From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 21 Aug 2016 20:49:51 +0200
Subject: [refpolicy] [PATCH v3] Update for the gnome policy and file contexts
In-Reply-To: <1471704772.17584.9.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net>
Message-ID: <9d30fc6e-3ffa-b966-7bd0-d9bd8c881f4d@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote:
> Update for the gnome module:
>
> - target the dconf daemon, the gsettings user application, the
>   gnome-settings-daemon and the at-spi daemon with all the
>   needed domain transitions;
> - a new gstreamer_orcexec_t type and file context is introduced
>   to support the OIL Runtime Compiler (ORC) optimized code
>   execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
>   keyring domains;
> - add support for chat over dbus in the gconfd domain and in the
>   new domains (dconf, gsettings, etc);
> - add support for a few needed fs and kernel permissions.
> - add support for reading the colord related files in the home
>   directories (such as the ICC EDID profiles): requires the
>   recent colord patch;
> - add support for reading the colord related files in the home
>   directories in the common user domain template;
> - add support for a new mime_info_t type to be used in the home
>   directories;
> - includes minor modifications to the consolekit, dbus and
>   policykit modules to support the new targeted gnome daemons
>   and applications;
> - modifies the pulseaudio module to introduce new interfaces to
>   read and write pulseaudio tmpfs files and to use the pulseaudio
>   file descriptor.
>
> The support for Gnome2/ORBit-2 (version 2) has been dropped.
if you want me to review this then you have to split this patch into smaller patches > > This patch depends on the recent colord patch. > > Recent changes to the pulseaudio module depends on this patch ! > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/colord.if | 41 +++ > policy/modules/contrib/colord.te | 4 > policy/modules/contrib/consolekit.te | 4 > policy/modules/contrib/dbus.te | 9 > policy/modules/contrib/gnome.fc | 19 + > policy/modules/contrib/gnome.if | 426 ++++++++++++++++++++++++++++++++++- > policy/modules/contrib/gnome.te | 267 +++++++++++++++++++++ > policy/modules/contrib/policykit.fc | 2 > policy/modules/contrib/policykit.if | 20 + > policy/modules/contrib/policykit.te | 1 > policy/modules/contrib/pulseaudio.if | 77 ++++++ > policy/modules/contrib/pulseaudio.te | 5 > policy/modules/system/userdomain.if | 4 > 13 files changed, 876 insertions(+), 3 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200 
> @@ -58,3 +58,44 @@ interface(`colord_read_lib_files',` > files_search_var_lib($1) > read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) > ') > + > +###################################### > +## > +## Read colord home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`colord_read_home_files',` > + gen_require(` > + type colord_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + userdom_list_user_home_content($1) > + read_files_pattern($1, colord_home_t, colord_home_t) > +') > + > +###################################### > +## > +## Create, read, write, and delete > +## colord home content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`colord_manage_home_files',` > + gen_require(` > + type colord_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + userdom_list_user_home_content($1) > + manage_files_pattern($1, colord_home_t, colord_home_t) > +') > --- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200 > @@ -123,6 +136,10 @@ optional_policy(` > ') > > optional_policy(` > + gnome_settings_daemon_use_fds(colord_t) > +') > + > +optional_policy(` > policykit_dbus_chat(colord_t) > policykit_domtrans_auth(colord_t) > policykit_read_lib(colord_t)--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200 
> @@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > + gnome_read_settings_daemon_files(consolekit_t) > +') > + > +optional_policy(` > dbus_read_lib_files(consolekit_t) > dbus_system_domain(consolekit_t, consolekit_exec_t) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200 > @@ -148,6 +148,15 @@ optional_policy(` > ') > > optional_policy(` > + colord_read_home_files(system_dbusd_t) > +') > + > +optional_policy(` > + gnome_read_settings_daemon_files(system_dbusd_t) > + gnome_settings_daemon_use_fds(system_dbusd_t) > +') > + > +optional_policy(` > policykit_read_lib(system_dbusd_t) > ') > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200 
> @@ -1,16 +1,33 @@ > +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) > +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0) > +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) > HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) > HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) > HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) > HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > +HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0) > + > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) > > /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) > > /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) > +/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0) > /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) > > /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0) > +/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0) > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > +/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) > +/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) > + > +/usr/share/glib-[^/]*/schemas(/.*)? 
