From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 23 Feb 2018 08:25:10 +0100
Subject: [refpolicy] [PATCH] misc dbus patches
In-Reply-To: <2087459.qDY3ImaCar@liv>
References: <20180213003649.GA17327@xev> <2087459.qDY3ImaCar@liv>
Message-ID: <20180223072510.GA3931@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Feb 23, 2018 at 03:53:01PM +1100, Russell Coker via refpolicy wrote:
> On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote:
> > On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote:
> > > Here is a collection of dbus policy patches, all fairly simple.
> > >
> > > Chris please merge the ones you like and we can discuss any you don't like
> > > afterwards.
> >
> > I merged everything except for the user/groupadd ones, which need
> > explanation: what are they doing with dbus exactly?
>
> sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t
> \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/
> systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0
> \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s
> \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0",
> iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2,
> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193
>
> The above is from a strace of "groupadd zzz2". It is sending a message to
> systemd to lookup dynamic users. I can't find where in the groupadd code it
> does this though. I checked the pam configuration and that doesn't appear to
> have it.

This is nss_systemd. It is an optional systemd nss module. From that perspective one might consider adding it to auth_use_nsswitch().

> > > Index: refpolicy-2.20180211/policy/modules/contrib/apt.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/apt.te
> > > @@ -148,6 +148,11 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + # for packagekitd > > > + policykit_dbus_chat(apt_t) > > > +') > > > + > > > +optional_policy(` > > > > > > # rkhunter trigger > > > rkhunter_domtrans(apt_t) > > > > > > ') > > > > > > @@ -159,4 +164,5 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > unconfined_domain(apt_t) > > > > > > + unconfined_dbus_send(apt_t) > > > > > > ') > > > > > > Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te > > > @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t) > > > > > > init_all_labeled_script_domtrans(system_dbusd_t) > > > init_start_system(system_dbusd_t) # needed by dbus-broker > > > > > > +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/* > > > +libs_exec_lib_files(system_dbusd_t) > > > + > > > > > > logging_send_audit_msgs(system_dbusd_t) > > > logging_send_syslog_msg(system_dbusd_t) > > > > > > Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te > > > @@ -194,6 +194,11 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + # gwenview triggers the need for this > > > + xserver_dbus_chat_xdm(devicekit_disk_t) > > > +') > > > + > > > +optional_policy(` > > > > > > virt_manage_images(devicekit_disk_t) > > > > > > ') 
> > > > > > @@ -287,6 +292,7 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > dbus_system_bus_client(devicekit_power_t) > > > > > > + init_dbus_chat(devicekit_power_t) > > > > > > allow devicekit_power_t devicekit_t:dbus send_msg; > > > > > > Index: refpolicy-2.20180211/policy/modules/system/init.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/init.te > > > +++ refpolicy-2.20180211/policy/modules/system/init.te > > > @@ -509,6 +509,7 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > unconfined_domain(init_t) > > > > > > + unconfined_dbus_send(init_t) > > > > > > ') > > > > > > ######################################## > > > > > > Index: refpolicy-2.20180211/policy/modules/system/systemd.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te > > > +++ refpolicy-2.20180211/policy/modules/system/systemd.te > > > @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho > > > > > > optional_policy(` > > > > > > dbus_connect_system_bus(systemd_hostnamed_t) > > > dbus_system_bus_client(systemd_hostnamed_t) > > > > > > + init_dbus_chat(systemd_hostnamed_t) > > > > > > ') > > > > > > optional_policy(` > > > > > > @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy > > > > > > userdom_delete_all_user_runtime_named_pipes(systemd_logind_t) > > > userdom_delete_all_user_runtime_named_sockets(systemd_logind_t) > > > userdom_delete_all_user_runtime_symlinks(systemd_logind_t) > > > > > > +# user_tmp_t is for the dbus-1 directory > > > +userdom_list_user_tmp(systemd_logind_t) > > > > > > userdom_manage_user_runtime_dirs(systemd_logind_t) > > > userdom_manage_user_runtime_root_dirs(systemd_logind_t) > > > userdom_mounton_user_runtime_dirs(systemd_logind_t) 
> > > > > > @@ -482,6 +485,9 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > networkmanager_dbus_chat(systemd_logind_t) > > > > > > ') > > > > > > +optional_policy(` > > > + modemmanager_dbus_chat(systemd_logind_t) > > > +') > > > > > > optional_policy(` > > > > > > policykit_dbus_chat(systemd_logind_t) > > > > > > @@ -753,6 +759,10 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + unconfined_dbus_send(systemd_machined_t) > > > +') > > > + > > > +optional_policy(` > > > > > > virt_manage_virt_content(systemd_nspawn_t) > > > > > > ') > > > > > > Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > > > @@ -222,6 +222,7 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) > > > > > > + init_dbus_chat(NetworkManager_t) > > > > > > optional_policy(` > > > > > > avahi_dbus_chat(NetworkManager_t) > > > > > > Index: refpolicy-2.20180211/policy/modules/system/locallogin.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te > > > +++ refpolicy-2.20180211/policy/modules/system/locallogin.te 
> > > @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi > > > > > > ifdef(`init_systemd',` > > > > > > auth_manage_faillog(local_login_t) > > > > > > + init_dbus_chat(local_login_t) > > > > > > systemd_dbus_chat_logind(local_login_t) > > > systemd_use_logind_fds(local_login_t) > > > systemd_manage_logind_pid_pipes(local_login_t) > > > > > > Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te > > > +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te > > > @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) > > > > > > userdom_dontaudit_search_user_home_dirs(groupadd_t) > > > > > > optional_policy(` > > > > > > + dbus_system_bus_client(groupadd_t) > > > +') > > > + > > > +optional_policy(` > > > > > > dpkg_use_fds(groupadd_t) > > > dpkg_rw_pipes(groupadd_t) > > > > > > ') > > > > > > @@ -538,6 +542,10 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + dbus_system_bus_client(useradd_t) > > > +') > > > + > > > +optional_policy(` > > > > > > dpkg_use_fds(useradd_t) > > > dpkg_rw_pipes(useradd_t) > > > > > > ') > > > > > > Index: refpolicy-2.20180211/policy/modules/system/unconfined.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te > > > +++ refpolicy-2.20180211/policy/modules/system/unconfined.te 
> > > @@ -116,6 +116,10 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + modemmanager_dbus_chat(unconfined_t) > > > +') > > > + > > > +optional_policy(` > > > > > > modutils_run(unconfined_t, unconfined_r) > > > > > > ')
> > >
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
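Review bot: In the apt.te @@ -148 hunk the comment `# for packagekitd` does not match the interface under it, `policykit_dbus_chat(apt_t)`, which grants D-Bus send_msg in both directions between apt_t and the polkit daemon's domain, not packagekitd. Either the comment should describe the polkit exchange apt actually triggers (an authorization check made because of packagekitd, for instance) or the interface should target the domain the comment names; as written a reader cannot tell which of the two is intended.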
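Review bot: `libs_exec_lib_files(system_dbusd_t)` in the dbus.te hunk is much wider than its comment justifies: it lets the system bus daemon execute every lib_t file on the system, while the stated need is only the kauth helpers under /usr/lib/x86_64-linux-gnu/libexec/kauth/. The narrower fix is a file-context entry that labels those helpers bin_t (written with an architecture-independent pattern rather than the x86_64-linux-gnu path in the comment), so the daemon's existing ability to run bin_t programs covers them (add `corecmd_exec_bin(system_dbusd_t)` if it is not already present) and no new execute right on shared libraries is introduced.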
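Review bot: the comment `# gwenview triggers the need for this` above `xserver_dbus_chat_xdm(devicekit_disk_t)` in the devicekit.te @@ -194 hunk names a user application, but the rule grants a two-way D-Bus exchange between udisks and xdm_t, the display manager domain, in which a user application would not be running. The comment should identify the xdm_t process that actually sends to or receives from devicekit_disk_t; without that it is not possible to tell whether this is a genuinely missing rule or a process that is running in the wrong domain.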
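Review bot: the comment `# user_tmp_t is for the dbus-1 directory` above `userdom_list_user_tmp(systemd_logind_t)` in the systemd.te @@ -450 hunk should state the path. The surrounding userdom_*_user_runtime_* rules already give logind full management of the per-user runtime directories, so if the dbus-1 directory in question is under the runtime directory the listing is already permitted and the denial points to a labelling problem rather than a missing rule; if it is a directory under /tmp, say so in the comment so the rule can be checked against it.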
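Review bot: `unconfined_dbus_send(systemd_machined_t)` in the systemd.te @@ -753 hunk carries no comment and, unlike the other unconfined_dbus_send() additions in this series (apt_t in apt.te, init_t in init.te), is not placed inside an `unconfined_domain()` block: systemd_machined_t is a confined domain being allowed to send to unconfined ones. A one-line comment should name the unconfined caller it has to reply to (a machinectl invocation from unconfined_t, for example) so the rule has a traceable justification.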
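Review bot: the two usermanage.te hunks add only `dbus_system_bus_client(groupadd_t)` and `dbus_system_bus_client(useradd_t)`, which permits connecting to the system bus and exchanging messages with system_dbusd_t itself. The strace quoted above shows the message addressed to org.freedesktop.systemd1 (LookupDynamicUserByName on org.freedesktop.systemd1.Manager), i.e. to init_t, so without `init_dbus_chat()` for these domains the send will still be denied. And since the caller is the nss_systemd NSS module rather than useradd/groupadd code, as the reply notes, the rules belong in auth_use_nsswitch() where every domain that resolves names through NSS gets them consistently, instead of being special-cased in two domains; whichever place is chosen, the addition needs a comment saying it is there for nss_systemd.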