2016-05-27 20:36:23

by Jason Zaman

Subject: [refpolicy] [PATCH v3 1/7] consolekit: allow managing user runtime dirs

---
consolekit.te | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/consolekit.te b/consolekit.te
index 050c5c5..001ba77 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#

-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
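Review bot: The widened capability set on the first `allow` line adds `sys_admin` and `fowner` to a domain that already holds `dac_override` and `sys_ptrace`, and nothing in the patch says why. `sys_admin` covers far more than mounting, so the rule deserves a why-comment that an auditor can check against the observed denials, e.g. `# sys_admin: mount/unmount tmpfs on the per-user runtime dir; fowner, setfscreate: create and label it`. That reading is inferred from the `fs_mount_tmpfs`/`fs_unmount_tmpfs` lines in the next hunk and should be confirmed by the author. If only some ConsoleKit builds manage runtime directories, it is worth asking whether these grants need to be unconditional.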

@@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)

fs_list_inotifyfs(consolekit_t)
+fs_mount_tmpfs(consolekit_t)
+fs_unmount_tmpfs(consolekit_t)
+fs_relabelfrom_tmpfs(consolekit_t)

mcs_ptrace_all(consolekit_t)

+seutil_libselinux_linked(consolekit_t)
+seutil_read_file_contexts(consolekit_t)
+
term_use_all_terms(consolekit_t)

auth_use_nsswitch(consolekit_t)
@@ -79,6 +85,12 @@ miscfiles_read_localization(consolekit_t)

userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_manage_user_runtime_root_dirs(consolekit_t)
+userdom_manage_user_runtime_dirs(consolekit_t)
+userdom_mounton_user_runtime_dirs(consolekit_t)
+userdom_relabelto_user_runtime_dirs(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
+userdom_user_runtime_root_filetrans_user_runtime_dirs(consolekit_t, dir)

tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
--
2.7.3


2016-05-27 20:36:24

by Jason Zaman

Subject: [refpolicy] [PATCH v3 2/7] pulseaudio: fcontext and filetrans for /run/user/ID/pulse/

---
pulseaudio.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pulseaudio.te b/pulseaudio.te
index 169d0bc..bfdf36d 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
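Review bot: The added `userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)` carries no object name, so every directory the daemon creates directly in a user runtime dir would be labelled `pulseaudio_tmp_t`, while the client rule later in this patch limits the transition to `"pulse"`. Unless the daemon is known to create other directories there, the named form keeps the two rules consistent and the transition as narrow as the subject line describes: `userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir, "pulse")`.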
@@ -203,8 +204,9 @@ optional_policy(`
#

allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;

-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;

read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
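Review bot: Replacing `allow pulseaudio_client pulseaudio_client:process signull;` with `allow pulseaudio_client self:process signull;` changes more than the subject suggests. If `pulseaudio_client` is an attribute, the old rule let every client domain signull every other client domain, whereas `self` limits it to processes of the same type. That is a tightening, but it is unrelated to runtime-dir labelling and could surface new denials between different client domains. It should be called out in the commit message or split into its own patch.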
@@ -228,6 +230,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)

userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)

tunable_policy(`use_nfs_home_dirs',`
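Review bot: The subject promises an fcontext for /run/user/ID/pulse/, but the diffstat lists only pulseaudio.te and no file-context entry is added anywhere in the patch. The named transition `userdom_user_runtime_dir_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")` labels the directory only when it is created. Without a matching entry in the module's file-contexts file, a later relabel would presumably reset it to the default runtime-dir type. Either add the entry to this patch or adjust the subject if the entry already exists elsewhere.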
--
2.7.3

2016-05-27 20:36:25

by Jason Zaman

Subject: [refpolicy] [PATCH v3 3/7] ftp: Add filetrans from user_runtime_dir

---
ftp.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/ftp.te b/ftp.te
index 774bc9e..6d70878 100644
--- a/ftp.te
+++ b/ftp.te
@@ -318,9 +318,11 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(ftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(ftpd_t, { dir file })
')

tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
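Review bot: `userdom_user_runtime_dir_filetrans_user_tmp(ftpd_t, { dir file })` is added to both arms of the `ftp_home_dir` tunable, and the next hunk does the same for `sftpd_t` under `sftpd_enable_homedirs`, so the grant applies whatever the booleans are set to. The patch gives no reason for an FTP daemon to create objects in a user's runtime directory, and the false arm has no accompanying `userdom_manage_user_tmp_dirs`/`userdom_manage_user_tmp_files` lines in view. Keeping the new line only in the enabled arm, or adding a comment such as `# needed even with home dirs disabled because ...` with the observed denial, would make the intent reviewable. Both tunable blocks begin above their hunks.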
@@ -457,9 +459,11 @@ tunable_policy(`sftpd_enable_homedirs',`
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(sftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_dir_filetrans_user_tmp(sftpd_t, { dir file })
')

tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
--
2.7.3

2016-05-27 20:36:26

by Jason Zaman

Subject: [refpolicy] [PATCH v3 4/7] gnome: Add filetrans from user_runtime_dir

---
gnome.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnome.te b/gnome.te
index c4746b6..a2300f9 100644
--- a/gnome.te
+++ b/gnome.te
@@ -89,6 +89,7 @@ userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })

userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_user_runtime_dir_filetrans_user_tmp(gconfd_t, dir)

optional_policy(`
dbus_all_session_domain(gconfd_t, gconfd_exec_t)
--
2.7.3

2016-05-27 20:36:27

by Jason Zaman

Subject: [refpolicy] [PATCH v3 5/7] mplayer: Add filetrans from user_runtime_dir

---
mplayer.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/mplayer.te b/mplayer.te
index 0f03cd9..5d68c06 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -201,6 +201,7 @@ userdom_use_user_terminals(mplayer_t)
userdom_manage_user_tmp_dirs(mplayer_t)
userdom_manage_user_tmp_files(mplayer_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_dir_filetrans_user_tmp(mplayer_t, { dir file })

userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
--
2.7.3

2016-05-27 20:36:28

by Jason Zaman

Subject: [refpolicy] [PATCH v3 6/7] userhelper: Add filetrans from user_runtime_dir

---
userhelper.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/userhelper.te b/userhelper.te
index 8dadb4b..1ceef0a 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -68,6 +68,7 @@ userdom_use_user_terminals(consolehelper_type)
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_dir_filetrans_user_tmp(consolehelper_type, { dir file })

tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(consolehelper_type)
--
2.7.3

2016-05-27 20:36:29

by Jason Zaman

Subject: [refpolicy] [PATCH v3 7/7] wm: Add filetrans from user_runtime_dir

---
wm.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/wm.te b/wm.te
index a3861e9..1a3f218 100644
--- a/wm.te
+++ b/wm.te
@@ -40,6 +40,7 @@ miscfiles_read_localization(wm_domain)

userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_dir_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
--
2.7.3

2016-05-28 10:14:37

by Dac Override

Subject: [refpolicy] [PATCH v3 2/7] pulseaudio: fcontext and filetrans for /run/user/ID/pulse/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/27/2016 10:36 PM, Jason Zaman wrote:
> --- pulseaudio.te | 5 ++++- 1 file changed, 4 insertions(+), 1
> deletion(-)
>
> diff --git a/pulseaudio.te b/pulseaudio.te index 169d0bc..bfdf36d
> 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -56,6 +56,7 @@
> manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t) manage_files_pattern(pulseaudio_t,
> pulseaudio_tmp_t, pulseaudio_tmp_t)
> manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t) files_tmp_filetrans(pulseaudio_t,
> pulseaudio_tmp_t, dir)
> +userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> dir) userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> file, "autospawn.lock") userdom_user_tmp_filetrans(pulseaudio_t,
> pulseaudio_tmp_t, file, "pid")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> sock_file, "dbus-socket") @@ -203,8 +204,9 @@ optional_policy(` #
>
> allow pulseaudio_client self:unix_dgram_socket sendto; +allow
> pulseaudio_client self:process signull;
>
> -allow pulseaudio_client pulseaudio_client:process signull; +allow
> pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;

I suspect that above is redundant because it is probably already
allowed by:

userdom_user_runtime_dir_filetrans(pulseaudio_client,
pulseaudio_tmp_t, dir, "pulse")

>
> read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile
> pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
> delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile,
> pulseaudio_tmpfsfile) @@ -228,6 +230,7 @@
> pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file,
> ".pulse-cooki pulseaudio_signull(pulseaudio_client)
>
> userdom_read_user_tmpfs_files(pulseaudio_client)
> +userdom_user_runtime_dir_filetrans(pulseaudio_client,
> pulseaudio_tmp_t, dir, "pulse") #
> userdom_delete_user_tmpfs_files(pulseaudio_client)
>
> tunable_policy(`use_nfs_home_dirs',`
>


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=kX7F
-----END PGP SIGNATURE-----

2016-05-28 10:40:01

by Jason Zaman

Subject: [refpolicy] [PATCH v3 2/7] pulseaudio: fcontext and filetrans for /run/user/ID/pulse/

On Sat, May 28, 2016 at 12:14:37PM +0200, Dominick Grift wrote:
> On 05/27/2016 10:36 PM, Jason Zaman wrote:
> > --- pulseaudio.te | 5 ++++- 1 file changed, 4 insertions(+), 1
> > deletion(-)
> >
> > diff --git a/pulseaudio.te b/pulseaudio.te index 169d0bc..bfdf36d
> > 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -56,6 +56,7 @@
> > manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t) manage_files_pattern(pulseaudio_t,
> > pulseaudio_tmp_t, pulseaudio_tmp_t)
> > manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t) files_tmp_filetrans(pulseaudio_t,
> > pulseaudio_tmp_t, dir)
> > +userdom_user_runtime_dir_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > dir) userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > file, "autospawn.lock") userdom_user_tmp_filetrans(pulseaudio_t,
> > pulseaudio_tmp_t, file, "pid")
> > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > sock_file, "dbus-socket") @@ -203,8 +204,9 @@ optional_policy(` #
> >
> > allow pulseaudio_client self:unix_dgram_socket sendto; +allow
> > pulseaudio_client self:process signull;
> >
> > -allow pulseaudio_client pulseaudio_client:process signull; +allow
> > pulseaudio_client pulseaudio_tmp_t:dir list_dir_perms;
>
> I suspect that above is redundant because it is probably already
> allowed by:
>
> userdom_user_runtime_dir_filetrans(pulseaudio_client,
> pulseaudio_tmp_t, dir, "pulse")

The filetrans interface gives pulse_tmp_t search perms but does not give
list. Pulse clients got really unhappy if they could not list the pulse
dir as well.
>
> >
> > read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile
> > pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
> > delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile,
> > pulseaudio_tmpfsfile) @@ -228,6 +230,7 @@
> > pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file,
> > ".pulse-cooki pulseaudio_signull(pulseaudio_client)
> >
> > userdom_read_user_tmpfs_files(pulseaudio_client)
> > +userdom_user_runtime_dir_filetrans(pulseaudio_client,
> > pulseaudio_tmp_t, dir, "pulse") #
> > userdom_delete_user_tmpfs_files(pulseaudio_client)
> >
> > tunable_policy(`use_nfs_home_dirs',`
> >
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy