From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 17 Apr 2017 18:46:43 +0200 Subject: [refpolicy] [PATCH] some userdomain patches In-Reply-To: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au> References: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au> Message-ID: <59866FB2-2C7E-40DB-80E1-E4D9B81D945B@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello again. I was wondering what is causing the need for sysadm_t to read kmsg? Usually this happens through an application domain such as dmesg_t as for your previous patch rather than directly... Regards, Guido On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy wrote: >Added mono_run for unconfined and also xserver_role and allow it to >dbus >chat with xdm. > >Allow sysadm_t to read kmsg. > >Allow user domains to dbus chat with kerneloops for the kerneloops >desktop >gui. Also allow them to chat with devicekit disk and power daemons. > >Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems > >Index: refpolicy-2.20170417/policy/modules/system/unconfined.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te >+++ refpolicy-2.20170417/policy/modules/system/unconfined.te >@@ -121,6 +121,7 @@ optional_policy(` > > optional_policy(` > mono_domtrans(unconfined_t) >+ mono_run(unconfined_t, unconfined_r) > ') > > optional_policy(` >@@ -210,6 +211,11 @@ optional_policy(` > wine_domtrans(unconfined_t) > ') > >+optional_policy(` >+ xserver_role(unconfined_r, unconfined_t) >+ xserver_dbus_chat_xdm(unconfined_t) >+') >+ > ######################################## > # > # Unconfined Execmem Local policy >Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te >+++ refpolicy-2.20170417/policy/modules/roles/sysadm.te 
>@@ -351,6 +351,7 @@ optional_policy(` > > optional_policy(` > dmesg_exec(sysadm_t) >+ dev_read_kmsg(sysadm_t) > ') > > optional_policy(` >Index: refpolicy-2.20170417/policy/modules/system/userdomain.if >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if >+++ refpolicy-2.20170417/policy/modules/system/userdomain.if >@@ -117,6 +117,15 @@ template(`userdom_base_user_template',` > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') >+ >+ optional_policy(` >+ kerneloops_dbus_chat($1_t) >+ ') >+ >+ optional_policy(` >+ devicekit_dbus_chat_disk($1_t) >+ devicekit_dbus_chat_power($1_t) >+ ') > ') > > ####################################### >Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te >+++ refpolicy-2.20170417/policy/modules/contrib/gnome.te >@@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t) > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > >+# for /var/lib/gconf/defaults >+files_read_var_lib_files(gconfd_t) >+ >+# for /proc/filesystems >+kernel_read_system_state(gconfd_t) >+ > optional_policy(` > dbus_all_session_domain(gconfd_t, gconfd_exec_t) > >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
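Review bot: In the unconfined.te hunk at line 121, mono_run(unconfined_t, unconfined_r) is added directly below the existing mono_domtrans(unconfined_t); mono_run already performs the domain transition and only adds the role assignment, so the domtrans line becomes redundant and should be replaced rather than kept alongside the new call.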
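Review bot: The new optional_policy block in unconfined.te at line 211 adds xserver_role(unconfined_r, unconfined_t) and xserver_dbus_chat_xdm(unconfined_t) with no rationale in the commit message beyond "also xserver_role"; please state which denial or role restriction this fixes, since unconfined_t is normally expected to already have the access and the role assignment may be the only part actually needed.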
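Review bot: In the sysadm.te hunk at line 351, dev_read_kmsg(sysadm_t) is placed inside the optional_policy block whose existing content is dmesg_exec(sysadm_t), which runs dmesg in the sysadm domain without a transition; if the kmsg read is what dmesg needs when executed that way, the commit message should say so (it is exactly the question raised in the reply above), and note that dev_read_kmsg is a devices interface that is not conditional on the dmesg module, so wrapping it in that optional block only ties it to the module by convention, not by dependency.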
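Review bot: The userdomain.if hunk at line 117 adds kerneloops_dbus_chat($1_t), devicekit_dbus_chat_disk($1_t) and devicekit_dbus_chat_power($1_t) to userdom_base_user_template, which is the template every user domain is built from, including the most restricted ones; these are desktop-oriented dbus chats (the commit message itself says "for the kerneloops desktop gui"), so they fit better in one of the more specific user templates that X/desktop users derive from, leaving the base template minimal.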
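Review bot: In the gnome.te hunk at line 95, files_read_var_lib_files(gconfd_t) grants read access to every generic var_lib_t file to satisfy a single path, /var/lib/gconf/defaults; if that directory can be given a label of its own via a file context entry, a dedicated read rule would be much narrower, and the comment should at least record that the broad interface is a deliberate choice. The kernel_read_system_state(gconfd_t) addition for /proc/filesystems is the usual interface for that path and looks fine.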