From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 26 Apr 2017 06:43:57 -0400 Subject: [refpolicy] [PATCH] login take 4 In-Reply-To: <20170423143029.ylkrxohg7gpbijd6@athena.coker.com.au> References: <20170423143029.ylkrxohg7gpbijd6@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/23/2017 10:30 AM, Russell Coker via refpolicy wrote:
> I have used optional sections for dbus and xserver as requested and also
> fixed a minor issue of a rule not being in the correct section.
>
> Please merge this.
>
> Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170421/policy/modules/system/locallogin.te
> @@ -33,6 +33,7 @@ role system_r types sulogin_t;
> #
>
> allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> +dontaudit local_login_t self:capability net_admin;
> allow local_login_t self:process { setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
> +++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
> @@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>
> kernel_read_kernel_sysctls(policykit_t)
> kernel_read_system_state(policykit_t)
> +fs_getattr_tmpfs(policykit_t)
> +fs_getattr_cgroup(policykit_t)
> +dev_read_urand(policykit_t)
>
> dev_read_urand(policykit_t)
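Review bot: The added `dontaudit local_login_t self:capability net_admin;` silences a denial without recording what in the local login path probes CAP_NET_ADMIN, so a later reader cannot tell whether the probe is still benign or whether a genuine need has since appeared. The dbus hunk in this same patch carries a one-line trigger comment, and this rule would benefit from the same treatment, e.g. `# CAP_NET_ADMIN is probed but not required; silence the denial` with the probing call named once it is known (the hunk itself does not show the AVC, so I cannot name it). Because the capability is only dontaudited rather than allowed, the cost of getting this wrong is lost audit signal, not expanded privilege, which is the right trade-off as long as the comment keeps it reviewable.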
>
> @@ -104,6 +107,7 @@ userdom_read_all_users_state(policykit_t
>
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
> + userdom_dbus_send_all_users(policykit_t)
>
> optional_policy(`
> consolekit_dbus_chat(policykit_t)
> Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
> +++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
> @@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
> dev_read_urand(system_dbusd_t)
> dev_read_sysfs(system_dbusd_t)
>
> +ifdef(`init_systemd', `
> + # gdm3 causes system_dbusd_t to want this access
> + dev_rw_dri(system_dbusd_t)
> + dev_rw_input_dev(system_dbusd_t)
> +')
> +
> domain_use_interactive_fds(system_dbusd_t)
> domain_read_all_domains_state(system_dbusd_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20170421/policy/modules/system/authlogin.te
> @@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> kernel_read_crypto_sysctls(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
> +selinux_get_enforce_mode(chkpwd_t)
> +selinux_getattr_fs(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
> +++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
> @@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> +kernel_read_crypto_sysctls(gpg_t)
> kernel_read_sysctl(gpg_t)
> # read /proc/cpuinfo
> kernel_read_system_state(gpg_t)
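Review bot: The added `dev_read_urand(policykit_t)` in the first policykit.te hunk duplicates the unchanged `dev_read_urand(policykit_t)` two lines below it, so the addition is redundant; drop the added line and keep only `fs_getattr_tmpfs(policykit_t)` and `fs_getattr_cgroup(policykit_t)`. Duplicate interface calls build without complaint but accumulate over time and make the effective policy harder to audit. The maintainer's reply notes that a few lines were moved on merge, which may already have taken care of this.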
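Review bot: `userdom_dbus_send_all_users(policykit_t)` in the second policykit.te hunk lets polkitd send D-Bus messages to every user domain, which is a wider grant than the consolekit chat in the sibling optional block, and nothing in the hunk says which denial motivated it. If the need is replying to polkit agents that run in user sessions, a one-line comment such as `# reply to polkit agents running in user domains` would record that; I am inferring the purpose from the interface name, so confirm the trigger before committing the comment. If the denial was for a single user type, a narrower interface would keep the grant bounded. Its placement inside the dbus_system_domain optional block is correct.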
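Review bot: `dev_rw_dri(system_dbusd_t)` and `dev_rw_input_dev(system_dbusd_t)` in the dbus.te hunk give the system bus daemon itself read/write access to DRI and input device nodes, and the comment only says gdm3 "wants" it; the bus daemon has no reason to touch input devices, so the denial more plausibly comes from something dbus-daemon execs or activates without a domain transition (inferred — the hunk does not show the AVC). Before granting, check whether the executable that triggers the access should get its own domain or transition to the display-manager domain, and if the access turns out to be a probe, prefer a dontaudit over an allow. The init_systemd ifdef guard also does not match the stated cause (gdm3, not systemd); if gdm3 is the reason, an optional_policy on the xserver module is the more accurate conditional, and otherwise the comment should say why systemd is the condition, e.g. `# under systemd, gdm3 activation makes system_dbusd_t touch DRI/input devices`.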
> @@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent
> kernel_read_core_if(gpg_agent_t)
> kernel_read_system_state(gpg_agent_t)
>
> +auth_use_nsswitch(gpg_agent_t)
> +
> corecmd_exec_bin(gpg_agent_t)
> corecmd_exec_shell(gpg_agent_t)
>
> @@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + dbus_system_bus_client(gpg_agent_t)
> +')
> +
> +optional_policy(`
> mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
> ')
>
> @@ -279,6 +286,11 @@ optional_policy(`
> pcscd_stream_connect(gpg_agent_t)
> ')
>
> +optional_policy(`
> + xserver_sigchld_xdm(gpg_agent_t)
> + xserver_read_user_xauth(gpg_agent_t)
> +')
> +
> ##############################
> #
> # Pinentry local policy
Merged, though I moved a few lines. -- Chris PeBenito
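Review bot: `xserver_read_user_xauth(gpg_agent_t)` in the last gpg.te hunk exposes the user's X authority cookie to the agent, and nothing in the hunk says what in gpg-agent reads it; if the actual reader is pinentry, which has its own local policy in the section just below the hunk, the access belongs on the pinentry domain rather than the agent (inferred from the neighbouring section header, not shown by the hunk). `xserver_sigchld_xdm(gpg_agent_t)` likewise implies the agent is started from and exits under the display manager session, which is worth stating. A one-line comment on the new optional block, as the dbus hunk in this patch has, would make the rationale reviewable, e.g. `# agent is launched from the xdm session and needs the session's X cookie`. The new block is complete within the hunk.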