gen_context(system_u:object_r:gnome_settings_schemas_t,s0) > + > +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-20 03:27:52.570896165 +0200 > @@ -43,14 +43,40 @@ interface(`gnome_role',` > template(`gnome_role_template',` > gen_require(` > attribute gnomedomain, gkeyringd_domain; > + attribute_role dconf_roles; > + attribute_role at_spi_roles; > attribute_role gconfd_roles; > - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; > + attribute_role gnome_settings_roles; > + attribute_role gnome_settings_daemon_roles; > + type dconf_t, dconf_exec_t, dconf_home_t; > + type at_spi_t, at_spi_exec_t; > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > type gconf_home_t; > + type gnome_settings_t, gnome_settings_exec_t; > + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t; > + type gnome_settings_schemas_t; > + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > + type mime_info_t; > + type user_dbusd_t; > + type dbusd_exec_t; > ') > > ######################################## > # > + # Dconf declarations > + # > + > + roleattribute $2 dconf_roles; > + > + ######################################## > + # > + # At-spi declarations > + # > + > + roleattribute $2 at_spi_roles; > + > + ######################################## > + # > # Gconf declarations > # 
> > @@ -58,6 +84,20 @@ template(`gnome_role_template',` > > ######################################## > # > + # Gnome-settings declarations > + # > + > + roleattribute $2 gnome_settings_roles; > + > + ######################################## > + # > + # Gnome-settings-daemon declarations > + # > + > + roleattribute $2 gnome_settings_daemon_roles; > + > + ######################################## > + # > # Gkeyringd declarations > # 
> > @@ -69,6 +109,70 @@ template(`gnome_role_template',` > > ######################################## > # > + # Common policy > + # > + > + allow $3 dconf_home_t:dir manage_dir_perms; > + allow $3 dconf_home_t:file manage_file_perms; > + allow $3 dconf_home_t:lnk_file manage_lnk_file_perms; > + > + allow $3 gnome_settings_schemas_t:dir list_dir_perms; > + allow $3 gnome_settings_schemas_t:file read_file_perms; > + allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > + allow $3 mime_info_t:dir list_dir_perms; > + allow $3 mime_info_t:file read_file_perms; > + > + allow at_spi_t user_dbusd_t:process signal; > + > + allow user_dbusd_t self:process signal; > + > + allow user_dbusd_t bin_t:file entrypoint; > + > + allow user_dbusd_t dbusd_exec_t:file exec_file_perms; > + > + gnome_read_settings_files(user_dbusd_t) > + gnome_read_settings_daemon_files(user_dbusd_t) > + > + files_read_usr_files($3) > + > + kernel_read_system_state(user_dbusd_t) > + > + optional_policy(` > + xserver_read_user_xauth(user_dbusd_t) > + xserver_stream_connect(user_dbusd_t) > + ') > + > + ######################################## > + # > + # Dconf policy > + # > + > + allow dconf_t user_dbusd_t:unix_stream_socket connectto; > + > + allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms }; > + > + domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t) > + > + ######################################## > + # > + # At-spi policy > + # > + > + allow at_spi_t user_dbusd_t:unix_stream_socket connectto; > + > + allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms }; > + > + allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms }; > + > + allow $3 at_spi_t:fd use; > + > + domtrans_pattern(at_spi_t, dbusd_exec_t, user_dbusd_t) > + > + domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t) > + > + ######################################## > + # > # Gconf policy > # 
> > @@ -84,6 +188,38 @@ template(`gnome_role_template',` > > ######################################## > # > + # Gnome-settings policy > + # > + > + domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t) > + > + allow $3 gnome_settings_t:process { ptrace signal_perms }; > + ps_process_pattern($3, gnome_settings_t) > + > + allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto; > + > + allow gnome_settings_t bin_t:file entrypoint; > + allow gnome_settings_t dbusd_exec_t:file { entrypoint exec_file_perms }; > + > + # for dbus-launch > + corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t) > + > + domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t) > + > + ######################################## > + # > + # Gnome-settings-daemon policy > + # > + > + domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t) > + > + allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto; > + > + allow $3 gnome_settings_daemon_t:process { ptrace signal_perms }; > + ps_process_pattern($3, gnome_settings_daemon_t) > + > + ######################################## > + # > # Gkeyringd policy > # 
