From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 22 Apr 2017 13:28:25 +0200
Subject: [refpolicy] [PATCH] login take 3
In-Reply-To: <20170422073418.rwwbu2nvewlujeae@athena.coker.com.au>
References: <20170422073418.rwwbu2nvewlujeae@athena.coker.com.au>
Message-ID: <7A12E640-9DE9-4A51-A0DB-B34DCCF8C5AB@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, this looks much safer than previous versions!

On the 22nd of April 2017 09:34:18 CEST, Russell Coker via refpolicy wrote:
>Here's another version without the sulogin patch. > >Index: refpolicy-2.20170421/policy/modules/system/locallogin.te >=================================================================== >--- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te >+++ refpolicy-2.20170421/policy/modules/system/locallogin.te >@@ -33,6 +33,7 @@ role system_r types sulogin_t; > # > >allow local_login_t self:capability { chown dac_override fowner fsetid >kill setgid setuid sys_nice sys_resource sys_tty_config }; >+dontaudit local_login_t self:capability net_admin; > allow local_login_t self:process { setexec setrlimit setsched }; > allow local_login_t self:fd use; > allow local_login_t self:fifo_file rw_fifo_file_perms; >Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te >=================================================================== >--- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te >+++ refpolicy-2.20170421/policy/modules/contrib/policykit.te >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ > > kernel_read_kernel_sysctls(policykit_t) > kernel_read_system_state(policykit_t) >+fs_getattr_tmpfs(policykit_t) >+fs_getattr_cgroup(policykit_t) >+dev_read_urand(policykit_t) > > dev_read_urand(policykit_t) 
> >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) > > userdom_getattr_all_users(policykit_t) > userdom_read_all_users_state(policykit_t) >+userdom_dbus_send_all_users(policykit_t) > > optional_policy(` > dbus_system_domain(policykit_t, policykit_exec_t) >Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te >=================================================================== >--- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te >+++ refpolicy-2.20170421/policy/modules/contrib/dbus.te >@@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t) > dev_read_urand(system_dbusd_t) > dev_read_sysfs(system_dbusd_t) > >+ifdef(`init_systemd', ` >+ # gdm3 causes system_dbusd_t to want this access >+ dev_rw_dri(system_dbusd_t) >+ dev_rw_input_dev(system_dbusd_t) >+') >+ > domain_use_interactive_fds(system_dbusd_t) > domain_read_all_domains_state(system_dbusd_t) > >Index: refpolicy-2.20170421/policy/modules/system/authlogin.te >=================================================================== >--- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te >+++ refpolicy-2.20170421/policy/modules/system/authlogin.te >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) > kernel_read_crypto_sysctls(chkpwd_t) > # is_selinux_enabled > kernel_read_system_state(chkpwd_t) >+selinux_get_enforce_mode(chkpwd_t) >+selinux_getattr_fs(chkpwd_t) > > domain_dontaudit_use_interactive_fds(chkpwd_t) > >Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te >=================================================================== >--- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te >+++ refpolicy-2.20170421/policy/modules/contrib/gpg.te >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > >+kernel_read_crypto_sysctls(gpg_t) > kernel_read_sysctl(gpg_t) > # read /proc/cpuinfo > kernel_read_system_state(gpg_t) 
>@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > >+xserver_sigchld_xdm(gpg_agent_t) >+dbus_system_bus_client(gpg_agent_t) >+auth_use_nsswitch(gpg_agent_t) >+xserver_read_user_xauth(gpg_agent_t) >+ > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, >gpg_agent_tmp_t) >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
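Review bot: the new `dontaudit local_login_t self:capability net_admin;` in the locallogin.te hunk has no comment saying which operation in login triggers the net_admin request, so a later reader cannot tell whether silencing it is harmless or whether some function is now failing quietly; add a one-line comment above the rule naming the cause, as the dbus.te hunk does for its additions.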
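Review bot: the policykit.te hunk at @@ -87 adds `dev_read_urand(policykit_t)` two lines above an existing `dev_read_urand(policykit_t)` that is visible as unchanged context, so the call is now duplicated; drop the added line and keep only `fs_getattr_tmpfs(policykit_t)` and `fs_getattr_cgroup(policykit_t)`.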
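Review bot: in the policykit.te hunk at @@ -101, `userdom_dbus_send_all_users(policykit_t)` is placed among the unconditional userdom_ calls while the domain's other dbus access sits in the `optional_policy(` block with `dbus_system_domain(policykit_t, policykit_exec_t)` immediately below; moving the new line into that block keeps the dbus rules together and makes the grant conditional on dbus being part of the policy.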
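Review bot: the dbus.te hunk gives the system bus daemon itself `dev_rw_dri(system_dbusd_t)` and `dev_rw_input_dev(system_dbusd_t)`, which is broad for a message bus, and the comment says only that gdm3 causes the request without naming the operation; the block is also conditioned on `init_systemd` although the comment attributes the need to gdm3. State what in the daemon actually touches the devices (if it is a bus-activated service rather than dbus-daemon, a domain transition for that service would be narrower than granting the bus daemon the access), and consider keying the block to the gdm/xserver policy rather than to the init system.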
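Review bot: in the authlogin.te hunk, `selinux_get_enforce_mode(chkpwd_t)` and `selinux_getattr_fs(chkpwd_t)` are added directly under the existing `# is_selinux_enabled` comment, which documents only `kernel_read_system_state(chkpwd_t)`; a short comment saying why the password checker reads the enforcing mode would let a later reader judge whether both calls are needed or only the getattr for the is_selinux_enabled check.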
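Review bot: in the gpg.te hunk at @@ -214, `xserver_sigchld_xdm(gpg_agent_t)`, `dbus_system_bus_client(gpg_agent_t)` and `xserver_read_user_xauth(gpg_agent_t)` call interfaces of the optional xserver and dbus modules but are not wrapped in `optional_policy(`...')`, and all four new lines are inserted between the gpg_secret_t and gpg_agent_tmp_t pattern rules rather than with the other module calls. Wrap the xserver and dbus calls in their own `optional_policy(` blocks and move them, together with `auth_use_nsswitch(gpg_agent_t)`, below the file pattern rules so the module calls stay grouped and the policy still builds when xserver or dbus is not present.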