From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 21 Apr 2017 14:06:29 +0200
Subject: [refpolicy] [PATCH] login related stuff take 2
In-Reply-To: <CAJ2a_DeH7JyD3MWY+tys7bTjXX=6vFi1hzprNjmuF7_JbxjcxA@mail.gmail.com>
References: <20170421091025.kwn5wmevhmoyidj3@athena.coker.com.au>
	<CAJ2a_DeH7JyD3MWY+tys7bTjXX=6vFi1hzprNjmuF7_JbxjcxA@mail.gmail.com>
Message-ID: <D0F8ACB8-5B55-40E7-9131-2C77D8706BB2@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com



On the 21st of April 2017 13:57:11 CEST, "Christian G?ttsche via refpolicy" <refpolicy@oss.tresys.com> wrote:
>On 21 Apr 2017 11:10 am, "Russell Coker via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>I put a ifdef wrapper around the GDM access that was contentious. 
>Please
>consider this for inclusion now.
>
>Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
>+++ refpolicy-2.20170421/policy/modules/system/locallogin.te
>@@ -33,6 +33,7 @@ role system_r types sulogin_t;
> #
>
> allow local_login_t self:capability { chown dac_override fowner fsetid
>kill setgid setuid sys_nice sys_resource sys_tty_config };
>+dontaudit local_login_t self:capability net_admin;
> allow local_login_t self:process { setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
>@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
> files_read_etc_files(sulogin_t)
>
> auth_read_shadow(sulogin_t)
>+auth_login_pgm_domain(sulogin_t)
>+kernel_read_crypto_sysctls(sulogin_t)
>+selinux_set_generic_booleans(sulogin_t)
>
>What usage need this access?

They are dangerous permissions, especially the one that allows to set the SELinux booleans! 

Only the system administrator should be permitted to set the booleans interactively through the application... 

> init_getpgid_script(sulogin_t)
>
>Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
>+++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
>@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>
> kernel_read_kernel_sysctls(policykit_t)
> kernel_read_system_state(policykit_t)
>+fs_getattr_tmpfs(policykit_t)
>+fs_getattr_cgroup(policykit_t)
>+dev_read_urand(policykit_t)
>
> dev_read_urand(policykit_t)
>
>@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
>
> userdom_getattr_all_users(policykit_t)
> userdom_read_all_users_state(policykit_t)
>+userdom_dbus_send_all_users(policykit_t)
>
> optional_policy(`
>        dbus_system_domain(policykit_t, policykit_exec_t)
>Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
>+++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
>@@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
> dev_read_urand(system_dbusd_t)
> dev_read_sysfs(system_dbusd_t)
>
>+ifdef(`init_systemd', `
>+       # gdm3 causes system_dbusd_t to want this access
>+       dev_rw_dri(system_dbusd_t)
>+       dev_rw_input_dev(system_dbusd_t)
>+')
>+
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
>Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
>+++ refpolicy-2.20170421/policy/modules/system/authlogin.te
>@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> kernel_read_crypto_sysctls(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>+selinux_get_enforce_mode(chkpwd_t)
>+selinux_getattr_fs(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
>Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
>===================================================================
>--- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
>+++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
>@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
>+kernel_read_crypto_sysctls(gpg_t)
> kernel_read_sysctl(gpg_t)
> # read /proc/cpuinfo
> kernel_read_system_state(gpg_t)
>@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
>+xserver_sigchld_xdm(gpg_agent_t)
>+dbus_system_bus_client(gpg_agent_t)
>+auth_use_nsswitch(gpg_agent_t)
>+xserver_read_user_xauth(gpg_agent_t)
>+
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
>gpg_agent_tmp_t)
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy