From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 20 Aug 2016 16:52:52 +0200 Subject: [refpolicy] [PATCH v3] Update for the gnome policy and file contexts In-Reply-To: <1471296811.28802.0.camel@trentalancia.net> References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> Message-ID: <1471704772.17584.9.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update for the gnome module: - target the dconf daemon, the gsettings user application, the gnome-settings-daemon and the at-spi daemon with all the needed domain transitions; - a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio); - add support for more permissions needed in gconfd_t and gnome keyring domains; - add support for chat over dbus in the gconfd domain and in the new domains (dconf, gsettings, etc); - add support for a few needed fs and kernel permissions. - add support for reading the colord related files in the home directories (such as the ICC EDID profiles): requires the recent colord patch; - add support for reading the colord related files in the home directories in the common user domain template; - add support for a new mime_info_t type to be used in the home directories; - includes minor modifications to the consolekit, dbus and policykit modules to support the new targeted gnome daemons and applications; - modifies the pulseaudio module to introduce new interfaces to read and write pulseaudio tmpfs files and to use the pulseaudio file descriptor. The support for Gnome2/ORBit-2 (version 2) has been dropped. This patch depends on the recent colord patch. Recent changes to the pulseaudio module depend on this patch!
Signed-off-by: Guido Trentalancia --- policy/modules/contrib/colord.if | 41 +++ policy/modules/contrib/colord.te | 4 policy/modules/contrib/consolekit.te | 4 policy/modules/contrib/dbus.te | 9 policy/modules/contrib/gnome.fc | 19 + policy/modules/contrib/gnome.if | 426 ++++++++++++++++++++++++++++++++++- policy/modules/contrib/gnome.te | 267 +++++++++++++++++++++ policy/modules/contrib/policykit.fc | 2 policy/modules/contrib/policykit.if | 20 + policy/modules/contrib/policykit.te | 1 policy/modules/contrib/pulseaudio.if | 77 ++++++ policy/modules/contrib/pulseaudio.te | 5 policy/modules/system/userdomain.if | 4 13 files changed, 876 insertions(+), 3 deletions(-) --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200 @@ -58,3 +58,44 @@ interface(`colord_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') + +###################################### +## +## Read colord home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`colord_read_home_files',` + gen_require(` + type colord_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + read_files_pattern($1, colord_home_t, colord_home_t) +') + +###################################### +## +## Create, read, write, and delete +## colord home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`colord_manage_home_files',` + gen_require(` + type colord_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + manage_files_pattern($1, colord_home_t, colord_home_t) +') --- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200 
@@ -123,6 +136,10 @@ optional_policy(` ') optional_policy(` + gnome_settings_daemon_use_fds(colord_t) +') + +optional_policy(` policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t)--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200 @@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + gnome_read_settings_daemon_files(consolekit_t) +') + +optional_policy(` dbus_read_lib_files(consolekit_t) dbus_system_domain(consolekit_t, consolekit_exec_t) --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200 @@ -148,6 +148,15 @@ optional_policy(` ') optional_policy(` + colord_read_home_files(system_dbusd_t) +') + +optional_policy(` + gnome_read_settings_daemon_files(system_dbusd_t) + gnome_settings_daemon_use_fds(system_dbusd_t) +') + +optional_policy(` policykit_read_lib(system_dbusd_t) ') --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200 
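Review bot: `gnome_read_settings_daemon_files(consolekit_t)` in the consolekit.te hunk (and the same call for system_dbusd_t in dbus.te and for policykit_t in policykit.te) does not grant what its name suggests, because the interface is defined later in this patch as `read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t)`, i.e. over the daemon's domain type rather than over a file type. Files carrying a domain type are normally the process's /proc entries, so this presumably gives these system daemons read access to the daemon's process state and not to any settings files. If that is the intent, the interface summary should say so, for example `## Read the process state of the gnome-settings-daemon.`; if settings files were meant, the interface needs a file type instead.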
@@ -1,16 +1,33 @@ +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0) +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0) + +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) +/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0) /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0) +/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0) +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) +/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) + +/usr/share/glib-[^/]*/schemas(/.*)? 
gen_context(system_u:object_r:gnome_settings_schemas_t,s0) + +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-20 03:27:52.570896165 +0200 @@ -43,14 +43,40 @@ interface(`gnome_role',` template(`gnome_role_template',` gen_require(` attribute gnomedomain, gkeyringd_domain; + attribute_role dconf_roles; + attribute_role at_spi_roles; attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + attribute_role gnome_settings_roles; + attribute_role gnome_settings_daemon_roles; + type dconf_t, dconf_exec_t, dconf_home_t; + type at_spi_t, at_spi_exec_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t; + type gnome_settings_t, gnome_settings_exec_t; + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t; + type gnome_settings_schemas_t; + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; + type mime_info_t; + type user_dbusd_t; + type dbusd_exec_t; ') ######################################## # + # Dconf declarations + # + + roleattribute $2 dconf_roles; + + ######################################## + # + # At-spi declarations + # + + roleattribute $2 at_spi_roles; + + ######################################## + # # Gconf declarations # @@ -58,6 +84,20 @@ template(`gnome_role_template',` ######################################## # + # Gnome-settings declarations + # + + roleattribute $2 gnome_settings_roles; + + ######################################## + # + # Gnome-settings-daemon declarations + # + + roleattribute $2 gnome_settings_daemon_roles; + + ######################################## + # # Gkeyringd declarations # 
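Review bot: The `HOME_DIR/orcexec\..*` entry in gnome.fc has no file-type field, so it would assign the executable type gstreamer_orcexec_t to any object class with a matching name at the top of a home directory, whereas the two /var/run/user entries restrict themselves to regular files with `--`. I would write it as `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. The `/var/run/user/[^/]*/orcexec\..*` pattern also appears to match everything the `%{USERID}` entry matches, so one of the two looks redundant.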
@@ -69,6 +109,70 @@ template(`gnome_role_template',` ######################################## # + # Common policy + # + + allow $3 dconf_home_t:dir manage_dir_perms; + allow $3 dconf_home_t:file manage_file_perms; + allow $3 dconf_home_t:lnk_file manage_lnk_file_perms; + + allow $3 gnome_settings_schemas_t:dir list_dir_perms; + allow $3 gnome_settings_schemas_t:file read_file_perms; + allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + + allow $3 mime_info_t:dir list_dir_perms; + allow $3 mime_info_t:file read_file_perms; + + allow at_spi_t user_dbusd_t:process signal; + + allow user_dbusd_t self:process signal; + + allow user_dbusd_t bin_t:file entrypoint; + + allow user_dbusd_t dbusd_exec_t:file exec_file_perms; + + gnome_read_settings_files(user_dbusd_t) + gnome_read_settings_daemon_files(user_dbusd_t) + + files_read_usr_files($3) + + kernel_read_system_state(user_dbusd_t) + + optional_policy(` + xserver_read_user_xauth(user_dbusd_t) + xserver_stream_connect(user_dbusd_t) + ') + + ######################################## + # + # Dconf policy + # + + allow dconf_t user_dbusd_t:unix_stream_socket connectto; + + allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms }; + + domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t) + + ######################################## + # + # At-spi policy + # + + allow at_spi_t user_dbusd_t:unix_stream_socket connectto; + + allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms }; + + allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms }; + + allow $3 at_spi_t:fd use; + + domtrans_pattern(at_spi_t, dbusd_exec_t, user_dbusd_t) + + domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t) + + ######################################## + # # Gconf policy # 
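Review bot: `allow user_dbusd_t bin_t:file entrypoint;` in the new "Common policy" section makes every generically labelled bin_t executable a valid entry point into the session bus domain, which is much wider than the dbus binaries this section is about. The next hunk repeats the pattern with `allow gnome_settings_t bin_t:file entrypoint;` and `corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)`, so any bin_t program run by gsettings would transition into user_dbusd_t. bin_t is also missing from the template's gen_require block shown in the first gnome.if hunk. If dbus-launch is the only intended target, as the `# for dbus-launch` comment suggests, the existing `domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t)` is the narrower form, provided that binary carries dbusd_exec_t (to be confirmed). These rules use none of the template parameters and hard-code user_dbusd_t, so they probably belong in gnome.te rather than in gnome_role_template, whose body starts and ends outside this hunk.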
@@ -84,6 +188,38 @@ template(`gnome_role_template',` ######################################## # + # Gnome-settings policy + # + + domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t) + + allow $3 gnome_settings_t:process { ptrace signal_perms }; + ps_process_pattern($3, gnome_settings_t) + + allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto; + + allow gnome_settings_t bin_t:file entrypoint; + allow gnome_settings_t dbusd_exec_t:file { entrypoint exec_file_perms }; + + # for dbus-launch + corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t) + + domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t) + + ######################################## + # + # Gnome-settings-daemon policy + # + + domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t) + + allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto; + + allow $3 gnome_settings_daemon_t:process { ptrace signal_perms }; + ps_process_pattern($3, gnome_settings_daemon_t) + + ######################################## + # # Gkeyringd policy # 
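Review bot: Both new sections give the calling user domain `ptrace` over the confined target (`allow $3 gnome_settings_t:process { ptrace signal_perms };` and the same rule for gnome_settings_daemon_t), which largely cancels the separation the new domains are meant to provide. A user domain that can attach to gnome_settings_daemon_t can act with that domain's permissions, including the policykit and colord access added in gnome.te. Unless a debugging use case requires it, I would grant only signals, `allow $3 gnome_settings_daemon_t:process signal_perms;`, and likewise for gnome_settings_t, or put ptrace behind a tunable. The existing gkeyringd rule in the same template follows the older pattern and could be revisited separately.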
@@ -100,23 +236,85 @@ template(`gnome_role_template',` allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + userdom_manage_user_home_content_dirs($1_gkeyringd_t) + userdom_manage_user_home_content_files($1_gkeyringd_t) + + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) + + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file) + ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + kernel_read_kernel_sysctls($1_gkeyringd_t) + corecmd_bin_domtrans($1_gkeyringd_t, $3) corecmd_shell_domtrans($1_gkeyringd_t, $3) gnome_stream_connect_gkeyringd($1, $3) optional_policy(` + dbus_connect_spec_session_bus(user, dconf_t) + dbus_connect_spec_session_bus(user, at_spi_t) + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t) + dbus_connect_system_bus(gnome_settings_daemon_t) + dbus_send_spec_session_bus(user, dconf_t) + dbus_send_spec_session_bus(user, at_spi_t) + dbus_send_spec_session_bus(user, gnome_settings_daemon_t) dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) optional_policy(` + gnome_dbus_chat_dconf($3) + gnome_dbus_chat_dconf(gnome_settings_t) + gnome_dbus_chat_at_spi($3) + gnome_dbus_chat_gconfd($3) + gnome_dbus_chat_gnome_settings(user_dbusd_t) + gnome_dbus_chat_gnome_settings_daemon($3) + gnome_dbus_chat_gnome_settings_daemon(at_spi_t) gnome_dbus_chat_gkeyringd($1, $3) ') ') ') +####################################### +## +## Read gnome-settings files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_read_settings_files',` + gen_require(` + type gnome_settings_t; + ') + + read_files_pattern($1, gnome_settings_t, gnome_settings_t) +') + +####################################### +## +## Read gnome-settings-daemon +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_settings_daemon_files',` + gen_require(` + type gnome_settings_daemon_t; + ') + + read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t) +') + ######################################## ## ## Execute gconf in the caller domain. @@ -569,6 +767,36 @@ interface(`gnome_home_filetrans_gnome_ho ######################################## ## +## Create objects in user home +## directories with the gstreamer +## orcexec type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## ## Create objects in gnome gconf home ## directories with a private type. ## @@ -604,6 +832,36 @@ interface(`gnome_gconf_home_filetrans',` ######################################## ## +## Create objects in the user +## runtime directories with the +## gstreamer orcexec type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## ## Read generic gnome keyring home files. ## ## 
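Review bot: The new session-bus calls in the gkeyringd optional_policy block pass the literal prefix `user`, as in `dbus_connect_spec_session_bus(user, dconf_t)`, while the neighbouring `dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)` uses the template's own prefix. When gnome_role_template is instantiated for another role (staff, sysadm), these rules would still target the user session bus, so the new daemons would presumably be unable to reach that role's bus. I would write `dbus_connect_spec_session_bus($1, dconf_t)` and `dbus_send_spec_session_bus($1, dconf_t)`, and the same for at_spi_t and gnome_settings_daemon_t. The template body starts outside this hunk.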
@@ -623,6 +881,133 @@ interface(`gnome_read_keyring_home_files ######################################## ## +## Read mime info files in the home +## directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_mime_info_home_files',` + gen_require(` + type mime_info_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + read_files_pattern($1, mime_info_t, mime_info_t) +') + +######################################## +## +## Send and receive messages from +## the dconf daemon over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_dconf',` + gen_require(` + type dconf_t; + class dbus send_msg; + ') + + allow $1 dconf_t:dbus send_msg; + allow dconf_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## the at-spi daemon over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_at_spi',` + gen_require(` + type at_spi_t; + class dbus send_msg; + ') + + allow $1 at_spi_t:dbus send_msg; + allow at_spi_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## the gconf daemon over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## gnome-settings over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gnome_settings',` + gen_require(` + type gnome_settings_t; + class dbus send_msg; + ') + + allow $1 gnome_settings_t:dbus send_msg; + allow gnome_settings_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## the gnome-settings-daemon over +## dbus. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_dbus_chat_gnome_settings_daemon',` + gen_require(` + type gnome_settings_daemon_t; + class dbus send_msg; + ') + + allow $1 gnome_settings_daemon_t:dbus send_msg; + allow gnome_settings_daemon_t $1:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## gnome keyring daemon over dbus. ## @@ -735,3 +1120,42 @@ interface(`gnome_stream_connect_all_gkey files_search_tmp($1) stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') + +######################################## +## +## Use file descriptors for +## the gnome settings daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_settings_daemon_use_fds',` + gen_require(` + type gnome_settings_daemon_t; + ') + + allow $1 gnome_settings_daemon_t:fd use; +') + +######################################## +## +## Do not audit attempts to use the +## file descriptors for the gnome +## settings daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dontaudit_settings_daemon_use_fds',` + gen_require(` + type gnome_settings_daemon_t; + ') + + dontaudit $1 gnome_settings_daemon_t:fd use; +') --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-20 01:27:16.464669503 +0200 
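Review bot: The parameter description of `gnome_dontaudit_settings_daemon_use_fds` reads "Domain allowed access." although the interface only emits a `dontaudit` rule and grants nothing. The description should be `## Domain to not audit.`, so that generated interface documentation does not present this as a permission grant. The same wording appears on `pulseaudio_dontaudit_use_fds` in the pulseaudio.if hunk.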
@@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1) attribute gkeyringd_domain; attribute gnomedomain; +attribute_role dconf_roles; +attribute_role at_spi_roles; attribute_role gconfd_roles; +attribute_role gnome_settings_roles; +attribute_role gnome_settings_daemon_roles; + +type dconf_t; +type dconf_exec_t; +userdom_user_application_domain(dconf_t, dconf_exec_t) +role dconf_roles types dconf_t; + +type dconf_home_t; +userdom_user_home_content(dconf_home_t) + +type at_spi_t; +type at_spi_exec_t; +userdom_user_application_domain(at_spi_t, at_spi_exec_t) +role at_spi_roles types at_spi_t; type gconf_etc_t; files_config_file(gconf_etc_t) @@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; +type gnome_settings_t; +type gnome_settings_exec_t; +userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t) +role gnome_settings_roles types gnome_settings_t; + +type gnome_settings_daemon_t; +type gnome_settings_daemon_exec_t; +userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t) +role gnome_settings_daemon_roles types gnome_settings_daemon_t; + +type gnome_settings_schemas_t; +files_config_file(gnome_settings_schemas_t) + type gnome_home_t; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; @@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex type gnome_keyring_home_t; userdom_user_home_content(gnome_keyring_home_t) +type gnome_keyring_cache_home_t; +userdom_user_home_content(gnome_keyring_cache_home_t) + type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) +type mime_info_t; +files_config_file(mime_info_t) + +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) + ############################## # # Common local Policy 
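Review bot: In the gnome.te hunk that declares the gsettings types, both application-domain calls pass the executable type as the domain argument: `userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t)`. Compared with `userdom_user_application_domain(dconf_t, dconf_exec_t)` a few lines earlier, this leaves gnome_settings_t and gnome_settings_daemon_t without their domain setup and treats the exec types as domains instead. That may be why explicit entrypoint, `libs_use_ld_so` and `libs_use_shared_libs` rules had to be added for them further down. The calls should read `userdom_user_application_domain(gnome_settings_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_t, gnome_settings_daemon_exec_t)`.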
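Review bot: `files_config_file(mime_info_t)` declares the new type as system configuration, but gnome.fc in this patch assigns it to `HOME_DIR/\.local/share/mime(/.*)?` and the commit message describes it as a type for the home directories. The other home types in this hunk use `userdom_user_home_content(...)`, so I would expect `userdom_user_home_content(mime_info_t)` here. Otherwise the type presumably falls outside the attribute that user-home management and relabelling interfaces operate on. Similarly, gstreamer_orcexec_t is declared with `application_executable_file` although pulseaudio is later allowed to create and write files of that type, which deserves a comment at the declaration.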
@@ -73,7 +112,62 @@ optional_policy(` ############################## # -# Conf daemon local Policy +# DConf daemon local policy (Gnome3) +# + +allow dconf_t self:process signal; + +allow dconf_t dconf_home_t:dir manage_dir_perms; +allow dconf_t dconf_home_t:file manage_file_perms; +allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms; + +userdom_search_user_home_content(dconf_t) + +fs_getattr_xattr_fs(dconf_t) + +kernel_read_system_state(dconf_t) + +selinux_getattr_fs(dconf_t) + +############################## +# +# At-spi local policy +# + +allow at_spi_t self:process signal; + +allow at_spi_t dconf_home_t:dir manage_dir_perms; +allow at_spi_t dconf_home_t:file manage_file_perms; +allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms; +allow at_spi_t gnome_settings_schemas_t:file read_file_perms; +allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t) + +corecmd_search_bin(at_spi_t) + +files_read_usr_files(at_spi_t) + +fs_getattr_xattr_fs(at_spi_t) + +kernel_read_system_state(at_spi_t) + +selinux_getattr_fs(at_spi_t) + +# search in .cache +userdom_search_user_home_dirs(at_spi_t) +userdom_search_user_home_content(at_spi_t) + +optional_policy(` + xserver_read_user_xauth(at_spi_t) + xserver_stream_connect(at_spi_t) +') + +############################## +# +# GConf daemon local Policy (Gnome2) # allow gconfd_t gconf_etc_t:dir list_dir_perms; @@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +kernel_dontaudit_read_system_state(gconfd_t) + +files_search_tmp(gconfd_t) + +fs_getattr_xattr_fs(gconfd_t) + userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) 
@@ -102,6 +202,171 @@ optional_policy(` ') ############################## +# +# Gnome-settings local policy +# + +allow gnome_settings_t self:dir list_dir_perms; +allow gnome_settings_t self:file rw_file_perms; +allow gnome_settings_t self:process { fork sigchld }; +allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms; + +allow gnome_settings_t dconf_home_t:dir manage_dir_perms; +allow gnome_settings_t dconf_home_t:file manage_file_perms; +allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms; +allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms; +allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +allow gnome_settings_t gnome_settings_exec_t:file entrypoint; + +rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t) + +corecmd_exec_bin(gnome_settings_t) +corecmd_search_bin(gnome_settings_t) + +dev_dontaudit_search_sysfs(gnome_settings_t) +dev_list_all_dev_nodes(gnome_settings_t) +dev_rw_null(gnome_settings_t) +dev_search_sysfs(gnome_settings_t) + +files_list_root(gnome_settings_t) +files_read_etc_files(gnome_settings_t) +files_read_usr_files(gnome_settings_t) +files_search_pids(gnome_settings_t) + +fs_getattr_xattr_fs(gnome_settings_t) + +init_sigchld(gnome_settings_t) + +kernel_read_system_state(gnome_settings_t) + +libs_use_ld_so(gnome_settings_t) +libs_use_shared_libs(gnome_settings_t) + +miscfiles_read_localization(gnome_settings_t) + +selinux_getattr_fs(gnome_settings_t) +selinux_dontaudit_search_fs(gnome_settings_t) + +### should create an xserver interface for writing .xsession-errors +userdom_dontaudit_write_user_home_content_files(gnome_settings_t) + +# search in .cache +userdom_search_user_home_dirs(gnome_settings_t) +userdom_search_user_home_content(gnome_settings_t) + +optional_policy(` + dbus_read_lib_files(gnome_settings_t) +') + +optional_policy(` + 
xserver_use_xdm_fds(gnome_settings_t) +') + +############################## +# +# Gnome-settings-daemon local policy +# + +allow gnome_settings_daemon_t self:dir list_dir_perms; +allow gnome_settings_daemon_t self:file rw_file_perms; +allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms; + +allow gnome_settings_daemon_t self:process { fork sigchld signal }; +allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms; +allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms; +allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms; +allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms; +allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms; +allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms }; + +rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t) + +read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t) + +cups_read_config(gnome_settings_daemon_t) +cups_stream_connect(gnome_settings_daemon_t) + +dev_dontaudit_search_sysfs(gnome_settings_daemon_t) +dev_read_urand(gnome_settings_daemon_t) +dev_read_sysfs(gnome_settings_daemon_t) +dev_rw_null(gnome_settings_daemon_t) + +files_list_root(gnome_settings_daemon_t) +files_list_tmp(gnome_settings_daemon_t) +files_read_etc_files(gnome_settings_daemon_t) +files_read_usr_files(gnome_settings_daemon_t) +files_search_tmp(gnome_settings_daemon_t) + +fs_getattr_tmpfs(gnome_settings_daemon_t) +fs_getattr_xattr_fs(gnome_settings_daemon_t) +fs_list_tmpfs(gnome_settings_daemon_t) +fs_rw_tmpfs_files(gnome_settings_daemon_t) + +init_sigchld(gnome_settings_daemon_t) + 
+kernel_read_system_state(gnome_settings_daemon_t) + +libs_use_ld_so(gnome_settings_daemon_t) +libs_use_shared_libs(gnome_settings_daemon_t) + +logging_search_logs(gnome_settings_daemon_t) + +miscfiles_read_fonts(gnome_settings_daemon_t) +miscfiles_read_generic_certs(gnome_settings_daemon_t) +miscfiles_read_localization(gnome_settings_daemon_t) + +selinux_getattr_fs(gnome_settings_daemon_t) +selinux_dontaudit_search_fs(gnome_settings_daemon_t) + +### should create an xserver interface for writing .xsession-errors +userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t) + +userdom_list_user_home_dirs(gnome_settings_daemon_t) +userdom_list_user_tmp(gnome_settings_daemon_t) +userdom_search_user_home_dirs(gnome_settings_daemon_t) +userdom_search_user_home_content(gnome_settings_daemon_t) + +optional_policy(` + colord_dbus_chat(gnome_settings_daemon_t) + colord_manage_home_files(gnome_settings_daemon_t) +') + +optional_policy(` + dbus_system_bus_client(gnome_settings_daemon_t) +') + +optional_policy(` + devicekit_dbus_chat_power(gnome_settings_daemon_t) +') + +optional_policy(` + policykit_dbus_chat(gnome_settings_daemon_t) + policykit_domtrans(gnome_settings_daemon_t) +') + +optional_policy(` + pulseaudio_read_home(gnome_settings_daemon_t) + pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t) + pulseaudio_signull(gnome_settings_daemon_t) + pulseaudio_stream_connect(gnome_settings_daemon_t) + pulseaudio_use_fds(gnome_settings_daemon_t) +') + +optional_policy(` + xserver_read_user_xauth(gnome_settings_daemon_t) + xserver_stream_connect(gnome_settings_daemon_t) +') + +############################## # # Keyring-daemon local policy # --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200 
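Review bot: `cups_read_config(gnome_settings_daemon_t)` and `cups_stream_connect(gnome_settings_daemon_t)` in the gnome-settings-daemon section are called unconditionally, whereas every other cross-module call here (colord, dbus, devicekit, policykit, pulseaudio, xserver) sits in an `optional_policy` block. Assuming cups is a separate module, as those are, this makes the gnome module fail to build or load without it; the two calls should move into their own `optional_policy` block. The section also pairs `dev_dontaudit_search_sysfs` with `dev_read_sysfs` for the same domain (and with `dev_search_sysfs` in the gnome_settings_t section), so the dontaudit lines look like dead rules and can go.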
@@ -1,3 +1,5 @@ +/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0) + /usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) /usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200 @@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',` ######################################## ## +## Execute a domain transition to +## run polkit. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`policykit_domtrans',` + gen_require(` + type policykit_t, policykit_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, policykit_exec_t, policykit_t) +') + +######################################## +## ## Execute a domain transition to run polkit_auth. ## ## --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200 @@ -117,6 +118,7 @@ optional_policy(` optional_policy(` gnome_read_generic_home_content(policykit_t) + gnome_read_settings_daemon_files(policykit_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200 
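Review bot: Labelling `/usr/bin/pkexec` as policykit_exec_t in policykit.fc gives the client-side launcher the same entry-point type as polkitd, and the new `policykit_domtrans` interface in policykit.if then lets a caller (gnome_settings_daemon_t in gnome.te) run it inside policykit_t, the daemon's own domain. pkexec executes caller-chosen commands, so whatever policykit_t is allowed (its rules are outside this patch) becomes reachable from a desktop session daemon. A dedicated exec type and domain for pkexec, with only the access it needs, would keep the authorization daemon's privileges separate. The interface summary "Execute a domain transition to run polkit" should also state which binary is meant.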
@@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',` typeattribute $1 pulseaudio_tmpfsfile; ') + +####################################### +## +## Read pulseaudio tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_read_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +####################################### +## +## Read and write pulseaudio tmpfs +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_rw_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +######################################## +## +## Use file descriptors for +## pulseaudio. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:fd use; +') + +######################################## +## +## Do not audit attempts to use the +## file descriptors for pulseaudio. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_dontaudit_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + dontaudit $1 pulseaudio_t:fd use; +') --- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200 
@@ -193,6 +193,11 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(pulseaudio_t) + + # OIL Runtime Compiler (ORC) optimized code execution + allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms }; + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) ') optional_policy(`--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200 +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200 @@ -593,6 +593,10 @@ template(`userdom_common_user_template', ') optional_policy(` + colord_manage_home_files($1_t) + ') + + optional_policy(` dbus_system_bus_client($1_t) optional_policy(`
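Review bot: `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` in pulseaudio.te references a type owned by the gnome module directly, with no gen_require, instead of going through an interface as the two filetrans calls below it do. This should become an interface in gnome.if (name to be chosen by the author) called from this optional_policy block. The rule also lets pulseaudio create, write and then map the same files. As far as I recall, mmap_file_perms includes execute in refpolicy of this period, which is worth confirming against the permission-set definitions. That would be a write-then-execute grant over files in the home and runtime directories, so the comment should state it explicitly, e.g. `# ORC needs to write and then execute generated code; this is a deliberate W+X exception`, and a tunable would let hardened systems turn it off.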