* [refpolicy] [PATCH] misc dbus patches @ 2018-02-13 0:36 Russell Coker 2018-02-15 21:57 ` Chris PeBenito 0 siblings, 1 reply; 8+ messages in thread From: Russell Coker @ 2018-02-13 0:36 UTC (permalink / raw) To: refpolicy Here is a collection of dbus policy patches, all fairly simple. Chris please merge the ones you like and we can discuss any you don't like afterwards. Index: refpolicy-2.20180211/policy/modules/contrib/apt.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te +++ refpolicy-2.20180211/policy/modules/contrib/apt.te @@ -148,6 +148,11 @@ optional_policy(` ') optional_policy(` + # for packagekitd + policykit_dbus_chat(apt_t) +') + +optional_policy(` # rkhunter trigger rkhunter_domtrans(apt_t) ') @@ -159,4 +164,5 @@ optional_policy(` optional_policy(` unconfined_domain(apt_t) + unconfined_dbus_send(apt_t) ') Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t) init_all_labeled_script_domtrans(system_dbusd_t) init_start_system(system_dbusd_t) # needed by dbus-broker +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/* +libs_exec_lib_files(system_dbusd_t) + logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te @@ -194,6 +194,11 @@ optional_policy(` ') optional_policy(` + # gwenview triggers the need for this + xserver_dbus_chat_xdm(devicekit_disk_t) +') + +optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -287,6 +292,7 @@ optional_policy(` optional_policy(` dbus_system_bus_client(devicekit_power_t) + init_dbus_chat(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; Index: refpolicy-2.20180211/policy/modules/system/init.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/init.te +++ refpolicy-2.20180211/policy/modules/system/init.te @@ -509,6 +509,7 @@ optional_policy(` optional_policy(` unconfined_domain(init_t) + unconfined_dbus_send(init_t) ') ######################################## Index: refpolicy-2.20180211/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te +++ refpolicy-2.20180211/policy/modules/system/systemd.te @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho optional_policy(` dbus_connect_system_bus(systemd_hostnamed_t) dbus_system_bus_client(systemd_hostnamed_t) + init_dbus_chat(systemd_hostnamed_t) ') optional_policy(` @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy userdom_delete_all_user_runtime_named_pipes(systemd_logind_t) userdom_delete_all_user_runtime_named_sockets(systemd_logind_t) userdom_delete_all_user_runtime_symlinks(systemd_logind_t) +# user_tmp_t is for the dbus-1 directory +userdom_list_user_tmp(systemd_logind_t) userdom_manage_user_runtime_dirs(systemd_logind_t) userdom_manage_user_runtime_root_dirs(systemd_logind_t) userdom_mounton_user_runtime_dirs(systemd_logind_t) @@ -482,6 +485,9 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(systemd_logind_t) ') +optional_policy(` + modemmanager_dbus_chat(systemd_logind_t) +') optional_policy(` policykit_dbus_chat(systemd_logind_t) @@ -753,6 +759,10 @@ optional_policy(` ') optional_policy(` + unconfined_dbus_send(systemd_machined_t) +') + +optional_policy(` virt_manage_virt_content(systemd_nspawn_t) ') Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te @@ -222,6 +222,7 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + init_dbus_chat(NetworkManager_t) optional_policy(` avahi_dbus_chat(NetworkManager_t) Index: refpolicy-2.20180211/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20180211/policy/modules/system/locallogin.te @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi ifdef(`init_systemd',` auth_manage_faillog(local_login_t) + init_dbus_chat(local_login_t) systemd_dbus_chat_logind(local_login_t) systemd_use_logind_fds(local_login_t) systemd_manage_logind_pid_pipes(local_login_t) Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` + dbus_system_bus_client(groupadd_t) +') + +optional_policy(` dpkg_use_fds(groupadd_t) dpkg_rw_pipes(groupadd_t) ') @@ -538,6 +542,10 @@ optional_policy(` ') optional_policy(` + dbus_system_bus_client(useradd_t) +') + +optional_policy(` dpkg_use_fds(useradd_t) dpkg_rw_pipes(useradd_t) ') Index: refpolicy-2.20180211/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20180211/policy/modules/system/unconfined.te @@ -116,6 +116,10 @@ optional_policy(` ') optional_policy(` + modemmanager_dbus_chat(unconfined_t) +') + +optional_policy(` modutils_run(unconfined_t, unconfined_r) ') ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-13 0:36 [refpolicy] [PATCH] misc dbus patches Russell Coker @ 2018-02-15 21:57 ` Chris PeBenito 2018-02-16 6:04 ` Russell Coker 2018-02-23 4:53 ` Russell Coker 0 siblings, 2 replies; 8+ messages in thread From: Chris PeBenito @ 2018-02-15 21:57 UTC (permalink / raw) To: refpolicy On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote: > Here is a collection of dbus policy patches, all fairly simple. > > Chris please merge the ones you like and we can discuss any you don't like > afterwards. I merged everything except for the user/groupadd ones, which need explanation: what are they doing with dbus exactly? > Index: refpolicy-2.20180211/policy/modules/contrib/apt.