* [refpolicy] [PATCH] Update the policy and file contexts for the xserver module
From: Guido Trentalancia @ 2016-08-13 13:27 UTC (permalink / raw)
  To: refpolicy

Update for the xserver module:

- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
  xdm;
- added permission to chat over dbus with colord.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    1 +
 policy/modules/services/xserver.if |   21 +++++++++++++++++++++
 policy/modules/services/xserver.te |    4 ++++
 3 files changed, 26 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 01:46:34.809322974 +0200
@@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib(64)?/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
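Review bot: the `(64)?` alternation in the new Xsession entry is inconsistent with the neighbouring /usr/lib/xorg and /usr/lib/xorg-server entries, which carry no lib64 variant; refpolicy's config/file_contexts.subs_dist folds /usr/lib64 onto /usr/lib before lookup, so the plain form `/usr/lib/X11/xdm/Xsession` is sufficient and avoids a second pattern to maintain.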
--- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
@@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdm_dbus_chat',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+        ')
+
+	allow $1 xdm_t:dbus send_msg;
+	allow xdm_t $1:dbus send_msg;
+')
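Review bot: the interface name `xdm_dbus_chat` does not follow the refpolicy convention that an interface is prefixed with its owning module (the interface just above it is `xserver_unconfined`), and nothing in this patch calls it, so the xserver.te hunk gives no evidence it is needed; suggest `xserver_dbus_chat_xdm` and naming the intended caller in the commit message. Also the `')` closing gen_require is indented with spaces while `gen_require(` and the allow rules use tabs.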
--- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
@@ -507,6 +507,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')
 
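Review bot: the commit message does not say why xdm_t needs to exchange dbus messages with colord (which denial or display-manager feature this addresses), so a reviewer cannot judge whether a two-way chat is required or a narrower rule would do; a one-line justification would help. Placement is fine: the new block sits alphabetically before consolekit_dbus_chat, as optional_policy blocks in this file are ordered.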


* [refpolicy] [PATCH] Update the policy and file contexts for the xserver module
From: Dominick Grift @ 2016-08-13 13:31 UTC (permalink / raw)
  To: refpolicy

On 08/13/2016 03:27 PM, Guido Trentalancia wrote:
> Update for the xserver module:
> 
> - updated the file contexts for the Xsession script;
> - created an interface for chatting over dbus with
>   xdm;
> - added permission to chat over dbus with colord.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    1 +
>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>  policy/modules/services/xserver.te |    4 ++++
>  3 files changed, 26 insertions(+)
> 
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 01:46:34.809322974 +0200
> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> +/usr/lib(64)?/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)

Not sure but I do not think that the (64)? is needed anymore as per:

https://github.com/TresysTechnology/refpolicy/blob/master/config/file_contexts.subs_dist#L18

>  
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>  	typeattribute $1 x_domain;
>  	typeattribute $1 xserver_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Send and receive messages from
> +##	xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdm_dbus_chat',`
> +	gen_require(`
> +		type xdm_t;
> +		class dbus send_msg;
> +        ')
> +
> +	allow $1 xdm_t:dbus send_msg;
> +	allow xdm_t $1:dbus send_msg;
> +')
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
> @@ -507,6 +507,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	colord_dbus_chat(xdm_t)
> +')
> +
> +optional_policy(`
>  	consolekit_dbus_chat(xdm_t)
>  ')
>  


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH] Update the policy and file contexts for the xserver module
From: Chris PeBenito @ 2016-08-13 13:59 UTC (permalink / raw)
  To: refpolicy

On 08/13/16 09:31, Dominick Grift wrote:
> On 08/13/2016 03:27 PM, Guido Trentalancia wrote:
>> Update for the xserver module:
>>
>> - updated the file contexts for the Xsession script;
>> - created an interface for chatting over dbus with
>>   xdm;
>> - added permission to chat over dbus with colord.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.fc |    1 +
>>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>>  policy/modules/services/xserver.te |    4 ++++
>>  3 files changed, 26 insertions(+)
>>
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 01:46:34.809322974 +0200
>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>> +/usr/lib(64)?/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>
> Not sure but I do not think that the (64)? is needed anymore as per:
>
> https://github.com/TresysTechnology/refpolicy/blob/master/config/file_contexts.subs_dist#L18

That should be the case.

-- 
Chris PeBenito

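The subs_dist point above, worked through as an added example (not code from the thread or from refpolicy): a small Python model of how libselinux rewrites a path through the substitution table before matching it against file_contexts regexps, plus a check that flags hand-coded `(64)?` alternations the table already covers. The .fc lines are the ones quoted in the thread, the subs excerpt is an assumed fragment of config/file_contexts.subs_dist, and the first-matching-subs / last-matching-spec rules mirror libselinux lookup as modelled here.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the xserver.fc entries quoted in the thread, with the
# Xsession line written as in the v2/v3 patch (no "(64)?" alternation).
FILE_CONTEXTS = (
    "/usr/lib/xorg/Xorg\\.wrap\t--\tgen_context(system_u:object_r:xserver_exec_t,s0)\n"
    "/usr/lib/X11/xdm/Xsession\t--\tgen_context(system_u:object_r:xsession_exec_t,s0)\n"
    "/usr/sbin/lightdm\t--\tgen_context(system_u:object_r:xdm_exec_t,s0)\n"
)

# The v1 form of the Xsession line, used to show the alternation is redundant.
V1_XSESSION_LINE = (
    "/usr/lib(64)?/X11/xdm/Xsession\t--\tgen_context(system_u:object_r:xsession_exec_t,s0)\n"
)

# Assumed excerpt of refpolicy's config/file_contexts.subs_dist. Each line is
# "<src> <dst>": a path under src is looked up as if it were under dst.
SUBS_DIST = "/usr/lib64 /usr/lib\n/lib64 /lib\n"

FcEntry = Tuple[re.Pattern, Optional[str], str]


def parse_file_contexts(text: str) -> List[FcEntry]:
    """Parse 'regexp [file_type] context' lines; gen_context(ctx,mls) is unwrapped."""
    entries: List[FcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regexp, ftype, ctx = fields
        elif len(fields) == 2:
            regexp, ctx = fields
            ftype = None  # no file-type column: entry applies to any object class
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        m = re.fullmatch(r"gen_context\(([^,]+),[^)]*\)", ctx)
        if m:
            ctx = m.group(1)  # keep user:role:type, drop the MLS level
        entries.append((re.compile(regexp), ftype, ctx))
    return entries


def parse_subs(text: str) -> List[Tuple[str, str]]:
    """Parse 'src dst' substitution lines, ignoring blanks and comments."""
    subs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and not fields[0].startswith("#"):
            subs.append((fields[0], fields[1]))
    return subs


def apply_subs(path: str, subs: List[Tuple[str, str]]) -> str:
    """Rewrite a prefix on a path-component boundary; the first matching entry wins."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, entries: List[FcEntry], subs: List[Tuple[str, str]],
           ftype: str = "--") -> Optional[str]:
    """Label a path as selabel_lookup does: substitute first, then match every
    spec as an anchored regexp; the last matching spec wins."""
    key = apply_subs(path, subs)
    winner = None
    for regex, entry_type, ctx in entries:
        if entry_type is not None and entry_type != ftype:
            continue
        if regex.fullmatch(key):
            winner = ctx
    return winner


def redundant_lib64_alternations(text: str, subs: List[Tuple[str, str]]) -> List[str]:
    """Flag regexps that hand-code '(64)?' on a prefix the subs table already folds."""
    flagged = []
    for regex, _, _ in parse_file_contexts(text):
        pat = regex.pattern
        if "(64)?" not in pat:
            continue
        with64 = pat.replace("(64)?", "64", 1)
        plain = pat.replace("(64)?", "", 1)
        for src, dst in subs:
            if with64.startswith(src + "/") and plain.startswith(dst + "/"):
                flagged.append(pat)
                break
    return flagged


if __name__ == "__main__":
    entries, subs = parse_file_contexts(FILE_CONTEXTS), parse_subs(SUBS_DIST)
    for p in ("/usr/lib/X11/xdm/Xsession", "/usr/lib64/X11/xdm/Xsession"):
        print(p, "->", lookup(p, entries, subs))
    print("redundant alternations:", redundant_lib64_alternations(V1_XSESSION_LINE, subs))
```

Running it labels both the /usr/lib and /usr/lib64 Xsession paths as xsession_exec_t from the single plain pattern, and reports the v1 pattern as redundant.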

* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Guido Trentalancia @ 2016-08-13 14:23 UTC (permalink / raw)
  To: refpolicy

Update for the xserver module:

- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
  xdm;
- added permission to chat over dbus with colord.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    1 +
 policy/modules/services/xserver.if |   21 +++++++++++++++++++++
 policy/modules/services/xserver.te |    4 ++++
 3 files changed, 26 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
@@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
--- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
@@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdm_dbus_chat',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+        ')
+
+	allow $1 xdm_t:dbus send_msg;
+	allow xdm_t $1:dbus send_msg;
+')
--- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
@@ -507,6 +507,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')
 


* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Chris PeBenito @ 2016-08-14 18:24 UTC (permalink / raw)
  To: refpolicy

On 08/13/16 10:23, Guido Trentalancia wrote:
> Update for the xserver module:
>
> - updated the file contexts for the Xsession script;
> - created an interface for chatting over dbus with
>   xdm;
> - added permission to chat over dbus with colord.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    1 +
>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>  policy/modules/services/xserver.te |    4 ++++
>  3 files changed, 26 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> +/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>  	typeattribute $1 x_domain;
>  	typeattribute $1 xserver_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Send and receive messages from
> +##	xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdm_dbus_chat',`

Why does this interface need to be added, if it isn't going to be used 
(it's not used below).

If it is still needed, then the interface should be xserver_dbus_chat_xdm()


> +	gen_require(`
> +		type xdm_t;
> +		class dbus send_msg;
> +        ')
> +
> +	allow $1 xdm_t:dbus send_msg;
> +	allow xdm_t $1:dbus send_msg;
> +')
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
> @@ -507,6 +507,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	colord_dbus_chat(xdm_t)
> +')
> +
> +optional_policy(`
>  	consolekit_dbus_chat(xdm_t)
>  ')


-- 
Chris PeBenito


* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Dominick Grift @ 2016-08-14 18:26 UTC (permalink / raw)
  To: refpolicy

On 08/14/2016 08:24 PM, Chris PeBenito wrote:
> On 08/13/16 10:23, Guido Trentalancia wrote:
>> Update for the xserver module:
>>
>> - updated the file contexts for the Xsession script;
>> - created an interface for chatting over dbus with
>>   xdm;
>> - added permission to chat over dbus with colord.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.fc |    1 +
>>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>>  policy/modules/services/xserver.te |    4 ++++
>>  3 files changed, 26 insertions(+)
>>
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>> +/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>>
>>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>>
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
>> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>>  	typeattribute $1 x_domain;
>>  	typeattribute $1 xserver_unconfined_type;
>>  ')
>> +
>> +########################################
>> +## <summary>
>> +##	Send and receive messages from
>> +##	xdm over dbus.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xdm_dbus_chat',`
> 
> Why does this interface need to be added, if it isn't going to be used 
> (it's not used below).
> 
> If it is still needed, then the interface should be xserver_dbus_chat_xdm()
> 
> 

Seems to be used here though:

http://oss.tresys.com/pipermail/refpolicy/2016-August/008213.html

>> +	gen_require(`
>> +		type xdm_t;
>> +		class dbus send_msg;
>> +        ')
>> +
>> +	allow $1 xdm_t:dbus send_msg;
>> +	allow xdm_t $1:dbus send_msg;
>> +')
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
>> @@ -507,6 +507,10 @@ optional_policy(`
>>  ')
>>
>>  optional_policy(`
>> +	colord_dbus_chat(xdm_t)
>> +')
>> +
>> +optional_policy(`
>>  	consolekit_dbus_chat(xdm_t)
>>  ')
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Dominick Grift @ 2016-08-14 18:35 UTC (permalink / raw)
  To: refpolicy

On 08/14/2016 08:24 PM, Chris PeBenito wrote:
> On 08/13/16 10:23, Guido Trentalancia wrote:
>> Update for the xserver module:
>>
>> - updated the file contexts for the Xsession script;
>> - created an interface for chatting over dbus with
>>   xdm;
>> - added permission to chat over dbus with colord.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.fc |    1 +
>>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>>  policy/modules/services/xserver.te |    4 ++++
>>  3 files changed, 26 insertions(+)
>>
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>> +/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>>
>>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>>
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
>> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>>  	typeattribute $1 x_domain;
>>  	typeattribute $1 xserver_unconfined_type;
>>  ')
>> +
>> +########################################
>> +## <summary>
>> +##	Send and receive messages from
>> +##	xdm over dbus.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xdm_dbus_chat',`
> 
> Why does this interface need to be added, if it isn't going to be used 
> (it's not used below).
> 
> If it is still needed, then the interface should be xserver_dbus_chat_xdm()

Also IMHO this should ideally have been split out of xserver module. You
don't need a desktop manager for xserver (startx). That xserver module,
and the xdm domain are big enough on their own.

> 
> 
>> +	gen_require(`
>> +		type xdm_t;
>> +		class dbus send_msg;
>> +        ')
>> +
>> +	allow $1 xdm_t:dbus send_msg;
>> +	allow xdm_t $1:dbus send_msg;
>> +')
>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
>> +++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
>> @@ -507,6 +507,10 @@ optional_policy(`
>>  ')
>>
>>  optional_policy(`
>> +	colord_dbus_chat(xdm_t)
>> +')
>> +
>> +optional_policy(`
>>  	consolekit_dbus_chat(xdm_t)
>>  ')
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Guido Trentalancia @ 2016-08-14 19:02 UTC (permalink / raw)
  To: refpolicy

Hello Chris!

On Sun, 14/08/2016 at 14.24 -0400, Chris PeBenito wrote:
> On 08/13/16 10:23, Guido Trentalancia wrote:
> > Update for the xserver module:
> > 
> > - updated the file contexts for the Xsession script;
> > - created an interface for chatting over dbus with
> >   xdm;
> > - added permission to chat over dbus with colord.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/services/xserver.fc |    1 +
> >  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
> >  policy/modules/services/xserver.te |    4 ++++
> >  3 files changed, 26 insertions(+)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	
> > 2016-08-06 21:26:43.295774282 +0200
> > +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	
> > 2016-08-13 16:20:35.731361535 +0200
> > @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_cont
> > ext(s
> > ?/usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:obj
> > ect_r:xserver_exec_t,s0)
> > ?/usr/lib/xorg-server/Xorg	--	gen_context(system_u:ob
> > ject_r:xserver_exec_t,s0)
> > ?/usr/lib/xorg-server/Xorg\.wrap	--	gen_context(syste
> > m_u:object_r:xserver_exec_t,s0)
> > +/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:ob
> > ject_r:xsession_exec_t,s0)
> > 
> > ?/usr/sbin/lightdm	--	gen_context(system_u:object_r:x
> > dm_exec_t,s0)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	
> > 2016-08-06 21:26:43.295774282 +0200
> > +++ refpolicy-git-06082016/policy/modules/services/xserver.if	
> > 2016-08-13 15:01:34.028150851 +0200
> > @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
> > ?	typeattribute $1 x_domain;
> > ?	typeattribute $1 xserver_unconfined_type;
> > ?')
> > +
> > +########################################
> > +## <summary>
> > +##	Send and receive messages from
> > +##	xdm over dbus.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`xdm_dbus_chat',`
> 
> Why does this interface need to be added, if it isn't going to be
> used?
> (it's not used below).
> 
> If it is still needed, then the interface should be
> xserver_dbus_chat_xdm()

Thanks for pointing this out. It's used by userdomain.if
(userdom_common_user_template). Please note that you already merged the
userdomain patch.

I am now going to rename it, resubmit this patch and submit a short
patch to rename it in userdomain which you already merged.

Best regards,

Guido


* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Chris PeBenito @ 2016-08-14 19:05 UTC (permalink / raw)
  To: refpolicy

On 08/14/16 14:26, Dominick Grift wrote:
> On 08/14/2016 08:24 PM, Chris PeBenito wrote:
>> On 08/13/16 10:23, Guido Trentalancia wrote:
>>> Update for the xserver module:
>>>
>>> - updated the file contexts for the Xsession script;
>>> - created an interface for chatting over dbus with
>>>   xdm;
>>> - added permission to chat over dbus with colord.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/services/xserver.fc |    1 +
>>>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>>>  policy/modules/services/xserver.te |    4 ++++
>>>  3 files changed, 26 insertions(+)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
>>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>>>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>>> +/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>>>
>>>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-13 15:01:34.028150851 +0200
>>> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>>>  	typeattribute $1 x_domain;
>>>  	typeattribute $1 xserver_unconfined_type;
>>>  ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +##	Send and receive messages from
>>> +##	xdm over dbus.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`xdm_dbus_chat',`
>>
>> Why does this interface need to be added, if it isn't going to be used
>> (it's not used below).
>>
>> If it is still needed, then the interface should be xserver_dbus_chat_xdm()
>>
>>
>
> Seems to be used here though:
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008213.html

You're right.  With all of the patches, I missed this connection.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
From: Dominick Grift @ 2016-08-14 19:06 UTC (permalink / raw)
  To: refpolicy

On 08/14/2016 09:05 PM, Chris PeBenito wrote:
> On 08/14/16 14:26, Dominick Grift wrote:
>> On 08/14/2016 08:24 PM, Chris PeBenito wrote:
>>> On 08/13/16 10:23, Guido Trentalancia wrote:
>>>> Update for the xserver module:
>>>>
>>>> - updated the file contexts for the Xsession script;
>>>> - created an interface for chatting over dbus with
>>>>   xdm;
>>>> - added permission to chat over dbus with colord.
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>>  policy/modules/services/xserver.fc |    1 +
>>>>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>>>>  policy/modules/services/xserver.te |    4 ++++
>>>>  3 files changed, 26 insertions(+)
>>>>
>>>> ---
>>>> refpolicy-git-06082016-orig/policy/modules/services/xserver.fc   
>>>> 2016-08-06 21:26:43.295774282 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc   
>>>> 2016-08-13 16:20:35.731361535 +0200
>>>> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*    --    gen_context(s
>>>>  /usr/lib/xorg/Xorg\.wrap    --   
>>>> gen_context(system_u:object_r:xserver_exec_t,s0)
>>>>  /usr/lib/xorg-server/Xorg    --   
>>>> gen_context(system_u:object_r:xserver_exec_t,s0)
>>>>  /usr/lib/xorg-server/Xorg\.wrap    --   
>>>> gen_context(system_u:object_r:xserver_exec_t,s0)
>>>> +/usr/lib/X11/xdm/Xsession    --   
>>>> gen_context(system_u:object_r:xsession_exec_t,s0)
>>>>
>>>>  /usr/sbin/lightdm    --   
>>>> gen_context(system_u:object_r:xdm_exec_t,s0)
>>>>
>>>> ---
>>>> refpolicy-git-06082016-orig/policy/modules/services/xserver.if   
>>>> 2016-08-06 21:26:43.295774282 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if   
>>>> 2016-08-13 15:01:34.028150851 +0200
>>>> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>>>>      typeattribute $1 x_domain;
>>>>      typeattribute $1 xserver_unconfined_type;
>>>>  ')
>>>> +
>>>> +########################################
>>>> +## <summary>
>>>> +##    Send and receive messages from
>>>> +##    xdm over dbus.
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##    <summary>
>>>> +##    Domain allowed access.
>>>> +##    </summary>
>>>> +## </param>
>>>> +#
>>>> +interface(`xdm_dbus_chat',`
>>>
>>> Why does this interface need to be added, if it isn't going to be used
>>> (it's not used below).
>>>
>>> If it is still needed, then the interface should be
>>> xserver_dbus_chat_xdm()
>>>
>>>
>>
>> Seems to be used here though:
>>
>> http://oss.tresys.com/pipermail/refpolicy/2016-August/008213.html
> 
> You're right.  With all of the patches, I missed this connection.
> 

Yes. Too much. There are some other things that slipped through that
shouldn't have.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
From: Guido Trentalancia @ 2016-08-14 19:09 UTC (permalink / raw)
  To: refpolicy

Update for the xserver module:

- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
  xdm (currently used by the userdomain module in
  the common user template);
- added permission to chat over dbus with colord.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    1 +
 policy/modules/services/xserver.if |   21 +++++++++++++++++++++
 policy/modules/services/xserver.te |    4 ++++
 3 files changed, 26 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
@@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
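Review bot: the new Xsession entry matches only `/usr/lib/X11/xdm/Xsession`, while the neighbouring entries in this hunk cover several install layouts (`/usr/lib/xorg`, `/usr/lib/xorg-server`); confirm the script is never installed under a lib64 directory on the systems this targets, or widen the pattern to `/usr/lib(64)?/X11/xdm/Xsession` as refpolicy does for other multilib paths. The commit message should also name which display manager ships this Xsession, so the xsession_exec_t label can be reviewed against the program that actually executes it.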
--- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-14 21:04:33.812531119 +0200
@@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+        ')
+
+	allow $1 xdm_t:dbus send_msg;
+	allow xdm_t $1:dbus send_msg;
+')
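Review bot: the closing `')` of the gen_require block is indented with spaces while every other line of the interface uses tabs; use a tab so the block matches the file's style. The interface is also appended after xserver_unconfined(), which sits at the end of the file by convention; insert it earlier, next to the other xdm interfaces, so the unconfined interface stays last (the maintainer's "moved the interface up" in this thread is exactly that relocation).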
--- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
+++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
@@ -507,6 +507,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')
 
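Review bot: the commit message records the colord permission but not what xdm_t needs from colord, so the reviewer cannot tell whether the dbus chat is required or merely silences a denial; add a sentence on the use case or the observed AVC. The block itself is correctly wrapped in optional_policy() and placed alphabetically before the consolekit block.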


* [refpolicy] [PATCH v2] Update the policy and file contexts for the xserver module
  2016-08-14 19:06         ` Dominick Grift
@ 2016-08-14 19:32           ` Guido Trentalancia
  0 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-14 19:32 UTC (permalink / raw)
  To: refpolicy

Hello Dominick and Chris.

On Sun, 14/08/2016 at 21.06 +0200, Dominick Grift wrote:
> On 08/14/2016 09:05 PM, Chris PeBenito wrote:
> > On 08/14/16 14:26, Dominick Grift wrote:
> > > On 08/14/2016 08:24 PM, Chris PeBenito wrote:
> > > > On 08/13/16 10:23, Guido Trentalancia wrote:

[...]

> > > > > refpolicy-git-06082016-
> > > > > orig/policy/modules/services/xserver.if???
> > > > > 2016-08-06 21:26:43.295774282 +0200
> > > > > +++ refpolicy-git-
> > > > > 06082016/policy/modules/services/xserver.if???
> > > > > 2016-08-13 15:01:34.028150851 +0200
> > > > > @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
> > > > > ?????typeattribute $1 x_domain;
> > > > > ?????typeattribute $1 xserver_unconfined_type;
> > > > > ?')
> > > > > +
> > > > > +########################################
> > > > > +## <summary>
> > > > > +##????Send and receive messages from
> > > > > +##????xdm over dbus.
> > > > > +## </summary>
> > > > > +## <param name="domain">
> > > > > +##????<summary>
> > > > > +##????Domain allowed access.
> > > > > +##????</summary>
> > > > > +## </param>
> > > > > +#
> > > > > +interface(`xdm_dbus_chat',`
> > > > 
> > > > Why does this interface need to be added, if it isn't going to
> > > > be used
> > > > (it's not used below).
> > > > 
> > > > If it is still needed, then the interface should be
> > > > xserver_dbus_chat_xdm()
> > > > 
> > > > 
> > > 
> > > Seems to be used here though:
> > > 
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008213.html
> > 
> > You're right. With all of the patches, I missed this connection.
> > 
> 
> Yes. Too much. There are some other things that slipped through that
> shouldn't have.

They are all very small patches, but they bring a lot of improvement in
terms of usability ! The Reference Policy is substantially improved
after the changes have been merged.

Also, I believe only the gnome patch is missing to complete the job.

Best regards,

Guido


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-14 19:09   ` [refpolicy] [PATCH v3] " Guido Trentalancia
@ 2016-08-14 19:33     ` Chris PeBenito
  2016-08-14 19:48       ` Guido Trentalancia
  0 siblings, 1 reply; 21+ messages in thread
From: Chris PeBenito @ 2016-08-14 19:33 UTC (permalink / raw)
  To: refpolicy

On 08/14/16 15:09, Guido Trentalancia wrote:
> Update for the xserver module:
>
> - updated the file contexts for the Xsession script;
> - created an interface for chatting over dbus with
>   xdm (currently used by the userdomain module in
>   the common user template);
> - added permission to chat over dbus with colord.

Merged, though I moved the interface up.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    1 +
>  policy/modules/services/xserver.if |   21 +++++++++++++++++++++
>  policy/modules/services/xserver.te |    4 ++++
>  3 files changed, 26 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.fc	2016-08-06 21:26:43.295774282 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.fc	2016-08-13 16:20:35.731361535 +0200
> @@ -74,6 +74,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> +/usr/lib/X11/xdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if	2016-08-06 21:26:43.295774282 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.if	2016-08-14 21:04:33.812531119 +0200
> @@ -1291,3 +1291,24 @@ interface(`xserver_unconfined',`
>  	typeattribute $1 x_domain;
>  	typeattribute $1 xserver_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Send and receive messages from
> +##	xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_dbus_chat_xdm',`
> +	gen_require(`
> +		type xdm_t;
> +		class dbus send_msg;
> +        ')
> +
> +	allow $1 xdm_t:dbus send_msg;
> +	allow xdm_t $1:dbus send_msg;
> +')
> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.te	2016-08-06 21:26:43.296774294 +0200
> +++ refpolicy-git-06082016/policy/modules/services/xserver.te	2016-08-13 12:48:32.475827426 +0200
> @@ -507,6 +507,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	colord_dbus_chat(xdm_t)
> +')
> +
> +optional_policy(`
>  	consolekit_dbus_chat(xdm_t)
>  ')
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-14 19:33     ` Chris PeBenito
@ 2016-08-14 19:48       ` Guido Trentalancia
  2016-08-14 20:10         ` Chris PeBenito
  0 siblings, 1 reply; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-14 19:48 UTC (permalink / raw)
  To: refpolicy

Hello Chris.

On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> On 08/14/16 15:09, Guido Trentalancia wrote:
> > Update for the xserver module:
> > 
> > - updated the file contexts for the Xsession script;
> > - created an interface for chatting over dbus with
> >   xdm (currently used by the userdomain module in
> >   the common user template);
> > - added permission to chat over dbus with colord.
> 
> Merged, though I moved the interface up.

Excellent.

This is what is missing now:

- the gnome module: this is very important, I am now improving it as
suggested by Dominick Grift;
- the dbus patch for binary execution (otherwise it refuses to start);
- the new fc_sort patch if you like the idea of installing it system-
wide to avoid execution permission problems (e.g. in /usr/src);
- a patch to make use of the new module_load permission to load kernel
module (problem of the appropriate location for modules_object_t).

It's all about patches that are being reviewed, there are no other
patches...

Regards,

Guido


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-14 19:48       ` Guido Trentalancia
@ 2016-08-14 20:10         ` Chris PeBenito
  2016-08-15  3:19           ` Jason Zaman
  0 siblings, 1 reply; 21+ messages in thread
From: Chris PeBenito @ 2016-08-14 20:10 UTC (permalink / raw)
  To: refpolicy

On 08/14/16 15:48, Guido Trentalancia wrote:
> Hello Chris.
>
> On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
>> On 08/14/16 15:09, Guido Trentalancia wrote:
>>> Update for the xserver module:
>>>
>>> - updated the file contexts for the Xsession script;
>>> - created an interface for chatting over dbus with
>>>   xdm (currently used by the userdomain module in
>>>   the common user template);
>>> - added permission to chat over dbus with colord.
>>
>> Merged, though I moved the interface up.
>
> Excellent.
>
> This is what is missing now:
>
> - the gnome module: this is very important, I am now improving it as
> suggested by Dominick Grift;
> - the dbus patch for binary execution (otherwise it refuses to start);
> - the new fc_sort patch if you like the idea of installing it system-
> wide to avoid execution permission problems (e.g. in /usr/src);
> - a patch to make use of the new module_load permission to load kernel
> module (problem of the appropriate location for modules_object_t).
>
> It's all about patches that are being reviewed, there are no other
> patches...

In the future I'd ask that you post related patches as a series, so we 
can see that patches are related.

I've pushed all of the merged changes, plus my modifications.  Please 
rebase any remaining patches.

-- 
Chris PeBenito


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-14 20:10         ` Chris PeBenito
@ 2016-08-15  3:19           ` Jason Zaman
  2016-08-15 13:55             ` Guido Trentalancia
  0 siblings, 1 reply; 21+ messages in thread
From: Jason Zaman @ 2016-08-15  3:19 UTC (permalink / raw)
  To: refpolicy

On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> On 08/14/16 15:48, Guido Trentalancia wrote:
> > Hello Chris.
> >
> > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> >> On 08/14/16 15:09, Guido Trentalancia wrote:
> >>> Update for the xserver module:
> >>>
> >>> - updated the file contexts for the Xsession script;
> >>> - created an interface for chatting over dbus with
> >>>   xdm (currently used by the userdomain module in
> >>>   the common user template);
> >>> - added permission to chat over dbus with colord.
> >>
> >> Merged, though I moved the interface up.
> >
> > Excellent.

What distro (or version of distro) are you on?

> > This is what is missing now:
> >
> > - the gnome module: this is very important, I am now improving it as
> > suggested by Dominick Grift;
> > - the dbus patch for binary execution (otherwise it refuses to start);

I have the same file on gentoo and dbus all starts fine. In general
things marked bin_t are not terrible so I'm not hugely against adding
the perm. Is this for a new version of dbus or something?
I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
code it's calling that and that would give more insight to why.
/bin/false is frequently used in /etc/passwd so it might be something to
do with that?

> > - the new fc_sort patch if you like the idea of installing it system-
> > wide to avoid execution permission problems (e.g. in /usr/src);

sysadm_t has full permissions in to src_t already? otherwise compiling
the kernel wouldn't work either since it has many scripts it needs to run
too.
How are you installing the sources? in general the package manager
should be force-resetting the labels on the files as it merges them into
the main FS.

> > - a patch to make use of the new module_load permission to load kernel
> > module (problem of the appropriate location for modules_object_t).

I got a report on gentoo about things failing on kernel 4.7. I think
this one is required to fix it.

> >
> > It's all about patches that are being reviewed, there are no other
> > patches...
> 
> In the future I'd ask that you post related patches as a series, so we 
> can see that patches are related.

Seconded, this makes it easier to follow.
$ git format-patch origin/master..mybranch
$ git send-email --to=refpolicy at oss.tresys.com --compose 000*.patch
The --compose switch will open an editor so you can write a short message
about the series and then all the other patches are replies to that. 

-- Jason

> I've pushed all of the merged changes, plus my modifications.  Please 
> rebase any remaining patches.
> 
> -- 
> Chris PeBenito


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-15  3:19           ` Jason Zaman
@ 2016-08-15 13:55             ` Guido Trentalancia
  2016-08-15 14:28               ` Dominick Grift
                                 ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-15 13:55 UTC (permalink / raw)
  To: refpolicy

Hello Jason.

Thanks for getting back on this.

On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
> On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> > On 08/14/16 15:48, Guido Trentalancia wrote:
> > > Hello Chris.
> > > 
> > > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> > > > On 08/14/16 15:09, Guido Trentalancia wrote:
> > > > > Update for the xserver module:
> > > > > 
> > > > > - updated the file contexts for the Xsession script;
> > > > > - created an interface for chatting over dbus with
> > > > >   xdm (currently used by the userdomain module in
> > > > >   the common user template);
> > > > > - added permission to chat over dbus with colord.
> > > > 
> > > > Merged, though I moved the interface up.
> > > 
> > > Excellent.
> 
> What distro (or version of distro) are you on?

It's not a distribution, but rather just Linux and GNU stuff built from
scratch. It's not Linuxfromscratch, as I do not follow their way of
building stuff, but similar to it.

It's as close as possible to the original source code (i.e. patches
kept to the minimum and configure options closest to the default).

> > > This is what is missing now:
> > > 
> > > - the gnome module: this is very important, I am now improving it
> > > as
> > > suggested by Dominick Grift;
> > > - the dbus patch for binary execution (otherwise it refuses to
> > > start);
> 
> I have the same file on gentoo and dbus all starts fine. In general
> things marked bin_t are not terrible so I'm not hugely against adding
> the perm. Is this for a new version of dbus or something?

I am always using the latest version of everything, so it's latest
dbus.

Please note that there should be references of this in the source
code... Did you get a chance to look there ?

Might be the following:

dbus/dbus-transport-unix.c:  c = dbus_connection_open
("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);

Also, many .service files have the following:

Exec=/bin/false

> I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
> code it's calling that and that would give more insight to why.

See above.

> /bin/false is frequently used in /etc/passwd so it might be something
> to
> do with that?

I don't think so. It's used in /etc/passwd to deny a login for virtual
users (such as daemons).

> > > - the new fc_sort patch if you like the idea of installing it
> > > system-
> > > wide to avoid execution permission problems (e.g. in /usr/src);
> 
> sysadm_t has full permissions in to src_t already? otherwise
> compiling

It's a bug in the git module then. It should create files in /usr/src
with automatic transition to the src_t type.

> the kernel wouldn't work either since it has many scripts it needs to
> run
> too.
> How are you installing the sources? in general the package manager
> should be force-resetting the labels on the files as it merges them
> into
> the main FS.
> 
> > > - a patch to make use of the new module_load permission to load
> > > kernel
> > > module (problem of the appropriate location for
> > > modules_object_t).
> 
> I got a report on gentoo about things failing on kernel 4.7. I think
> this one is required to fix it.

See above, we need to tackle the git module with a simple fix.

> > > 
> > > It's all about patches that are being reviewed, there are no
> > > other
> > > patches...

Apart from the lvm module that was left out for some reason.

> > In the future I'd ask that you post related patches as a series, so
> > we
> > can see that patches are related.
> 
> Seconded, this makes it easier to follow.
> $ git format-patch origin/master..mybranch
> $ git send-email --to=refpolicy at oss.tresys.com --compose 000*.patch
> The --compose switch will open an editor so you can write a short
> message
> about the series and then all the other patches are replies to that.
> 
> -- Jason

Thanks Jason, I'll give it a try...

Regards,

Guido


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-15 13:55             ` Guido Trentalancia
@ 2016-08-15 14:28               ` Dominick Grift
  2016-08-15 14:31               ` Jason Zaman
  2016-08-16 15:18               ` Guido Trentalancia
  2 siblings, 0 replies; 21+ messages in thread
From: Dominick Grift @ 2016-08-15 14:28 UTC (permalink / raw)
  To: refpolicy

On 08/15/2016 03:55 PM, Guido Trentalancia wrote:
> Hello Jason.
> 
> Thanks for getting back on this.
> 
> On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
>> On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
>>> On 08/14/16 15:48, Guido Trentalancia wrote:
>>>> Hello Chris.
>>>>
>>>> On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
>>>>> On 08/14/16 15:09, Guido Trentalancia wrote:
>>>>>> Update for the xserver module:
>>>>>>
>>>>>> - updated the file contexts for the Xsession script;
>>>>>> - created an interface for chatting over dbus with
>>>>>>   xdm (currently used by the userdomain module in
>>>>>>   the common user template);
>>>>>> - added permission to chat over dbus with colord.
>>>>>
>>>>> Merged, though I moved the interface up.
>>>>
>>>> Excellent.
>>
>> What distro (or version of distro) are you on?
> 
> It's not a distribution, but rather just Linux and GNU stuff built from
> scratch. It's not Linuxfromscratch, as I do not follow their way of
> building stuff, but similar to it.
> 
> It's as close as possible to the original source code (i.e. patches
> kept to the minimum and configure options closest to the default).
> 
>>>> This is what is missing now:
>>>>
>>>> - the gnome module: this is very important, I am now improving it
>>>> as
>>>> suggested by Dominick Grift;
>>>> - the dbus patch for binary execution (otherwise it refuses to
>>>> start);
>>
>> I have the same file on gentoo and dbus all starts fine. In general
>> things marked bin_t are not terrible so I'm not hugely against adding
>> the perm. Is this for a new version of dbus or something?
> 
> I am always using the latest version of everything, so it's latest
> dbus.
> 
> Please note that there should be references of this in the source
> code... Did you get a chance to look there ?
> 
> Might be the following:
> 
> dbus/dbus-transport-unix.c:  c = dbus_connection_open
> ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
> 

For the record: just because I advise against this, that means just that,
not much. I am just rambling, saying what is on my mind. It is up to
others to decide what is right and what is wrong for them.

I am fine with things either way. I just like to talk about this stuff
and share some of my experiences.

> Also, many .service files have the following:
> 
> Exec=/bin/false
> 
>> I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
>> code it's calling that and that would give more insight to why.
> 
> See above.
> 
>> /bin/false is frequently used in /etc/passwd so it might be something
>> to
>> do with that?
> 
> I don't think so. It's used in /etc/passwd to deny a login for virtual
> users (such as daemons).
> 
>>>> - the new fc_sort patch if you like the idea of installing it
>>>> system-
>>>> wide to avoid execution permission problems (e.g. in /usr/src);
>>
>> sysadm_t has full permissions in to src_t already? otherwise
>> compiling
> 
> It's a bug in the git module then. It should create files in /usr/src
> with automatic transition to the src_t type.
> 
>> the kernel wouldn't work either since it has many scripts it needs to
>> run
>> too.
>> How are you installing the sources? in general the package manager
>> should be force-resetting the labels on the files as it merges them
>> into
>> the main FS.
>>
>>>> - a patch to make use of the new module_load permission to load
>>>> kernel
>>>> module (problem of the appropriate location for
>>>> modules_object_t).
>>
>> I got a report on gentoo about things failing on kernel 4.7. I think
>> this one is required to fix it.
> 
> See above, we need to tackle the git module with a simple fix.
> 
>>>>
>>>> It's all about patches that are being reviewed, there are no
>>>> other
>>>> patches...
> 
> Apart from the lvm module that was left out for some reason.
> 
>>> In the future I'd ask that you post related patches as a series, so
>>> we 
>>> can see that patches are related.
>>
>> Seconded, this makes it easier to follow.
>> $ git format-patch origin/master..mybranch
>> $ git send-email --to=refpolicy at oss.tresys.com --compose 000*.patch
>> The --compose switch will open an editor so you can write a short
>> message
>> about the series and then all the other patches are replies to that. 
>>
>> -- Jason
> 
> Thanks Jason, I'll give it a try...
> 
> Regards,
> 
> Guido


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-15 13:55             ` Guido Trentalancia
  2016-08-15 14:28               ` Dominick Grift
@ 2016-08-15 14:31               ` Jason Zaman
  2016-08-15 14:44                 ` Guido Trentalancia
  2016-08-16 15:18               ` Guido Trentalancia
  2 siblings, 1 reply; 21+ messages in thread
From: Jason Zaman @ 2016-08-15 14:31 UTC (permalink / raw)
  To: refpolicy

On Mon, Aug 15, 2016 at 03:55:28PM +0200, Guido Trentalancia wrote:
> Hello Jason.
> 
> Thanks for getting back on this.
> 
> On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
> > On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> > > On 08/14/16 15:48, Guido Trentalancia wrote:
> > > > Hello Chris.
> > > > 
> > > > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> > > > > On 08/14/16 15:09, Guido Trentalancia wrote:
> > > > > > Update for the xserver module:
> > > > > > 
> > > > > > - updated the file contexts for the Xsession script;
> > > > > > - created an interface for chatting over dbus with
> > > > > >   xdm (currently used by the userdomain module in
> > > > > >   the common user template);
> > > > > > - added permission to chat over dbus with colord.
> > > > > 
> > > > > Merged, though I moved the interface up.
> > > > 
> > > > Excellent.
> > 
> > What distro (or version of distro) are you on?
> 
> It's not a distribution, but rather just Linux and GNU stuff built from
> scratch. It's not Linuxfromscratch, as I do not follow their way of
> building stuff, but similar to it.
> 
> It's as close as possible to the original source code (i.e. patches
> kept to the minimum and configure options closest to the default).
> 
> > > > This is what is missing now:
> > > > 
> > > > - the gnome module: this is very important, I am now improving it
> > > > as
> > > > suggested by Dominick Grift;
> > > > - the dbus patch for binary execution (otherwise it refuses to
> > > > start);
> > 
> > I have the same file on gentoo and dbus all starts fine. In general
> > things marked bin_t are not terrible so I'm not hugely against adding
> > the perm. Is this for a new version of dbus or something?
> 
> I am always using the latest version of everything, so it's latest
> dbus.

I'm on the latest release in their stable branch too so not sure why
yours fails but mine doesn't.
> 
> Please note that there should be references of this in the source
> code... Did you get a chance to look there ?
> 
> Might be the following:
> 
> dbus/dbus-transport-unix.c:  c = dbus_connection_open
> ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
Could be this. Are you up for strace/gdb'ing to confirm? 
> 
> Also, many .service files have the following:
> 
> Exec=/bin/false
If this was it, it would fail as init_t or initrc_t. Your dbus is
failing later on so it can't be something like this.

> > I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
> > code it's calling that and that would give more insight to why.
> 
> See above.
> 
> > /bin/false is frequently used in /etc/passwd so it might be something
> > to
> > do with that?
> 
> I don't think so. It's used in /etc/passwd to deny a login for virtual
> users (such as daemons).
> 
> > > > - the new fc_sort patch if you like the idea of installing it
> > > > system-
> > > > wide to avoid execution permission problems (e.g. in /usr/src);
> > 
> > sysadm_t has full permissions in to src_t already? otherwise
> > compiling
> 
> It's a bug in the git module then. It should create files in /usr/src
> with automatic transition to the src_t type.

/usr/bin/git is bin_t, so it will run as sysadm_t.
You mean you are doing:
cd /usr/src/
git clone git://github.com/TresysTechnology/refpolicy.git
and it's failing?

That definitely gets it all as src_t for me.

meriadoc src # id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
meriadoc src # ls -ldZ /usr/src/refpolicy/
drwxr-xr-x. 8 root root staff_u:object_r:src_t:s0 22 Aug 15 22:05 /usr/src/refpolicy//

Everything under that dir is also src_t. There should be no problems.
The git policy is for git daemon and gitweb. The main "git" binary is
just bin_t. What label do you have on it after checking out?

-- Jason

> 
> > the kernel wouldn't work either since it has many scripts it needs to
> > run
> > too.
> > How are you installing the sources? in general the package manager
> > should be force-resetting the labels on the files as it merges them
> > into
> > the main FS.
> > 
> > > > - a patch to make use of the new module_load permission to load
> > > > kernel
> > > > module (problem of the appropriate location for
> > > > modules_object_t).
> > 
> > I got a report on gentoo about things failing on kernel 4.7. I think
> > this one is required to fix it.
> 
> See above, we need to tackle the git module with a simple fix.
> 
> > > > 
> > > > It's all about patches that are being reviewed, there are no
> > > > other
> > > > patches...
> 
> Apart from the lvm module that was left out for some reason.
> 
> > > In the future I'd ask that you post related patches as a series, so
> > > we
> > > can see that patches are related.
> > 
> > Seconded, this makes it easier to follow.
> > $ git format-patch origin/master..mybranch
> > $ git send-email --to=refpolicy at oss.tresys.com --compose 000*.patch
> > The --compose switch will open an editor so you can write a short
> > message
> > about the series and then all the other patches are replies to that.
> > 
> > -- Jason
> 
> Thanks Jason, I'll give it a try...
> 
> Regards,
> 
> Guido


* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-15 14:31               ` Jason Zaman
@ 2016-08-15 14:44                 ` Guido Trentalancia
  0 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-15 14:44 UTC (permalink / raw)
  To: refpolicy

Hello.

On Mon, 15/08/2016 at 22.31 +0800, Jason Zaman wrote:
> On Mon, Aug 15, 2016 at 03:55:28PM +0200, Guido Trentalancia wrote:
> > Hello Jason.
> > 
> > Thanks for getting back on this.
> > 
> > On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
> > > On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> > > > On 08/14/16 15:48, Guido Trentalancia wrote:
> > > > > Hello Chris.
> > > > > 
> > > > > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> > > > > > On 08/14/16 15:09, Guido Trentalancia wrote:
> > > > > > > Update for the xserver module:
> > > > > > > 
> > > > > > > - updated the file contexts for the Xsession script;
> > > > > > > - created an interface for chatting over dbus with
> > > > > > >   xdm (currently used by the userdomain module in
> > > > > > >   the common user template);
> > > > > > > - added permission to chat over dbus with colord.
> > > > > > 
> > > > > > Merged, though I moved the interface up.
> > > > > 
> > > > > Excellent.
> > > 
> > > What distro (or version of distro) are you on?
> > 
> > It's not a distribution, but rather just Linux and GNU stuff built
> > from
> > scratch. It's not Linuxfromscratch, as I do not follow their way of
> > building stuff, but similar to it.
> > 
> > It's as close as possible to the original source code (i.e. patches
> > kept to the minimum and configure options closest to the default).
> > 
> > > > > This is what is missing now:
> > > > > 
> > > > > - the gnome module: this is very important, I am now
> > > > > improving it
> > > > > as
> > > > > suggested by Dominick Grift;
> > > > > - the dbus patch for binary execution (otherwise it refuses
> > > > > to
> > > > > start);
> > > 
> > > I have the same file on gentoo and dbus all starts fine. In
> > > general
> > > things marked bin_t are not terrible so I'm not hugely against
> > > adding
> > > the perm. Is this for a new version of dbus or something?
> > 
> > I am always using the latest version of everything, so it's latest
> > dbus.
> 
> I'm on the latest release in their stable branch too so not sure why
> yours fails but mine doesn't.
> > 
> > Please note that there should be references of this in the source
> > code... Did you get a chance to look there ?
> > 
> > Might be the following:
> > 
> > dbus/dbus-transport-unix.c:  c = dbus_connection_open
> > ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
> Could be this. Are you up for strace/gdb'ing to confirm?

Not now, as I am busy with building and testing gnome module which is
more urgent.

> > Also, many .service files have the following:
> > 
> > Exec=/bin/false
> If this was it, it would fail as init_t or initrc_t. Your dbus is
> failing later on so it can't be something like this.
> 
> > > I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in
> > > the
> > > code it's calling that and that would give more insight to why.
> > 
> > See above.
> > 
> > > /bin/false is frequently used in /etc/passwd so it might be
> > > something
> > > to
> > > do with that?
> > 
> > I don't think so. It's used in /etc/passwd to deny a login for
> > virtual
> > users (such as daemons).
> > 
> > > > > - the new fc_sort patch if you like the idea of installing it
> > > > > system-
> > > > > wide to avoid execution permission problems (e.g. in
> > > > > /usr/src);
> > > 
> > > sysadm_t has full permissions into src_t already? Otherwise
> > > compiling
> > 
> > It's a bug in the git module then. It should create files in
> > /usr/src with automatic transition to the src_t type.
> 
> /usr/bin/git is bin_t, so it will run as sysadm_t.
> You mean you are doing:
> cd /usr/src/
> git clone git://github.com/TresysTechnology/refpolicy.git
> and it's failing?

Exactly. It gets usr_t instead of src_t.

> That definitely gets it all as src_t for me
> 
> meriadoc src # id -Z
> staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
> meriadoc src # ls -ldZ /usr/src/refpolicy/
> drwxr-xr-x. 8 root root staff_u:object_r:src_t:s0 22 Aug 15 22:05 /usr/src/refpolicy//
> 
> Everything under that dir is also src_t. There should be no problems.
> The git policy is for git daemon and gitweb. The main "git" binary is
> just bin_t. What label do you have on it after checking out?

The git binary is bin_t.

Regards,

Guido

* [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
  2016-08-15 13:55             ` Guido Trentalancia
  2016-08-15 14:28               ` Dominick Grift
  2016-08-15 14:31               ` Jason Zaman
@ 2016-08-16 15:18               ` Guido Trentalancia
  2 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-16 15:18 UTC (permalink / raw)
  To: refpolicy

Hello Jason.

I am finally back to your question...

On Mon, 15/08/2016 at 15.55 +0200, Guido Trentalancia wrote:
> Hello Jason.
> 
> Thanks for getting back on this.
> 
> On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:

[...]

> > > > This is what is missing now:
> > > > 
> > > > - the gnome module: this is very important, I am now improving
> > > > it as suggested by Dominick Grift;
> > > > - the dbus patch for binary execution (otherwise it refuses to
> > > > start);
> > 
> > I have the same file on Gentoo and dbus all starts fine. In general
> > things marked bin_t are not terrible so I'm not hugely against
> > adding the perm. Is this for a new version of dbus or something?
> 
> I am always using the latest version of everything, so it's the
> latest dbus.
> 
> Please note that there should be references to this in the source
> code... Did you get a chance to look there?
> 
> Might be the following:
> 
> dbus/dbus-transport-unix.c:  c = dbus_connection_open
> ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
> 
> Also, many .service files have the following:
> 
> Exec=/bin/false

The matter is finally clarified. It's the latter (the Exec field in the
service files)!

Try it yourself, it's extremely easy to reproduce, just create a
service file with that field...

Some service files that are executed through systemd use that Exec
field, most probably because the Exec field is mandatory for dbus
service files.

I am now dropping that dbus patch, because corecmd_exec_bin() executes
bin_t executable files BUT the resulting process runs in the
system_dbusd_t domain!

Regards,

Guido
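As an added check that is not part of this thread, of dbus or of refpolicy: the message above turns on which binaries a D-Bus service file makes dbus-daemon execute, and what SELinux type those binaries carry. The POSIX shell script below extracts the Exec= target of each .service file in a directory and, where the SELinux tools happen to be installed, prints the file context matchpathcon assigns to that target and whether sesearch finds an allow rule letting system_dbusd_t execute that type; on a host without those tools it prints "unknown" instead of guessing. The two service files and their Exec values are constructed sample input written to a temporary directory, and all function names are my own.

```shell
#!/bin/sh
# Added example, not code from the refpolicy thread: audit which binaries
# D-Bus service files ask dbus-daemon to execute and what SELinux type
# the file-context database would give them.

# Print the binary (first word of the Exec= value) of one .service file.
dbus_service_exec() {
    sed -n 's/^Exec=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print "<service file> <exec binary>" for every .service file in a directory.
list_dbus_execs() {
    for f in "$1"/*.service; do
        [ -f "$f" ] || continue
        exe=$(dbus_service_exec "$f")
        if [ -n "$exe" ]; then
            printf '%s %s\n' "$f" "$exe"
        fi
    done
}

# Context the file-context database assigns to a path, via matchpathcon
# when it is installed and answers; "unknown" otherwise.
expected_context() {
    ctx=""
    if command -v matchpathcon >/dev/null 2>&1; then
        ctx=$(matchpathcon -n "$1" 2>/dev/null) || ctx=""
    fi
    [ -n "$ctx" ] && echo "$ctx" || echo unknown
}

# Type field of a context such as system_u:object_r:bin_t:s0 (-> bin_t).
context_type() {
    t=${1#*:*:}
    echo "${t%%:*}"
}

# Does the loaded policy let system_dbusd_t execute files of this type?
# Uses sesearch (setools); prints "yes", "no" or "unknown".
dbusd_may_exec() {
    command -v sesearch >/dev/null 2>&1 || { echo unknown; return; }
    out=$(sesearch -A -s system_dbusd_t -t "$1" -c file -p execute 2>/dev/null) \
        || { echo unknown; return; }
    case "$out" in
        *allow*) echo yes ;;
        *)       echo no ;;
    esac
}

# Constructed sample input: two service files in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/org.example.Foo.service" <<'EOF'
[D-BUS Service]
Name=org.example.Foo
Exec=/bin/false
User=root
SystemdService=foo.service
EOF
cat > "$demo_dir/org.example.Bar.service" <<'EOF'
[D-BUS Service]
Name=org.example.Bar
Exec=/usr/bin/bar-daemon --system
EOF

list_dbus_execs "$demo_dir" | while read -r svc exe; do
    ctx=$(expected_context "$exe")
    printf '%s\n  Exec binary:      %s\n  expected context: %s\n  dbusd may exec:   %s\n' \
        "$svc" "$exe" "$ctx" "$(dbusd_may_exec "$(context_type "$ctx")")"
done
rm -rf "$demo_dir"
```

Pointing list_dbus_execs at /usr/share/dbus-1/system-services on a real host lists the activation targets dbus-daemon would exec itself; an entry whose type is bin_t and whose "dbusd may exec" answer is "yes" is exactly the case discussed above, where no domain transition is defined and the child keeps running as system_dbusd_t.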

Thread overview: 21+ messages
2016-08-13 13:27 [refpolicy] [PATCH] Update the policy and file contexts for the xserver module Guido Trentalancia
2016-08-13 13:31 ` Dominick Grift
2016-08-13 13:59   ` Chris PeBenito
2016-08-13 14:23 ` [refpolicy] [PATCH v2] " Guido Trentalancia
2016-08-14 18:24   ` Chris PeBenito
2016-08-14 18:26     ` Dominick Grift
2016-08-14 19:05       ` Chris PeBenito
2016-08-14 19:06         ` Dominick Grift
2016-08-14 19:32           ` Guido Trentalancia
2016-08-14 18:35     ` Dominick Grift
2016-08-14 19:02     ` Guido Trentalancia
2016-08-14 19:09   ` [refpolicy] [PATCH v3] " Guido Trentalancia
2016-08-14 19:33     ` Chris PeBenito
2016-08-14 19:48       ` Guido Trentalancia
2016-08-14 20:10         ` Chris PeBenito
2016-08-15  3:19           ` Jason Zaman
2016-08-15 13:55             ` Guido Trentalancia
2016-08-15 14:28               ` Dominick Grift
2016-08-15 14:31               ` Jason Zaman
2016-08-15 14:44                 ` Guido Trentalancia
2016-08-16 15:18               ` Guido Trentalancia
