From: russell@coker.com.au (Russell Coker) Date: Mon, 17 Apr 2017 23:35:33 +1000 Subject: [refpolicy] [PATCH] some userdomain patches Message-ID: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Added mono_run for unconfined and also xserver_role and allow it to dbus chat with xdm. Allow sysadm_t to read kmsg. Allow user domains to dbus chat with kerneloops for the kerneloops desktop gui. Also allow them to chat with devicekit disk and power daemons. Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems Index: refpolicy-2.20170417/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20170417/policy/modules/system/unconfined.te @@ -121,6 +121,7 @@ optional_policy(` optional_policy(` mono_domtrans(unconfined_t) + mono_run(unconfined_t, unconfined_r) ') optional_policy(` @@ -210,6 +211,11 @@ optional_policy(` wine_domtrans(unconfined_t) ') +optional_policy(` + xserver_role(unconfined_r, unconfined_t) + xserver_dbus_chat_xdm(unconfined_t) +') + ######################################## # # Unconfined Execmem Local policy Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te @@ -351,6 +351,7 @@ optional_policy(` optional_policy(` dmesg_exec(sysadm_t) + dev_read_kmsg(sysadm_t) ') optional_policy(` Index: refpolicy-2.20170417/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20170417/policy/modules/system/userdomain.if 
@@ -117,6 +117,15 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` + kerneloops_dbus_chat($1_t) + ') + + optional_policy(` + devicekit_dbus_chat_disk($1_t) + devicekit_dbus_chat_power($1_t) + ') ') ####################################### Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te =================================================================== --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) +# for /var/lib/gconf/defaults +files_read_var_lib_files(gconfd_t) + +# for /proc/filesystems +kernel_read_system_state(gconfd_t) + optional_policy(` dbus_all_session_domain(gconfd_t, gconfd_exec_t)
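Review bot: In the first unconfined.te hunk, `mono_run(unconfined_t, unconfined_r)` is added directly beneath the existing `mono_domtrans(unconfined_t)`; a `*_run` interface normally wraps the corresponding `*_domtrans` and adds the role, so the `mono_domtrans` line becomes redundant once `mono_run` is there. Suggest dropping the `mono_domtrans(unconfined_t)` line in the same hunk (or, if `mono_run` does not include the transition in this tree, say so in the commit message).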
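Review bot: The sysadm.te hunk puts `dev_read_kmsg(sysadm_t)` inside the `optional_policy(` block that wraps `dmesg_exec(sysadm_t)`; `dev_read_kmsg` comes from the devices module in the base policy, so it should not be conditional on the dmesg module being present. Move it to the unconditional part of the sysadm_t rules. It is also worth a sentence in the commit message on why sysadm_t needs direct read access to the kernel log device in addition to running dmesg, since that is a new direct grant rather than one obtained through a transition.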
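Review bot: In the userdomain.if hunk, `kerneloops_dbus_chat($1_t)`, `devicekit_dbus_chat_disk($1_t)` and `devicekit_dbus_chat_power($1_t)` are added to `userdom_base_user_template`, which is the template every user domain is built from, including restricted and non-desktop ones, while the commit message motivates the change with the kerneloops desktop GUI. These dbus chat interfaces are only useful to a domain that is already a system bus client, so they belong in the template and `optional_policy(` block where the user domains' existing dbus client and chat rules are grouped, rather than unconditionally in the base template. Please also confirm the added lines use the surrounding tab indentation, which the flattened hunk does not show.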
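Review bot: In the gnome.te hunk, `files_read_var_lib_files(gconfd_t)` grants gconfd_t read access to every generic `var_lib_t` file, which is considerably broader than the `# for /var/lib/gconf/defaults` comment suggests. If only the gconf defaults tree is needed, consider giving `/var/lib/gconf` a gconf-specific type in gnome.fc and allowing reads of that type instead; if the broad grant is intentional, the comment should say so. `kernel_read_system_state(gconfd_t)` for `/proc/filesystems` is the usual interface, though the comment could note that it covers all of `proc_t`, not just that one file.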