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te > +++ refpolicy-2.20180211/policy/modules/contrib/apt.te > @@ -148,6 +148,11 @@ optional_policy(` > ') > > optional_policy(` > + # for packagekitd > + policykit_dbus_chat(apt_t) > +') > + > +optional_policy(` > # rkhunter trigger > rkhunter_domtrans(apt_t) > ') > @@ -159,4 +164,5 @@ optional_policy(` > > optional_policy(` > unconfined_domain(apt_t) > + unconfined_dbus_send(apt_t) > ') > Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te > +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te > @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t) > init_all_labeled_script_domtrans(system_dbusd_t) > init_start_system(system_dbusd_t) # needed by dbus-broker > > +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/* > +libs_exec_lib_files(system_dbusd_t) > + > logging_send_audit_msgs(system_dbusd_t) > logging_send_syslog_msg(system_dbusd_t) > > Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te > +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te > @@ -194,6 +194,11 @@ optional_policy(` > ') > > optional_policy(` > + # gwenview triggers the need for this > + xserver_dbus_chat_xdm(devicekit_disk_t) > +') > + > +optional_policy(` > virt_manage_images(devicekit_disk_t) > ') > > @@ -287,6 +292,7 @@ optional_policy(` > > optional_policy(` > dbus_system_bus_client(devicekit_power_t) > + init_dbus_chat(devicekit_power_t) > > allow devicekit_power_t devicekit_t:dbus send_msg; > > Index: refpolicy-2.20180211/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/system/init.te > +++ refpolicy-2.20180211/policy/modules/system/init.te > @@ -509,6 +509,7 @@ optional_policy(` > > optional_policy(` > unconfined_domain(init_t) > + unconfined_dbus_send(init_t) > ') > > ######################################## > Index: refpolicy-2.20180211/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20180211/policy/modules/system/systemd.te > @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho > optional_policy(` > dbus_connect_system_bus(systemd_hostnamed_t) > dbus_system_bus_client(systemd_hostnamed_t) > + init_dbus_chat(systemd_hostnamed_t) > ') > > optional_policy(` > @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy > userdom_delete_all_user_runtime_named_pipes(systemd_logind_t) > userdom_delete_all_user_runtime_named_sockets(systemd_logind_t) > userdom_delete_all_user_runtime_symlinks(systemd_logind_t) > +# user_tmp_t is for the dbus-1 directory > +userdom_list_user_tmp(systemd_logind_t) > userdom_manage_user_runtime_dirs(systemd_logind_t) > userdom_manage_user_runtime_root_dirs(systemd_logind_t) > userdom_mounton_user_runtime_dirs(systemd_logind_t) > @@ -482,6 +485,9 @@ optional_policy(` > optional_policy(` > networkmanager_dbus_chat(systemd_logind_t) > ') > +optional_policy(` > + modemmanager_dbus_chat(systemd_logind_t) > +') > > optional_policy(` > policykit_dbus_chat(systemd_logind_t) > @@ -753,6 +759,10 @@ optional_policy(` > ') > > optional_policy(` > + unconfined_dbus_send(systemd_machined_t) > +') > + > +optional_policy(` > virt_manage_virt_content(systemd_nspawn_t) > ') > > Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te > +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > @@ -222,6 +222,7 @@ optional_policy(` > > optional_policy(` > dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) > + init_dbus_chat(NetworkManager_t) > > optional_policy(` > avahi_dbus_chat(NetworkManager_t) > Index: refpolicy-2.20180211/policy/modules/system/locallogin.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te > +++ refpolicy-2.20180211/policy/modules/system/locallogin.te > @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi > ifdef(`init_systemd',` > auth_manage_faillog(local_login_t) > > + init_dbus_chat(local_login_t) > systemd_dbus_chat_logind(local_login_t) > systemd_use_logind_fds(local_login_t) > systemd_manage_logind_pid_pipes(local_login_t) > Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te > +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te > @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) > userdom_dontaudit_search_user_home_dirs(groupadd_t) > > optional_policy(` > + dbus_system_bus_client(groupadd_t) > +') > + > +optional_policy(` > dpkg_use_fds(groupadd_t) > dpkg_rw_pipes(groupadd_t) > ') > @@ -538,6 +542,10 @@ optional_policy(` > ') > > optional_policy(` > + dbus_system_bus_client(useradd_t) > +') > + > +optional_policy(` > dpkg_use_fds(useradd_t) > dpkg_rw_pipes(useradd_t) > ') > Index: