From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 21:43:16 -0400
Subject: [refpolicy] [PATCH] some userdomain patches
In-Reply-To: <59866FB2-2C7E-40DB-80E1-E4D9B81D945B@trentalancia.net>
References: <20170417133533.gntsbm2n6cidlypm@athena.coker.com.au> <59866FB2-2C7E-40DB-80E1-E4D9B81D945B@trentalancia.net>
Message-ID: <472565f4-46cd-aab2-205e-8adaba97bc0b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/17/2017 12:46 PM, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> I was wondering what is causing the need for sysadm_t to read kmsg?
>
> Usually this happens through an application domain such as dmesg_t as for your previous patch rather than directly...

A variation on the question, is there a reason not to change sysadm to transition to dmesg_t?

> On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy wrote:
>> Added mono_run for unconfined and also xserver_role and allow it to
>> dbus
>> chat with xdm.
>>
>> Allow sysadm_t to read kmsg.
>>
>> Allow user domains to dbus chat with kerneloops for the kerneloops
>> desktop
>> gui. Also allow them to chat with devicekit disk and power daemons.
>>
>> Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
>>
>> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te >> =================================================================== >> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te >> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te >> @@ -121,6 +121,7 @@ optional_policy(` >> >> optional_policy(` >> mono_domtrans(unconfined_t) >> + mono_run(unconfined_t, unconfined_r) >> ') >> >> optional_policy(` 
>> @@ -210,6 +211,11 @@ optional_policy(` >> wine_domtrans(unconfined_t) >> ') >> >> +optional_policy(` >> + xserver_role(unconfined_r, unconfined_t) >> + xserver_dbus_chat_xdm(unconfined_t) >> +') >> + >> ######################################## >> # >> # Unconfined Execmem Local policy >> Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te >> =================================================================== >> --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te >> +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te >> @@ -351,6 +351,7 @@ optional_policy(` >> >> optional_policy(` >> dmesg_exec(sysadm_t) >> + dev_read_kmsg(sysadm_t) >> ') >> >> optional_policy(` >> Index: refpolicy-2.20170417/policy/modules/system/userdomain.if >> =================================================================== >> --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if >> +++ refpolicy-2.20170417/policy/modules/system/userdomain.if >> @@ -117,6 +117,15 @@ template(`userdom_base_user_template',` >> # Allow making the stack executable via mprotect. >> allow $1_t self:process execstack; >> ') >> + >> + optional_policy(` >> + kerneloops_dbus_chat($1_t) >> + ') >> + >> + optional_policy(` >> + devicekit_dbus_chat_disk($1_t) >> + devicekit_dbus_chat_power($1_t) >> + ') >> ') >> >> ####################################### >> Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te >> =================================================================== >> --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te >> +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te 
>> @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t) >> userdom_tmp_filetrans_user_tmp(gconfd_t, dir) >> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) >> >> +# for /var/lib/gconf/defaults >> +files_read_var_lib_files(gconfd_t) >> + >> +# for /proc/filesystems >> +kernel_read_system_state(gconfd_t) >> + >> optional_policy(` >> dbus_all_session_domain(gconfd_t, gconfd_exec_t) >> 
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Chris PeBenito
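Review bot: in the unconfined.te hunk at @@ -121, `mono_run(unconfined_t, unconfined_r)` is added directly beneath the existing `mono_domtrans(unconfined_t)`; in refpolicy the `_run` interfaces wrap the matching `_domtrans` call and add the role allow, so the `mono_domtrans` line becomes redundant and should be removed in the same hunk, leaving only `mono_run(unconfined_t, unconfined_r)` inside that optional_policy block.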
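Review bot: the new optional_policy block in unconfined.te at @@ -210 (`xserver_role(unconfined_r, unconfined_t)` and `xserver_dbus_chat_xdm(unconfined_t)`) has no comment saying which program needed the dbus chat with xdm, unlike the gnome.te hunk which documents each added rule with a `# for ...` line; add a one-line comment above the block so the next person touching it can tell whether the xdm chat is still required.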
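Review bot: in the sysadm.te hunk at @@ -351, `dev_read_kmsg(sysadm_t)` is placed inside the optional_policy block for dmesg, but it is a dev-layer interface that does not depend on the dmesg module, so it does not belong in that block; more importantly it grants sysadm_t a direct kmsg read instead of keeping the read confined to dmesg_t, which is the question raised earlier in this thread. Either replace `dmesg_exec(sysadm_t)` with `dmesg_run(sysadm_t, sysadm_r)` so dmesg runs in its own domain, or, if executing dmesg in sysadm_t is deliberate, move `dev_read_kmsg(sysadm_t)` out of the optional block with a comment stating why.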
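Review bot: the userdomain.if hunk at @@ -117 adds `kerneloops_dbus_chat($1_t)` and the devicekit disk/power dbus chat to `userdom_base_user_template`, the template every user domain derives from, including non-graphical ones; since the commit message justifies the kerneloops rule with the desktop GUI, these grants are broader than needed and would fit better in a desktop-oriented template (for instance userdom_xwindows_client_template) or behind the relevant tunable, so that a console-only user domain does not gain dbus access to these system daemons.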
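Review bot: in the gnome.te hunk at @@ -95, `files_read_var_lib_files(gconfd_t)` grants read access to every var_lib_t file, which is much broader than the `/var/lib/gconf/defaults` path the comment names; if gconf's defaults directory has, or can be given, its own type with a file context entry, prefer an interface scoped to that type, otherwise the comment should say that all of /var/lib is intentionally readable by gconfd_t. `kernel_read_system_state(gconfd_t)` for /proc/filesystems is the usual interface for reading proc files and needs no change.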