From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 23 Aug 2016 14:44:54 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To:
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net>
Message-ID: <1471956294.17467.4.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher !

Thanks for providing your valuable feedback.

On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> On 08/22/16 15:39, Guido Trentalancia wrote:
> >
> > Update for the gnome module:
> >
> > - target the dconf daemon, the gsettings user application, the
> >   gnome-settings-daemon and the at-spi daemon with all the
> >   needed domain transitions;
> > - a new gstreamer_orcexec_t type and file context is introduced
> >   to support the OIL Runtime Compiler (ORC) optimized code
> >   execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> >   keyring domains;
> > - add support for chat over dbus in the gconfd domain and in the
> >   new domains (dconf, gsettings, etc);
> > - add support for a few needed fs and kernel permissions.
> > - add support for reading the colord related files in the home
> >   directories (such as the ICC EDID profiles): requires the
> >   recent colord patch;
> > - add support for reading the colord related files in the home
> >   directories in the common user domain template;
> > - add support for a new mime_info_t type to be used in the home
> >   directories;
> > - includes minor modifications to the consolekit, dbus and
> >   policykit modules to support the new targeted gnome daemons
> >   and applications;
> > - modifies the pulseaudio module to introduce new interfaces to
> >   read and write pulseaudio tmpfs files and to use the pulseaudio
> >   file descriptor;
> > - provides better module encapsulation (i.e. dbus module).
> >
> > The support for Gnome2/ORBit-2 (version 2) has been dropped.
> >
> > This patch depends on the recent colord patch.
> >
> > Recent changes to the pulseaudio module depend on this patch !
>
> Unfortunately, as Dominick pointed out, you've gone to the other end of
> the patch organization spectrum and made too large of a patch.  If you
> split it up into individual commits, git format-patch and git send-email
> will make it easy to send a series of patches in commit order.  So all
> you have to do is create reasonably-sized and logically-organized
> commits.
>
>
> I did not review everything, but here are a few things I noticed:

> > > > > +######################################## > > +## > > +## Make a domain transition from a > > +## given source domain to another > > +## specified target domain using > > +## the DBUS executable file type. > > +## > > +## > > +## > > +## Source domain. > > +## > > +## > > +# > > +interface(`dbus_domain_transition',`
>
> I'm not clear why this is necessary.

To encapsulate dbus related types in their own module (i.e. the dbus
module).

> > + gen_require(` > > + type dbusd_exec_t; > > + ') > > + > > + allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };
>
> Entrypoint should not be included here.

I will check if this does not break the transition...

> > + domtrans_pattern($1, dbusd_exec_t, $2) > > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if > > 2016-08-06 21:27:11.354094337 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2 > > 016-08-22 21:24:49.634876147 +0200
> > @@ -43,14 +43,39 @@ interface(`gnome_role',` > > ?template(`gnome_role_template',` > > ? gen_require(` > > ? attribute gnomedomain, gkeyringd_domain; > > + attribute_role dconf_roles; > > + attribute_role at_spi_roles; > > ? attribute_role gconfd_roles; > > - type gkeyringd_exec_t, gnome_keyring_home_t, > > gnome_keyring_tmp_t; > > + attribute_role gnome_settings_roles; > > + attribute_role gnome_settings_daemon_roles;
>
> Are all of these role attributes really necessary?  Typically these are
> only needed when there are long chains of transitions where the original
> domain doesn't have any relation to latter domains.  For example:
>
> user_t -> domain1_t -> domain2_t
>
> In this case, there is no link in the sources between user_t and
> domain2_t, but domain2_t needs to be allowed user_r.  Domain1_t's
> interfaces can collect up all the roles that run domain1 in a role
> attribute, and then use that attribute when running domain2.

I will remove the roles which are not needed.

> > > > + type dconf_t, dconf_exec_t, dconf_home_t; > > + type at_spi_t, at_spi_exec_t; > > ? type gconfd_t, gconfd_exec_t, gconf_tmp_t; > > ? type gconf_home_t; > > + type gnome_settings_t, gnome_settings_exec_t; > > + type gnome_settings_daemon_t, > > gnome_settings_daemon_exec_t; > > + type gnome_settings_schemas_t; > > + type gkeyringd_exec_t, gnome_keyring_home_t, > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > > + type mime_info_t; > > + type user_dbusd_t;
>
> This dbus type cannot be referenced directly in this module.

If $1_dbusd_t is used to get the role/type prefix from the caller, then
it doesn't compile for some reason which is not yet clear to me. Any
idea ?

> > > > ? optional_policy(` > > + dbus_connect_spec_session_bus(user, dconf_t) > > + dbus_connect_spec_session_bus(user, at_spi_t) > > + dbus_connect_spec_session_bus(user, > > gnome_settings_daemon_t)
>
> Prefixes can't be hardcoded like this.

See above.
> > > > + dbus_connect_system_bus(gnome_settings_daemon_t) > > + dbus_domain_transition(at_spi_t, user_dbusd_t) > > + dbus_domain_transition(gnome_settings_t, > > user_dbusd_t) > > + dbus_send_spec_session_bus(user, dconf_t) > > + dbus_send_spec_session_bus(user, at_spi_t) > > + dbus_send_spec_session_bus(user, > > gnome_settings_daemon_t) > > ? dbus_spec_session_domain($1, $1_gkeyringd_t, > > gkeyringd_exec_t)

Best regards,

Guido
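
Review bot: In the new dbus_domain_transition interface, the rule "allow $1 dbusd_exec_t:file { entrypoint exec_file_perms };" grants entrypoint to $1, which the header comment documents as the source domain. entrypoint decides which executable may be used to enter a domain, so it is a permission of the target ($2), not of the caller; suggest dropping entrypoint from this rule and checking whether the following "domtrans_pattern($1, dbusd_exec_t, $2)" line already covers what the source domain needs. The header comment also describes only one parameter ("Source domain.") although the body uses $2, so the target domain parameter needs its own description.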
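
Review bot: In the gnome_role_template hunk of gnome.if, the added dbus calls hardcode the user prefix, for example "dbus_connect_spec_session_bus(user, dconf_t)" and "dbus_send_spec_session_bus(user, at_spi_t)", and the gen_require block names user_dbusd_t directly, while the unchanged context line "dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)" takes the prefix from $1. As written, a caller that passes any other prefix still gets rules for the user session bus only, and the gnome module depends on a type owned by the dbus module. Suggest passing $1 in these calls and reaching the session bus domain through a dbus interface rather than requiring user_dbusd_t here; the same applies to the two dbus_domain_transition(..., user_dbusd_t) lines.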