refpolicy-2.20180211/policy/modules/system/unconfined.te > =================================================================== > --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te > +++ refpolicy-2.20180211/policy/modules/system/unconfined.te > @@ -116,6 +116,10 @@ optional_policy(` > ') > > optional_policy(` > + modemmanager_dbus_chat(unconfined_t) > +') > + > +optional_policy(` > modutils_run(unconfined_t, unconfined_r) > ') > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-15 21:57 ` Chris PeBenito @ 2018-02-16 6:04 ` Russell Coker 2018-02-23 4:53 ` Russell Coker 1 sibling, 0 replies; 8+ messages in thread From: Russell Coker @ 2018-02-16 6:04 UTC (permalink / raw) To: refpolicy On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote: > I merged everything except for the user/groupadd ones, which need > explanation: what are they doing with dbus exactly? Not sure. I'll do more tests on this. Thanks. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-15 21:57 ` Chris PeBenito 2018-02-16 6:04 ` Russell Coker @ 2018-02-23 4:53 ` Russell Coker 2018-02-23 7:25 ` Dominick Grift 1 sibling, 1 reply; 8+ messages in thread From: Russell Coker @ 2018-02-23 4:53 UTC (permalink / raw) To: refpolicy On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote: > On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote: > > Here is a collection of dbus policy patches, all fairly simple. > > > > Chris please merge the ones you like and we can discuss any you don't like > > afterwards. > > I merged everything except for the user/groupadd ones, which need > explanation: what are they doing with dbus exactly? sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/ systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0 \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193 The above is from a strace of "groupadd zzz2". It is sending a message to systemd to lookup dynamic users. I can't find where in the groupadd code it does this though. I checked the pam configuration and that doesn't appear to have it. > > Index: refpolicy-2.20180211/policy/modules/contrib/apt.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te > > +++ refpolicy-2.20180211/policy/modules/contrib/apt.te > > @@ -148,6 +148,11 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + # for packagekitd > > + policykit_dbus_chat(apt_t) > > +') > > + > > +optional_policy(` > > > > # rkhunter trigger > > rkhunter_domtrans(apt_t) > > > > ') > > > > @@ -159,4 +164,5 @@ optional_policy(` > > > > optional_policy(` > > > > unconfined_domain(apt_t) > > > > + unconfined_dbus_send(apt_t) > > > > ') > > > > Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te > > +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te > > @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t) > > > > init_all_labeled_script_domtrans(system_dbusd_t) > > init_start_system(system_dbusd_t) # needed by dbus-broker > > > > +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/* > > +libs_exec_lib_files(system_dbusd_t) > > + > > > > logging_send_audit_msgs(system_dbusd_t) > > logging_send_syslog_msg(system_dbusd_t) > > > > Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te > > +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te > > @@ -194,6 +194,11 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + # gwenview triggers the need for this > > + xserver_dbus_chat_xdm(devicekit_disk_t) > > +') > > + > > +optional_policy(` > > > > virt_manage_images(devicekit_disk_t) > > > > ') > > > > @@ -287,6 +292,7 @@ optional_policy(` > > > > optional_policy(` > > > > dbus_system_bus_client(devicekit_power_t) > > > > + init_dbus_chat(devicekit_power_t) > > > > allow devicekit_power_t devicekit_t:dbus send_msg; > > > > Index: refpolicy-2.20180211/policy/modules/system/init.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/system/init.te > > +++ refpolicy-2.20180211/policy/modules/system/init.te > > @@ -509,6 +509,7 @@ optional_policy(` > > > > optional_policy(` > > > > unconfined_domain(init_t) > > > > + unconfined_dbus_send(init_t) > > > > ') > > > > ######################################## > > > > Index: refpolicy-2.20180211/policy/modules/system/systemd.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te > > +++ refpolicy-2.20180211/policy/modules/system/systemd.te > > @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho > > > > optional_policy(` > > > > dbus_connect_system_bus(systemd_hostnamed_t) > > dbus_system_bus_client(systemd_hostnamed_t) > > > > + init_dbus_chat(systemd_hostnamed_t) > > > > ') > > > > optional_policy(` > > > > @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy > > > > userdom_delete_all_user_runtime_named_pipes(systemd_logind_t) > > userdom_delete_all_user_runtime_named_sockets(systemd_logind_t) > > userdom_delete_all_user_runtime_symlinks(systemd_logind_t) > > > > +# user_tmp_t is for the dbus-1 directory > > +userdom_list_user_tmp(systemd_logind_t) > > > > userdom_manage_user_runtime_dirs(systemd_logind_t) > > userdom_manage_user_runtime_root_dirs(systemd_logind_t) > > userdom_mounton_user_runtime_dirs(systemd_logind_t) > > > > @@ -482,6 +485,9 @@ optional_policy(` > > > > optional_policy(` > > > > networkmanager_dbus_chat(systemd_logind_t) > > > > ') > > > > +optional_policy(` > > + modemmanager_dbus_chat(systemd_logind_t) > > +') > > > > optional_policy(` > > > > policykit_dbus_chat(systemd_logind_t) > > > > @@ -753,6 +759,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + unconfined_dbus_send(systemd_machined_t) > > +') > > + > > +optional_policy(` > > > > virt_manage_virt_content(systemd_nspawn_t) > > > > ') > > > > Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te > > +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > > @@ -222,6 +222,7 @@ optional_policy(` > > > > optional_policy(` > > > > dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) > > > > + init_dbus_chat(NetworkManager_t) > > > > optional_policy(` > > > > avahi_dbus_chat(NetworkManager_t) > > > > Index: refpolicy-2.20180211/policy/modules/system/locallogin.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te > > +++ refpolicy-2.20180211/policy/modules/system/locallogin.te > > @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi > > > > ifdef(`init_systemd',` > > > > auth_manage_faillog(local_login_t) > > > > + init_dbus_chat(local_login_t) > > > > systemd_dbus_chat_logind(local_login_t) > > systemd_use_logind_fds(local_login_t) > > systemd_manage_logind_pid_pipes(local_login_t) > > > > Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te > > +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te > > @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) > > > > userdom_dontaudit_search_user_home_dirs(groupadd_t) > > > > optional_policy(` > > > > + dbus_system_bus_client(groupadd_t) > > +') > > + > > +optional_policy(` > > > > dpkg_use_fds(groupadd_t) > > dpkg_rw_pipes(groupadd_t) > > > > ') > > > > @@ -538,6 +542,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + dbus_system_bus_client(useradd_t) > > +') > > + > > +optional_policy(` > > > > dpkg_use_fds(useradd_t) > > dpkg_rw_pipes(useradd_t) > > > > ') > > > > Index: refpolicy-2.20180211/policy/modules/system/unconfined.te > > =================================================================== > > --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te > > +++ refpolicy-2.20180211/policy/modules/system/unconfined.te > > @@ -116,6 +116,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + modemmanager_dbus_chat(unconfined_t) > > +') > > + > > +optional_policy(` > > > > modutils_run(unconfined_t, unconfined_r) > > > > ') > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-23 4:53 ` Russell Coker @ 2018-02-23 7:25 ` Dominick Grift 2018-02-24 14:18 ` Chris PeBenito 0 siblings, 1 reply; 8+ messages in thread From: Dominick Grift @ 2018-02-23 7:25 UTC (permalink / raw) To: refpolicy On Fri, Feb 23, 2018 at 03:53:01PM +1100, Russell Coker via refpolicy wrote: > On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote: > > On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote: > > > Here is a collection of dbus policy patches, all fairly simple. > > > > > > Chris please merge the ones you like and we can discuss any you don't like > > > afterwards. > > > > I merged everything except for the user/groupadd ones, which need > > explanation: what are they doing with dbus exactly? > > sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t > \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/ > systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0 > \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s > \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", > iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2, > msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193 > > The above is from a strace of "groupadd zzz2". It is sending a message to > systemd to lookup dynamic users. I can't find where in the groupadd code it > does this though. I checked the pam configuration and that doesn't appear to > have it. this is nss_systemd. it is an optional systemd nss module. from that perspective one might consider adding it to auth_use_nsswitch() > > > > Index: refpolicy-2.20180211/policy/modules/contrib/apt.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/apt.