2017-04-17 12:34:34

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] [PATCH] login related stuff

Give sulogin some access it needs and dontaudit a net_admin capability check
related to systemd for local_login_t.

Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
send dbus messages to all users.

Allow system_dbusd_t to access dri and input_dev devices; this is triggered
by gdm3.

Allow chkpwd_t to get selinux enforcing mode.

Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs to be
run as part of an X login session (as the parent of other user processes).

Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
@@ -33,6 +33,7 @@ role system_r types sulogin_t;
#

allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+dontaudit local_login_t self:capability net_admin;
allow local_login_t self:process { setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
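Review bot: the new `dontaudit local_login_t self:capability net_admin;` rule has no comment saying which systemd code path performs the check, and the commit message only says it is "related to systemd"; add a one-line comment above the rule (as the dbus.te hunk does) naming what probes net_admin, so a later reader can tell when the dontaudit can be dropped. Since a dontaudit only silences the denial and grants nothing, also confirm on the systemd setup that local login still completes with the AVC hidden and that nothing depends on net_admin actually being held.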
@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)

auth_read_shadow(sulogin_t)
+auth_login_pgm_domain(sulogin_t)
+kernel_read_crypto_sysctls(sulogin_t)
+selinux_set_generic_booleans(sulogin_t)

init_getpgid_script(sulogin_t)

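Review bot: `selinux_set_generic_booleans(sulogin_t)` lets the single-user rescue shell domain change SELinux booleans, a policy-altering permission the commit message justifies only as "some access it needs"; state what sulogin does that requires it, or whether a dontaudit of the attempt would do. Also check whether `auth_login_pgm_domain(sulogin_t)` already covers the unchanged `auth_read_shadow(sulogin_t)` line directly above it, in which case the older call becomes redundant and can be removed in the same hunk.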
Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_

kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+dev_read_urand(policykit_t)

dev_read_urand(policykit_t)

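Review bot: the added `+dev_read_urand(policykit_t)` duplicates the unchanged `dev_read_urand(policykit_t)` two lines below it in the same hunk; drop the added line and remove "read urandom" from the commit message, leaving only the two `fs_getattr_*` additions.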
@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)

userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dbus_send_all_users(policykit_t)

optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
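Review bot: `userdom_dbus_send_all_users(policykit_t)` grants send_msg to every user domain, and the commit message records only the effect ("send dbus messages to all users"), not which policykit interaction needs it; add that to the message or as a comment above the rule so the breadth of the grant can be reassessed later.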
Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)

+# gdm3 causes system_dbusd_t to want this access
+dev_rw_dri(system_dbusd_t)
+dev_rw_input_dev(system_dbusd_t)
+
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)

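Review bot: read/write access to DRI and input devices is far broader than a message bus daemon should need, and the comment records only that gdm3 "wants" it, not what fails without it. Before merging, capture the denial and check whether the access is a probe that could be `dontaudit`ed instead; if it is real and specific to the systemd/logind setup it was observed on, wrap both calls in an `ifdef(`init_systemd',` ... `')` or `optional_policy` block rather than granting them unconditionally to system_dbusd_t.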
Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+selinux_get_enforce_mode(chkpwd_t)
+selinux_getattr_fs(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

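Review bot: `selinux_get_enforce_mode(chkpwd_t)` fits under the existing `# is_selinux_enabled` comment, but `selinux_getattr_fs(chkpwd_t)` is a separate access that the commit message ("get selinux enforcing mode") does not mention; either extend the comment to cover both calls or add the getattr to the commit message so the reason for it is recorded.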
Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
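Review bot: `kernel_read_crypto_sysctls(gpg_t)` is added without a comment, while the neighbouring `kernel_read_system_state(gpg_t)` carries `# read /proc/cpuinfo`; follow that style and record which crypto sysctl gpg reads (the FIPS mode flag is the usual one) so the rule can be revisited if the need goes away.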
@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

+xdm_sigchld(gpg_agent_t)
+dbus_system_bus_client(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+xserver_read_user_xauth(gpg_agent_t)
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
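Review bot: `xdm_sigchld`, `dbus_system_bus_client` and `xserver_read_user_xauth` are calls into other modules (xserver and dbus) placed bare among the gpg_agent_t rules; in refpolicy such cross-module calls are wrapped in `optional_policy(`...')` blocks, as the `dbus_system_domain` call in the policykit.te hunk of this same patch is, so that gpg still builds when those modules are not enabled. The new `xdm_sigchld` name also lacks the `xserver_` module prefix that `xserver_read_user_xauth` right below it uses; see the xserver.if hunk.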
Index: refpolicy-2.20170417/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170417/policy/modules/services/xserver.if
@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Allow domain to send sigchld to xdm_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdm_sigchld',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process sigchld;
+')
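Review bot: the new interface is named `xdm_sigchld`, but every interface in xserver.if (the one just above it is `xserver_unconfined`) carries the `xserver_` module prefix, so rename it along the lines of `xserver_xdm_sigchld` and update the gpg.te caller to keep refpolicy's module-prefix convention. The `<summary>` would also benefit from saying when a domain needs this, since the only caller in the patch is gpg_agent_t reporting child exit to the display manager that spawned it.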


2017-04-17 13:06:55

by guido

[permalink] [raw]
Subject: [refpolicy] [PATCH] login related stuff

Hello.

It is not clear to me why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())...

Is such permission really critical for running gdm?

And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it.

The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled!

What is your experience, if any, with the latter?

Regards,

Guido

On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>Give sulogin some access it needs and dontaudit a nat_admin capability
>check
>related to systemd for local_login_t.
>
>Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
>send dbus messages to all users.
>
>Allow system_dbusd_t to access dri and input_dev devices, this is
>triggered
>by gdm3.
>
>Allow chkpwd_t to get selinux enforcing mode.
>
>Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs
>to be
>run as part of an X login session (as the parent of other user
>processes).
>
>Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
>+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
>@@ -33,6 +33,7 @@ role system_r types sulogin_t;
> #
>
>allow local_login_t self:capability { chown dac_override fowner fsetid
>kill setgid setuid sys_nice sys_resource sys_tty_config };
>+dontaudit local_login_t self:capability net_admin;
> allow local_login_t self:process { setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
>@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
> files_read_etc_files(sulogin_t)
>
> auth_read_shadow(sulogin_t)
>+auth_login_pgm_domain(sulogin_t)
>+kernel_read_crypto_sysctls(sulogin_t)
>+selinux_set_generic_booleans(sulogin_t)
>
> init_getpgid_script(sulogin_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
>+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
>@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>
> kernel_read_kernel_sysctls(policykit_t)
> kernel_read_system_state(policykit_t)
>+fs_getattr_tmpfs(policykit_t)
>+fs_getattr_cgroup(policykit_t)
>+dev_read_urand(policykit_t)
>
> dev_read_urand(policykit_t)
>
>@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
>
> userdom_getattr_all_users(policykit_t)
> userdom_read_all_users_state(policykit_t)
>+userdom_dbus_send_all_users(policykit_t)
>
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
>+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
>@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
> dev_read_urand(system_dbusd_t)
> dev_read_sysfs(system_dbusd_t)
>
>+# gdm3 causes system_dbusd_t to want this access
>+dev_rw_dri(system_dbusd_t)
>+dev_rw_input_dev(system_dbusd_t)
>+
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
>Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
>+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
>@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> kernel_read_crypto_sysctls(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>+selinux_get_enforce_mode(chkpwd_t)
>+selinux_getattr_fs(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
>+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
>@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
>+kernel_read_crypto_sysctls(gpg_t)
> kernel_read_sysctl(gpg_t)
> # read /proc/cpuinfo
> kernel_read_system_state(gpg_t)
>@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
>+xdm_sigchld(gpg_agent_t)
>+dbus_system_bus_client(gpg_agent_t)
>+auth_use_nsswitch(gpg_agent_t)
>+xserver_read_user_xauth(gpg_agent_t)
>+
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
>gpg_agent_tmp_t)
>Index: refpolicy-2.20170417/policy/modules/services/xserver.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
>+++ refpolicy-2.20170417/policy/modules/services/xserver.if
>@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
>+
>+########################################
>+## <summary>
>+## Allow domain to send sigchld to xdm_t
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`xdm_sigchld',`
>+ gen_require(`
>+ type xdm_t;
>+ ')
>+
>+ allow $1 xdm_t:process sigchld;
>+')
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

2017-04-17 13:17:35

by Dac Override

[permalink] [raw]
Subject: [refpolicy] [PATCH] login related stuff

On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via refpolicy wrote:
> Hello.
>
> It is not clear to me the reason why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())...
>
> Is such permission really critical for running gdm?

I suspect this is systemd specific (logind to be precise), but nowadays all kinds of file descriptors seem to get passed through dbus.

>
> And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it.
>
> The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled!
>
> What is your experience, if any, with the latter?
>
> Regards,
>
> Guido
>
> On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy <[email protected]> wrote:
> >Give sulogin some access it needs and dontaudit a nat_admin capability
> >check
> >related to systemd for local_login_t.
> >
> >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
> >send dbus messages to all users.
> >
> >Allow system_dbusd_t to access dri and input_dev devices, this is
> >triggered
> >by gdm3.
> >
> >Allow chkpwd_t to get selinux enforcing mode.
> >
> >Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs
> >to be
> >run as part of an X login session (as the parent of other user
> >processes).
> >
> >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
> >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
> >@@ -33,6 +33,7 @@ role system_r types sulogin_t;
> > #
> >
> >allow local_login_t self:capability { chown dac_override fowner fsetid
> >kill setgid setuid sys_nice sys_resource sys_tty_config };
> >+dontaudit local_login_t self:capability net_admin;
> > allow local_login_t self:process { setexec setrlimit setsched };
> > allow local_login_t self:fd use;
> > allow local_login_t self:fifo_file rw_fifo_file_perms;
> >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
> > files_read_etc_files(sulogin_t)
> >
> > auth_read_shadow(sulogin_t)
> >+auth_login_pgm_domain(sulogin_t)
> >+kernel_read_crypto_sysctls(sulogin_t)
> >+selinux_set_generic_booleans(sulogin_t)
> >
> > init_getpgid_script(sulogin_t)
> >
> >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
> >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
> >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
> >
> > kernel_read_kernel_sysctls(policykit_t)
> > kernel_read_system_state(policykit_t)
> >+fs_getattr_tmpfs(policykit_t)
> >+fs_getattr_cgroup(policykit_t)
> >+dev_read_urand(policykit_t)
> >
> > dev_read_urand(policykit_t)
> >
> >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
> >
> > userdom_getattr_all_users(policykit_t)
> > userdom_read_all_users_state(policykit_t)
> >+userdom_dbus_send_all_users(policykit_t)
> >
> > optional_policy(`
> > dbus_system_domain(policykit_t, policykit_exec_t)
> >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
> >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
> >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
> > dev_read_urand(system_dbusd_t)
> > dev_read_sysfs(system_dbusd_t)
> >
> >+# gdm3 causes system_dbusd_t to want this access
> >+dev_rw_dri(system_dbusd_t)
> >+dev_rw_input_dev(system_dbusd_t)
> >+
> > domain_use_interactive_fds(system_dbusd_t)
> > domain_read_all_domains_state(system_dbusd_t)
> >
> >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
> >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
> >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> > kernel_read_crypto_sysctls(chkpwd_t)
> > # is_selinux_enabled
> > kernel_read_system_state(chkpwd_t)
> >+selinux_get_enforce_mode(chkpwd_t)
> >+selinux_getattr_fs(chkpwd_t)
> >
> > domain_dontaudit_use_interactive_fds(chkpwd_t)
> >
> >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
> >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
> >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
> >
> >+kernel_read_crypto_sysctls(gpg_t)
> > kernel_read_sysctl(gpg_t)
> > # read /proc/cpuinfo
> > kernel_read_system_state(gpg_t)
> >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
> > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >
> >+xdm_sigchld(gpg_agent_t)
> >+dbus_system_bus_client(gpg_agent_t)
> >+auth_use_nsswitch(gpg_agent_t)
> >+xserver_read_user_xauth(gpg_agent_t)
> >+
> > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> >gpg_agent_tmp_t)
> >Index: refpolicy-2.20170417/policy/modules/services/xserver.if
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
> >+++ refpolicy-2.20170417/policy/modules/services/xserver.if
> >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> > typeattribute $1 x_domain;
> > typeattribute $1 xserver_unconfined_type;
> > ')
> >+
> >+########################################
> >+## <summary>
> >+## Allow domain to send sigchld to xdm_t
> >+## </summary>
> >+## <param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+## </param>
> >+#
> >+interface(`xdm_sigchld',`
> >+ gen_require(`
> >+ type xdm_t;
> >+ ')
> >+
> >+ allow $1 xdm_t:process sigchld;
> >+')

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-04-17 13:26:14

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] [PATCH] login related stuff

On Mon, 17 Apr 2017 11:06:55 PM Guido Trentalancia via refpolicy wrote:
> It is not clear to me the reason why a daemon such as the system dbus
> instance needs to write the DRI graphical devices (dev_rw_dri())...

It always seemed strange to me too.

> Is such permission really critical for running gdm?

My recollection is that the last time I tested, it aborted when it didn't have
such access.

> And, by the way, I am aware of the fact that gnome-session also requires
> such permission, although it does not fail to run without it.
>
> The point is that, on one hand gnome-session runs as user_u and therefore
> it might not be advisable to let user_u write the DRI device, but on the
> other hand I suppose gnome-session checks for accelerated graphical
> capabilities and therefore a failure to write the DRI device might imply
> that the accelerated graphical capabilities are always disabled!
>
> What is your experience, if any, with the latter?

I don't have a lot of experience with it; I prefer not to use GNOME. Sddm is
the dm I recommend for use in Debian, but I put in a minimal effort to get
others working too.

If the general feeling is against that part of the patch then I'll just drop
it and let someone else who uses gdm take it up at some future time.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-17 13:39:12

by guido

[permalink] [raw]
Subject: [refpolicy] [PATCH] login related stuff

Hello.

If it only applies to systemd setups, then please use the appropriate ifdef statement to avoid spreading the permission to every setup.

Thanks,

Guido

On 17 April 2017 15:17:35 CEST, Dominick Grift via refpolicy <[email protected]> wrote:
>On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via
>refpolicy wrote:
>> Hello.
>>
>> It is not clear to me the reason why a daemon such as the system dbus
>instance needs to write the DRI graphical devices (dev_rw_dri())...
>>
>> Is such permission really critical for running gdm?
>
>I suspect this is systemd specific (logind to be precise) but nowaday's
>all kinds of file descriptors seem to get passed through dbus
>
>>
>> And, by the way, I am aware of the fact that gnome-session also
>requires such permission, although it does not fail to run without it.
>>
>> The point is that, on one hand gnome-session runs as user_u and
>therefore it might not be advisable to let user_u write the DRI device,
>but on the other hand I suppose gnome-session checks for accelerated
>graphical capabilities and therefore a failure to write the DRI device
>might imply that the accelerated graphical capabilities are always
>disabled!
>>
>> What is your experience, if any, with the latter?
>>
>> Regards,
>>
>> Guido
>>
>> On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy
><[email protected]> wrote:
>> >Give sulogin some access it needs and dontaudit a nat_admin
>capability
>> >check
>> >related to systemd for local_login_t.
>> >
>> >Allow policykit to stat tmpfs and cgroup filesystems, read urandom,
>and
>> >send dbus messages to all users.
>> >
>> >Allow system_dbusd_t to access dri and input_dev devices, this is
>> >triggered
>> >by gdm3.
>> >
>> >Allow chkpwd_t to get selinux enforcing mode.
>> >
>> >Allow gpg to read crypto sysctls, and give gpg_agent_t access it
>needs
>> >to be
>> >run as part of an X login session (as the parent of other user
>> >processes).
>> >
>> >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
>> >===================================================================
>> >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
>> >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
>> >@@ -33,6 +33,7 @@ role system_r types sulogin_t;
>> > #
>> >
>> >allow local_login_t self:capability { chown dac_override fowner
>fsetid
>> >kill setgid setuid sys_nice sys_resource sys_tty_config };
>> >+dontaudit local_login_t self:capability net_admin;
>> > allow local_login_t self:process { setexec setrlimit setsched };
>> > allow local_login_t self:fd use;
>> > allow local_login_t self:fifo_file rw_fifo_file_perms;
>> >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
>> > files_read_etc_files(sulogin_t)
>> >
>> > auth_read_shadow(sulogin_t)
>> >+auth_login_pgm_domain(sulogin_t)
>> >+kernel_read_crypto_sysctls(sulogin_t)
>> >+selinux_set_generic_booleans(sulogin_t)
>> >
>> > init_getpgid_script(sulogin_t)
>> >
>> >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
>> >===================================================================
>> >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
>> >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
>> >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>> >
>> > kernel_read_kernel_sysctls(policykit_t)
>> > kernel_read_system_state(policykit_t)
>> >+fs_getattr_tmpfs(policykit_t)
>> >+fs_getattr_cgroup(policykit_t)
>> >+dev_read_urand(policykit_t)
>> >
>> > dev_read_urand(policykit_t)
>> >
>> >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
>> >
>> > userdom_getattr_all_users(policykit_t)
>> > userdom_read_all_users_state(policykit_t)
>> >+userdom_dbus_send_all_users(policykit_t)
>> >
>> > optional_policy(`
>> > dbus_system_domain(policykit_t, policykit_exec_t)
>> >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
>> >===================================================================
>> >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
>> >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
>> >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
>> > dev_read_urand(system_dbusd_t)
>> > dev_read_sysfs(system_dbusd_t)
>> >
>> >+# gdm3 causes system_dbusd_t to want this access
>> >+dev_rw_dri(system_dbusd_t)
>> >+dev_rw_input_dev(system_dbusd_t)
>> >+
>> > domain_use_interactive_fds(system_dbusd_t)
>> > domain_read_all_domains_state(system_dbusd_t)
>> >
>> >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
>> >===================================================================
>> >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
>> >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
>> >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
>> > kernel_read_crypto_sysctls(chkpwd_t)
>> > # is_selinux_enabled
>> > kernel_read_system_state(chkpwd_t)
>> >+selinux_get_enforce_mode(chkpwd_t)
>> >+selinux_getattr_fs(chkpwd_t)
>> >
>> > domain_dontaudit_use_interactive_fds(chkpwd_t)
>> >
>> >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
>> >===================================================================
>> >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
>> >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
>> >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
>> > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
>> > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>> >
>> >+kernel_read_crypto_sysctls(gpg_t)
>> > kernel_read_sysctl(gpg_t)
>> > # read /proc/cpuinfo
>> > kernel_read_system_state(gpg_t)
>> >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
>> > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>> > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>> >
>> >+xdm_sigchld(gpg_agent_t)
>> >+dbus_system_bus_client(gpg_agent_t)
>> >+auth_use_nsswitch(gpg_agent_t)
>> >+xserver_read_user_xauth(gpg_agent_t)
>> >+
>> > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>> > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>> >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
>> >gpg_agent_tmp_t)
>> >Index: refpolicy-2.20170417/policy/modules/services/xserver.if
>> >===================================================================
>> >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
>> >+++ refpolicy-2.20170417/policy/modules/services/xserver.if
>> >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
>> > typeattribute $1 x_domain;
>> > typeattribute $1 xserver_unconfined_type;
>> > ')
>> >+
>> >+########################################
>> >+## <summary>
>> >+## Allow domain to send sigchld to xdm_t
>> >+## </summary>
>> >+## <param name="domain">
>> >+## <summary>
>> >+## Domain allowed access.
>> >+## </summary>
>> >+## </param>
>> >+#
>> >+interface(`xdm_sigchld',`
>> >+ gen_require(`
>> >+ type xdm_t;
>> >+ ')
>> >+
>> >+ allow $1 xdm_t:process sigchld;
>> >+')

2017-04-17 13:54:18

by guido

[permalink] [raw]
Subject: [refpolicy] [PATCH] login related stuff

Hi.

Thanks for getting back.

Sounds like a bug triggered by systems that use systemd.

As a first precaution, please enclose it within the appropriate ifdef statement (systemd) in the policy.

Apart from that, it shouldn't happen, but without testing it more carefully, I don't know what else to say...

How about the other issue that I mentioned to you? Have you ever experienced the same permission request from gnome-session? I suspect denying it might prevent the use of accelerated graphical capabilities for every session. But, as already explained, we are limited by gnome-session running in the user domain (already discussed not long ago).

Regards,

Guido

On the 17th of April 2017 15:26:14 CEST, Russell Coker <[email protected]> wrote:
>On Mon, 17 Apr 2017 11:06:55 PM Guido Trentalancia via refpolicy wrote:
>> It is not clear to me the reason why a daemon such as the system dbus
>> instance needs to write the DRI graphical devices (dev_rw_dri())...
>
>It always seemed strange to me too.
>
>> Is such permission really critical for running gdm?
>
>My recollection is that the last time I tested it aborted when it
>didn't have
>such access.
>
>> And, by the way, I am aware of the fact that gnome-session also
>requires
>> such permission, although it does not fail to run without it.
>>
>> The point is that, on one hand gnome-session runs as user_u and
>therefore
>> it might not be advisable to let user_u write the DRI device, but on
>the
>> other hand I suppose gnome-session checks for accelerated graphical
>> capabilities and therefore a failure to write the DRI device might
>imply
>> that the accelerated graphical capabilities are always disabled!
>>
>> What is your experience, if any, with the latter?
>
>I don't have a lot of experience with it, I prefer not to use GNOME.
>Sddm is
>the dm I recommend for use in Debian, but I put in a minimal effort to
>get
>others working too.
>
>If the general feeling is against that part of the patch then I'll just
>drop
>it and let someone else who uses gdm take it up at some future time.