From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 Aug 2016 21:15:47 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file
	contexts
In-Reply-To: <1471894798.19333.1.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
Message-ID: <e24eaac7-5277-23b5-f5db-d1a286920a9b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/22/16 15:39, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - target the dconf daemon, the gsettings user application, the
>   gnome-settings-daemon and the at-spi daemon with all the
>   needed domain transitions;
> - a new gstreamer_orcexec_t type and file context is introduced
>   to support the OIL Runtime Compiler (ORC) optimized code
>   execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
>   keyring domains;
> - add support for chat over dbus in the gconfd domain and in the
>   new domains (dconf, gsettings, etc);
> - add support for a few needed fs and kernel permissions.
> - add support for reading the colord related files in the home
>   directories (such as the ICC EDID profiles): requires the
>   recent colord patch;
> - add support for for reading the colord related files in the home
>   directories in the common user domain template;
> - add support for a new mime_info_t type to be used in the home
>   directories;
> - includes minor modifications to the consolekit, dbus and
>   policykit modules to support the new targeted gnome daemons
>   and applications;
> - modifies the pulseaudio module to introduce new interfaces to
>   read and write pulseaudio tmpfs files and to use the pulseaudio
>   file descriptor;
> - provides better module encapsulation (i.e. dbus module).
>
> The support for Gnome2/ORBit-2 (version 2) has been dropped.
>
> This patch depends on the recent colord patch.
>
> Recent changes to the pulseaudio module depends on this patch !

Unfortunately, as Dominick pointed out, you've gone to the other end of 
the patch organization spectrum and made too large of a patch.  If you 
split it up into individual commits, git format-patch and git send-email 
will make it easy to send a series of patches in commit order.  So all 
you have to do is create reasonably-sized and logically-organized commits.


I did not review everything, but here are a few things I noticed:

> +########################################
> +## <summary>
> +##	Make a domain transition from a
> +##	given source domain to another
> +##	specified target domain using
> +##	the DBUS executable file type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Source domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`dbus_domain_transition',`

I'm not clear why this is necessary.

> +	gen_require(`
> +		type dbusd_exec_t;
> +	')
> +
> +	allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };

Entrypoint should not be included here.

> +	domtrans_pattern($1, dbusd_exec_t, $2)

> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if	2016-08-06 21:27:11.354094337 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if	2016-08-22 21:24:49.634876147 +0200
> @@ -43,14 +43,39 @@ interface(`gnome_role',`
>  template(`gnome_role_template',`
>  	gen_require(`
>  		attribute gnomedomain, gkeyringd_domain;
> +		attribute_role dconf_roles;
> +		attribute_role at_spi_roles;
>  		attribute_role gconfd_roles;
> -		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
> +		attribute_role gnome_settings_roles;
> +		attribute_role gnome_settings_daemon_roles;

Are all of these role attributes really necessary?  Typically these are 
only needed when there are long chains of transitions where the original 
domain doesn't have any relation to latter domains.  For example:

user_t ->  domain1_t -> domain2_t

In this case, there is no link in the sources between user_t and 
domain2_t, but domain2_t needs to be allowed user_r.  Domain1_t's 
interfaces can collect up all the roles that run domain1 in a role 
attribute, and then use that attribute when running domain2.


> +		type dconf_t, dconf_exec_t, dconf_home_t;
> +		type at_spi_t, at_spi_exec_t;
>  		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>  		type gconf_home_t;
> +		type gnome_settings_t, gnome_settings_exec_t;
> +		type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
> +		type gnome_settings_schemas_t;
> +		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> +		type mime_info_t;
> +		type user_dbusd_t;

This dbus type cannot be referenced directly in this module.


>  	optional_policy(`
> +		dbus_connect_spec_session_bus(user, dconf_t)
> +		dbus_connect_spec_session_bus(user, at_spi_t)
> +		dbus_connect_spec_session_bus(user, gnome_settings_daemon_t)

Prefixes can't be hardcoded like this.

> +		dbus_connect_system_bus(gnome_settings_daemon_t)
> +		dbus_domain_transition(at_spi_t, user_dbusd_t)
> +		dbus_domain_transition(gnome_settings_t, user_dbusd_t)
> +		dbus_send_spec_session_bus(user, dconf_t)
> +		dbus_send_spec_session_bus(user, at_spi_t)
> +		dbus_send_spec_session_bus(user, gnome_settings_daemon_t)
>  		dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)


-- 
Chris PeBenito