LinuxLists.cc - [refpolicy] [PATCH 2/3-v4] Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content

2017-12-12 02:15:24

Subject: [refpolicy] [PATCH 2/3-v4] Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type)

Setup type xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and use filetrans to transition from user_runtime_t to our private type.

type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/xserver.te | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 21547ab2..66c33984 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -186,6 +186,10 @@ files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)

+# type for /run/user/%{USERID}/*
+type xdm_runtime_t;
+userdom_user_runtime_content(xdm_runtime_t)
+
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
typealias xdm_tmp_t alias ice_tmp_t;
@@ -345,6 +349,10 @@ files_lock_filetrans(xdm_t, xdm_lock_t, file)
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)

+# files in /run/user/%{USERID}/*
+manage_dirs_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
+manage_files_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
+
manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
@@ -493,6 +501,7 @@ userdom_create_all_users_keys(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir)

# for .dmrc: this was used by the Gnome Display Manager (gdm)
# and it is now obsolete in Gnome3
--
2.13.6

2017-12-13 01:19:39

by Chris PeBenito

[permalink] [raw]

Subject: [refpolicy] [PATCH 2/3-v4] Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type)

On 12/11/2017 09:15 PM, David Sugar via refpolicy wrote:
> Setup type xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and use filetrans to transition from user_runtime_t to our private type.
>
> type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
> type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
> type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
> type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
> type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/xserver.te | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 21547ab2..66c33984 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -186,6 +186,10 @@ files_type(xdm_var_lib_t)
> type xdm_var_run_t;
> files_pid_file(xdm_var_run_t)
>
> +# type for /run/user/%{USERID}/*
> +type xdm_runtime_t;
> +userdom_user_runtime_content(xdm_runtime_t)
> +
> type xdm_tmp_t;
> files_tmp_file(xdm_tmp_t)
> typealias xdm_tmp_t alias ice_tmp_t;
> @@ -345,6 +349,10 @@ files_lock_filetrans(xdm_t, xdm_lock_t, file)
> # this is ugly, daemons should not create files under /etc!
> manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
>
> +# files in /run/user/%{USERID}/*
> +manage_dirs_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
> +manage_files_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
> +
> manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
> manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
> manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
> @@ -493,6 +501,7 @@ userdom_create_all_users_keys(xdm_t)
> # Search /proc for any user domain processes.
> userdom_read_all_users_state(xdm_t)
> userdom_signal_all_users(xdm_t)
> +userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir)
>
> # for .dmrc: this was used by the Gnome Display Manager (gdm)
> # and it is now obsolete in Gnome3

Merged.

--
Chris PeBenito