From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 8 Aug 2016 17:07:11 +0200
Subject: [refpolicy] [PATCH] staff: Allow dbus chat with accountsd_t for LightDM
In-Reply-To: <1470643811-32586-1-git-send-email-jason@perfinion.com>
References: <1470643811-32586-1-git-send-email-jason@perfinion.com>
Message-ID: <100ba9a1-779f-8fa1-9012-9d1b17c655bc@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/2016 10:10 AM, Jason Zaman wrote:
> LightDM is split into two parts: the main part and greeter. The greeter logs in
> as root so switches to staff_t and is not in xdm_t anymore and needs to get the
> list of users. It crashes and fails to start without this.

I am not expecting any changes here but for the record I will still leave a comment.

It is transitioning to the login shell domain because it is told to. In DSSP this is handled differently for the various login programs (except local login). Instead of telling it with pam_selinux to transition to the login shell domain, it is told to transition to a prefixed login program domain, in this scenario for example staff_xdmuser_t. The transition to the login shell domain happens based on the prefix when the actual login shell is run (probably after xsession). Using that approach the login shell does not end up with permissions a login shell does not need.

All these permissions required because login programs transition too early to the login shell domain really add up. Same with for example sshd: by transitioning too early you have to associate the permissions that sshd needs for functionality such as X forwarding, tunnelling etc. with the login shell domain.
>
> type=USER_AVC msg=audit(1470642176.704:342177): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.Accounts member=ListCachedUsers dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.705:342178): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.706:342179): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.709:342180): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.714:342181): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager spid=8833 tpid=4994 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.838:342182): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=signal interface=org.freedesktop.Accounts.User member=Changed dest=org.freedesktop.DBus spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.849:342183): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.851:342184): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> ---
>  policy/modules/roles/staff.te | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 33c6993..448a83c 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> #
>
> optional_policy(`
> + accountsd_dbus_chat(staff_t)
> +')
> +
> +optional_policy(`
> apache_role(staff_r, staff_t)
> ')
>
> --

Dominick Grift
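Review bot: the one denial in the quoted audit log, staff_t to xdm_t for org.freedesktop.DBus.Properties Get on org.freedesktop.DisplayManager, is not covered by this hunk, which only adds accountsd_dbus_chat(staff_t); either state in the commit message that it is deliberately left unhandled or add the matching rule, otherwise the greeter will just fail on the next call. The commit message should also say that accountsd_dbus_chat grants send_msg in both directions for every staff_t process, not only the greeter, which is exactly the broadening Dominick objects to; the log does show method_call from staff_t and method_return/signal back from accountsd_t, so if this placement is kept the bidirectional interface is the right one.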