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/apt.te > > > @@ -148,6 +148,11 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + # for packagekitd > > > + policykit_dbus_chat(apt_t) > > > +') > > > + > > > +optional_policy(` > > > > > > # rkhunter trigger > > > rkhunter_domtrans(apt_t) > > > > > > ') > > > > > > @@ -159,4 +164,5 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > unconfined_domain(apt_t) > > > > > > + unconfined_dbus_send(apt_t) > > > > > > ') > > > > > > Index: refpolicy-2.20180211/policy/modules/contrib/dbus.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/dbus.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/dbus.te > > > @@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t) > > > > > > init_all_labeled_script_domtrans(system_dbusd_t) > > > init_start_system(system_dbusd_t) # needed by dbus-broker > > > > > > +# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/* > > > +libs_exec_lib_files(system_dbusd_t) > > > + > > > > > > logging_send_audit_msgs(system_dbusd_t) > > > logging_send_syslog_msg(system_dbusd_t) > > > > > > Index: refpolicy-2.20180211/policy/modules/contrib/devicekit.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/devicekit.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/devicekit.te > > > @@ -194,6 +194,11 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + # gwenview triggers the need for this > > > + xserver_dbus_chat_xdm(devicekit_disk_t) > > > +') > > > + > > > +optional_policy(` > > > > > > virt_manage_images(devicekit_disk_t) > > > > > > ') > > > > > > @@ -287,6 +292,7 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > dbus_system_bus_client(devicekit_power_t) > > > > > > + init_dbus_chat(devicekit_power_t) > > > > > > allow devicekit_power_t devicekit_t:dbus send_msg; > > > > > > Index: refpolicy-2.20180211/policy/modules/system/init.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/init.te > > > +++ refpolicy-2.20180211/policy/modules/system/init.te > > > @@ -509,6 +509,7 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > unconfined_domain(init_t) > > > > > > + unconfined_dbus_send(init_t) > > > > > > ') > > > > > > ######################################## > > > > > > Index: refpolicy-2.20180211/policy/modules/system/systemd.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/systemd.te > > > +++ refpolicy-2.20180211/policy/modules/system/systemd.te > > > @@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_ho > > > > > > optional_policy(` > > > > > > dbus_connect_system_bus(systemd_hostnamed_t) > > > dbus_system_bus_client(systemd_hostnamed_t) > > > > > > + init_dbus_chat(systemd_hostnamed_t) > > > > > > ') > > > > > > optional_policy(` > > > > > > @@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(sy > > > > > > userdom_delete_all_user_runtime_named_pipes(systemd_logind_t) > > > userdom_delete_all_user_runtime_named_sockets(systemd_logind_t) > > > userdom_delete_all_user_runtime_symlinks(systemd_logind_t) > > > > > > +# user_tmp_t is for the dbus-1 directory > > > +userdom_list_user_tmp(systemd_logind_t) > > > > > > userdom_manage_user_runtime_dirs(systemd_logind_t) > > > userdom_manage_user_runtime_root_dirs(systemd_logind_t) > > > userdom_mounton_user_runtime_dirs(systemd_logind_t) > > > > > > @@ -482,6 +485,9 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > networkmanager_dbus_chat(systemd_logind_t) > > > > > > ') > > > > > > +optional_policy(` > > > + modemmanager_dbus_chat(systemd_logind_t) > > > +') > > > > > > optional_policy(` > > > > > > policykit_dbus_chat(systemd_logind_t) > > > > > > @@ -753,6 +759,10 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + unconfined_dbus_send(systemd_machined_t) > > > +') > > > + > > > +optional_policy(` > > > > > > virt_manage_virt_content(systemd_nspawn_t) > > > > > > ') > > > > > > Index: refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/contrib/networkmanager.te > > > +++ refpolicy-2.20180211/policy/modules/contrib/networkmanager.te > > > @@ -222,6 +222,7 @@ optional_policy(` > > > > > > optional_policy(` > > > > > > dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) > > > > > > + init_dbus_chat(NetworkManager_t) > > > > > > optional_policy(` > > > > > > avahi_dbus_chat(NetworkManager_t) > > > > > > Index: refpolicy-2.20180211/policy/modules/system/locallogin.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/locallogin.te > > > +++ refpolicy-2.20180211/policy/modules/system/locallogin.te > > > @@ -138,6 +138,7 @@ userdom_create_all_users_keys(local_logi > > > > > > ifdef(`init_systemd',` > > > > > > auth_manage_faillog(local_login_t) > > > > > > + init_dbus_chat(local_login_t) > > > > > > systemd_dbus_chat_logind(local_login_t) > > > systemd_use_logind_fds(local_login_t) > > > systemd_manage_logind_pid_pipes(local_login_t) > > > > > > Index: refpolicy-2.20180211/policy/modules/admin/usermanage.