From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 22:22:51 +1000
Subject: [refpolicy] [PATCH] devicekit, mount, xserver, and selinuxutil
Message-ID: <20170417122251.6xiakocl2uazg54l@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow devicekit_power_t to chat to xdm via dbus and log via syslog. Allow mount_t to do more with it's runtime files and stat more filesystem types. Allow xauth to send sigchld to xdm. Allow semanage to search policy_src_t dirs and read /dev/urandom.

Index: refpolicy-2.20170417/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170417/policy/modules/contrib/devicekit.te
@@ -56,6 +56,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
+optional_policy(`
 	udev_read_db(devicekit_t)
 ')
 
@@ -65,6 +69,7 @@ optional_policy(`
 #
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicek
 init_read_utmp(devicekit_power_t)
 init_search_run(devicekit_power_t)
 
+logging_send_syslog_msg(devicekit_power_t)
+
 miscfiles_read_localization(devicekit_power_t)
 
 sysnet_domtrans_ifconfig(devicekit_power_t)
Index: refpolicy-2.20170417/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/mount.te
+++ refpolicy-2.20170417/policy/modules/system/mount.te
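Review bot: The new `optional_policy(` block calling `xserver_dbus_chat_xdm(devicekit_power_t)` sits next to `udev_read_db(devicekit_t)`, which looks like the devicekit_t section of the file, while the devicekit_power_t rules live near the -263 hunk where `logging_send_syslog_msg(devicekit_power_t)` is added. Moving the block down into the power section, next to the other optional_policy blocks for devicekit_power_t, keeps the file's per-domain grouping and makes the rule easier to find when the dbus interaction is reviewed later. The xserver_dbus_chat_xdm interface body is not in view; if it grants send_msg in both directions, the description's "chat to xdm" understates what is allowed and could say so.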
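Review bot: `allow devicekit_disk_t self:capability2 wake_alarm;` is not mentioned in the description, and the same undocumented `capability2 wake_alarm` allow is added for xserver_t in the xserver.te hunk at -643; one note covers both. CAP_WAKE_ALARM is the capability gating the CLOCK_REALTIME_ALARM/CLOCK_BOOTTIME_ALARM timer clocks, so a one-line comment above each allow such as `# CLOCK_*_ALARM timers need CAP_WAKE_ALARM` would let a later reader judge whether the grant is still needed. Whether the alarm timer is actually required by the daemon or only probed by a library (in which case a dontaudit would keep both domains tighter) cannot be told from the hunk and should be stated in the commit message.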
@@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
-create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
 rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
 files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
@@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mo
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
+fs_getattr_tmpfs(mount_t)
+fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
+fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
Index: refpolicy-2.20170417/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170417/policy/modules/services/xserver.te
@@ -274,6 +274,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
 
+allow xauth_t xdm_t:process sigchld;
 allow xauth_t xdm_t:fd use;
 allow xauth_t xdm_t:fifo_file { getattr read };
 
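Review bot: With `manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)` in place, the unchanged `rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)` on the next line is fully subsumed (manage_file_perms already includes read and write, and manage_files_pattern grants more on the directory than rw_files_pattern does), so it should be dropped rather than left as a redundant rule. The description only says mount_t needs to "do more" with its runtime files; since the change also adds unlink, rename and rmdir on everything under /run/mount, the commit message should name the operation that was denied so a reader can see that full manage, rather than delete alone, was the minimal fix.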
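Review bot: The three new `fs_getattr_*` calls are inserted around `fs_getattr_cifs(mount_t)` in no particular order (xattr_fs, tmpfs, rpc_pipefs, cifs, nfs), whereas the surrounding fs_ calls follow the usual refpolicy alphabetical grouping; reordering the five getattr lines as cifs, nfs, rpc_pipefs, tmpfs, xattr_fs would match the rest of the block. Since mount_t is already granted `fs_mount_all_fs`, `fs_unmount_all_fs` and `fs_remount_all_fs` a few lines down, it is also worth stating in the description whether statting filesystems one type at a time is the intended policy, as each new filesystem type will otherwise need another patch like this one.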
@@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event s
 
 allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
 dontaudit xserver_t self:capability chown;
+allow xserver_t self:capability2 wake_alarm;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20170417/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170417/policy/modules/system/selinuxutil.te
@@ -478,6 +478,8 @@ allow semanage_t policy_config_t:file rw
 
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
 
+allow semanage_t policy_src_t:dir search;
+
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_
 kernel_dontaudit_list_all_sysctls(setfiles_t)
 kernel_getattr_debugfs(setfiles_t)
 
+dev_read_urand(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
 # to handle when /dev/console needs to be relabeled
 dev_rw_generic_chr_files(setfiles_t)
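Review bot: `allow semanage_t policy_src_t:dir search;` grants only traversal, which suggests semanage is walking into the policy source directory incidentally rather than reading anything there; if that is the case, a dontaudit would silence the denial without widening semanage_t, and the hunk gives no indication which was intended. Whichever is chosen, a short comment above the rule naming the path semanage was traversing when it was denied would make the rule reviewable later, since policy_src_t is otherwise unrelated to the module store that the surrounding rules deal with.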
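Review bot: `dev_read_urand(setfiles_t)` grants /dev/urandom to setfiles_t, but the description says "Allow semanage to ... read /dev/urandom", so either the description is wrong or the rule landed in the wrong domain's section; the setfiles_t block this hunk sits in starts outside the hunk, and the semanage_t rules are in the -478 hunk above. If setfiles_t is the domain that was denied, the commit message should say so and ideally why setfiles needs randomness; if semanage_t was meant, the call belongs in its section as `dev_read_urand(semanage_t)`.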