From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 13 Aug 2016 16:51:41 +0200
Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts
In-Reply-To: <1471099545.21480.27.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - a new gstreamer_orcexec_t type and file context is introduced
>   to support the OIL Runtime Compiler (ORC) optimized code
>   execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
>   keyring domains;
> - add support for a few needed fs and kernel permissions.
>
> This patch should be applied before applying the pulseaudio patch.
>
> Signed-off-by: Guido Trentalancia
> --- > policy/modules/contrib/gnome.fc | 7 ++ > policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++- > policy/modules/contrib/gnome.te | 8 +++ > 3 files changed, 112 insertions(+), 2 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 16:02:14.949814288 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 16:30:32.175198600 +0200 > @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) > HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
> > @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) > > /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > +/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) these are files so you can be more specific about it: /var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 16:02:14.950814302 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 00:55:24.980149003 +0200 > @@ -1,4 +1,4 @@ > -## GNU network object model environment. > + > > ######################################## > ## > @@ -100,9 +100,15 @@ template(`gnome_role_template',` > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > + userdom_manage_user_home_content_files($1_gkeyringd_t) > + userdom_manage_user_home_content_sockets($1_gkeyringd_t) > + I don't like this, and I don't understand it > ps_process_pattern($3, $1_gkeyringd_t) > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > + > corecmd_bin_domtrans($1_gkeyringd_t, $3) > corecmd_shell_domtrans($1_gkeyringd_t, $3)
> > @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho > > ######################################## > ## > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_home_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > ## Create objects in gnome gconf home > ## directories with a private type. > ## 
> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` > ') > > ######################################## > +## > +## Create objects in the user > +## runtime directories with the > +## gstreamer orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > + > +######################################## > +## > +## Create objects in the tmp > +## directories with the gstreamer > +## orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + If you're not going to support that file in /tmp then this is not needed > +######################################## > ## > ## Read generic gnome keyring home files. > ## > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 16:02:14.951814316 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 13:45:54.704254788 +0200 > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > type gnome_keyring_tmp_t; > userdom_user_tmp_file(gnome_keyring_tmp_t) > > +type gstreamer_orcexec_t; > +application_executable_file(gstreamer_orcexec_t) it is not an applications executable file > + > ############################## > # > # Common local Policy 
> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > +kernel_dontaudit_read_system_state(gconfd_t) > + > +fs_getattr_xattr_fs(gconfd_t) > + > userdom_manage_user_tmp_dirs(gconfd_t) > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > +userdom_manage_user_tmp_sockets(gconfd_t) What is going on there and why did you choose this? > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > optional_policy(` > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
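
Review bot: The `HOME_DIR/orcexec\..*` entry added in the first gnome.fc hunk (@@ -4,6 +4,7 @@) has no file-class field, so it labels any object class with a matching name at the top of a home directory as gstreamer_orcexec_t. If ORC only creates regular files there, add `--` as the `mate-keyring-daemon` and `gconfd-2` entries in the same file do.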
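
Review bot: The second gnome.fc hunk (@@ -13,4 +14,8 @@) removes and re-adds the `/usr/libexec/gconfd-2` entry, and as shown the line reads the same before and after with only blank lines added around it. If nothing but whitespace changed, leave that entry untouched so the hunk contains only the new `/var/run/user/.../orcexec\..*` contexts.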
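
Review bot: The first gnome.if hunk (@@ -1,4 +1,4 @@) deletes the module summary line `## GNU network object model environment.` and puts only an empty line in its place, which the commit message does not mention. This looks unintended; drop the hunk so the module keeps its summary.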
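
Review bot: In the gnome_role_template hunk of gnome.if (@@ -100,9 +100,15 @@), the three `userdom_manage_user_home_content_*($1_gkeyringd_t)` calls give the keyring daemon manage access to generic user home content (dirs, files and sockets), while the commit message only says "more permissions needed". gnome.fc already labels `HOME_DIR/\.gnome2/keyrings(/.*)?` as gnome_keyring_home_t, so please name the paths that triggered the denials and consider labelling them with a keyring-private type instead of opening all home content to this domain. The same request for a rationale applies to `kernel_read_kernel_sysctls($1_gkeyringd_t)` further down the hunk.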
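
Review bot: The `gnome_tmp_filetrans_gstreamer_orcexec` interface added in gnome.if (@@ -603,6 +639,67 @@) has no counterpart in gnome.fc, which in this patch gains orcexec contexts only for HOME_DIR and /var/run/user, so files created through it in /tmp would have no matching context on relabel. Either add the /tmp file context or drop the interface. None of the three new filetrans interfaces is called from the gnome.te hunks in this patch, so it would help to say in the commit message which follow-up change uses each one. There is also a doubled blank line after `gnome_user_runtime_filetrans_gstreamer_orcexec`.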
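
Review bot: In the first gnome.te hunk (@@ -46,6 +46,9 @@), `application_executable_file(gstreamer_orcexec_t)` declares as an application executable a type that, per the commit message and the new file contexts, covers files generated at run time under HOME_DIR and /var/run/user. Declare it according to where the files live, as the context lines do for the keyring types with `userdom_user_home_content(...)` and `userdom_user_tmp_file(gnome_keyring_tmp_t)`, and state which domains are expected to write these files and which to execute them, since a type that one domain can both write and execute should stay narrowly scoped.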
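
Review bot: In the gconfd_t hunk of gnome.te (@@ -87,8 +90,13 @@), `userdom_manage_user_tmp_sockets(gconfd_t)` lets gconfd_t manage sockets of the generic user tmp type even though the context lines show it already has a private gconf_tmp_t with `userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })`. Consider adding sock_file to that transition so the socket gets the private type, or explain in the commit message which socket requires the generic access. `kernel_dontaudit_read_system_state(gconfd_t)` also only silences the denial, so please note what gconfd was reading and why it is safe to ignore.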