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/admin/usermanage.te > > > +++ refpolicy-2.20180211/policy/modules/admin/usermanage.te > > > @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) > > > > > > userdom_dontaudit_search_user_home_dirs(groupadd_t) > > > > > > optional_policy(` > > > > > > + dbus_system_bus_client(groupadd_t) > > > +') > > > + > > > +optional_policy(` > > > > > > dpkg_use_fds(groupadd_t) > > > dpkg_rw_pipes(groupadd_t) > > > > > > ') > > > > > > @@ -538,6 +542,10 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + dbus_system_bus_client(useradd_t) > > > +') > > > + > > > +optional_policy(` > > > > > > dpkg_use_fds(useradd_t) > > > dpkg_rw_pipes(useradd_t) > > > > > > ') > > > > > > Index: refpolicy-2.20180211/policy/modules/system/unconfined.te > > > =================================================================== > > > --- refpolicy-2.20180211.orig/policy/modules/system/unconfined.te > > > +++ refpolicy-2.20180211/policy/modules/system/unconfined.te > > > @@ -116,6 +116,10 @@ optional_policy(` > > > > > > ') > > > > > > optional_policy(` > > > > > > + modemmanager_dbus_chat(unconfined_t) > > > +') > > > + > > > +optional_policy(` > > > > > > modutils_run(unconfined_t, unconfined_r) > > > > > > ') > > > > > > _______________________________________________ > > > refpolicy mailing list > > > refpolicy at oss.tresys.com > > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > -- > My Main Blog http://etbe.coker.com.au/ > My Documents Blog http://doc.coker.com.au/ > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180223/e531058d/attachment.bin ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-23 7:25 ` Dominick Grift @ 2018-02-24 14:18 ` Chris PeBenito 2018-02-24 14:27 ` Dominick Grift 0 siblings, 1 reply; 8+ messages in thread From: Chris PeBenito @ 2018-02-24 14:18 UTC (permalink / raw) To: refpolicy On 02/23/2018 02:25 AM, Dominick Grift via refpolicy wrote: > On Fri, Feb 23, 2018 at 03:53:01PM +1100, Russell Coker via refpolicy wrote: >> On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote: >>> On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote: >>>> Here is a collection of dbus policy patches, all fairly simple. >>>> >>>> Chris please merge the ones you like and we can discuss any you don't like >>>> afterwards. >>> >>> I merged everything except for the user/groupadd ones, which need >>> explanation: what are they doing with dbus exactly? >> >> sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t >> \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/ >> systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0 >> \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s >> \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", >> iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2, >> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193 >> >> The above is from a strace of "groupadd zzz2". It is sending a message to >> systemd to lookup dynamic users. I can't find where in the groupadd code it >> does this though. I checked the pam configuration and that doesn't appear to >> have it. > > this is nss_systemd. it is an optional systemd nss module. > > from that perspective one might consider adding it to auth_use_nsswitch() That does make sense. It does additionally bring up how big that interface is getting. Perhaps it should be split up, maybe by the nsswitch database (passwd, hosts, networks, etc.) -- Chris PeBenito ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-24 14:18 ` Chris PeBenito @ 2018-02-24 14:27 ` Dominick Grift 2018-02-24 15:35 ` Dominick Grift 0 siblings, 1 reply; 8+ messages in thread From: Dominick Grift @ 2018-02-24 14:27 UTC (permalink / raw) To: refpolicy On Sat, Feb 24, 2018 at 09:18:20AM -0500, Chris PeBenito via refpolicy wrote: > On 02/23/2018 02:25 AM, Dominick Grift via refpolicy wrote: > > On Fri, Feb 23, 2018 at 03:53:01PM +1100, Russell Coker via refpolicy wrote: > >> On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote: > >>> On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote: > >>>> Here is a collection of dbus policy patches, all fairly simple. > >>>> > >>>> Chris please merge the ones you like and we can discuss any you don't like > >>>> afterwards. > >>> > >>> I merged everything except for the user/groupadd ones, which need > >>> explanation: what are they doing with dbus exactly? > >> > >> sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t > >> \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/ > >> systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0 > >> \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s > >> \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", > >> iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2, > >> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193 > >> > >> The above is from a strace of "groupadd zzz2". It is sending a