From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 13 Aug 2016 22:09:29 +0200 (CEST) Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts In-Reply-To: References: <1471099545.21480.27.camel@trentalancia.net> Message-ID: <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Dominick, thanks for getting back on this. > On the 13th of August 2016 at 16.51 Dominick Grift > wrote: > > > On 08/13/2016 04:45 PM, Guido Trentalancia wrote: > > Update for the gnome module: > > > > - a new gstreamer_orcexec_t type and file context is introduced > > to support the OIL Runtime Compiler (ORC) optimized code > > execution (used for example by pulseaudio); > > - add support for more permissions needed in gconfd_t and gnome > > keyring domains; > > - add support for a few needed fs and kernel permissions. > > > > This patch should be applied before applying the pulseaudio patch. > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/contrib/gnome.fc | 7 ++ > > policy/modules/contrib/gnome.if | 99 > > +++++++++++++++++++++++++++++++++++++++- > > policy/modules/contrib/gnome.te | 8 +++ > > 3 files changed, 112 insertions(+), 2 deletions(-) > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 > > 16:02:14.949814288 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 > > 16:30:32.175198600 +0200 > > @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste > > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > > HOME_DIR/\.gnome2/keyrings(/.*)? > > gen_context(system_u:object_r:gnome_keyring_home_t,s0) > > HOME_DIR/\.gnome2_private(/.*)? > > gen_context(system_u:object_r:gnome_home_t,s0) > > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > > > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
> > > > @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > > /usr/bin/mate-keyring-daemon -- > > gen_context(system_u:object_r:gkeyringd_exec_t,s0) > > > > /usr/lib/[^/]*/gconf/gconfd-2 -- > > gen_context(system_u:object_r:gconfd_exec_t,s0) > > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > > + > > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > > + > > +/var/run/user/[^/]*/orcexec\..* > > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > +/var/run/user/%{USERID}/orcexec\..* > > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > these are files so you can be more specific about it: > > /var/run/user/[^/]*/orcexec\..* -- > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > /var/run/user/%{USERID}/orcexec\..* -- > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) Thanks for pointing it out, I have now amended it. > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 > > 16:02:14.950814302 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 > > 00:55:24.980149003 +0200 > > @@ -1,4 +1,4 @@ > > -## GNU network object model environment. > > + > > > > ######################################## > > ## 
> > @@ -100,9 +100,15 @@ template(`gnome_role_template',` > > > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms > > manage_sock_file_perms }; > > > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > > + userdom_manage_user_home_content_files($1_gkeyringd_t) > > + userdom_manage_user_home_content_sockets($1_gkeyringd_t) > > + > I don't like this, and I don't understand it I will double check it. Hopefully, I won't forget about that, with the many other modules that are being changed... > > ps_process_pattern($3, $1_gkeyringd_t) > > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > > + > > corecmd_bin_domtrans($1_gkeyringd_t, $3) > > corecmd_shell_domtrans($1_gkeyringd_t, $3) > > > > @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho > > > > ######################################## > > ## > > +## Create objects in user home > > +## directories with the gstreamer > > +## orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_home_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > +######################################## > > +## > > ## Create objects in gnome gconf home > > ## directories with a private type. > > ## 
> > @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` > > ') > > > > ######################################## > > +## > > +## Create objects in the user > > +## runtime directories with the > > +## gstreamer orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > + > > +######################################## > > +## > > +## Create objects in the tmp > > +## directories with the gstreamer > > +## orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > If you're not going to support that file in /tmp then this is not needed Removed. > > +######################################## > > ## > > ## Read generic gnome keyring home files. > > ## > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 > > 16:02:14.951814316 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 > > 13:45:54.704254788 +0200 
> > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > > type gnome_keyring_tmp_t; > > userdom_user_tmp_file(gnome_keyring_tmp_t) > > > > +type gstreamer_orcexec_t; > > +application_executable_file(gstreamer_orcexec_t) > > it is not an application executable file It's very similar to it or, in other words, it is equivalent to it. I could find a better interface to describe it. But if you have other constructive ideas, please let me know and I will test them out... > > + > > ############################## > > # > > # Common local Policy > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > > > +kernel_dontaudit_read_system_state(gconfd_t) > > + > > +fs_getattr_xattr_fs(gconfd_t) > > + > > userdom_manage_user_tmp_dirs(gconfd_t) > > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > > +userdom_manage_user_tmp_sockets(gconfd_t) > > What is going on there and why did you choose this? I think it's to support sockets in /tmp/orbit-USER/linc-.* They are created by ORBit2. It's a library and some gnome components are linked against it. I am now working on a new revised version of this patch which introduces specific support for ORBit temporary files. > > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > > > optional_policy(` > > Best regards, Guido
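Review bot: the added `HOME_DIR/orcexec\..*` entry in the first gnome.fc hunk (`@@ -4,6 +4,7 @@`) has the same problem raised below for the /var/run/user entries: it matches any object class although the pattern describes files, so it should carry the `--` file specifier, i.e. `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. Without it, a directory or socket with that name prefix in the home directory would also be labelled with a type the gnome.te hunk marks executable.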
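Review bot: the second gnome.fc hunk (`@@ -13,4 +14,8 @@`) removes and re-adds the unchanged `/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)` line only to surround it with blank lines; drop that churn so the hunk shows just the two new orcexec entries (with the `--` specifier already agreed on in the reply), which keeps the diff reviewable and avoids spurious conflicts with other patches touching this file.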
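Review bot: the first gnome.if hunk (`@@ -1,4 +1,4 @@`) replaces the module summary line `## GNU network object model environment.` with an empty line, so as shown the module loses its summary, from which the generated policy documentation is built. If the intent was to reword the summary, the new wording should appear on the added line; otherwise leave that line out of the patch.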
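Review bot: the three `userdom_manage_user_home_content_*($1_gkeyringd_t)` lines in the `gnome_role_template` hunk (`@@ -100,9 +100,15 @@`) grant the keyring daemon create, write, delete and rename on every user home content type, not only its own store; the keyring files already have a private type (the gnome.fc hunk labels `HOME_DIR/\.gnome2/keyrings(/.*)?` as gnome_keyring_home_t), so the denials behind this should be answered with that type or a file transition to it, and the commit message should quote the AVC denials that motivated the change. The same goes for `kernel_read_kernel_sysctls($1_gkeyringd_t)` in the same hunk: name the sysctl the daemon needs, or dontaudit the access if it is only probing.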
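Review bot: in `gnome_home_filetrans_gstreamer_orcexec` (gnome.if hunk `@@ -569,6 +575,36 @@`), the `$3` name argument passed through to `userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)` is matched as an exact filename, not a pattern, while the file context for this type is `HOME_DIR/orcexec\..*`, a name with a variable suffix; a named transition therefore cannot match these files, so callers will have to omit the name, and then every object of class `$2` they create directly in the home directory gets gstreamer_orcexec_t. Document in the interface header that the name parameter is optional and normally left out, and consider fixing the class to `file` inside the interface so that directories and sockets cannot pick up an executable type.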
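Review bot: `gnome_tmp_filetrans_gstreamer_orcexec` in the gnome.if hunk `@@ -603,6 +639,67 @@` has no matching gnome.fc entry under /tmp (the patch only labels orcexec files under HOME_DIR and /var/run/user), so anything created through it would lose its label on a relabel; the reply already agrees to drop it. In the same hunk, the two consecutive `+` blank lines between the closing `')` of `gnome_user_runtime_filetrans_gstreamer_orcexec` and the next `########` banner should be a single blank line, matching the spacing between the other interfaces in this file.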
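Review bot: `application_executable_file(gstreamer_orcexec_t)` in the first gnome.te hunk (`@@ -46,6 +46,9 @@`) is the wrong interface for a type that labels files a user process writes into its own home and runtime directories: it attaches the exec_type and application_exec_type attributes, so every domain allowed to execute generic application binaries can now execute user-writable ORC scratch code. Declare the type the way the surrounding lines declare gnome_keyring_tmp_t (`userdom_user_tmp_file()`, and `userdom_user_home_content()` for the HOME_DIR location), and give only the domain that maps ORC code (pulseaudio, per the commit message) explicit manage and `execute` permission on it.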
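Review bot: `userdom_manage_user_tmp_sockets(gconfd_t)` in the second gnome.te hunk (`@@ -87,8 +90,13 @@`) lets gconfd create, unlink and rename any user_tmp_t socket, including other programs' sockets in /tmp; given the explanation in the reply (ORBit2 linc sockets under /tmp/orbit-USER/), the narrower fix is to route them to the private type this hunk already transitions to, i.e. add `sock_file` to `userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })` and add `manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)`, or the dedicated ORBit type the reply announces. Whichever is chosen, the commit message should state that justification and say what `kernel_dontaudit_read_system_state(gconfd_t)` and `fs_getattr_xattr_fs(gconfd_t)` are silencing or enabling; none of the three is explained in the commit message as written.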