2017-04-17 13:35:33

by Russell Coker

Subject: [refpolicy] [PATCH] some userdomain patches

Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.

Allow sysadm_t to read kmsg.

Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui. Also allow them to chat with devicekit disk and power daemons.

Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems

Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
@@ -121,6 +121,7 @@ optional_policy(`

optional_policy(`
mono_domtrans(unconfined_t)
+ mono_run(unconfined_t, unconfined_r)
')

optional_policy(`
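Review bot: the added `mono_run(unconfined_t, unconfined_r)` sits directly under the existing `mono_domtrans(unconfined_t)`; if `mono_run` already performs the domain transition in addition to the role assignment, as refpolicy `_run` interfaces conventionally do, the `mono_domtrans` line becomes redundant and should be replaced by the new call rather than kept alongside it.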
@@ -210,6 +211,11 @@ optional_policy(`
wine_domtrans(unconfined_t)
')

+optional_policy(`
+ xserver_role(unconfined_r, unconfined_t)
+ xserver_dbus_chat_xdm(unconfined_t)
+')
+
########################################
#
# Unconfined Execmem Local policy
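Review bot: the new optional_policy block with `xserver_role(unconfined_r, unconfined_t)` and `xserver_dbus_chat_xdm(unconfined_t)` carries no comment, and the description only says it lets unconfined dbus chat with xdm; add a one-line comment stating which session operation needs the xdm bus channel so the role grant is documented for later readers of unconfined.te.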
Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
@@ -351,6 +351,7 @@ optional_policy(`

optional_policy(`
dmesg_exec(sysadm_t)
+ dev_read_kmsg(sysadm_t)
')

optional_policy(`
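Review bot: `dev_read_kmsg(sysadm_t)` is placed inside the optional_policy block for dmesg although it does not depend on the dmesg module, and it grants sysadm_t a direct read of the kernel message buffer instead of confining that read to a dmesg domain; since the same block already has `dmesg_exec(sysadm_t)` running dmesg without a transition, a domain transition into dmesg_t (the alternative raised in the replies on this thread) would keep the kmsg access out of sysadm_t. If the direct read is intended, move the line out of the optional block and add a comment giving the reason.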
Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170417/policy/modules/system/userdomain.if
@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(`
+ kerneloops_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat_disk($1_t)
+ devicekit_dbus_chat_power($1_t)
+ ')
')

#######################################
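Review bot: the two new optional_policy blocks are added to `userdom_base_user_template`, so every user domain built on it, including the most restricted ones, gains dbus chat with kerneloops and with the devicekit disk and power daemons, while the description scopes the need to the kerneloops desktop gui; consider placing them in the template used for desktop users, or add a comment explaining why base user domains need them.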
Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
+++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
@@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)

+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
optional_policy(`
dbus_all_session_domain(gconfd_t, gconfd_exec_t)
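Review bot: the comments say the grants are for `/var/lib/gconf/defaults` and `/proc/filesystems`, but `files_read_var_lib_files(gconfd_t)` and `kernel_read_system_state(gconfd_t)` are much broader than those two paths (all generic files under /var/lib and the whole kernel system state respectively); if a narrower interface or a dedicated file type for the gconf defaults directory is available, prefer it, otherwise extend the comments to say that the wider grant is accepted.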



2017-04-17 16:46:43

by guido

Subject: [refpolicy] [PATCH] some userdomain patches

Hello again.

I was wondering what is causing the need for sysadm_t to read kmsg?

Usually this happens through an application domain such as dmesg_t as for your previous patch rather than directly...

Regards,

Guido



On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>Added mono_run for unconfined and also xserver_role and allow it to
>dbus
>chat with xdm.
>
>Allow sysadm_t to read kmsg.
>
>Allow user domains to dbus chat with kerneloops for the kerneloops
>desktop
>gui. Also allow them to chat with devicekit disk and power daemons.
>
>Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
>
>Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
>+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
>@@ -121,6 +121,7 @@ optional_policy(`
>
> optional_policy(`
> mono_domtrans(unconfined_t)
>+ mono_run(unconfined_t, unconfined_r)
> ')
>
> optional_policy(`
>@@ -210,6 +211,11 @@ optional_policy(`
> wine_domtrans(unconfined_t)
> ')
>
>+optional_policy(`
>+ xserver_role(unconfined_r, unconfined_t)
>+ xserver_dbus_chat_xdm(unconfined_t)
>+')
>+
> ########################################
> #
> # Unconfined Execmem Local policy
>Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
>+++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
>@@ -351,6 +351,7 @@ optional_policy(`
>
> optional_policy(`
> dmesg_exec(sysadm_t)
>+ dev_read_kmsg(sysadm_t)
> ')
>
> optional_policy(`
>Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
>+++ refpolicy-2.20170417/policy/modules/system/userdomain.if
>@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
> # Allow making the stack executable via mprotect.
> allow $1_t self:process execstack;
> ')
>+
>+ optional_policy(`
>+ kerneloops_dbus_chat($1_t)
>+ ')
>+
>+ optional_policy(`
>+ devicekit_dbus_chat_disk($1_t)
>+ devicekit_dbus_chat_power($1_t)
>+ ')
> ')
>
> #######################################
>Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
>+++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
>@@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>
>+# for /var/lib/gconf/defaults
>+files_read_var_lib_files(gconfd_t)
>+
>+# for /proc/filesystems
>+kernel_read_system_state(gconfd_t)
>+
> optional_policy(`
> dbus_all_session_domain(gconfd_t, gconfd_exec_t)
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

2017-04-19 01:42:08

by Chris PeBenito

Subject: [refpolicy] [PATCH] some userdomain patches

On 04/17/2017 09:35 AM, Russell Coker via refpolicy wrote:
> Added mono_run for unconfined and also xserver_role and allow it to dbus
> chat with xdm.
>
> Allow sysadm_t to read kmsg.
>
> Allow user domains to dbus chat with kerneloops for the kerneloops desktop
> gui. Also allow them to chat with devicekit disk and power daemons.
>
> Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems

Merged, except for the kmsg part.


> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te
> @@ -121,6 +121,7 @@ optional_policy(`
>
> optional_policy(`
> mono_domtrans(unconfined_t)
> + mono_run(unconfined_t, unconfined_r)
> ')
>
> optional_policy(`
> @@ -210,6 +211,11 @@ optional_policy(`
> wine_domtrans(unconfined_t)
> ')
>
> +optional_policy(`
> + xserver_role(unconfined_r, unconfined_t)
> + xserver_dbus_chat_xdm(unconfined_t)
> +')
> +
> ########################################
> #
> # Unconfined Execmem Local policy
> Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
> @@ -351,6 +351,7 @@ optional_policy(`
>
> optional_policy(`
> dmesg_exec(sysadm_t)
> + dev_read_kmsg(sysadm_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170417/policy/modules/system/userdomain.if
> @@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
> # Allow making the stack executable via mprotect.
> allow $1_t self:process execstack;
> ')
> +
> + optional_policy(`
> + kerneloops_dbus_chat($1_t)
> + ')
> +
> + optional_policy(`
> + devicekit_dbus_chat_disk($1_t)
> + devicekit_dbus_chat_power($1_t)
> + ')
> ')
>
> #######################################
> Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
> +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
> @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>
> +# for /var/lib/gconf/defaults
> +files_read_var_lib_files(gconfd_t)
> +
> +# for /proc/filesystems
> +kernel_read_system_state(gconfd_t)
> +
> optional_policy(`
> dbus_all_session_domain(gconfd_t, gconfd_exec_t)
>


--
Chris PeBenito

2017-04-19 01:43:16

by Chris PeBenito

Subject: [refpolicy] [PATCH] some userdomain patches

On 04/17/2017 12:46 PM, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> I was wondering what is causing the need for sysadm_t to read kmsg?
>
> Usually this happens through an application domain such as dmesg_t as for your previous patch rather than directly...

A variation on the question, is there a reason not to change sysadm to
transition to dmesg_t?


> On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>> Added mono_run for unconfined and also xserver_role and allow it to
>> dbus
>> chat with xdm.
>>
>> Allow sysadm_t to read kmsg.
>>
>> Allow user domains to dbus chat with kerneloops for the kerneloops
>> desktop
>> gui. Also allow them to chat with devicekit disk and power daemons.
>>
>> Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
>>
>> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
>> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te
>> @@ -121,6 +121,7 @@ optional_policy(`
>>
>> optional_policy(`
>> mono_domtrans(unconfined_t)
>> + mono_run(unconfined_t, unconfined_r)
>> ')
>>
>> optional_policy(`
>> @@ -210,6 +211,11 @@ optional_policy(`
>> wine_domtrans(unconfined_t)
>> ')
>>
>> +optional_policy(`
>> + xserver_role(unconfined_r, unconfined_t)
>> + xserver_dbus_chat_xdm(unconfined_t)
>> +')
>> +
>> ########################################
>> #
>> # Unconfined Execmem Local policy
>> Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
>> +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
>> @@ -351,6 +351,7 @@ optional_policy(`
>>
>> optional_policy(`
>> dmesg_exec(sysadm_t)
>> + dev_read_kmsg(sysadm_t)
>> ')
>>
>> optional_policy(`
>> Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
>> +++ refpolicy-2.20170417/policy/modules/system/userdomain.if
>> @@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
>> # Allow making the stack executable via mprotect.
>> allow $1_t self:process execstack;
>> ')
>> +
>> + optional_policy(`
>> + kerneloops_dbus_chat($1_t)
>> + ')
>> +
>> + optional_policy(`
>> + devicekit_dbus_chat_disk($1_t)
>> + devicekit_dbus_chat_power($1_t)
>> + ')
>> ')
>>
>> #######################################
>> Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
>> +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
>> @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>
>> +# for /var/lib/gconf/defaults
>> +files_read_var_lib_files(gconfd_t)
>> +
>> +# for /proc/filesystems
>> +kernel_read_system_state(gconfd_t)
>> +
>> optional_policy(`
>> dbus_all_session_domain(gconfd_t, gconfd_exec_t)
>>


--
Chris PeBenito