From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 17 Apr 2017 15:06:55 +0200
Subject: [refpolicy] [PATCH] login related stuff
In-Reply-To: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au>
References: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au>
Message-ID: <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

It is not clear to me the reason why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())...

Is such permission really critical for running gdm?

And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it.

The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled!

What is your experience, if any, with the latter?

Regards,

Guido

On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy wrote:
>Give sulogin some access it needs and dontaudit a nat_admin capability check
>related to systemd for local_login_t.
>
>Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
>send dbus messages to all users.
>
>Allow system_dbusd_t to access dri and input_dev devices, this is triggered
>by gdm3.
>
>Allow chkpwd_t to get selinux enforcing mode.
>
>Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs to be
>run as part of an X login session (as the parent of other user processes).
> >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te >@@ -33,6 +33,7 @@ role system_r types sulogin_t; > # > >allow local_login_t self:capability { chown dac_override fowner fsetid >kill setgid setuid sys_nice sys_resource sys_tty_config }; >+dontaudit local_login_t self:capability net_admin; > allow local_login_t self:process { setexec setrlimit setsched }; > allow local_login_t self:fd use; > allow local_login_t self:fifo_file rw_fifo_file_perms; >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t) > files_read_etc_files(sulogin_t) > > auth_read_shadow(sulogin_t) >+auth_login_pgm_domain(sulogin_t) >+kernel_read_crypto_sysctls(sulogin_t) >+selinux_set_generic_booleans(sulogin_t) > > init_getpgid_script(sulogin_t) > >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ > > kernel_read_kernel_sysctls(policykit_t) > kernel_read_system_state(policykit_t) >+fs_getattr_tmpfs(policykit_t) >+fs_getattr_cgroup(policykit_t) >+dev_read_urand(policykit_t) > > dev_read_urand(policykit_t) > >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) > > userdom_getattr_all_users(policykit_t) > userdom_read_all_users_state(policykit_t) >+userdom_dbus_send_all_users(policykit_t) > > optional_policy(` > dbus_system_domain(policykit_t, policykit_exec_t) >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te 
>@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t) > dev_read_urand(system_dbusd_t) > dev_read_sysfs(system_dbusd_t) > >+# gdm3 causes system_dbusd_t to want this access >+dev_rw_dri(system_dbusd_t) >+dev_rw_input_dev(system_dbusd_t) >+ > domain_use_interactive_fds(system_dbusd_t) > domain_read_all_domains_state(system_dbusd_t) > >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) > kernel_read_crypto_sysctls(chkpwd_t) > # is_selinux_enabled > kernel_read_system_state(chkpwd_t) >+selinux_get_enforce_mode(chkpwd_t) >+selinux_getattr_fs(chkpwd_t) > > domain_dontaudit_use_interactive_fds(chkpwd_t) > >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > >+kernel_read_crypto_sysctls(gpg_t) > kernel_read_sysctl(gpg_t) > # read /proc/cpuinfo > kernel_read_system_state(gpg_t) 
>@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > >+xdm_sigchld(gpg_agent_t) >+dbus_system_bus_client(gpg_agent_t) >+auth_use_nsswitch(gpg_agent_t) >+xserver_read_user_xauth(gpg_agent_t) >+ > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, >gpg_agent_tmp_t) >Index: refpolicy-2.20170417/policy/modules/services/xserver.if >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if >+++ refpolicy-2.20170417/policy/modules/services/xserver.if >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') >+ >+######################################## >+## >+## Allow domain to send sigchld to xdm_t >+## >+## >+## >+## Domain allowed access. >+## >+## >+# >+interface(`xdm_sigchld',` >+ gen_require(` >+ type xdm_t; >+ ') >+ >+ allow $1 xdm_t:process sigchld; >+') >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
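
Review bot: in locallogin.te, the hunk at @@ -237,6 +238,9 gives sulogin_t selinux_set_generic_booleans(sulogin_t) with no comment, and the commit message only says "some access it needs". Setting booleans changes the running policy, which is a lot to hand to the single-user login program; please add a comment naming the operation in sulogin that needs it, or use a dontaudit if the denial is only a probe. The same applies to auth_login_pgm_domain(sulogin_t), added directly below the existing auth_read_shadow(sulogin_t): say which part of that interface sulogin actually depends on.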
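
Review bot: in policykit.te, the hunk at @@ -87,6 +87,9 adds dev_read_urand(policykit_t) two lines above an existing, unchanged dev_read_urand(policykit_t), so the call ends up duplicated; drop the added line. The two fs_getattr_* calls are also appended to the kernel_ block; they would read better as their own fs_ group, separated by a blank line like the other groups in the file.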
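
Review bot: in dbus.te, the hunk at @@ -96,6 +96,10 grants dev_rw_dri(system_dbusd_t) and dev_rw_input_dev(system_dbusd_t) unconditionally, and the only rationale is the comment "gdm3 causes system_dbusd_t to want this access". Read/write on the input devices is a sensitive grant for the system bus daemon, so the comment should say which gdm3 operation fails without it. If the denials come from file descriptors handed over by gdm3 rather than from the bus daemon opening the devices itself, a dontaudit may be enough; if the access is really needed, consider placing it in an optional_policy block tied to the display manager so that systems without gdm3 do not carry it.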
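
Review bot: in gpg.te, the hunk at @@ -214,6 +215,11 calls xdm_sigchld(gpg_agent_t), dbus_system_bus_client(gpg_agent_t) and xserver_read_user_xauth(gpg_agent_t) outside any optional_policy block. These interfaces belong to the xserver and dbus modules, which are not part of the base policy, so gpg.te will not build when either module is left out; wrap them in optional_policy(` ... ') blocks, one per module. The four new lines are also inserted between the manage_*_pattern rules for gpg_secret_t and gpg_agent_tmp_t, which splits the local file rules; moving them down to where the other interface calls for gpg_agent_t sit would keep the layout consistent.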
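
Review bot: in xserver.if, the new interface at @@ -1561,3 +1561,21 is named xdm_sigchld, but it lives in the xserver module and every other interface visible in this file context (xserver_unconfined) carries the xserver_ prefix. Refpolicy interface names are expected to start with the name of the module that defines them, so this should be renamed to something under the xserver_ prefix (for example xserver_sigchld_xdm, as a suggestion only) and the caller in gpg.te updated to match.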