From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 17 Apr 2017 15:17:35 +0200
Subject: [refpolicy] [PATCH] login related stuff
In-Reply-To: <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net>
References: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au> <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net>
Message-ID: <20170417131735.GA11930@markus>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via refpolicy wrote:
> Hello.
>
> It is not clear to me the reason why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())...
>
> Is such permission really critical for running gdm?

I suspect this is systemd specific (logind to be precise) but nowadays all kinds of file descriptors seem to get passed through dbus

>
> And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it.
>
> The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled!
>
> What is your experience, if any, with the latter?
>
> Regards,
>
> Guido
>
> On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy wrote:
> >Give sulogin some access it needs and dontaudit a nat_admin capability check
> >related to systemd for local_login_t.
> >
> >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
> >send dbus messages to all users.
> >
> >Allow system_dbusd_t to access dri and input_dev devices, this is triggered
> >by gdm3.
> >
> >Allow chkpwd_t to get selinux enforcing mode.
> > > >Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs > >to be > >run as part of an X login session (as the parent of other user > >processes). > > > >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te > >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te > >@@ -33,6 +33,7 @@ role system_r types sulogin_t; > > # > > > >allow local_login_t self:capability { chown dac_override fowner fsetid > >kill setgid setuid sys_nice sys_resource sys_tty_config }; > >+dontaudit local_login_t self:capability net_admin; > > allow local_login_t self:process { setexec setrlimit setsched }; > > allow local_login_t self:fd use; > > allow local_login_t self:fifo_file rw_fifo_file_perms; > >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t) > > files_read_etc_files(sulogin_t) > > > > auth_read_shadow(sulogin_t) > >+auth_login_pgm_domain(sulogin_t) > >+kernel_read_crypto_sysctls(sulogin_t) > >+selinux_set_generic_booleans(sulogin_t) > > > > init_getpgid_script(sulogin_t) > > > >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te > >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te > >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ > > > > kernel_read_kernel_sysctls(policykit_t) > > kernel_read_system_state(policykit_t) > >+fs_getattr_tmpfs(policykit_t) > >+fs_getattr_cgroup(policykit_t) > >+dev_read_urand(policykit_t) > > > > dev_read_urand(policykit_t) 
> > > >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) > > > > userdom_getattr_all_users(policykit_t) > > userdom_read_all_users_state(policykit_t) > >+userdom_dbus_send_all_users(policykit_t) > > > > optional_policy(` > > dbus_system_domain(policykit_t, policykit_exec_t) > >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te > >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te > >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t) > > dev_read_urand(system_dbusd_t) > > dev_read_sysfs(system_dbusd_t) > > > >+# gdm3 causes system_dbusd_t to want this access > >+dev_rw_dri(system_dbusd_t) > >+dev_rw_input_dev(system_dbusd_t) > >+ > > domain_use_interactive_fds(system_dbusd_t) > > domain_read_all_domains_state(system_dbusd_t) > > > >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te > >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te > >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) > > kernel_read_crypto_sysctls(chkpwd_t) > > # is_selinux_enabled > > kernel_read_system_state(chkpwd_t) > >+selinux_get_enforce_mode(chkpwd_t) > >+selinux_getattr_fs(chkpwd_t) > > > > domain_dontaudit_use_interactive_fds(chkpwd_t) > > > >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te > >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te 
> >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) > > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > > > >+kernel_read_crypto_sysctls(gpg_t) > > kernel_read_sysctl(gpg_t) > > # read /proc/cpuinfo > > kernel_read_system_state(gpg_t) > >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g > > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > > >+xdm_sigchld(gpg_agent_t) > >+dbus_system_bus_client(gpg_agent_t) > >+auth_use_nsswitch(gpg_agent_t) > >+xserver_read_user_xauth(gpg_agent_t) > >+ > > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, > >gpg_agent_tmp_t) > >Index: refpolicy-2.20170417/policy/modules/services/xserver.if > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if > >+++ refpolicy-2.20170417/policy/modules/services/xserver.if 
> >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` > > typeattribute $1 x_domain; > > typeattribute $1 xserver_unconfined_type; > > ') > >+ > >+######################################## > >+## > >+## Allow domain to send sigchld to xdm_t > >+## > >+## > >+## > >+## Domain allowed access. > >+## > >+## > >+# > >+interface(`xdm_sigchld',` > >+ gen_require(` > >+ type xdm_t; > >+ ') > >+ > >+ allow $1 xdm_t:process sigchld; > >+')

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
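
Review bot: In locallogin.te (@@ -33,6 +33,7), the commit message describes a "nat_admin" capability check while the added rule is `dontaudit local_login_t self:capability net_admin;`. Please correct the message, and put a one-line comment above the rule naming the systemd interaction that triggers the check, because a bare dontaudit hides the denial from anyone who later has to debug a login failure.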
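
Review bot: In locallogin.te (@@ -237,6 +238,9), `selinux_set_generic_booleans(sulogin_t)` is justified only by "Give sulogin some access it needs" in the commit message. Going by its name, this interface lets the single-user login program change policy booleans, which is a much wider grant than the read-style calls around it. Please state the denial that prompted it, or drop the line if sulogin works without it. The broad `auth_login_pgm_domain(sulogin_t)` added next to it deserves the same justification.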
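
Review bot: In policykit.te (@@ -87,6 +87,9), the added `+dev_read_urand(policykit_t)` duplicates the unchanged `dev_read_urand(policykit_t)` that follows two lines later in the same hunk. Drop the added line and keep only the two `fs_getattr_*` calls; ideally place those with the other `fs_` calls rather than in the kernel_ block.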
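
Review bot: In dbus.te (@@ -96,6 +96,10), `dev_rw_dri(system_dbusd_t)` and `dev_rw_input_dev(system_dbusd_t)` are granted unconditionally, although the comment attributes the need to gdm3 only, so every system running the system bus gets read/write access to DRI and input devices for system_dbusd_t. As the thread already questions whether this is required, please quote the denial that was observed and say whether gdm3 fails without the access, and consider making the rules conditional on the desktop login setup rather than part of the base dbus policy.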
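
Review bot: In gpg.te (@@ -214,6 +215,11), `xdm_sigchld(gpg_agent_t)`, `xserver_read_user_xauth(gpg_agent_t)` and `dbus_system_bus_client(gpg_agent_t)` are called unconditionally from a contrib module, whereas the policykit.te context in this same patch shows dbus interfaces being wrapped in `optional_policy(`. Wrap the xserver and dbus calls in optional_policy blocks so gpg still builds when those modules are absent. The new block also splits the gpg_secret_t and gpg_agent_tmp_t pattern rules; moving it after them would keep the file's grouping intact.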
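
Review bot: In xserver.if (@@ -1561,3 +1561,21), the new interface is named `xdm_sigchld` although it lives in the xserver module, where the interfaces visible in this patch carry the module prefix (`xserver_unconfined`, `xserver_read_user_xauth`). Rename it with an `xserver_` prefix and update the caller in gpg.te to match, so the interface can be found from its name and does not collide with a future xdm module.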