From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 21:28:34 -0400
Subject: [refpolicy] [PATCH] devicekit, mount, xserver, and selinuxutil
In-Reply-To: <20170417122251.6xiakocl2uazg54l@athena.coker.com.au>
References: <20170417122251.6xiakocl2uazg54l@athena.coker.com.au>
Message-ID: <f33d37fe-dc08-a349-65c1-f32940dec3f8@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/17/2017 08:22 AM, Russell Coker via refpolicy wrote:
> Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
>
> Allow mount_t to do more with it's runtime files and stat more filesystem
> types.
>
> Allow xauth to send sigchld to xdm.
>
> Allow semanage to search policy_src_t dirs and read /dev/urandom.

Merged with some line moving.


> Index: refpolicy-2.20170417/policy/modules/contrib/devicekit.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/devicekit.te
> +++ refpolicy-2.20170417/policy/modules/contrib/devicekit.te
> @@ -56,6 +56,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	xserver_dbus_chat_xdm(devicekit_power_t)
> +')
> +
> +optional_policy(`
>  	udev_read_db(devicekit_t)
>  ')
>
> @@ -65,6 +69,7 @@ optional_policy(`
>  #
>
>  allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
> +allow devicekit_disk_t self:capability2 wake_alarm;
>  allow devicekit_disk_t self:process { getsched signal_perms };
>  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
> @@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicek
>  init_read_utmp(devicekit_power_t)
>  init_search_run(devicekit_power_t)
>
> +logging_send_syslog_msg(devicekit_power_t)
> +
>  miscfiles_read_localization(devicekit_power_t)
>
>  sysnet_domtrans_ifconfig(devicekit_power_t)
> Index: refpolicy-2.20170417/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20170417/policy/modules/system/mount.te
> @@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)
>
>  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>
> -create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> -create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> +manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> +manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
>  rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
>  files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
>
> @@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mo
>  files_dontaudit_setattr_all_mountpoints(mount_t)
>
>  fs_getattr_xattr_fs(mount_t)
> +fs_getattr_tmpfs(mount_t)
> +fs_getattr_rpc_pipefs(mount_t)
>  fs_getattr_cifs(mount_t)
> +fs_getattr_nfs(mount_t)
>  fs_mount_all_fs(mount_t)
>  fs_unmount_all_fs(mount_t)
>  fs_remount_all_fs(mount_t)
> Index: refpolicy-2.20170417/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170417/policy/modules/services/xserver.te
> @@ -274,6 +274,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
>
>  allow xdm_t xauth_home_t:file manage_file_perms;
>  userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
> +allow xauth_t xdm_t:process sigchld;
>
>  allow xauth_t xdm_t:fd use;
>  allow xauth_t xdm_t:fifo_file { getattr read };
> @@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event s
>
>  allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
>  dontaudit xserver_t self:capability chown;
> +allow xserver_t self:capability2 wake_alarm;
>  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>  allow xserver_t self:fd use;
>  allow xserver_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20170417/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170417/policy/modules/system/selinuxutil.te
> @@ -478,6 +478,8 @@ allow semanage_t policy_config_t:file rw
>
>  filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
>
> +allow semanage_t policy_src_t:dir search;
> +
>  allow semanage_t semanage_tmp_t:dir manage_dir_perms;
>  allow semanage_t semanage_tmp_t:file manage_file_perms;
>  files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
> @@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_
>  kernel_dontaudit_list_all_sysctls(setfiles_t)
>  kernel_getattr_debugfs(setfiles_t)
>
> +dev_read_urand(setfiles_t)
>  dev_relabel_all_dev_nodes(setfiles_t)
>  # to handle when /dev/console needs to be relabeled
>  dev_rw_generic_chr_files(setfiles_t)


-- 
Chris PeBenito