From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 17 Apr 2017 15:39:12 +0200
Subject: [refpolicy] [PATCH] login related stuff
In-Reply-To: <20170417131735.GA11930@markus>
References: <20170417123434.ojcavxsul2qxj2dq@athena.coker.com.au> <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net> <20170417131735.GA11930@markus>
Message-ID: <715B2DF4-E545-4565-A31D-C2D95E9EA91A@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

If it only applies to systemd setups, then please use the appropriate ifdef statement to avoid spreading the permission to every setup.

Thanks,

Guido

On 17 April 2017 15:17:35 CEST, Dominick Grift via refpolicy wrote:
>On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via refpolicy wrote:
>> Hello.
>>
>> It is not clear to me the reason why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())...
>>
>> Is such permission really critical for running gdm?
>
>I suspect this is systemd specific (logind to be precise) but nowadays all kinds of file descriptors seem to get passed through dbus
>
>>
>> And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it.
>>
>> The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled!
>>
>> What is your experience, if any, with the latter?
>>
>> Regards,
>>
>> Guido
>>
>> On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy wrote:
>> >Give sulogin some access it needs and dontaudit a nat_admin capability check related to systemd for local_login_t.
>> > >> >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, >and >> >send dbus messages to all users. >> > >> >Allow system_dbusd_t to access dri and input_dev devices, this is >> >triggered >> >by gdm3. >> > >> >Allow chkpwd_t to get selinux enforcing mode. >> > >> >Allow gpg to read crypto sysctls, and give gpg_agent_t access it >needs >> >to be >> >run as part of an X login session (as the parent of other user >> >processes). >> > >> >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te >> >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te >> >@@ -33,6 +33,7 @@ role system_r types sulogin_t; >> > # >> > >> >allow local_login_t self:capability { chown dac_override fowner >fsetid >> >kill setgid setuid sys_nice sys_resource sys_tty_config }; >> >+dontaudit local_login_t self:capability net_admin; >> > allow local_login_t self:process { setexec setrlimit setsched }; >> > allow local_login_t self:fd use; >> > allow local_login_t self:fifo_file rw_fifo_file_perms; >> >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t) >> > files_read_etc_files(sulogin_t) >> > >> > auth_read_shadow(sulogin_t) >> >+auth_login_pgm_domain(sulogin_t) >> >+kernel_read_crypto_sysctls(sulogin_t) >> >+selinux_set_generic_booleans(sulogin_t) >> > >> > init_getpgid_script(sulogin_t) >> > >> >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te >> >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te 
>> >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ >> > >> > kernel_read_kernel_sysctls(policykit_t) >> > kernel_read_system_state(policykit_t) >> >+fs_getattr_tmpfs(policykit_t) >> >+fs_getattr_cgroup(policykit_t) >> >+dev_read_urand(policykit_t) >> > >> > dev_read_urand(policykit_t) >> > >> >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) >> > >> > userdom_getattr_all_users(policykit_t) >> > userdom_read_all_users_state(policykit_t) >> >+userdom_dbus_send_all_users(policykit_t) >> > >> > optional_policy(` >> > dbus_system_domain(policykit_t, policykit_exec_t) >> >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te >> >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te >> >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t) >> > dev_read_urand(system_dbusd_t) >> > dev_read_sysfs(system_dbusd_t) >> > >> >+# gdm3 causes system_dbusd_t to want this access >> >+dev_rw_dri(system_dbusd_t) >> >+dev_rw_input_dev(system_dbusd_t) >> >+ >> > domain_use_interactive_fds(system_dbusd_t) >> > domain_read_all_domains_state(system_dbusd_t) >> > >> >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te >> >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te 
>> >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) >> > kernel_read_crypto_sysctls(chkpwd_t) >> > # is_selinux_enabled >> > kernel_read_system_state(chkpwd_t) >> >+selinux_get_enforce_mode(chkpwd_t) >> >+selinux_getattr_fs(chkpwd_t) >> > >> > domain_dontaudit_use_interactive_fds(chkpwd_t) >> > >> >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te >> >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te >> >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) >> > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) >> > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) >> > >> >+kernel_read_crypto_sysctls(gpg_t) >> > kernel_read_sysctl(gpg_t) >> > # read /proc/cpuinfo >> > kernel_read_system_state(gpg_t) >> >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g >> > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) >> > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) >> > >> >+xdm_sigchld(gpg_agent_t) >> >+dbus_system_bus_client(gpg_agent_t) >> >+auth_use_nsswitch(gpg_agent_t) >> >+xserver_read_user_xauth(gpg_agent_t) >> >+ >> > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >> > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >> >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, >> >gpg_agent_tmp_t) >> >Index: refpolicy-2.20170417/policy/modules/services/xserver.if >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if >> >+++ refpolicy-2.20170417/policy/modules/services/xserver.if 
>> >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` >> > typeattribute $1 x_domain; >> > typeattribute $1 xserver_unconfined_type; >> > ') >> >+ >> >+######################################## >> >+## >> >+## Allow domain to send sigchld to xdm_t >> >+## >> >+## >> >+## >> >+## Domain allowed access. >> >+## >> >+## >> >+# >> >+interface(`xdm_sigchld',` >> >+ gen_require(` >> >+ type xdm_t; >> >+ ') >> >+ >> >+ allow $1 xdm_t:process sigchld; >> >+') >> >_______________________________________________ >> >refpolicy mailing list >> >refpolicy at oss.tresys.com >> >http://oss.tresys.com/mailman/listinfo/refpolicy >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy
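
Review bot: In locallogin.te (hunk @@ -33,6 +33,7), the new dontaudit rule names net_admin while the commit message says "nat_admin"; the message should match the rule. The message also ties this capability check to systemd, so a one-line comment above the rule saying so, together with the systemd ifdef requested in the reply, would keep the dontaudit from hiding net_admin denials on setups that do not run systemd.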
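
Review bot: In locallogin.te (hunk @@ -237,6 +238,9), selinux_set_generic_booleans(sulogin_t) has no stated reason; the commit message only says sulogin gets "some access it needs". Changing booleans alters the running policy, so please add a comment naming the denial this line resolves, or drop it if the other two added lines are enough for sulogin to work.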
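
Review bot: In policykit.te (hunk @@ -87,6 +87,9), the added dev_read_urand(policykit_t) duplicates the identical call two lines further down in the unchanged context, so the new copy can be dropped. The two fs_getattr_* lines would also read better as their own fs_ group, separated by a blank line, than appended directly to the kernel_ calls.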
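
Review bot: In dbus.te (hunk @@ -96,6 +96,10), dev_rw_dri and dev_rw_input_dev are granted to system_dbusd_t on every setup, although the comment attributes the need to gdm3 and the reply in this thread suspects it is specific to systemd (logind). Wrapping both lines in the systemd ifdef, as the reply asks, and having the comment say which component passes the descriptors would keep read/write access to the DRI and input devices away from the bus daemon everywhere else.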
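
Review bot: In gpg.te (hunk @@ -214,6 +215,11), xdm_sigchld, xserver_read_user_xauth and dbus_system_bus_client are called unconditionally, whereas the policykit.te context in this same patch keeps its dbus call inside optional_policy. Moving the xserver and dbus calls into optional_policy blocks lets gpg build when those modules are not present. The new lines also split the run of manage_*_pattern rules for gpg_agent_t and would sit better after it.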
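
Review bot: In xserver.if (hunk @@ -1561,3 +1561,21), the new interface is named xdm_sigchld, but it is defined in the xserver module, whose interfaces carry the xserver_ prefix (xserver_unconfined sits directly above it in the context). Renaming it with that prefix, and updating the caller added in gpg.te, keeps the interface discoverable from its name and avoids implying that an xdm module exists.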