From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 22:34:34 +1000
Subject: [refpolicy] [PATCH] login related stuff
Message-ID: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Give sulogin some access it needs and dontaudit a nat_admin capability check related to systemd for local_login_t. Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and send dbus messages to all users. Allow system_dbusd_t to access dri and input_dev devices, this is triggered by gdm3. Allow chkpwd_t to get selinux enforcing mode. Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs to be run as part of an X login session (as the parent of other user processes).
Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
@@ -33,6 +33,7 @@ role system_r types sulogin_t;
 #
 allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
 files_read_etc_files(sulogin_t)
 auth_read_shadow(sulogin_t)
+auth_login_pgm_domain(sulogin_t)
+kernel_read_crypto_sysctls(sulogin_t)
+selinux_set_generic_booleans(sulogin_t)
 init_getpgid_script(sulogin_t)
Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
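Review bot: The new `dontaudit local_login_t self:capability net_admin;` carries no comment, so a later reader cannot tell that it silences a systemd-triggered check rather than something login actually needs; refpolicy convention is to document dontaudit rules, e.g. `# net_admin check triggered by systemd, not needed for login; silence it` on the line above. A dontaudit hides the denial permanently, so recording which operation provokes it is what lets the rule be re-evaluated later. The commit message also says "nat_admin" where the rule says net_admin.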
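Review bot: `selinux_set_generic_booleans(sulogin_t)` lets the sulogin domain change SELinux booleans, a policy-altering privilege, and neither the hunk nor the commit message says which sulogin operation needs it. If it is only probed during startup rather than required, a dontaudit is the safer choice; otherwise add a comment such as `# sulogin sets booleans because ...` naming the denial so the grant can be revisited. `auth_login_pgm_domain()` is also a broad interface (as I recall it includes the subject/role/object id change exemptions and a fair amount of PAM and device access); once it is applied to sulogin_t, some existing per-rule grants here, e.g. `auth_read_shadow(sulogin_t)` on the line above, are probably redundant and could be dropped after checking.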
@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
 kernel_read_kernel_sysctls(policykit_t)
 kernel_read_system_state(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+dev_read_urand(policykit_t)
 dev_read_urand(policykit_t)
@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
+userdom_dbus_send_all_users(policykit_t)
 optional_policy(`
 dbus_system_domain(policykit_t, policykit_exec_t)
Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
+# gdm3 causes system_dbusd_t to want this access
+dev_rw_dri(system_dbusd_t)
+dev_rw_input_dev(system_dbusd_t)
+
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
 kernel_read_crypto_sysctls(chkpwd_t)
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
+selinux_get_enforce_mode(chkpwd_t)
+selinux_getattr_fs(chkpwd_t)
 domain_dontaudit_use_interactive_fds(chkpwd_t)
Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
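Review bot: The added `dev_read_urand(policykit_t)` duplicates the existing `dev_read_urand(policykit_t)` that appears as context immediately below it, so the new line should be dropped. SELinux merges duplicate allow rules, so nothing breaks at runtime, but the commit message presents urandom access as new and the repeated line will mislead later readers. The two `fs_getattr_*` grants are stat-only and look fine.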
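Review bot: `dev_rw_input_dev(system_dbusd_t)` gives the system bus daemon read/write access to raw input devices, which is the ability to read keystrokes from every keyboard on the machine, and together with `dev_rw_dri()` it is far more than a message bus needs. The comment attributes the denial to gdm3, which suggests the access is wanted not by dbus-daemon itself but by something it launches that ends up running in system_dbusd_t for want of a domain transition; the right fix is to identify that executable from the AVC record and give it its own domain via `dbus_system_domain()`, as policykit.te does, rather than widening system_dbusd_t. If the access is merely probed and not required, a dontaudit variant would be a safer stop-gap. In either case the comment should name the process that triggered it, e.g. `# <binary> launched by gdm3 via the system bus probes dri/input devices`.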
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
 domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+kernel_read_crypto_sysctls(gpg_t)
 kernel_read_sysctl(gpg_t)
 # read /proc/cpuinfo
 kernel_read_system_state(gpg_t)
@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+xdm_sigchld(gpg_agent_t)
+dbus_system_bus_client(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+xserver_read_user_xauth(gpg_agent_t)
+
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
Index: refpolicy-2.20170417/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170417/policy/modules/services/xserver.if
@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
 typeattribute $1 x_domain;
 typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+##
+## Allow domain to send sigchld to xdm_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdm_sigchld',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process sigchld;
+')
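Review bot: `xdm_sigchld()`, `dbus_system_bus_client()` and `xserver_read_user_xauth()` are called unconditionally in gpg.te, but xserver and dbus are separate modules; refpolicy requires calls into another module's interfaces to be wrapped in `optional_policy()` blocks (policykit.te in this same patch shows the form) or the module fails to build when those modules are absent. `auth_use_nsswitch()` comes from the base system module and can stay bare. `xserver_read_user_xauth()` also hands the agent the user's X authority cookie, which is a credential rather than a device node; that is defensible if gpg-agent really is the session parent as the message says, but deserves a comment. The xauth grant is presumably what lets the agent drive the session's X connection; I cannot confirm that from the hunk.
```selinux
auth_use_nsswitch(gpg_agent_t)

optional_policy(`
	dbus_system_bus_client(gpg_agent_t)
')

optional_policy(`
	# gpg-agent started as the X session parent: reaped by xdm and
	# needs the session's xauth cookie
	xdm_sigchld(gpg_agent_t)
	xserver_read_user_xauth(gpg_agent_t)
')
```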
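Review bot: The new interface is named `xdm_sigchld`, but every interface in xserver.if carries the module prefix (see `xserver_unconfined` in the context lines) and the refpolicy convention is `<module>_<access>_<object>`, so it should be `xserver_sigchld_xdm`, with the caller in gpg.te updated to match. It is also worth checking whether an existing xserver.if interface already grants sigchld to xdm_t before adding another. The `##` doc lines as rendered here show no `<summary>`/`<param name="domain">` tags; that is probably the mail archive stripping markup, but confirm they are present in the actual patch since the interface documentation build depends on them.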