* [refpolicy] [PATCH] login related stuff
@ 2017-04-17 12:34 Russell Coker
2017-04-17 13:06 ` Guido Trentalancia
0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2017-04-17 12:34 UTC (permalink / raw)
To: refpolicy
Give sulogin some access it needs and dontaudit a nat_admin capability check
related to systemd for local_login_t.
Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and
send dbus messages to all users.
Allow system_dbusd_t to access dri and input_dev devices, this is triggered
by gdm3.
Allow chkpwd_t to get selinux enforcing mode.
Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs to be
run as part of an X login session (as the parent of other user processes).
Index: refpolicy-2.20170417/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170417/policy/modules/system/locallogin.te
@@ -33,6 +33,7 @@ role system_r types sulogin_t;
#
allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+dontaudit local_login_t self:capability net_admin;
allow local_login_t self:process { setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
auth_read_shadow(sulogin_t)
+auth_login_pgm_domain(sulogin_t)
+kernel_read_crypto_sysctls(sulogin_t)
+selinux_set_generic_booleans(sulogin_t)
init_getpgid_script(sulogin_t)
Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te
@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+dev_read_urand(policykit_t)
dev_read_urand(policykit_t)
@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t)
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dbus_send_all_users(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te
@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
+# gdm3 causes system_dbusd_t to want this access
+dev_rw_dri(system_dbusd_t)
+dev_rw_input_dev(system_dbusd_t)
+
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
Index: refpolicy-2.20170417/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170417/policy/modules/system/authlogin.te
@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+selinux_get_enforce_mode(chkpwd_t)
+selinux_getattr_fs(chkpwd_t)
domain_dontaudit_use_interactive_fds(chkpwd_t)
Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te
+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+xdm_sigchld(gpg_agent_t)
+dbus_system_bus_client(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+xserver_read_user_xauth(gpg_agent_t)
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
Index: refpolicy-2.20170417/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170417/policy/modules/services/xserver.if
@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Allow domain to send sigchld to xdm_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdm_sigchld',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process sigchld;
+')
^ permalink raw reply [flat|nested] 6+ messages in thread* [refpolicy] [PATCH] login related stuff 2017-04-17 12:34 [refpolicy] [PATCH] login related stuff Russell Coker @ 2017-04-17 13:06 ` Guido Trentalancia 2017-04-17 13:17 ` Dominick Grift 2017-04-17 13:26 ` Russell Coker 0 siblings, 2 replies; 6+ messages in thread From: Guido Trentalancia @ 2017-04-17 13:06 UTC (permalink / raw) To: refpolicy Hello. It is not clear to me the reason why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())... Is such permission really critical for running gdm? And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it. The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled! What is your experience, if any, with the latter? Regards, Guido On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote: >Give sulogin some access it needs and dontaudit a nat_admin capability >check >related to systemd for local_login_t. > >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and >send dbus messages to all users. > >Allow system_dbusd_t to access dri and input_dev devices, this is >triggered >by gdm3. > >Allow chkpwd_t to get selinux enforcing mode. > >Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs >to be >run as part of an X login session (as the parent of other user >processes). > >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te >@@ -33,6 +33,7 @@ role system_r types sulogin_t; > # > >allow local_login_t self:capability { chown dac_override fowner fsetid >kill setgid setuid sys_nice sys_resource sys_tty_config }; >+dontaudit local_login_t self:capability net_admin; > allow local_login_t self:process { setexec setrlimit setsched }; > allow local_login_t self:fd use; > allow local_login_t self:fifo_file rw_fifo_file_perms; >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t) > files_read_etc_files(sulogin_t) > > auth_read_shadow(sulogin_t) >+auth_login_pgm_domain(sulogin_t) >+kernel_read_crypto_sysctls(sulogin_t) >+selinux_set_generic_booleans(sulogin_t) > > init_getpgid_script(sulogin_t) > >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ > > kernel_read_kernel_sysctls(policykit_t) > kernel_read_system_state(policykit_t) >+fs_getattr_tmpfs(policykit_t) >+fs_getattr_cgroup(policykit_t) >+dev_read_urand(policykit_t) > > dev_read_urand(policykit_t) > >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) > > userdom_getattr_all_users(policykit_t) > userdom_read_all_users_state(policykit_t) >+userdom_dbus_send_all_users(policykit_t) > > optional_policy(` > dbus_system_domain(policykit_t, policykit_exec_t) >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t) > dev_read_urand(system_dbusd_t) > dev_read_sysfs(system_dbusd_t) > >+# gdm3 causes system_dbusd_t to want this access >+dev_rw_dri(system_dbusd_t) >+dev_rw_input_dev(system_dbusd_t) >+ > domain_use_interactive_fds(system_dbusd_t) > domain_read_all_domains_state(system_dbusd_t) > >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) > kernel_read_crypto_sysctls(chkpwd_t) > # is_selinux_enabled > kernel_read_system_state(chkpwd_t) >+selinux_get_enforce_mode(chkpwd_t) >+selinux_getattr_fs(chkpwd_t) > > domain_dontaudit_use_interactive_fds(chkpwd_t) > >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > >+kernel_read_crypto_sysctls(gpg_t) > kernel_read_sysctl(gpg_t) > # read /proc/cpuinfo > kernel_read_system_state(gpg_t) >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > >+xdm_sigchld(gpg_agent_t) >+dbus_system_bus_client(gpg_agent_t) >+auth_use_nsswitch(gpg_agent_t) >+xserver_read_user_xauth(gpg_agent_t) >+ > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, >gpg_agent_tmp_t) >Index: refpolicy-2.20170417/policy/modules/services/xserver.if >=================================================================== >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if >+++ refpolicy-2.20170417/policy/modules/services/xserver.if >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') >+ >+######################################## >+## <summary> >+## Allow domain to send sigchld to xdm_t >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`xdm_sigchld',` >+ gen_require(` >+ type xdm_t; >+ ') >+ >+ allow $1 xdm_t:process sigchld; >+') >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] login related stuff 2017-04-17 13:06 ` Guido Trentalancia @ 2017-04-17 13:17 ` Dominick Grift 2017-04-17 13:39 ` Guido Trentalancia 2017-04-17 13:26 ` Russell Coker 1 sibling, 1 reply; 6+ messages in thread From: Dominick Grift @ 2017-04-17 13:17 UTC (permalink / raw) To: refpolicy On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via refpolicy wrote: > Hello. > > It is not clear to me the reason why a daemon such as the system dbus instance needs to write the DRI graphical devices (dev_rw_dri())... > > Is such permission really critical for running gdm? I suspect this is systemd specific (logind to be precise) but nowaday's all kinds of file descriptors seem to get passed through dbus > > And, by the way, I am aware of the fact that gnome-session also requires such permission, although it does not fail to run without it. > > The point is that, on one hand gnome-session runs as user_u and therefore it might not be advisable to let user_u write the DRI device, but on the other hand I suppose gnome-session checks for accelerated graphical capabilities and therefore a failure to write the DRI device might imply that the accelerated graphical capabilities are always disabled! > > What is your experience, if any, with the latter? > > Regards, > > Guido > > On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote: > >Give sulogin some access it needs and dontaudit a nat_admin capability > >check > >related to systemd for local_login_t. > > > >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, and > >send dbus messages to all users. > > > >Allow system_dbusd_t to access dri and input_dev devices, this is > >triggered > >by gdm3. > > > >Allow chkpwd_t to get selinux enforcing mode. > > > >Allow gpg to read crypto sysctls, and give gpg_agent_t access it needs > >to be > >run as part of an X login session (as the parent of other user > >processes). > > > >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te > >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te > >@@ -33,6 +33,7 @@ role system_r types sulogin_t; > > # > > > >allow local_login_t self:capability { chown dac_override fowner fsetid > >kill setgid setuid sys_nice sys_resource sys_tty_config }; > >+dontaudit local_login_t self:capability net_admin; > > allow local_login_t self:process { setexec setrlimit setsched }; > > allow local_login_t self:fd use; > > allow local_login_t self:fifo_file rw_fifo_file_perms; > >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t) > > files_read_etc_files(sulogin_t) > > > > auth_read_shadow(sulogin_t) > >+auth_login_pgm_domain(sulogin_t) > >+kernel_read_crypto_sysctls(sulogin_t) > >+selinux_set_generic_booleans(sulogin_t) > > > > init_getpgid_script(sulogin_t) > > > >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te > >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te > >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ > > > > kernel_read_kernel_sysctls(policykit_t) > > kernel_read_system_state(policykit_t) > >+fs_getattr_tmpfs(policykit_t) > >+fs_getattr_cgroup(policykit_t) > >+dev_read_urand(policykit_t) > > > > dev_read_urand(policykit_t) > > > >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) > > > > userdom_getattr_all_users(policykit_t) > > userdom_read_all_users_state(policykit_t) > >+userdom_dbus_send_all_users(policykit_t) > > > > optional_policy(` > > dbus_system_domain(policykit_t, policykit_exec_t) > >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te > >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te > >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t) > > dev_read_urand(system_dbusd_t) > > dev_read_sysfs(system_dbusd_t) > > > >+# gdm3 causes system_dbusd_t to want this access > >+dev_rw_dri(system_dbusd_t) > >+dev_rw_input_dev(system_dbusd_t) > >+ > > domain_use_interactive_fds(system_dbusd_t) > > domain_read_all_domains_state(system_dbusd_t) > > > >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te > >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te > >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) > > kernel_read_crypto_sysctls(chkpwd_t) > > # is_selinux_enabled > > kernel_read_system_state(chkpwd_t) > >+selinux_get_enforce_mode(chkpwd_t) > >+selinux_getattr_fs(chkpwd_t) > > > > domain_dontaudit_use_interactive_fds(chkpwd_t) > > > >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te > >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te > >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) > > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > > > >+kernel_read_crypto_sysctls(gpg_t) > > kernel_read_sysctl(gpg_t) > > # read /proc/cpuinfo > > kernel_read_system_state(gpg_t) > >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g > > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > > >+xdm_sigchld(gpg_agent_t) > >+dbus_system_bus_client(gpg_agent_t) > >+auth_use_nsswitch(gpg_agent_t) > >+xserver_read_user_xauth(gpg_agent_t) > >+ > > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, > >gpg_agent_tmp_t) > >Index: refpolicy-2.20170417/policy/modules/services/xserver.if > >=================================================================== > >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if > >+++ refpolicy-2.20170417/policy/modules/services/xserver.if > >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` > > typeattribute $1 x_domain; > > typeattribute $1 xserver_unconfined_type; > > ') > >+ > >+######################################## > >+## <summary> > >+## Allow domain to send sigchld to xdm_t > >+## </summary> > >+## <param name="domain"> > >+## <summary> > >+## Domain allowed access. > >+## </summary> > >+## </param> > >+# > >+interface(`xdm_sigchld',` > >+ gen_require(` > >+ type xdm_t; > >+ ') > >+ > >+ allow $1 xdm_t:process sigchld; > >+') > >_______________________________________________ > >refpolicy mailing list > >refpolicy at oss.tresys.com > >http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170417/17ee4955/attachment.bin ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] login related stuff 2017-04-17 13:17 ` Dominick Grift @ 2017-04-17 13:39 ` Guido Trentalancia 0 siblings, 0 replies; 6+ messages in thread From: Guido Trentalancia @ 2017-04-17 13:39 UTC (permalink / raw) To: refpolicy Hello. If it only applies to systemd setups, then please use the appropriate ifdef statement to avoid spreading the permission to every setup. Thanks, Guido Il 17 aprile 2017 15:17:35 CEST, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> ha scritto: >On Mon, Apr 17, 2017 at 03:06:55PM +0200, Guido Trentalancia via >refpolicy wrote: >> Hello. >> >> It is not clear to me the reason why a daemon such as the system dbus >instance needs to write the DRI graphical devices (dev_rw_dri())... >> >> Is such permission really critical for running gdm? > >I suspect this is systemd specific (logind to be precise) but nowaday's >all kinds of file descriptors seem to get passed through dbus > >> >> And, by the way, I am aware of the fact that gnome-session also >requires such permission, although it does not fail to run without it. >> >> The point is that, on one hand gnome-session runs as user_u and >therefore it might not be advisable to let user_u write the DRI device, >but on the other hand I suppose gnome-session checks for accelerated >graphical capabilities and therefore a failure to write the DRI device >might imply that the accelerated graphical capabilities are always >disabled! >> >> What is your experience, if any, with the latter? >> >> Regards, >> >> Guido >> >> On the 17th April 2017 14:34:34 CEST, Russell Coker via refpolicy ><refpolicy@oss.tresys.com> wrote: >> >Give sulogin some access it needs and dontaudit a nat_admin >capability >> >check >> >related to systemd for local_login_t. >> > >> >Allow policykit to stat tmpfs and cgroup filesystems, read urandom, >and >> >send dbus messages to all users. >> > >> >Allow system_dbusd_t to access dri and input_dev devices, this is >> >triggered >> >by gdm3. >> > >> >Allow chkpwd_t to get selinux enforcing mode. >> > >> >Allow gpg to read crypto sysctls, and give gpg_agent_t access it >needs >> >to be >> >run as part of an X login session (as the parent of other user >> >processes). >> > >> >Index: refpolicy-2.20170417/policy/modules/system/locallogin.