message to > >> systemd to lookup dynamic users. I can't find where in the groupadd code it > >> does this though. I checked the pam configuration and that doesn't appear to > >> have it. > > > > this is nss_systemd. it is an optional systemd nss module. > > > > from that perspective one might consider adding it to auth_use_nsswitch() > > That does make sense. It does additionally bring up how big that > interface is getting. Perhaps it should be split up, maybe by the > nsswitch database (passwd, hosts, networks, etc.) The pattern i am currently seeing is nss with or without network (but i may not see the full picture yet) so i have a base nss client which just reads /etc/passwd, /etc/nsswitch.conf and stream connects to sssd if that is installed. then theres the full nss, which basically is base + everything else https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/nss.cil > > -- > Chris PeBenito > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180224/5963e21b/attachment.bin ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH] misc dbus patches 2018-02-24 14:27 ` Dominick Grift @ 2018-02-24 15:35 ` Dominick Grift 0 siblings, 0 replies; 8+ messages in thread From: Dominick Grift @ 2018-02-24 15:35 UTC (permalink / raw) To: refpolicy On Sat, Feb 24, 2018 at 03:27:01PM +0100, Dominick Grift wrote: > On Sat, Feb 24, 2018 at 09:18:20AM -0500, Chris PeBenito via refpolicy wrote: > > On 02/23/2018 02:25 AM, Dominick Grift via refpolicy wrote: > > > On Fri, Feb 23, 2018 at 03:53:01PM +1100, Russell Coker via refpolicy wrote: > > >> On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote: > > >>> On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote: > > >>>> Here is a collection of dbus policy patches, all fairly simple. > > >>>> > > >>>> Chris please merge the ones you like and we can discuss any you don't like > > >>>> afterwards. > > >>> > > >>> I merged everything except for the user/groupadd ones, which need > > >>> explanation: what are they doing with dbus exactly? > > >> > > >> sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t > > >> \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/ > > >> systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0 > > >> \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s > > >> \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", > > >> iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2, > > >> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193 > > >> > > >> The above is from a strace of "groupadd zzz2". It is sending a message to > > >> systemd to lookup dynamic users. I can't find where in the groupadd code it > > >> does this though. I checked the pam configuration and that doesn't appear to > > >> have it. > > > > > > this is nss_systemd. it is an optional systemd nss module. > > > > > > from that perspective one might consider adding it to auth_use_nsswitch() > > > > That does make sense. It does additionally bring up how big that > > interface is getting. Perhaps it should be split up, maybe by the > > nsswitch database (passwd, hosts, networks, etc.) > > The pattern i am currently seeing is nss with or without network (but i may not see the full picture yet) > > so i have a base nss client which just reads /etc/passwd, /etc/nsswitch.conf > and stream connects to sssd if that is installed. > > then theres the full nss, which basically is base + everything else > > https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/nss.cil It is not as black and white though. My decision was colored. Because if you do a ps auxZ on a system that has a process with a dynamic id then ps needs to use nss_systemd similarly if you do an ls in a dir with object assoc. with dynamic ids. But my unpriv user shells are not allowed access to ps system processes, and arent allowed access to list dirs that might have objects with dynamic id's (atleast that is the goal) I try to keep my unpriv shells without network access and without dbus system bus access if possible So i basically either use full nss, or base nss. for everything in between its base nss plus indiviual calls to whatever else it needs its ugly, but its ugly regardless... > > > > > -- > > Chris PeBenito > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180224/5defadc0/attachment.bin ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-02-24 15:35 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-02-13 0:36 [refpolicy] [PATCH] misc dbus patches Russell Coker 2018-02-15 21:57 ` Chris PeBenito 2018-02-16 6:04 ` Russell Coker 2018-02-23 4:53 ` Russell Coker 2018-02-23 7:25 ` Dominick Grift 2018-02-24 14:18 ` Chris PeBenito 2018-02-24 14:27 ` Dominick Grift 2018-02-24 15:35 ` Dominick Grift
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.