From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 15 Aug 2016 23:33:31 +0200
Subject: [refpolicy] [PATCH v2] Update for the gnome policy and file contexts
In-Reply-To: <1471099545.21480.27.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
Message-ID: <1471296811.28802.0.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update for the gnome module:
- a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome keyring domains;
- add support for chat over dbus in the gconfd domain;
- add support for a few needed fs and kernel permissions.
Compared to the previous version of this patch, the support for Gnome2/ORBit-2 has been dropped.
Recent changes to the pulseaudio module depends on this patch !
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/gnome.fc | 9 +++
policy/modules/contrib/gnome.if | 100 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 12 ++++
3 files changed, 118 insertions(+), 3 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-15 17:06:46.933458938 +0200
@@ -4,6 +4,9 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0)
+
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
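Review bot: `HOME_DIR/orcexec\..*` is missing the `--` (regular-file-only) qualifier that the two `/var/run/user/.../orcexec\..*` entries in the next hunk carry, so a directory or symlink named `orcexec.*` in the home directory would also be relabeled to gstreamer_orcexec_t on restorecon. Because gnome.te declares that type with `application_executable_file()`, this entry puts an executable type on a user-writable file and should be as narrow as the runtime-directory entries: `HOME_DIR/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. The `.fc` file also carries no hint of what writes these files; a one-line comment above the entry such as `# ORC (liborc) JIT code cache, see gnome.te` would spare the next reader a trip to the commit log.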
@@ -13,4 +16,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-15 19:18:12.011401521 +0200
@@ -1,4 +1,4 @@
-## GNU network object model environment.
+
########################################
##
@@ -44,7 +44,7 @@ template(`gnome_role_template',`
gen_require(`
attribute gnomedomain, gkeyringd_domain;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
')
@@ -100,9 +100,23 @@ template(`gnome_role_template',`
allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ userdom_manage_user_home_content_dirs($1_gkeyringd_t)
+ userdom_manage_user_home_content_files($1_gkeyringd_t)
+
+ manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
+
+ manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "control")
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "gpg")
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "pkcs11")
+ userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "ssh")
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ kernel_read_kernel_sysctls($1_gkeyringd_t)
+
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
@@ -112,6 +126,7 @@ template(`gnome_role_template',`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
')
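Review bot: `userdom_manage_user_home_content_files($1_gkeyringd_t)` grants the keyring daemon create, write, rename and unlink on every file carrying the generic user_home_t label, yet nothing in the hunk needs it: all of the daemon's cache objects are typed gnome_keyring_cache_home_t through the manage_*_pattern and filetrans lines that follow, and the matching `.fc` entry only covers `~/.cache/keyring*`. For the process that holds the user's secrets that is the wrong direction, since a compromised gkeyringd could then rewrite any generic dotfile, shell rc file included. Drop that line and keep only `userdom_manage_user_home_content_dirs($1_gkeyringd_t)`, which is plausibly needed to create `~/.cache` when it does not exist yet; if a concrete file access later shows up in AVC denials, add the narrow interface for it rather than the blanket grant. The `gnome_role_template` body starts before and continues after this hunk.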
@@ -569,6 +584,36 @@ interface(`gnome_home_filetrans_gnome_ho
########################################
##
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_home_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+##
## Create objects in gnome gconf home
## directories with a private type.
##
@@ -604,6 +649,36 @@ interface(`gnome_gconf_home_filetrans',`
########################################
##
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+##
## Read generic gnome keyring home files.
##
##
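Review bot: The summary of `gnome_home_filetrans_gstreamer_orcexec` does not say that gstreamer_orcexec_t is an executable type (gnome.te declares it with `application_executable_file()`), and that is the one thing a caller must know before using an unnamed transition: with `$3` omitted, every `$2`-class object the caller creates directly in its home directory gets the executable label, not only the ORC cache. Letting `$2` be any class is also odd for a type that only makes sense on regular files; hard-wiring `file` in the body, `userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, file, $2)`, would remove the possibility of transitioning directories or sockets into it, and this patch is the moment to choose the signature since the interface is new. At minimum add to the summary: `## gstreamer_orcexec_t is an executable type; without a name every object of the given class created by $1 in its home directory receives it.`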
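Review bot: `gnome_user_runtime_filetrans_gstreamer_orcexec` is likely to be called without `$3`, because the `orcexec\..*` file context in gnome.fc suggests a mkstemp-style random suffix that a name-based transition cannot match, and in that case every `$2` object the caller creates directly in `/var/run/user/<uid>` is typed gstreamer_orcexec_t, which gnome.te makes an executable type. A domain that already creates other runtime objects in that directory would then have them labeled executable as a side effect. The parameter documentation should say whether `$3` is expected to be omitted and what that costs, e.g. `## When no name is given, every object of class $2 that $1 creates in its runtime directory becomes gstreamer_orcexec_t (an executable type), so callers with other runtime files there should not use this unnamed.`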
@@ -622,6 +697,27 @@ interface(`gnome_read_keyring_home_files
')
########################################
+##
+## Send and receive messages from
+## the gconf daemon over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
##
## Send and receive messages from
## gnome keyring daemon over dbus.
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-15 21:09:21.914336714 +0200
@@ -43,9 +43,15 @@ application_executable_file(gkeyringd_ex
type gnome_keyring_home_t;
userdom_user_home_content(gnome_keyring_home_t)
+type gnome_keyring_cache_home_t;
+userdom_user_home_content(gnome_keyring_cache_home_t)
+
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
@@ -87,6 +93,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+kernel_dontaudit_read_system_state(gconfd_t)
+
+files_search_tmp(gconfd_t)
+
+fs_getattr_xattr_fs(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
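Review bot: `application_executable_file(gstreamer_orcexec_t)` puts a type that, per the gnome.fc entries in this patch, only ever labels files an unprivileged user process writes under its own home and runtime directories onto the global executable attributes (application_exec_type and, through it, exec_type), so every domain granted the exec-all interfaces such as `corecmd_exec_all_executables()` gains execute on user-authored content. The consumer only needs `execute` (plus whatever execmod/execmem it already carries) on this single type, and that does not require the attribute: `files_type(gstreamer_orcexec_t)` here and an explicit `allow <domain> gstreamer_orcexec_t:file { manage_file_perms execute };` in the pulseaudio/gstreamer policy keeps the writable-and-executable file off the attributes; if the attribute is intended, say why in a comment. Either way the declaration needs one, since nothing in gnome.te explains why a type named for gstreamer lives in this module: `# ORC JIT code cache (orcexec.*) under $HOME and /run/user; user-writable, presumably mapped executable by the caller`.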