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/system/locallogin.te >> >+++ refpolicy-2.20170417/policy/modules/system/locallogin.te >> >@@ -33,6 +33,7 @@ role system_r types sulogin_t; >> > # >> > >> >allow local_login_t self:capability { chown dac_override fowner >fsetid >> >kill setgid setuid sys_nice sys_resource sys_tty_config }; >> >+dontaudit local_login_t self:capability net_admin; >> > allow local_login_t self:process { setexec setrlimit setsched }; >> > allow local_login_t self:fd use; >> > allow local_login_t self:fifo_file rw_fifo_file_perms; >> >@@ -237,6 +238,9 @@ fs_rw_tmpfs_chr_files(sulogin_t) >> > files_read_etc_files(sulogin_t) >> > >> > auth_read_shadow(sulogin_t) >> >+auth_login_pgm_domain(sulogin_t) >> >+kernel_read_crypto_sysctls(sulogin_t) >> >+selinux_set_generic_booleans(sulogin_t) >> > >> > init_getpgid_script(sulogin_t) >> > >> >Index: refpolicy-2.20170417/policy/modules/contrib/policykit.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/contrib/policykit.te >> >+++ refpolicy-2.20170417/policy/modules/contrib/policykit.te >> >@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_ >> > >> > kernel_read_kernel_sysctls(policykit_t) >> > kernel_read_system_state(policykit_t) >> >+fs_getattr_tmpfs(policykit_t) >> >+fs_getattr_cgroup(policykit_t) >> >+dev_read_urand(policykit_t) >> > >> > dev_read_urand(policykit_t) >> > >> >@@ -101,6 +104,7 @@ auth_use_nsswitch(policykit_t) >> > >> > userdom_getattr_all_users(policykit_t) >> > userdom_read_all_users_state(policykit_t) >> >+userdom_dbus_send_all_users(policykit_t) >> > >> > optional_policy(` >> > dbus_system_domain(policykit_t, policykit_exec_t) >> >Index: refpolicy-2.20170417/policy/modules/contrib/dbus.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/contrib/dbus.te >> >+++ refpolicy-2.20170417/policy/modules/contrib/dbus.te >> >@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t) >> > dev_read_urand(system_dbusd_t) >> > dev_read_sysfs(system_dbusd_t) >> > >> >+# gdm3 causes system_dbusd_t to want this access >> >+dev_rw_dri(system_dbusd_t) >> >+dev_rw_input_dev(system_dbusd_t) >> >+ >> > domain_use_interactive_fds(system_dbusd_t) >> > domain_read_all_domains_state(system_dbusd_t) >> > >> >Index: refpolicy-2.20170417/policy/modules/system/authlogin.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/system/authlogin.te >> >+++ refpolicy-2.20170417/policy/modules/system/authlogin.te >> >@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t) >> > kernel_read_crypto_sysctls(chkpwd_t) >> > # is_selinux_enabled >> > kernel_read_system_state(chkpwd_t) >> >+selinux_get_enforce_mode(chkpwd_t) >> >+selinux_getattr_fs(chkpwd_t) >> > >> > domain_dontaudit_use_interactive_fds(chkpwd_t) >> > >> >Index: refpolicy-2.20170417/policy/modules/contrib/gpg.te >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/contrib/gpg.te >> >+++ refpolicy-2.20170417/policy/modules/contrib/gpg.te >> >@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) >> > domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) >> > domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) >> > >> >+kernel_read_crypto_sysctls(gpg_t) >> > kernel_read_sysctl(gpg_t) >> > # read /proc/cpuinfo >> > kernel_read_system_state(gpg_t) >> >@@ -214,6 +215,11 @@ manage_sock_files_pattern(gpg_agent_t, g >> > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) >> > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) >> > >> >+xdm_sigchld(gpg_agent_t) >> >+dbus_system_bus_client(gpg_agent_t) >> >+auth_use_nsswitch(gpg_agent_t) >> >+xserver_read_user_xauth(gpg_agent_t) >> >+ >> > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >> > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) >> >manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, >> >gpg_agent_tmp_t) >> >Index: refpolicy-2.20170417/policy/modules/services/xserver.if >> >=================================================================== >> >--- refpolicy-2.20170417.orig/policy/modules/services/xserver.if >> >+++ refpolicy-2.20170417/policy/modules/services/xserver.if >> >@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` >> > typeattribute $1 x_domain; >> > typeattribute $1 xserver_unconfined_type; >> > ') >> >+ >> >+######################################## >> >+## <summary> >> >+## Allow domain to send sigchld to xdm_t >> >+## </summary> >> >+## <param name="domain"> >> >+## <summary> >> >+## Domain allowed access. >> >+## </summary> >> >+## </param> >> >+# >> >+interface(`xdm_sigchld',` >> >+ gen_require(` >> >+ type xdm_t; >> >+ ') >> >+ >> >+ allow $1 xdm_t:process sigchld; >> >+') >> >_______________________________________________ >> >refpolicy mailing list >> >refpolicy at oss.tresys.com >> >http://oss.tresys.com/mailman/listinfo/refpolicy >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] login related stuff 2017-04-17 13:06 ` Guido Trentalancia 2017-04-17 13:17 ` Dominick Grift @ 2017-04-17 13:26 ` Russell Coker 2017-04-17 13:54 ` Guido Trentalancia 1 sibling, 1 reply; 6+ messages in thread From: Russell Coker @ 2017-04-17 13:26 UTC (permalink / raw) To: refpolicy On Mon, 17 Apr 2017 11:06:55 PM Guido Trentalancia via refpolicy wrote: > It is not clear to me the reason why a daemon such as the system dbus > instance needs to write the DRI graphical devices (dev_rw_dri())... It always seemed strange to me too. > Is such permission really critical for running gdm? My recollection is that the last time I tested it aborted when it didn't have such access. > And, by the way, I am aware of the fact that gnome-session also requires > such permission, although it does not fail to run without it. > > The point is that, on one hand gnome-session runs as user_u and therefore > it might not be advisable to let user_u write the DRI device, but on the > other hand I suppose gnome-session checks for accelerated graphical > capabilities and therefore a failure to write the DRI device might imply > that the accelerated graphical capabilities are always disabled! > > What is your experience, if any, with the latter? I don't have a lot of experience with it, I prefer not to use GNOME. Sddm is the dm I recommend for use in Debian, but I put in a minimal effort to get others working too. If the general feeling is against that part of the patch then I'll just drop it and let someone else who uses gdm take it up at some future time. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] login related stuff 2017-04-17 13:26 ` Russell Coker @ 2017-04-17 13:54 ` Guido Trentalancia 0 siblings, 0 replies; 6+ messages in thread From: Guido Trentalancia @ 2017-04-17 13:54 UTC (permalink / raw) To: refpolicy Hi. Thanks for getting back. Sounds like a bug triggered by systems that use systemd. As a first precaution, please enclose it within the appropriate ifdef statement (systemd) in the policy. Apart from that, it shouldn't happen, but without testing it more carefully, I don't know what else to say... How about the other issue that I mentioned to you? Have you ever experienced the same permission request from gnome-session? I suspect denying it, might prevent the use of accelerated graphical capabilities for every session. But, as already explained, we are limited by gnome-session running in the user domain (already discussed not long time ago). Regards, Guido On the 17th of April 2017 15:26:14 CEST, Russell Coker <russell@coker.com.au> wrote: >On Mon, 17 Apr 2017 11:06:55 PM Guido Trentalancia via refpolicy wrote: >> It is not clear to me the reason why a daemon such as the system dbus >> instance needs to write the DRI graphical devices (dev_rw_dri())... > >It always seemed strange to me too. > >> Is such permission really critical for running gdm? > >My recollection is that the last time I tested it aborted when it >didn't have >such access. > >> And, by the way, I am aware of the fact that gnome-session also >requires >> such permission, although it does not fail to run without it. >> >> The point is that, on one hand gnome-session runs as user_u and >therefore >> it might not be advisable to let user_u write the DRI device, but on >the >> other hand I suppose gnome-session checks for accelerated graphical >> capabilities and therefore a failure to write the DRI device might >imply >> that the accelerated graphical capabilities are always disabled! >> >> What is your experience, if any, with the latter? > >I don't have a lot of experience with it, I prefer not to use GNOME. >Sddm is >the dm I recommend for use in Debian, but I put in a minimal effort to >get >others working too. > >If the general feeling is against that part of the patch then I'll just >drop >it and let someone else who uses gdm take it up at some future time. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-04-17 13:54 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-04-17 12:34 [refpolicy] [PATCH] login related stuff Russell Coker 2017-04-17 13:06 ` Guido Trentalancia 2017-04-17 13:17 ` Dominick Grift 2017-04-17 13:39 ` Guido Trentalancia 2017-04-17 13:26 ` Russell Coker 2017-04-17 13:54 ` Guido Trentalancia
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.