2017-04-22 07:34:18

by Russell Coker

Subject: [refpolicy] [PATCH] login take 3

Here's another version without the sulogin patch.

Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170421/policy/modules/system/locallogin.te
@@ -33,6 +33,7 @@ role system_r types sulogin_t;
#

allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+dontaudit local_login_t self:capability net_admin;
allow local_login_t self:process { setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
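Review bot: The added `dontaudit local_login_t self:capability net_admin;` has no comment saying what triggers the net_admin check, so a later reader cannot tell whether the hidden denial is harmless noise or masks a functional failure. A one-line comment above it would help, e.g. `# net_admin is probed by <caller to confirm from the AVC record>; the denial is harmless`. Because a dontaudit rule removes the denial from the audit log, the description should also state that login was confirmed to work with the access still denied.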
Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_

kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+dev_read_urand(policykit_t)

dev_read_urand(policykit_t)
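Review bot: The added `dev_read_urand(policykit_t)` repeats the call that already exists as a context line two lines below it in this hunk, so the new line is redundant and should be dropped. The two `fs_getattr_*` additions are also appended directly to the `kernel_` group; keeping interface calls grouped by module, they would read better as a separate `fs_` group after the existing `dev_read_urand(policykit_t)` line (or next to existing `fs_` calls, if the file has any outside this hunk).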

@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)

userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dbus_send_all_users(policykit_t)

optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
@@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)

+ifdef(`init_systemd', `
+ # gdm3 causes system_dbusd_t to want this access
+ dev_rw_dri(system_dbusd_t)
+ dev_rw_input_dev(system_dbusd_t)
+')
+
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
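Review bot: The `init_systemd` block gives system_dbusd_t read/write access to DRI and input devices on every systemd build, although its comment attributes the need to gdm3 only. Read/write on input devices exposes raw input events to a long-running system daemon, so the condition is worth narrowing, for example by also placing the two calls inside an `optional_policy` tied to the xserver module. The comment should record which access was actually denied (presumably file descriptors passed over the bus; confirm from the AVC records) so the grant can be revisited later.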

Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170421/policy/modules/system/authlogin.te
@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+selinux_get_enforce_mode(chkpwd_t)
+selinux_getattr_fs(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)
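Review bot: The two new `selinux_` calls have no comment of their own, while the existing `# is_selinux_enabled` comment stays attached to `kernel_read_system_state(chkpwd_t)` just above them. chkpwd_t looks like the password-checking helper domain, so each added permission should say what needs it. A line such as `# enforce mode and selinuxfs attributes are queried by <library call to confirm>` above `selinux_get_enforce_mode(chkpwd_t)` would be enough.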

Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
+++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

+xserver_sigchld_xdm(gpg_agent_t)
+dbus_system_bus_client(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+xserver_read_user_xauth(gpg_agent_t)
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
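Review bot: `auth_use_nsswitch(gpg_agent_t)` is the widest of the four additions: depending on the nsswitch configuration it can let the domain contact network name services, and gpg_agent_t is the domain that manages gpg_secret_t files in the lines just above. If the agent only needs to look up the local user, a narrower passwd-read interface would be preferable; otherwise a comment stating what triggers the lookup should accompany the call. The four calls are also inserted between the gpg_secret_t and gpg_agent_tmp_t `manage_*_pattern` groups, which splits the domain's local file rules; they presumably belong with its other external interface calls, which lie outside this hunk.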


2017-04-22 11:28:25

by guido

Subject: [refpolicy] [PATCH] login take 3

Yes, this looks much safer than previous versions!

On the 22nd of April 2017 09:34:18 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>Here's another version without the sulogin patch.
>
>Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
>+++ refpolicy-2.20170421/policy/modules/system/locallogin.te
>@@ -33,6 +33,7 @@ role system_r types sulogin_t;
> #
>
>allow local_login_t self:capability { chown dac_override fowner fsetid
>kill setgid setuid sys_nice sys_resource sys_tty_config };
>+dontaudit local_login_t self:capability net_admin;
> allow local_login_t self:process { setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
>Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
>+++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
>@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>
> kernel_read_kernel_sysctls(policykit_t)
> kernel_read_system_state(policykit_t)
>+fs_getattr_tmpfs(policykit_t)
>+fs_getattr_cgroup(policykit_t)
>+dev_read_urand(policykit_t)
>
> dev_read_urand(policykit_t)
>
>@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
>
> userdom_getattr_all_users(policykit_t)
> userdom_read_all_users_state(policykit_t)
>+userdom_dbus_send_all_users(policykit_t)
>
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
>Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
>+++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
>@@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
> dev_read_urand(system_dbusd_t)
> dev_read_sysfs(system_dbusd_t)
>
>+ifdef(`init_systemd', `
>+ # gdm3 causes system_dbusd_t to want this access
>+ dev_rw_dri(system_dbusd_t)
>+ dev_rw_input_dev(system_dbusd_t)
>+')
>+
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
>Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
>+++ refpolicy-2.20170421/policy/modules/system/authlogin.te
>@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> kernel_read_crypto_sysctls(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>+selinux_get_enforce_mode(chkpwd_t)
>+selinux_getattr_fs(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
>Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
>+++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
>@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
>+kernel_read_crypto_sysctls(gpg_t)
> kernel_read_sysctl(gpg_t)
> # read /proc/cpuinfo
> kernel_read_system_state(gpg_t)
>@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
>+xserver_sigchld_xdm(gpg_agent_t)
>+dbus_system_bus_client(gpg_agent_t)
>+auth_use_nsswitch(gpg_agent_t)
>+xserver_read_user_xauth(gpg_agent_t)
>+
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
>gpg_agent_tmp_t)
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

2017-04-23 13:22:42

by Chris PeBenito

Subject: [refpolicy] [PATCH] login take 3

On 04/22/2017 03:34 AM, Russell Coker via refpolicy wrote:
> Here's another version without the sulogin patch.
>
> Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170421/policy/modules/system/locallogin.te
> @@ -33,6 +33,7 @@ role system_r types sulogin_t;
> #
>
> allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> +dontaudit local_login_t self:capability net_admin;
> allow local_login_t self:process { setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
> +++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
> @@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>
> kernel_read_kernel_sysctls(policykit_t)
> kernel_read_system_state(policykit_t)
> +fs_getattr_tmpfs(policykit_t)
> +fs_getattr_cgroup(policykit_t)
> +dev_read_urand(policykit_t)
>
> dev_read_urand(policykit_t)
>
> @@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
>
> userdom_getattr_all_users(policykit_t)
> userdom_read_all_users_state(policykit_t)
> +userdom_dbus_send_all_users(policykit_t)
>
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
> Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
> +++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
> @@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
> dev_read_urand(system_dbusd_t)
> dev_read_sysfs(system_dbusd_t)
>
> +ifdef(`init_systemd', `
> + # gdm3 causes system_dbusd_t to want this access
> + dev_rw_dri(system_dbusd_t)
> + dev_rw_input_dev(system_dbusd_t)
> +')
> +
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20170421/policy/modules/system/authlogin.te
> @@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> kernel_read_crypto_sysctls(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
> +selinux_get_enforce_mode(chkpwd_t)
> +selinux_getattr_fs(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
> +++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
> @@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> +kernel_read_crypto_sysctls(gpg_t)
> kernel_read_sysctl(gpg_t)
> # read /proc/cpuinfo
> kernel_read_system_state(gpg_t)
> @@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
> +xserver_sigchld_xdm(gpg_agent_t)
> +dbus_system_bus_client(gpg_agent_t)
> +auth_use_nsswitch(gpg_agent_t)
> +xserver_read_user_xauth(gpg_agent_t)

I think these should likely be optional, at least the dbus and xserver
access. I would fix it myself, but I don't know how the rules relate to
each other (e.g. does one or many optionals make sense)



--
Chris PeBenito