From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 21:42:08 -0400
Subject: [refpolicy] [PATCH] some userdomain patches
In-Reply-To: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au>
References: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au>
Message-ID: <22b0d668-34b9-1797-ec94-8d5692c5cdb9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/17/2017 09:35 AM, Russell Coker via refpolicy wrote:
> Added mono_run for unconfined and also xserver_role and allow it to dbus
> chat with xdm.
>
> Allow sysadm_t to read kmsg.
>
> Allow user domains to dbus chat with kerneloops for the kerneloops desktop
> gui. Also allow them to chat with devicekit disk and power daemons.
>
> Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems

Merged, except for the kmsg part.

> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te > =================================================================== > --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te > +++ refpolicy-2.20170417/policy/modules/system/unconfined.te > @@ -121,6 +121,7 @@ optional_policy(` > > optional_policy(` > mono_domtrans(unconfined_t) > + mono_run(unconfined_t, unconfined_r) > ') > > optional_policy(` > @@ -210,6 +211,11 @@ optional_policy(` > wine_domtrans(unconfined_t) > ') > > +optional_policy(` > + xserver_role(unconfined_r, unconfined_t) > + xserver_dbus_chat_xdm(unconfined_t) > +') > + > ######################################## > # > # Unconfined Execmem Local policy > Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
> @@ -351,6 +351,7 @@ optional_policy(` > > optional_policy(` > dmesg_exec(sysadm_t) > + dev_read_kmsg(sysadm_t) > ') > > optional_policy(` > Index: refpolicy-2.20170417/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20170417/policy/modules/system/userdomain.if > @@ -117,6 +117,15 @@ template(`userdom_base_user_template',` > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') > + > + optional_policy(` > + kerneloops_dbus_chat($1_t) > + ') > + > + optional_policy(` > + devicekit_dbus_chat_disk($1_t) > + devicekit_dbus_chat_power($1_t) > + ') > ') > > ####################################### > Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te > =================================================================== > --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te > +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te > @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t) > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > +# for /var/lib/gconf/defaults > +files_read_var_lib_files(gconfd_t) > + > +# for /proc/filesystems > +kernel_read_system_state(gconfd_t) > + > optional_policy(` > dbus_all_session_domain(gconfd_t, gconfd_exec_t) > >

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

-- 
Chris PeBenito
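Review bot: in the unconfined.te hunk at @@ -121, mono_run(unconfined_t, unconfined_r) is added directly under the existing mono_domtrans(unconfined_t); if mono_run follows the usual refpolicy pattern for *_run interfaces (calling the *_domtrans interface and adding the role rule), the mono_domtrans line in the same block is now redundant and should be removed in this hunk rather than left as a duplicate rule.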
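Review bot: the new optional_policy block in unconfined.te at @@ -210 has no comment explaining why unconfined_t needs xserver_role(unconfined_r, unconfined_t) and xserver_dbus_chat_xdm(unconfined_t), whereas the gnome.te hunk annotates each new rule; a one-line comment stating what fails without these rules should be added so the purpose is recorded in the policy and not only in the commit message.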
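Review bot: in the sysadm.te hunk at @@ -351, dev_read_kmsg(sysadm_t) is placed inside the optional_policy block that exists for dmesg_exec(sysadm_t), so raw /dev/kmsg read access for sysadm_t would depend on whether the dmesg module happens to be loaded, even though dev_read_kmsg comes from the kernel-layer dev module and is not conditional on dmesg; if this access is wanted at all (the reply above declines the kmsg part), it belongs as an unconditional rule in the sysadm_t section with a comment stating why sysadm needs kernel log access beyond running dmesg.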
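Review bot: the userdomain.if hunk at @@ -117 adds kerneloops_dbus_chat($1_t), devicekit_dbus_chat_disk($1_t) and devicekit_dbus_chat_power($1_t) to userdom_base_user_template, so every user domain built on the base template receives these dbus chat rules, while the commit message motivates them only by the kerneloops desktop GUI and desktop device management; consider placing them in the template that applies only to desktop/X user domains, and add comments such as "# for kerneloops desktop gui" above each block so the intent is visible in the policy source.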
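Review bot: in the gnome.te hunk at @@ -95, the comment "# for /var/lib/gconf/defaults" is implemented with files_read_var_lib_files(gconfd_t), which grants read access to every generic var_lib_t file under /var/lib, and "# for /proc/filesystems" is implemented with kernel_read_system_state(gconfd_t), which covers far more of /proc than that one file; if the gconf defaults directory can be given its own type, a dedicated interface would match the comment, and otherwise the comments should say that the rules are deliberately broader than the single path they name so a later reader does not narrow them by mistake.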