> > @@ -100,23 +236,85 @@ template(`gnome_role_template',` > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > + userdom_manage_user_home_content_files($1_gkeyringd_t) > + > + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) > + > + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file) > + > ps_process_pattern($3, $1_gkeyringd_t) > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > + > corecmd_bin_domtrans($1_gkeyringd_t, $3) > corecmd_shell_domtrans($1_gkeyringd_t, $3) > > gnome_stream_connect_gkeyringd($1, $3) > > optional_policy(` > + dbus_connect_spec_session_bus(user, dconf_t) > + dbus_connect_spec_session_bus(user, at_spi_t) > + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t) > + dbus_connect_system_bus(gnome_settings_daemon_t) > + dbus_send_spec_session_bus(user, dconf_t) > + dbus_send_spec_session_bus(user, at_spi_t) > + dbus_send_spec_session_bus(user, gnome_settings_daemon_t) > dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) > > optional_policy(` > + gnome_dbus_chat_dconf($3) > + gnome_dbus_chat_dconf(gnome_settings_t) > + gnome_dbus_chat_at_spi($3) > + gnome_dbus_chat_gconfd($3) > + gnome_dbus_chat_gnome_settings(user_dbusd_t) > + gnome_dbus_chat_gnome_settings_daemon($3) > + gnome_dbus_chat_gnome_settings_daemon(at_spi_t) > gnome_dbus_chat_gkeyringd($1, $3) > ') > ') > ') > > +####################################### > +## > +## Read gnome-settings files. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`gnome_read_settings_files',` > + gen_require(` > + type gnome_settings_t; > + ') > + > + read_files_pattern($1, gnome_settings_t, gnome_settings_t) > +') > + > +####################################### > +## > +## Read gnome-settings-daemon > +## files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_read_settings_daemon_files',` > + gen_require(` > + type gnome_settings_daemon_t; > + ') > + > + read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t) > +') > + > ######################################## > ## > ## Execute gconf in the caller domain. > @@ -569,6 +767,36 @@ interface(`gnome_home_filetrans_gnome_ho > > ######################################## > ## > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > ## Create objects in gnome gconf home > ## directories with a private type. > ## 
> @@ -604,6 +832,36 @@ interface(`gnome_gconf_home_filetrans',` > > ######################################## > ## > +## Create objects in the user > +## runtime directories with the > +## gstreamer orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > ## Read generic gnome keyring home files. > ## > ## 
> @@ -623,6 +881,133 @@ interface(`gnome_read_keyring_home_files > > ######################################## > ## > +## Read mime info files in the home > +## directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_read_mime_info_home_files',` > + gen_require(` > + type mime_info_t; > + ') > + > + userdom_search_user_home_dirs($1) > + userdom_list_user_home_content($1) > + read_files_pattern($1, mime_info_t, mime_info_t) > +') > + > +######################################## > +## > +## Send and receive messages from > +## the dconf daemon over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_dbus_chat_dconf',` > + gen_require(` > + type dconf_t; > + class dbus send_msg; > + ') > + > + allow $1 dconf_t:dbus send_msg; > + allow dconf_t $1:dbus send_msg; > +') > + > +######################################## > +## > +## Send and receive messages from > +## the at-spi daemon over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_dbus_chat_at_spi',` > + gen_require(` > + type at_spi_t; > + class dbus send_msg; > + ') > + > + allow $1 at_spi_t:dbus send_msg; > + allow at_spi_t $1:dbus send_msg; > +') > + > +######################################## > +## > +## Send and receive messages from > +## the gconf daemon over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_dbus_chat_gconfd',` > + gen_require(` > + type gconfd_t; > + class dbus send_msg; > + ') > + > + allow $1 gconfd_t:dbus send_msg; > + allow gconfd_t $1:dbus send_msg; > +') > + > +######################################## > +## > +## Send and receive messages from > +## gnome-settings over dbus. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`gnome_dbus_chat_gnome_settings',` > + gen_require(` > + type gnome_settings_t; > + class dbus send_msg; > + ') > + > + allow $1 gnome_settings_t:dbus send_msg; > + allow gnome_settings_t $1:dbus send_msg; > +') > + > +######################################## > +## > +## Send and receive messages from > +## the gnome-settings-daemon over > +## dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_dbus_chat_gnome_settings_daemon',` > + gen_require(` > + type gnome_settings_daemon_t; > + class dbus send_msg; > + ') > + > + allow $1 gnome_settings_daemon_t:dbus send_msg; > + allow gnome_settings_daemon_t $1:dbus send_msg; > +') > + > +######################################## > +## > ## Send and receive messages from > ## gnome keyring daemon over dbus. > ## > @@ -735,3 +1120,42 @@ interface(`gnome_stream_connect_all_gkey > files_search_tmp($1) > stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) > ') > + > +######################################## > +## > +## Use file descriptors for > +## the gnome settings daemon. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_settings_daemon_use_fds',` > + gen_require(` > + type gnome_settings_daemon_t; > + ') > + > + allow $1 gnome_settings_daemon_t:fd use; > +') > + > +######################################## > +## > +## Do not audit attempts to use the > +## file descriptors for the gnome > +## settings daemon. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_dontaudit_settings_daemon_use_fds',` > + gen_require(` > + type gnome_settings_daemon_t; > + ') > + > + dontaudit $1 gnome_settings_daemon_t:fd use; > +') > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-20 01:27:16.464669503 +0200 
> @@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1) > > attribute gkeyringd_domain; > attribute gnomedomain; > +attribute_role dconf_roles; > +attribute_role at_spi_roles; > attribute_role gconfd_roles; > +attribute_role gnome_settings_roles; > +attribute_role gnome_settings_daemon_roles; > + > +type dconf_t; > +type dconf_exec_t; > +userdom_user_application_domain(dconf_t, dconf_exec_t) > +role dconf_roles types dconf_t; > + > +type dconf_home_t; > +userdom_user_home_content(dconf_home_t) > + > +type at_spi_t; > +type at_spi_exec_t; > +userdom_user_application_domain(at_spi_t, at_spi_exec_t) > +role at_spi_roles types at_spi_t; > > type gconf_etc_t; > files_config_file(gconf_etc_t) > @@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon > userdom_user_application_domain(gconfd_t, gconfd_exec_t) > role gconfd_roles types gconfd_t; > > +type gnome_settings_t; > +type gnome_settings_exec_t; > +userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t) > +role gnome_settings_roles types gnome_settings_t; > + > +type gnome_settings_daemon_t; > +type gnome_settings_daemon_exec_t; > +userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t) > +role gnome_settings_daemon_roles types gnome_settings_daemon_t; > + > +type gnome_settings_schemas_t; > +files_config_file(gnome_settings_schemas_t) > + > type gnome_home_t; > typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; > typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; 
> @@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex > type gnome_keyring_home_t; > userdom_user_home_content(gnome_keyring_home_t) > > +type gnome_keyring_cache_home_t; > +userdom_user_home_content(gnome_keyring_cache_home_t) > + > type gnome_keyring_tmp_t; > userdom_user_tmp_file(gnome_keyring_tmp_t) > > +type mime_info_t; > +files_config_file(mime_info_t) > + > +type gstreamer_orcexec_t; > +application_executable_file(gstreamer_orcexec_t) > + > ############################## > # > # Common local Policy 
> @@ -73,7 +112,62 @@ optional_policy(` > > ############################## > # > -# Conf daemon local Policy > +# DConf daemon local policy (Gnome3) > +# > + > +allow dconf_t self:process signal; > + > +allow dconf_t dconf_home_t:dir manage_dir_perms; > +allow dconf_t dconf_home_t:file manage_file_perms; > +allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +userdom_search_user_home_content(dconf_t) > + > +fs_getattr_xattr_fs(dconf_t) > + > +kernel_read_system_state(dconf_t) > + > +selinux_getattr_fs(dconf_t) > + > +############################## > +# > +# At-spi local policy > +# > + > +allow at_spi_t self:process signal; > + > +allow at_spi_t dconf_home_t:dir manage_dir_perms; > +allow at_spi_t dconf_home_t:file manage_file_perms; > +allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms; > +allow at_spi_t gnome_settings_schemas_t:file read_file_perms; > +allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > +rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t) > + > +corecmd_search_bin(at_spi_t) > + > +files_read_usr_files(at_spi_t) > + > +fs_getattr_xattr_fs(at_spi_t) > + > +kernel_read_system_state(at_spi_t) > + > +selinux_getattr_fs(at_spi_t) > + > +# search in .cache > +userdom_search_user_home_dirs(at_spi_t) > +userdom_search_user_home_content(at_spi_t) > + > +optional_policy(` > + xserver_read_user_xauth(at_spi_t) > + xserver_stream_connect(at_spi_t) > +') > + > +############################## > +# > +# GConf daemon local Policy (Gnome2) > # > > allow gconfd_t gconf_etc_t:dir list_dir_perms; 
