From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 17 Apr 2017 18:46:43 +0200
Subject: [refpolicy] [PATCH] some userdomain patches
In-Reply-To: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au>
References: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au>
Message-ID: <59866FB2-2C7E-40DB-80E1-E4D9B81D945B@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello again. 

I was wondering what is causing the need for sysadm_t to read kmsg?

Usually this happens through an application domain such as dmesg_t as for your previous patch rather than directly...

Regards, 

Guido 



On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
>Added mono_run for unconfined and also xserver_role and allow it to
>dbus
>chat with xdm.
>
>Allow sysadm_t to read kmsg.
>
>Allow user domains to dbus chat with kerneloops for the kerneloops
>desktop
>gui.  Also allow them to chat with devicekit disk and power daemons.
>
>Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
>
>Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
>+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
>@@ -121,6 +121,7 @@ optional_policy(`
> 
> optional_policy(`
> 	mono_domtrans(unconfined_t)
>+	mono_run(unconfined_t, unconfined_r)
> ')
> 
> optional_policy(`
>@@ -210,6 +211,11 @@ optional_policy(`
> 	wine_domtrans(unconfined_t)
> ')
> 
>+optional_policy(`
>+	xserver_role(unconfined_r, unconfined_t)
>+	xserver_dbus_chat_xdm(unconfined_t)
>+')
>+
> ########################################
> #
> # Unconfined Execmem Local policy
>Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
>+++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
>@@ -351,6 +351,7 @@ optional_policy(`
> 
> optional_policy(`
> 	dmesg_exec(sysadm_t)
>+	dev_read_kmsg(sysadm_t)
> ')
> 
> optional_policy(`
>Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
>+++ refpolicy-2.20170417/policy/modules/system/userdomain.if
>@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
> 		# Allow making the stack executable via mprotect.
> 		allow $1_t self:process execstack;
> 	')
>+
>+	optional_policy(`
>+		kerneloops_dbus_chat($1_t)
>+	')
>+
>+	optional_policy(`
>+		devicekit_dbus_chat_disk($1_t)
>+		devicekit_dbus_chat_power($1_t)
>+	')
> ')
> 
> #######################################
>Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
>+++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
>@@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> 
>+# for /var/lib/gconf/defaults
>+files_read_var_lib_files(gconfd_t)
>+
>+# for /proc/filesystems
>+kernel_read_system_state(gconfd_t)
>+
> optional_policy(`
> 	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
> 
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy