[PATCH] wm domains and sddm fixes

* [PATCH] wm domains and sddm fixes
@ 2022-04-06 12:36 Russell Coker
  2022-04-25 13:31 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2022-04-06 12:36 UTC (permalink / raw)
  To: selinux-refpolicy

These patches make a sddm login with the $1_wm_t domain work.  Most of this
is for X11 but there is a bit for Wayland too.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220322/policy/modules/apps/wm.if
===================================================================

--- refpolicy-2.20220322.orig/policy/modules/apps/wm.if
+++ refpolicy-2.20220322/policy/modules/apps/wm.if
@@ -61,6 +61,8 @@ template(`wm_role_template',`
 	allow $3 $1_wm_t:process { ptrace signal_perms };
 	ps_process_pattern($3, $1_wm_t)
 
+	kernel_read_kernel_sysctls($1_wm_t)
+
 	allow $1_wm_t $3:process { signull sigkill };
 
 	domtrans_pattern($3, wm_exec_t, $1_wm_t)
@@ -81,6 +83,10 @@ template(`wm_role_template',`
 
 	wm_write_pipes($1, $3)
 
+	tunable_policy(`wm_write_xdg_data', `
+		xdg_manage_data($1_wm_t)
+	')
+
 	optional_policy(`
 		dbus_connect_spec_session_bus($1, $1_wm_t)
 		dbus_spec_session_bus_client($1, $1_wm_t)
@@ -115,6 +121,17 @@ template(`wm_role_template',`
 	optional_policy(`
 		xdg_watch_config_files($1_wm_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_wm_t)
+	')
+
+	optional_policy(`
+		xdg_read_data_files($1_wm_t)
+		xdg_manage_cache($1_wm_t)
+		xdg_manage_config($1_wm_t)
+		xdg_watch_data_files($1_wm_t)
+	')
 ')
 
 ########################################
Index: refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
@@ -256,6 +256,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/xfconf/xfconfd	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/xfwm4/helper-dialog --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/x86_64-linux-gnu/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_debian',`
 /usr/lib/[^/]+/tumbler-1/tumblerd --	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20220322/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20220322/policy/modules/system/unconfined.if
@@ -40,6 +40,7 @@ interface(`unconfined_domain_noaudit',`
 	allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
 	allow $1 self:fifo_file manage_fifo_file_perms;
+	allow $1 self:system status;
 
 	# Manage most namespace capabilities
 	allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
Index: refpolicy-2.20220322/policy/modules/apps/gnome.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/gnome.if
+++ refpolicy-2.20220322/policy/modules/apps/gnome.if
@@ -112,6 +112,10 @@ template(`gnome_role_template',`
 		')
 
 		optional_policy(`
+			systemd_dbus_chat_logind($1_gkeyringd_t)
+		')
+
+		optional_policy(`
 			wm_dbus_chat($1, $1_gkeyringd_t)
 		')
 	')
@@ -814,3 +818,21 @@ interface(`gnome_mmap_gstreamer_orcexec'
 
 	allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
 ')
+
+########################################
+## <summary>
+##	watch gnome_xdg_config_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_watch_xdg_config_dirs',`
+	gen_require(`
+		type gnome_xdg_config_t;
+	')
+
+	allow $1 gnome_xdg_config_t:dir watch;
+')
Index: refpolicy-2.20220322/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20220322/policy/modules/services/xserver.if
@@ -213,7 +213,7 @@ template(`xserver_role',`
 
 	xserver_read_xkb_libs($2)
 
-	allow $2 xdm_t:unix_stream_socket accept;
+	allow $2 xdm_t:unix_stream_socket { getattr accept };
 
 	optional_policy(`
 		systemd_user_app_status($1, xserver_t)
Index: refpolicy-2.20220322/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20220322/policy/modules/system/miscfiles.if
@@ -634,6 +634,7 @@ interface(`miscfiles_watch_localization'
 		type locale_t;
 	')
 
+	allow $1 locale_t:dir watch;
 	allow $1 locale_t:file watch;
 ')
 
Index: refpolicy-2.20220322/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20220322/policy/modules/system/userdomain.if
@@ -121,6 +121,8 @@ template(`userdom_base_user_template',`
 	miscfiles_read_generic_certs($1_t)
 	miscfiles_watch_fonts_dirs($1_t)
 
+	userdom_write_user_runtime_sockets($1_t)
+
 	sysnet_read_config($1_t)
 
 	# kdeinit wants systemd status
@@ -960,6 +962,7 @@ template(`userdom_login_user_template',
 	userdom_exec_user_tmp_files($1_t)
 	userdom_exec_user_home_content_files($1_t)
 