> @@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > +kernel_dontaudit_read_system_state(gconfd_t) > + > +files_search_tmp(gconfd_t) > + > +fs_getattr_xattr_fs(gconfd_t) > + > userdom_manage_user_tmp_dirs(gconfd_t) > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) 
> @@ -102,6 +202,171 @@ optional_policy(` > ') > > ############################## > +# > +# Gnome-settings local policy > +# > + > +allow gnome_settings_t self:dir list_dir_perms; > +allow gnome_settings_t self:file rw_file_perms; > +allow gnome_settings_t self:process { fork sigchld }; > +allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms; > + > +allow gnome_settings_t dconf_home_t:dir manage_dir_perms; > +allow gnome_settings_t dconf_home_t:file manage_file_perms; > +allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms; > +allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms; > +allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > +allow gnome_settings_t gnome_settings_exec_t:file entrypoint; > + > +rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t) > + > +corecmd_exec_bin(gnome_settings_t) > +corecmd_search_bin(gnome_settings_t) > + > +dev_dontaudit_search_sysfs(gnome_settings_t) > +dev_list_all_dev_nodes(gnome_settings_t) > +dev_rw_null(gnome_settings_t) > +dev_search_sysfs(gnome_settings_t) > + > +files_list_root(gnome_settings_t) > +files_read_etc_files(gnome_settings_t) > +files_read_usr_files(gnome_settings_t) > +files_search_pids(gnome_settings_t) > + > +fs_getattr_xattr_fs(gnome_settings_t) > + > +init_sigchld(gnome_settings_t) > + > +kernel_read_system_state(gnome_settings_t) > + > +libs_use_ld_so(gnome_settings_t) > +libs_use_shared_libs(gnome_settings_t) > + > +miscfiles_read_localization(gnome_settings_t) > + > +selinux_getattr_fs(gnome_settings_t) > +selinux_dontaudit_search_fs(gnome_settings_t) > + > +### should create an xserver interface for writing .xsession-errors > +userdom_dontaudit_write_user_home_content_files(gnome_settings_t) > + > +# search in .cache > +userdom_search_user_home_dirs(gnome_settings_t) > +userdom_search_user_home_content(gnome_settings_t) > + 
> +optional_policy(` > + dbus_read_lib_files(gnome_settings_t) > +') > + > +optional_policy(` > + xserver_use_xdm_fds(gnome_settings_t) > +') > + > +############################## > +# > +# Gnome-settings-daemon local policy > +# > + > +allow gnome_settings_daemon_t self:dir list_dir_perms; > +allow gnome_settings_daemon_t self:file rw_file_perms; > +allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms; > + > +allow gnome_settings_daemon_t self:process { fork sigchld signal }; > +allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms; > +allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms; > + > +allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms; > +allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms; > +allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms; > +allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms; > +allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > +allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms }; > + > +rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t) > + > +read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t) > + > +cups_read_config(gnome_settings_daemon_t) > +cups_stream_connect(gnome_settings_daemon_t) > + > +dev_dontaudit_search_sysfs(gnome_settings_daemon_t) > +dev_read_urand(gnome_settings_daemon_t) > +dev_read_sysfs(gnome_settings_daemon_t) > +dev_rw_null(gnome_settings_daemon_t) > + > +files_list_root(gnome_settings_daemon_t) > +files_list_tmp(gnome_settings_daemon_t) > +files_read_etc_files(gnome_settings_daemon_t) > +files_read_usr_files(gnome_settings_daemon_t) > +files_search_tmp(gnome_settings_daemon_t) > + > +fs_getattr_tmpfs(gnome_settings_daemon_t) > 
