It works, but it
> surely isn't what I would call optimal.
I'm pretty sure removing prefixes is the opposite direction from where
you need to be going.
Xfce uses at-spi-bus-launcher so I can confine that and gconfd first so
we can get things working in general. If those work then the rest of the
parts of gnome would follow the same pattern.
-- Jason
> > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> Regards,
>
> Guido
>
Hello Jason.
I have an update about the advice that you kindly provided...
On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via
> refpolicy wrote:
> >
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > >
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia
> > > wrote:
> > Who said that ? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?
>
> >
> > >
> > > >
> > > > >
> > > > > >
> > > > > > If you want to help implementing a patch, we need to
> > > > > > identify
> > > > > > the
> > > > > > code
> > > > > > where such policy is actually enforced, so that there we
> > > > > > can
> > > > > > track
> > > > > > the
> > > > > > calling user domain to choose the right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together
> > > > > with this patch. fixing the policy to allow conflicting types
> > > > > sounds
> > > > > like the wrong solution to whatever the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing
> > > > conflicts in the policy and resolving them at runtime by
> > > > exploiting
> > > > the
> > > > knowledge of the user and role parts of the context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? show me the error messages you get without
> this patch applied. You keep saying that what you have done is
> optimal
> to solve the problem but you have not explained what the problem is.
>
> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
>
> Why cant you just prefix the atspi domains too?
> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
The latter (prefixing the other domains, such as at_spi, that at some
point need to transition back to the user domain) solved the problem
that I was experiencing !
Brilliant idea... Thanks very much for your advice !!
Unfortunately, I don't know if I can really update this patch for the
mailing list and resubmit it, because there are very strict
requirements on its length.
It's a shame, but I cannot split it in several parts because this patch
is made of highly interdependent bits...
Best regards,
Guido
> On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> > Why cant you just prefix the atspi domains too?
> > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> The latter (prefixing the other domains, such as at_spi, that at some
> point need to transition back to the user domain) solved the problem
> that I was experiencing !
>
> Brilliant idea... Thanks very much for your advice !!
>
> Unfortunately, I don't know if I can really update this patch for the
> mailing list and resubmit it, because there are very strict
> requirements on its length.
>
> It's a shame, but I cannot split it in several parts because this patch
> is made of highly interdependent bits...
Great that it works!
Can you rebase the patch on master then send me the file directly (not to
the list since it's big). Then I can take a look and comment.
If this works well for dbus session programs we probably want to make a few
templates to handle the common stuff first. Then we can do the specific
patches separately for atspi and the other programs afterwards. It's a big
change but I'm sure we can figure out a good way to organise it.
I use xfce so will check if there are more things that use dbus so we can
make the templates good for everything at the same time.
-- Jason
Hello Jason.
On Tue, 06/09/2016 at 17.18 +0800, Jason Zaman wrote:
> > On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> > > Why cant you just prefix the atspi domains too?
> > > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
> >
> > The latter (prefixing the other domains, such as at_spi, that at
> some
> > point need to transition back to the user domain) solved the
> problem
> > that I was experiencing !
> >
> > Brilliant idea... Thanks very much for your advice !!
> >
> > Unfortunately, I don't know if I can really update this patch for
> the
> > mailing list and resubmit it, because there are very strict
> > requirements on its length.
> >
> > It's a shame, but I cannot split it in several parts because this
> patch
> > is made of highly interdependent bits...
> Great that it works!
Yes, thanks very much to your advice !
> Can you rebase the patch on master then send me the file directly
> (not to the list since it's big). Then I can take a look and comment.
I am still completing it. There are still bits that are getting changed
and improved every now and then while it gets tested better.
> If this works well for dbus session programs we probably want to make
> a few templates to handle the common stuff first. Then we can do the
> specific patches separately for atspi and the other programs
> afterwards. It's a big change but I'm sure we can figure out a good
> way to organise it.
I really hope it will get committed.
> I use xfce so will check if there are more things that use dbus so we
> can make the templates good for everything at the same time.
There is only one strange thing happening: when I start gnome-terminal
from the gnome-shell menu (it executes /usr/bin/gnome-terminal, which
then executes /usr/libexec/gnome-terminal-server), it runs in the
$1_dbusd_t domain.
Other applications started from the gnome-shell menu do not end up
running in the $1_dbusd_t domain but in the user domain, as desired.
I am not sure why the above is happening (presumably gnome-terminal-
server is being launched by the session bus rather than directly by
gnome-shell). I can get it to transition from $1_dbusd_t to $1_t, which
sorts things out (a terminal should not be running with the bus
daemon's permissions), but it would be better if the two ran in
gnome_terminal_t and gnome_terminal_server_t respectively.
Best regards,
Guido