From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 13 Aug 2016 16:45:45 +0200
Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts
Message-ID: <1471099545.21480.27.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Update for the gnome module:
- a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome keyring domains;
- add support for a few needed fs and kernel permissions.
This patch should be applied before applying the pulseaudio patch.
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/gnome.fc | 7 ++
policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 8 +++
3 files changed, 112 insertions(+), 2 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 16:02:14.949814288 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 16:30:32.175198600 +0200
@@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
 HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
 HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
@@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
 /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 16:02:14.950814302 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 00:55:24.980149003 +0200
@@ -1,4 +1,4 @@
-## GNU network object model environment.
+
 ########################################
 ##
@@ -100,9 +100,15 @@ template(`gnome_role_template',`
 allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ userdom_manage_user_home_content_dirs($1_gkeyringd_t)
+ userdom_manage_user_home_content_files($1_gkeyringd_t)
+ userdom_manage_user_home_content_sockets($1_gkeyringd_t)
+
 ps_process_pattern($3, $1_gkeyringd_t)
 allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ kernel_read_kernel_sysctls($1_gkeyringd_t)
+
 corecmd_bin_domtrans($1_gkeyringd_t, $3)
 corecmd_shell_domtrans($1_gkeyringd_t, $3)
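Review bot: The `/usr/libexec/gconfd-2` line is removed and re-added unchanged with an empty line in front of it, so this hunk carries a whitespace-only edit next to the two real additions; dropping that `-`/`+` pair leaves only the `/var/run/user/.../orcexec\..*` entries and keeps the diff to what the commit message describes. Separately, the gnome.if part of this patch adds a `/tmp` filetrans interface for `gstreamer_orcexec_t`, but neither this hunk nor the first one adds a `/tmp/orcexec\..*` file context; if `/tmp` is meant to be covered, the matching entry belongs next to these, and if not, the commit message should say why the home and runtime directories are the only expected locations.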
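Review bot: `userdom_manage_user_home_content_dirs`/`_files`/`_sockets($1_gkeyringd_t)` give the keyring daemon create, write and delete rights over all generic user home content (`user_home_t`), which is far broader than the keyring's own `gnome_keyring_home_t` files that the surrounding template already labels and manages. If the denials behind this come from a specific socket or cache path under the home directory, a dedicated type plus a filetrans (or the existing keyring home type) would grant only that, and the paths that needed it should be named in the commit message. `kernel_read_kernel_sysctls($1_gkeyringd_t)` is a small grant but still deserves a one-line comment naming which sysctl the daemon reads. The `gnome_role_template` body continues outside the hunk.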
@@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho
 ########################################
 ##
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_home_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+##
 ## Create objects in gnome gconf home
 ## directories with a private type.
 ##
@@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',`
 ')
 ########################################
+##
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+
+########################################
+##
+## Create objects in the tmp
+## directories with the gstreamer
+## orcexec type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
 ##
 ## Read generic gnome keyring home files.
 ##
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 16:02:14.951814316 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 13:45:54.704254788 +0200
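Review bot: `gnome_home_filetrans_gstreamer_orcexec` (and its two siblings in the next hunk, `gnome_user_runtime_filetrans_gstreamer_orcexec` and `gnome_tmp_filetrans_gstreamer_orcexec`) only label newly created objects; nothing in gnome.if lets a caller create, write, read or execute-map `gstreamer_orcexec_t` files afterwards, so the domain that actually uses these transitions (presumably the pulseaudio policy the description says follows) would need raw `allow` rules against a type owned by this module. Add the companion access interfaces here — one that manages files of the type and one that grants execute/mmap on them — so the follow-up patch can stay within the gnome module's interface. The summary of that access interface should state plainly that the type holds code written at runtime and then mapped executable, since that is the property a reader of the interface needs to know before calling it.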
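Review bot: Two consecutive empty added lines sit between the closing `+')` of `gnome_user_runtime_filetrans_gstreamer_orcexec` and the `########` header of `gnome_tmp_filetrans_gstreamer_orcexec`, where the rest of the file and the first new interface use one; drop one so the spacing matches. `files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)` also deserves a comment: it lands a caller-writable, executable-typed file in the shared `/tmp`, and the `.fc` hunks only cover `HOME_DIR` and `/var/run/user`, so either the tmp interface is not needed or the reason it is should be recorded above it, e.g. `# ORC falls back to /tmp when the runtime and home directories cannot be used - TODO confirm`.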
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
 type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
 ##############################
 #
 # Common local Policy
@@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
 manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+kernel_dontaudit_read_system_state(gconfd_t)
+
+fs_getattr_xattr_fs(gconfd_t)
+
 userdom_manage_user_tmp_dirs(gconfd_t)
 userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_manage_user_tmp_sockets(gconfd_t)
 userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
 optional_policy(`
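Review bot: `application_executable_file(gstreamer_orcexec_t)` puts a type that user domains create and write (the new filetrans interfaces place it under `HOME_DIR`, the user runtime directory and `/tmp`) on the generic executable-file attributes, so any interface granted by attribute — `corecmd_exec_all_executables()` is the obvious one — now also covers ORC code a user wrote moments earlier, if I read that interface correctly. That is a wider grant than the type needs: declare it with `files_type()` plus `userdom_user_home_content()` / `userdom_user_tmp_file()`, as the `gnome_keyring_*` types just above do, so home and tmp relabel and cleanup interfaces see it, and give execute and mmap only through the consuming interface. The declaration should also carry a comment stating that this type is intentionally both writable and executable because ORC writes generated code into the file and maps it, since that is exactly the property other exec types are kept away from. The second hunk's `gconfd_t` additions look straightforward, though `userdom_manage_user_tmp_sockets(gconfd_t)` would read better with a comment naming the socket it is for.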