From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 15 Aug 2016 16:08:34 -0400
Subject: [refpolicy] [PATCH v2] Update for the gnome policy and file
contexts
In-Reply-To: <1471296811.28802.0.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
<1471296811.28802.0.camel@trentalancia.net>
Message-ID: <9ad88624-faec-d9dc-f779-f1b8d9eba211@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/15/16 17:33, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - a new gstreamer_orcexec_t type and file context is introduced
> to support the OIL Runtime Compiler (ORC) optimized code
> execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
> keyring domains;
> - add support for chat over dbus in the gconfd domain;
> - add support for a few needed fs and kernel permissions.
>
> Compared to the previous version of this patch, the support for
> Gnome2/ORBit-2 has been dropped.
>
> Recent changes to the pulseaudio module depend on this patch!
[...]
> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-15 19:18:12.011401521 +0200
> @@ -1,4 +1,4 @@
> -## GNU network object model environment.
> +
This was probably a mistake, but please don't remove the XML.
> ########################################
> ##
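Review bot: the first line of gnome.if is replaced by an empty line, which drops the module summary "GNU network object model environment." even though the commit message lists no documentation change. Restore the original line so this one-line hunk disappears from the patch.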
> @@ -44,7 +44,7 @@ template(`gnome_role_template',`
> gen_require(`
> attribute gnomedomain, gkeyringd_domain;
> attribute_role gconfd_roles;
> - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
> + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> type gconf_home_t;
> ')
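Review bot: the `type` statement in the gen_require of gnome_role_template now carries four types on one long line. Put gnome_keyring_cache_home_t on its own `type` statement, as gconf_home_t has just below. The declaration of the new type is not in the quoted lines, so check that it ships in the same patch, since the template will not compile without it.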
> @@ -100,9 +100,23 @@ template(`gnome_role_template',`
>
> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
>
> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> + userdom_manage_user_home_content_files($1_gkeyringd_t)
This is discussed in another thread; I am concerned about these
permissions for the same reason Dominick is.
> + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir)
> +
> + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t)
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "control")
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "gpg")
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "pkcs11")
> + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "ssh")
I suspect putting the socket names is unnecessary. It doesn't appear to
create different types of sockets in the same directory.
> ps_process_pattern($3, $1_gkeyringd_t)
> allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
>
> + kernel_read_kernel_sysctls($1_gkeyringd_t)
> +
> corecmd_bin_domtrans($1_gkeyringd_t, $3)
> corecmd_shell_domtrans($1_gkeyringd_t, $3)
>
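Review bot: the dir transition userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) has no name argument, so it applies to any directory the keyring domain creates in user home content, while the two userdom_manage_user_home_content_* calls above it open all generic home content to the same domain. If the daemon only needs its own cache directory and the sockets in it, drop the two userdom_manage_* calls and keep the rules scoped to gnome_keyring_cache_home_t. The new kernel_read_kernel_sysctls($1_gkeyringd_t) line also has no comment saying which access it is for.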
> @@ -112,6 +126,7 @@ template(`gnome_role_template',`
> dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
>
> optional_policy(`
> + gnome_dbus_chat_gconfd($3)
> gnome_dbus_chat_gkeyringd($1, $3)
> ')
> ')
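Review bot: gnome_dbus_chat_gconfd($3) in the optional_policy block is called with the user domain only, while gnome_dbus_chat_gkeyringd($1, $3) on the next line also takes the role prefix, and the definition of gnome_dbus_chat_gconfd is not in the quoted lines. Confirm that the interface exists with a single-argument signature, and consider a separate block or a short comment, since gconfd access is unrelated to the keyring rules around it.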
> @@ -569,6 +584,36 @@ interface(`gnome_home_filetrans_gnome_ho
>
> ########################################
> ##
> +## Create objects in user home
> +## directories with the gstreamer
> +## orcexec type.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Class of the object being created.
> +##
> +##
> +##
> +##
> +## The name of the object being created.
> +##
> +##
> +#
> +interface(`gnome_home_filetrans_gstreamer_orcexec',`
This should be gnome_user_home_dir_filetrans_orcexec() or
gnome_user_home_dir_filetrans_gstreamer() orcexec
[...]
> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
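Review bot: the body of gnome_user_runtime_filetrans_gstreamer_orcexec contains only the userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) call, so nothing visible here grants the caller access to the gstreamer_orcexec_t objects it creates. Say in the interface summary that callers must pair it with a manage or execute interface for that type, and keep the set of callers small, because the result is executable content in a user-writable location.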
Right naming scheme, but if you drop the "gstreamer" out of the previous
interface name, do the same here.
--
Chris PeBenito