+	userdom_execmod_user_tmpfs_files($1_t)
 	userdom_map_user_tmpfs_files($1_t)
 
 	userdom_change_password_template($1)
@@ -1214,8 +1217,10 @@ template(`userdom_unpriv_user_template',
 	corenet_tcp_bind_xserver_port($1_t)
 
 	files_exec_usr_files($1_t)
+	files_watch_etc_symlinks($1_t)
 
 	miscfiles_manage_public_files($1_t)
+	miscfiles_watch_localization($1_t)
 	miscfiles_watch_public_dirs($1_t)
 
 	tunable_policy(`user_dmesg',`
@@ -1234,6 +1239,7 @@ template(`userdom_unpriv_user_template',
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_generic_node($1_t)
 		corenet_tcp_bind_generic_port($1_t)
+		corenet_tcp_bind_all_unreserved_ports($1_t)
 	')
 
 	# Allow users to run UDP servers (bind to ports and accept connection from
@@ -1241,6 +1247,7 @@ template(`userdom_unpriv_user_template',
 	tunable_policy(`user_udp_server',`
 		corenet_udp_bind_generic_node($1_t)
 		corenet_udp_bind_generic_port($1_t)
+		corenet_udp_bind_all_unreserved_ports($1_t)
 	')
 
 	optional_policy(`
@@ -1582,6 +1589,8 @@ template(`userdom_xdg_user_template',`
 	xdg_manage_all_data($1_t)
 	xdg_relabel_all_data($1_t)
 	xdg_watch_all_data_dirs($1_t)
+	xdg_watch_all_data_files($1_t)
+	xdg_exec_data($1_t)
 
 	xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
 	xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
@@ -3686,6 +3695,24 @@ interface(`userdom_delete_user_runtime_f
 
 ########################################
 ## <summary>
+##	write user runtime sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_user_runtime_sockets',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:sock_file write;
+')
+
+########################################
+## <summary>
 ##	Search users runtime directories.
 ## </summary>
 ## <param name="domain">
@@ -4094,6 +4121,24 @@ interface(`userdom_manage_user_tmpfs_fil
 ')
 
 ########################################
+## <summary>
+##	execute and execmod user tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_execmod_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:file { execute execmod };
+')
+
+########################################
 ## <summary>
 ##	Get the attributes of a user domain tty.
 ## </summary>
Index: refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
@@ -222,6 +222,7 @@ optional_policy(`
 	systemd_read_logind_sessions_files(pulseaudio_t)
 	# for /run/systemd/users/$PID
 	systemd_read_logind_runtime_files(pulseaudio_t)
+	systemd_watch_logind_sessions_dirs(pulseaudio_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20220322/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20220322/policy/modules/system/xdg.if
@@ -691,6 +691,24 @@ interface(`xdg_watch_data_dirs',`
 
 ########################################
 ## <summary>
+##	Watch the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_data_files',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	allow $1 xdg_data_t:file watch;
+')
+
+########################################
+## <summary>
 ##	Watch all the xdg data home directories
 ## </summary>
 ## <param name="domain">
@@ -709,6 +727,24 @@ interface(`xdg_watch_all_data_dirs',`
 
 ########################################
 ## <summary>
+##	Watch all the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_data_files',`
+	gen_require(`
+		attribute xdg_data_type;
+	')
+
+	allow $1 xdg_data_type:file watch;
+')
+
+########################################
+## <summary>
 ##	Read the xdg data home files
 ## </summary>
 ## <param name="domain">
@@ -914,6 +950,24 @@ interface(`xdg_relabel_data',`
 ')
 
 ########################################
+## <summary>
+##	Allow domain to execute xdg_data_t, for some application config in kde
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	can_exec($1, xdg_data_t)
+')
+
+########################################
 ## <summary>
 ##	Allow relabeling the xdg data home files, regardless of their type
 ## </summary>
Index: refpolicy-2.20220322/policy/modules/apps/wm.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/wm.te
+++ refpolicy-2.20220322/policy/modules/apps/wm.te
@@ -7,6 +7,14 @@ policy_module(wm)
 
 attribute wm_domain;
 
+
+## <desc>
+##      <p>
+##      Grant the window manager domains write access to xdg data
+##      </p>
+## </desc>
+gen_tunable(`wm_write_xdg_data', false)
+
 type wm_exec_t;
 corecmd_executable_file(wm_exec_t)
 
Index: refpolicy-2.20220322/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20220322/policy/modules/apps/chromium.te
@@ -275,6 +275,7 @@ optional_policy(`
 
 	optional_policy(`
 		gnome_dbus_chat_all_gkeyringd(chromium_t)
+		gnome_watch_xdg_config_dirs(chromium_t)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20220322/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20220322/policy/modules/services/xserver.fc
@@ -37,6 +37,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/wayland-session --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)

^ permalink raw reply	[flat|nested] 2+ messages in thread