From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 18 Apr 2017 21:28:34 -0400 Subject: [refpolicy] [PATCH] devicekit, mount, xserver, and selinuxutil In-Reply-To: <20170417122251.6xiakocl2uazg54l@athena.coker.com.au> References: <20170417122251.6xiakocl2uazg54l@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/17/2017 08:22 AM, Russell Coker via refpolicy wrote: > Allow devicekit_power_t to chat to xdm via dbus and log via syslog. > > Allow mount_t to do more with it's runtime files and stat more filesystem > types. > > Allow xauth to send sigchld to xdm. > > Allow semanage to search policy_src_t dirs and read /dev/urandom. Merged with some line moving.
> Index: refpolicy-2.20170417/policy/modules/contrib/devicekit.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/devicekit.te
> +++ refpolicy-2.20170417/policy/modules/contrib/devicekit.te
> @@ -56,6 +56,10 @@ optional_policy(`
> ')
> 
> optional_policy(`
> + xserver_dbus_chat_xdm(devicekit_power_t)
> +')
> +
> +optional_policy(`
> udev_read_db(devicekit_t)
> ')
> 
> @@ -65,6 +69,7 @@ optional_policy(`
> #
> 
> allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
> +allow devicekit_disk_t self:capability2 wake_alarm;
> allow devicekit_disk_t self:process { getsched signal_perms };
> allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
> allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
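Review bot: The added `allow devicekit_disk_t self:capability2 wake_alarm;` in the devicekit.te hunk at @@ -65 is not covered by the commit description, which only mentions dbus and syslog access for devicekit_power_t; the same applies to `allow xserver_t self:capability2 wake_alarm;` in the xserver.te hunk at @@ -643. wake_alarm lets a domain arm timers that wake the machine from suspend, which is a broader grant than the description suggests, so the denial that motivated each rule should be recorded. A short comment on each rule would do, e.g. `# wake_alarm: <AVC or feature that needs it>`, with the placeholder filled in from the original audit log, or the description extended to list both grants. If the alarm timers are only set by one helper of the daemon, that is presumably worth confirming before granting the capability to the whole domain.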
> @@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicek
> init_read_utmp(devicekit_power_t)
> init_search_run(devicekit_power_t)
> 
> +logging_send_syslog_msg(devicekit_power_t)
> +
> miscfiles_read_localization(devicekit_power_t)
> 
> sysnet_domtrans_ifconfig(devicekit_power_t)
> Index: refpolicy-2.20170417/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20170417/policy/modules/system/mount.te
> @@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)
> 
> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> 
> -create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> -create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> +manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> +manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
> 
> @@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mo
> files_dontaudit_setattr_all_mountpoints(mount_t)
> 
> fs_getattr_xattr_fs(mount_t)
> +fs_getattr_tmpfs(mount_t)
> +fs_getattr_rpc_pipefs(mount_t)
> fs_getattr_cifs(mount_t)
> +fs_getattr_nfs(mount_t)
> fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> Index: refpolicy-2.20170417/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170417/policy/modules/services/xserver.te
> @@ -274,6 +274,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
> 
> allow xdm_t xauth_home_t:file manage_file_perms;
> userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
> +allow xauth_t xdm_t:process sigchld;
> 
> allow xauth_t xdm_t:fd use;
> allow xauth_t xdm_t:fifo_file { getattr read };
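Review bot: In the mount.te hunk at @@ -53, once `manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)` is in place the unchanged `rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)` on the following context line becomes redundant, because the manage file permission set already carries read and write; the line should be dropped so the block does not state the same access twice. Moving from the create patterns to the manage patterns also adds unlink and rename on mount_runtime_t, which is more than "do more with its runtime files" conveys, so naming the operation that was denied (presumably removal of a stale lock or state file) in the description would make the widening reviewable later.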
> @@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event s
> 
> allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
> dontaudit xserver_t self:capability chown;
> +allow xserver_t self:capability2 wake_alarm;
> allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow xserver_t self:fd use;
> allow xserver_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20170417/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170417/policy/modules/system/selinuxutil.te
> @@ -478,6 +478,8 @@ allow semanage_t policy_config_t:file rw
> 
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
> 
> +allow semanage_t policy_src_t:dir search;
> +
> allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> allow semanage_t semanage_tmp_t:file manage_file_perms;
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
> @@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_
> kernel_dontaudit_list_all_sysctls(setfiles_t)
> kernel_getattr_debugfs(setfiles_t)
> 
> +dev_read_urand(setfiles_t)
> dev_relabel_all_dev_nodes(setfiles_t)
> # to handle when /dev/console needs to be relabeled
> dev_rw_generic_chr_files(setfiles_t)
-- Chris PeBenito
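Review bot: The commit description says semanage is being allowed to read /dev/urandom, but the rule added in the selinuxutil.te hunk at @@ -572 is `dev_read_urand(setfiles_t)`, placed among the setfiles_t rules between `kernel_getattr_debugfs(setfiles_t)` and `dev_relabel_all_dev_nodes(setfiles_t)`, so the grant goes to setfiles_t rather than semanage_t. If the denial really came from setfiles (which semanage may run in its own domain), the description should name setfiles_t; if the subject of the AVC was semanage_t, the rule belongs with the semanage_t block at @@ -478, as `dev_read_urand(semanage_t)`. Either way the description and the rule should agree before this is merged, since it is the description a later reader will trust.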