From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] login related stuff
Date: Mon, 17 Apr 2017 15:17:35 +0200
Message-ID: <20170417131735.GA11930@markus>
In-Reply-To: <49A9D7B2-DEA1-408C-8A1A-3DBF3CE5C8E0@trentalancia.net>
On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via refpolicy wrote:
> Hello.
>
> It is not clear to me why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())...
>
> Is such permission really critical for running gdm?
I suspect this is systemd specific (logind to be precise), but nowadays all kinds of file descriptors seem to get passed through dbus.
>
> And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it.
>
> The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled!
>
> What is your experience, if any, with the latter?
>
> Regards,
>
> Guido
>
> On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
> >Give sulogin some access it needs and dontaudit a nat_admin capability
> >check
> >related to systemd for local_login_t.
> >
> >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
> >send dbus messages to all users.
> >
> >Allow system_dbusd_t to access dri and input_dev devices, this is
> >triggered
> >by gdm3.
> >
> >Allow chkpwd_t to get selinux enforcing mode.
> >
> >Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs
> >to be
> >run as part of an X login session (as the parent of other user
> >processes).
> >
> >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
> >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
> >@@ -33,6 +33,7 @@ role system_r types sulogin_t;
> > #
> >
> >allow local_login_t self:capability { chown dac_override fowner fsetid
> >kill setgid setuid sys_nice sys_resource sys_tty_config };
> >+dontaudit local_login_t self:capability net_admin;
> > allow local_login_t self:process { setexec setrlimit setsched };
> > allow local_login_t self:fd use;
> > allow local_login_t self:fifo_file rw_fifo_file_perms;
> >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
> > files_read_etc_files(sulogin_t)
> >
> > auth_read_shadow(sulogin_t)
> >+auth_login_pgm_domain(sulogin_t)
> >+kernel_read_crypto_sysctls(sulogin_t)
> >+selinux_set_generic_booleans(sulogin_t)
> >
> > init_getpgid_script(sulogin_t)
> >
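Review bot: selinux_set_generic_booleans(sulogin_t) lets the rescue-shell login program change SELinux booleans, and auth_login_pgm_domain(sulogin_t) is a broad interface, yet the commit message only says "some access it needs". Please state the denial behind each of the three added lines, and in particular whether sulogin actually writes a boolean or only probes for it, in which case a dontaudit would be the narrower fix.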
> >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
> >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
> >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
> >
> > kernel_read_kernel_sysctls(policykit_t)
> > kernel_read_system_state(policykit_t)
> >+fs_getattr_tmpfs(policykit_t)
> >+fs_getattr_cgroup(policykit_t)
> >+dev_read_urand(policykit_t)
> >
> > dev_read_urand(policykit_t)
> >
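Review bot: dev_read_urand(policykit_t) is added as the third new line of this hunk while the unchanged context two lines below already contains dev_read_urand(policykit_t); drop the added copy so the rule is not duplicated.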
> >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
> >
> > userdom_getattr_all_users(policykit_t)
> > userdom_read_all_users_state(policykit_t)
> >+userdom_dbus_send_all_users(policykit_t)
> >
> > optional_policy(`
> > dbus_system_domain(policykit_t, policykit_exec_t)
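Review bot: userdom_dbus_send_all_users(policykit_t) grants send_msg to every user domain, which is considerably broader than the getattr and read-state access it sits next to; the commit message should name the polkit exchange that needs to reach arbitrary user domains so a reviewer can judge whether a narrower target would do.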
> >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
> >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
> >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
> > dev_read_urand(system_dbusd_t)
> > dev_read_sysfs(system_dbusd_t)
> >
> >+# gdm3 causes system_dbusd_t to want this access
> >+dev_rw_dri(system_dbusd_t)
> >+dev_rw_input_dev(system_dbusd_t)
> >+
> > domain_use_interactive_fds(system_dbusd_t)
> > domain_read_all_domains_state(system_dbusd_t)
> >
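Review bot: the comment only says gdm3 "wants" this access, and as this thread discusses the descriptors may be arriving over the bus rather than being opened by dbus-daemon itself. dev_rw_dri() and dev_rw_input_dev() give the system bus daemon open, read and write on every DRI and input device node (the latter is keystroke-level access), so please include the AVC records in the commit message: if "open" is not among the denied permissions the daemon is using an inherited descriptor, and a read/write rule without open, or a dontaudit, is the narrower fix.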
> >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
> >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
> >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
> > kernel_read_crypto_sysctls(chkpwd_t)
> > # is_selinux_enabled
> > kernel_read_system_state(chkpwd_t)
> >+selinux_get_enforce_mode(chkpwd_t)
> >+selinux_getattr_fs(chkpwd_t)
> >
> > domain_dontaudit_use_interactive_fds(chkpwd_t)
> >
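Review bot: the existing "# is_selinux_enabled" comment documents the neighbouring kernel_read_system_state call; give selinux_get_enforce_mode(chkpwd_t) and selinux_getattr_fs(chkpwd_t) the same treatment (the commit message says this is for reading the enforcing mode) so the reason for the access survives in the policy rather than only in the changelog.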
> >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
> >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
> >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
> > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
> >
> >+kernel_read_crypto_sysctls(gpg_t)
> > kernel_read_sysctl(gpg_t)
> > # read /proc/cpuinfo
> > kernel_read_system_state(gpg_t)
> >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
> > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >
> >+xdm_sigchld(gpg_agent_t)
> >+dbus_system_bus_client(gpg_agent_t)
> >+auth_use_nsswitch(gpg_agent_t)
> >+xserver_read_user_xauth(gpg_agent_t)
> >+
> > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> >gpg_agent_tmp_t)
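Review bot: dbus_system_bus_client(gpg_agent_t), xserver_read_user_xauth(gpg_agent_t) and the new xdm_sigchld(gpg_agent_t) call into the dbus and xserver modules unconditionally; refpolicy wraps calls into other optional modules in optional_policy(`...') blocks, as the policykit.te hunk in this same patch does for dbus_system_domain. Please move these three calls into optional_policy blocks for dbus and xserver respectively so gpg still builds when those modules are absent.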
> >Index: refpolicy-2.20170417/policy/modules/services/xserver.if
> >===================================================================
> >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
> >+++ refpolicy-2.20170417/policy/modules/services/xserver.if
> >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> > typeattribute $1 x_domain;
> > typeattribute $1 xserver_unconfined_type;
> > ')
> >+
> >+########################################
> >+## <summary>
> >+## Allow domain to send sigchld to xdm_t
> >+## </summary>
> >+## <param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+## </param>
> >+#
> >+interface(`xdm_sigchld',`
> >+ gen_require(`
> >+ type xdm_t;
> >+ ')
> >+
> >+ allow $1 xdm_t:process sigchld;
> >+')
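Review bot: every interface in xserver.if carries the module prefix (the context line shows xserver_unconfined, and the patch itself calls xserver_read_user_xauth), so xdm_sigchld breaks the naming convention and will not be found by anyone searching for xserver_ interfaces; rename it, for instance to xserver_sigchld_xdm, and update the caller in gpg.te to match. The summary would also be clearer if it said this is the SIGCHLD a child delivers to its parent display manager on exit, which is why a login-session child such as gpg-agent needs it.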
> >_______________________________________________
> >refpolicy mailing list
> >refpolicy at oss.tresys.com
> >http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
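A small triage script, added here as an example and not code from this thread or from refpolicy, for the question raised above: whether system_dbusd_t opens the DRI device itself or is only using a descriptor handed to it over the bus. It parses AVC records (the three lines inside it are constructed samples, with xdm_t assumed as the passing domain) and separates denials that include "open" from read/write-only denials paired with an "fd use" denial, since an inherited or received descriptor needs no open permission and therefore a narrower rule than dev_rw_dri().

```python
"""Triage AVC denials: did the source domain open the device node itself, or is
it only reading/writing a descriptor it inherited or received (e.g. over dbus)?
Added example, not refpolicy code; the AVC lines below are constructed samples."""
import re
from collections import defaultdict

# Constructed sample audit records, modelled on the denials discussed in the thread.
SAMPLE_AVCS = """\
type=AVC msg=audit(1492434000.101:201): avc:  denied  { read write } for  pid=812 comm="dbus-daemon" path="/dev/dri/card0" dev="devtmpfs" ino=1234 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1492434000.101:202): avc:  denied  { use } for  pid=812 comm="dbus-daemon" path="/dev/dri/card0" dev="devtmpfs" ino=1234 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=fd permissive=0
type=AVC msg=audit(1492434000.500:203): avc:  denied  { read write open } for  pid=900 comm="gnome-session" path="/dev/dri/renderD128" dev="devtmpfs" ino=1240 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avcs(text):
    """Yield one dict per AVC record; 'perms' is the set of denied permissions."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {"perms": set(m["perms"].split()), "scontext": m["scontext"],
                   "tcontext": m["tcontext"], "tclass": m["tclass"]}

def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def classify(records):
    """Per source domain: device types it was denied 'open' on ('opens'), device
    types it was denied only read/write on ('inherited', i.e. an already-open
    descriptor, which needs no 'open' permission), and the domains whose
    descriptors it was denied 'fd use' on ('fd_from')."""
    out = defaultdict(lambda: {"opens": set(), "inherited": set(), "fd_from": set()})
    for r in records:
        src = type_of(r["scontext"])
        if r["tclass"] == "fd" and "use" in r["perms"]:
            out[src]["fd_from"].add(type_of(r["tcontext"]))
        elif r["tclass"] == "chr_file":
            bucket = "opens" if "open" in r["perms"] else "inherited"
            out[src][bucket].add(type_of(r["tcontext"]))
    return dict(out)

if __name__ == "__main__":
    for domain, info in classify(parse_avcs(SAMPLE_AVCS)).items():
        print(domain, info)
```

Run against real records from ausearch -m avc; a domain listed only under "inherited" with an "fd_from" entry is receiving descriptors, not opening devices.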