+fs_getattr_xattr_fs(gnome_settings_daemon_t) > +fs_list_tmpfs(gnome_settings_daemon_t) > +fs_rw_tmpfs_files(gnome_settings_daemon_t) > + > +init_sigchld(gnome_settings_daemon_t) > + > +kernel_read_system_state(gnome_settings_daemon_t) > + > +libs_use_ld_so(gnome_settings_daemon_t) > +libs_use_shared_libs(gnome_settings_daemon_t) > + > +logging_search_logs(gnome_settings_daemon_t) > + > +miscfiles_read_fonts(gnome_settings_daemon_t) > +miscfiles_read_generic_certs(gnome_settings_daemon_t) > +miscfiles_read_localization(gnome_settings_daemon_t) > + > +selinux_getattr_fs(gnome_settings_daemon_t) > +selinux_dontaudit_search_fs(gnome_settings_daemon_t) > + > +### should create an xserver interface for writing .xsession-errors > +userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t) > + > +userdom_list_user_home_dirs(gnome_settings_daemon_t) > +userdom_list_user_tmp(gnome_settings_daemon_t) > +userdom_search_user_home_dirs(gnome_settings_daemon_t) > +userdom_search_user_home_content(gnome_settings_daemon_t) > + > +optional_policy(` > + colord_dbus_chat(gnome_settings_daemon_t) > + colord_manage_home_files(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + dbus_system_bus_client(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + devicekit_dbus_chat_power(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + policykit_dbus_chat(gnome_settings_daemon_t) > + policykit_domtrans(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + pulseaudio_read_home(gnome_settings_daemon_t) > + pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t) > + pulseaudio_signull(gnome_settings_daemon_t) > + pulseaudio_stream_connect(gnome_settings_daemon_t) > + pulseaudio_use_fds(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + xserver_read_user_xauth(gnome_settings_daemon_t) > + xserver_stream_connect(gnome_settings_daemon_t) > +') > + > +############################## > # > # Keyring-daemon local policy > # > --- 
refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200 > @@ -1,3 +1,5 @@ > +/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0) > + > /usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) > /usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200 > @@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',` > > ######################################## > ## > +## Execute a domain transition to > +## run polkit. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`policykit_domtrans',` > + gen_require(` > + type policykit_t, policykit_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, policykit_exec_t, policykit_t) > +') > + > +######################################## > +## > ## Execute a domain transition to run polkit_auth. > ## > ## > --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200 > @@ -117,6 +118,7 @@ optional_policy(` > > optional_policy(` > gnome_read_generic_home_content(policykit_t) > + gnome_read_settings_daemon_files(policykit_t) > ') > > optional_policy(` > --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200 
> @@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',` > > typeattribute $1 pulseaudio_tmpfsfile; > ') > + > +####################################### > +## > +## Read pulseaudio tmpfs files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_read_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') > + > +####################################### > +## > +## Read and write pulseaudio tmpfs > +## files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_rw_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') > + > +######################################## > +## > +## Use file descriptors for > +## pulseaudio. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_use_fds',` > + gen_require(` > + type pulseaudio_t; > + ') > + > + allow $1 pulseaudio_t:fd use; > +') > + > +######################################## > +## > +## Do not audit attempts to use the > +## file descriptors for pulseaudio. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_dontaudit_use_fds',` > + gen_require(` > + type pulseaudio_t; > + ') > + > + dontaudit $1 pulseaudio_t:fd use; > +') > --- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200 
> @@ -193,6 +193,11 @@ optional_policy(` > > optional_policy(` > gnome_stream_connect_gconf(pulseaudio_t) > + > + # OIL Runtime Compiler (ORC) optimized code execution > + allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms }; > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) > + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) > ') > > optional_policy(`--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200 > +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200 > @@ -593,6 +593,10 @@ template(`userdom_common_user_template', > ') > > optional_policy(` > + colord_manage_home_files($1_t) > + ') > + > + optional_policy(` > dbus_system_bus_client($1_t) > > optional_policy(` > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160821/4d08999f/attachment-0001.bin