* [refpolicy] [PATCH] some userdomain patches
@ 2017-04-17 13:35 Russell Coker
  2017-04-17 16:46 ` Guido Trentalancia
  2017-04-19  1:42 ` Chris PeBenito
From: Russell Coker @ 2017-04-17 13:35 UTC (permalink / raw)
  To: refpolicy

Add mono_run for unconfined_t, and also xserver_role for unconfined_r, and allow
unconfined_t to dbus chat with xdm.

Allow sysadm_t to read kmsg.

Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui.  Also allow them to chat with devicekit disk and power daemons.

Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems

Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
@@ -121,6 +121,7 @@ optional_policy(`
 
 optional_policy(`
 	mono_domtrans(unconfined_t)
+	mono_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
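Review bot: The new `mono_run(unconfined_t, unconfined_r)` sits directly under the existing `mono_domtrans(unconfined_t)` in the same optional_policy block; if mono_run follows the usual refpolicy `*_run` convention of calling the `*_domtrans` interface itself, the mono_domtrans line is now redundant and should be dropped in the same hunk, leaving `mono_run(unconfined_t, unconfined_r)` alone in the block. Keeping both builds fine but obscures which call is responsible for the transition. This should be confirmed against mono.if before merging.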
@@ -210,6 +211,11 @@ optional_policy(`
 	wine_domtrans(unconfined_t)
 ')
 
+optional_policy(`
+	xserver_role(unconfined_r, unconfined_t)
+	xserver_dbus_chat_xdm(unconfined_t)
+')
+
 ########################################
 #
 # Unconfined Execmem Local policy
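Review bot: The new `xserver_role(unconfined_r, unconfined_t)` block carries no comment explaining why an unconfined domain needs the full X server role, and the commit message only restates the call. A one-line rationale above the optional_policy, e.g. `# allow unconfined logins to start the X server and talk to the display manager over dbus`, would help the next reader. Note also that xserver_role in refpolicy conventionally includes a domain transition into xserver_t, so an X server started from unconfined_t would presumably now run confined rather than inheriting unconfined_t; if that is intended it is worth stating in the comment, and if it is not, the role allow and `xserver_dbus_chat_xdm` could likely be granted without the full role interface. The enclosing unconfined_t local policy section starts outside the hunk.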
Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
@@ -351,6 +351,7 @@ optional_policy(`
 
 optional_policy(`
 	dmesg_exec(sysadm_t)
+	dev_read_kmsg(sysadm_t)
 ')
 
 optional_policy(`
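Review bot: `dev_read_kmsg(sysadm_t)` is a devices-module interface, but it is placed inside the optional_policy block that is conditional on the dmesg module, so it silently disappears whenever dmesg is not built even though reading /dev/kmsg does not depend on dmesg at all. If the direct read is kept, it belongs unconditionally alongside the other kernel/devices calls in sysadm.te, with a comment naming the tool that actually opens /dev/kmsg, e.g. `# direct /dev/kmsg reads for <tool>`. The enclosing sysadm_t policy continues outside the hunk.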
Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170417/policy/modules/system/userdomain.if
@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	optional_policy(`
+		kerneloops_dbus_chat($1_t)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat_disk($1_t)
+		devicekit_dbus_chat_power($1_t)
+	')
 ')
 
 #######################################
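Review bot: The devicekit and kerneloops dbus chat grants are added to `userdom_base_user_template`, which is the template every user domain is built from, so even the most restricted user domains gain two-way dbus messaging with the disk, power and kerneloops daemons. These are desktop-session services; unless a restricted non-GUI user is meant to drive them, the calls seem better placed in the template used for desktop/X users rather than the base one. A comment stating the intent, e.g. `# desktop session: kerneloops GUI and devicekit disk/power front-ends`, would also help, since nothing else in this part of the base template is desktop-specific. The template's opening line is outside the hunk.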
Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
+++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
@@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
 userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
 userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
 
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
 optional_policy(`
 	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
 


* [refpolicy] [PATCH] some userdomain patches
  2017-04-17 13:35 [refpolicy] [PATCH] some userdomain patches Russell Coker
@ 2017-04-17 16:46 ` Guido Trentalancia
  2017-04-19  1:43   ` Chris PeBenito
  2017-04-19  1:42 ` Chris PeBenito
From: Guido Trentalancia @ 2017-04-17 16:46 UTC (permalink / raw)
  To: refpolicy

Hello again. 

I was wondering what is causing the need for sysadm_t to read kmsg?

Usually this happens through an application domain such as dmesg_t (as in your previous patch) rather than directly.

Regards, 

Guido 



On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
>Added mono_run for unconfined and also xserver_role and allow it to
>dbus
>chat with xdm.
>
>Allow sysadm_t to read kmsg.
>
>Allow user domains to dbus chat with kerneloops for the kerneloops
>desktop
>gui.  Also allow them to chat with devicekit disk and power daemons.
>
>Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
>
>Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
>+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
>@@ -121,6 +121,7 @@ optional_policy(`
> 
> optional_policy(`
> 	mono_domtrans(unconfined_t)
>+	mono_run(unconfined_t, unconfined_r)
> ')
> 
> optional_policy(`
>@@ -210,6 +211,11 @@ optional_policy(`
> 	wine_domtrans(unconfined_t)
> ')
> 
>+optional_policy(`
>+	xserver_role(unconfined_r, unconfined_t)
>+	xserver_dbus_chat_xdm(unconfined_t)
>+')
>+
> ########################################
> #
> # Unconfined Execmem Local policy
>Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
>+++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
>@@ -351,6 +351,7 @@ optional_policy(`
> 
> optional_policy(`
> 	dmesg_exec(sysadm_t)
>+	dev_read_kmsg(sysadm_t)
> ')
> 
> optional_policy(`
>Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
>+++ refpolicy-2.20170417/policy/modules/system/userdomain.if
>@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
> 		# Allow making the stack executable via mprotect.
> 		allow $1_t self:process execstack;
> 	')
>+
>+	optional_policy(`
>+		kerneloops_dbus_chat($1_t)
>+	')
>+
>+	optional_policy(`
>+		devicekit_dbus_chat_disk($1_t)
>+		devicekit_dbus_chat_power($1_t)
>+	')
> ')
> 
> #######################################
>Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
>+++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
>@@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> 
>+# for /var/lib/gconf/defaults
>+files_read_var_lib_files(gconfd_t)
>+
>+# for /proc/filesystems
>+kernel_read_system_state(gconfd_t)
>+
> optional_policy(`
> 	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
> 
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy


* [refpolicy] [PATCH] some userdomain patches
  2017-04-17 13:35 [refpolicy] [PATCH] some userdomain patches Russell Coker
  2017-04-17 16:46 ` Guido Trentalancia
@ 2017-04-19  1:42 ` Chris PeBenito
From: Chris PeBenito @ 2017-04-19  1:42 UTC (permalink / raw)
  To: refpolicy

On 04/17/2017 09:35 AM, Russell Coker via refpolicy wrote:
> Added mono_run for unconfined and also xserver_role and allow it to dbus
> chat with xdm.
>
> Allow sysadm_t to read kmsg.
>
> Allow user domains to dbus chat with kerneloops for the kerneloops desktop
> gui.  Also allow them to chat with devicekit disk and power daemons.
>
> Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems

Merged, except for the kmsg part.


> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te
> @@ -121,6 +121,7 @@ optional_policy(`
>
>  optional_policy(`
>  	mono_domtrans(unconfined_t)
> +	mono_run(unconfined_t, unconfined_r)
>  ')
>
>  optional_policy(`
> @@ -210,6 +211,11 @@ optional_policy(`
>  	wine_domtrans(unconfined_t)
>  ')
>
> +optional_policy(`
> +	xserver_role(unconfined_r, unconfined_t)
> +	xserver_dbus_chat_xdm(unconfined_t)
> +')
> +
>  ########################################
>  #
>  # Unconfined Execmem Local policy
> Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
> @@ -351,6 +351,7 @@ optional_policy(`
>
>  optional_policy(`
>  	dmesg_exec(sysadm_t)
> +	dev_read_kmsg(sysadm_t)
>  ')
>
>  optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170417/policy/modules/system/userdomain.if
> @@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
>  		# Allow making the stack executable via mprotect.
>  		allow $1_t self:process execstack;
>  	')
> +
> +	optional_policy(`
> +		kerneloops_dbus_chat($1_t)
> +	')
> +
> +	optional_policy(`
> +		devicekit_dbus_chat_disk($1_t)
> +		devicekit_dbus_chat_power($1_t)
> +	')
>  ')
>
>  #######################################
> Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
> +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
> @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
>  userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>  userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>
> +# for /var/lib/gconf/defaults
> +files_read_var_lib_files(gconfd_t)
> +
> +# for /proc/filesystems
> +kernel_read_system_state(gconfd_t)
> +
>  optional_policy(`
>  	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito


* [refpolicy] [PATCH] some userdomain patches
  2017-04-17 16:46 ` Guido Trentalancia
@ 2017-04-19  1:43   ` Chris PeBenito
From: Chris PeBenito @ 2017-04-19  1:43 UTC (permalink / raw)
  To: refpolicy

On 04/17/2017 12:46 PM, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> I was wondering what is causing the need for sysadm_t to read kmsg?
>
> Usually this happens through an application domain such as dmesg_t as for your previous patch rather than directly...

A variation on the question, is there a reason not to change sysadm to 
transition to dmesg_t?


> On the 17th of April 2017 15:35:33 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
>> Added mono_run for unconfined and also xserver_role and allow it to
>> dbus
>> chat with xdm.
>>
>> Allow sysadm_t to read kmsg.
>>
>> Allow user domains to dbus chat with kerneloops for the kerneloops
>> desktop
>> gui.  Also allow them to chat with devicekit disk and power daemons.
>>
>> Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
>>
>> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
>> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te
>> @@ -121,6 +121,7 @@ optional_policy(`
>>
>> optional_policy(`
>> 	mono_domtrans(unconfined_t)
>> +	mono_run(unconfined_t, unconfined_r)
>> ')
>>
>> optional_policy(`
>> @@ -210,6 +211,11 @@ optional_policy(`
>> 	wine_domtrans(unconfined_t)
>> ')
>>
>> +optional_policy(`
>> +	xserver_role(unconfined_r, unconfined_t)
>> +	xserver_dbus_chat_xdm(unconfined_t)
>> +')
>> +
>> ########################################
>> #
>> # Unconfined Execmem Local policy
>> Index: refpolicy-2.20170417/policy/modules/roles/sysadm.te
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/roles/sysadm.te
>> +++ refpolicy-2.20170417/policy/modules/roles/sysadm.te
>> @@ -351,6 +351,7 @@ optional_policy(`
>>
>> optional_policy(`
>> 	dmesg_exec(sysadm_t)
>> +	dev_read_kmsg(sysadm_t)
>> ')
>>
>> optional_policy(`
>> Index: refpolicy-2.20170417/policy/modules/system/userdomain.if
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/system/userdomain.if
>> +++ refpolicy-2.20170417/policy/modules/system/userdomain.if
>> @@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
>> 		# Allow making the stack executable via mprotect.
>> 		allow $1_t self:process execstack;
>> 	')
>> +
>> +	optional_policy(`
>> +		kerneloops_dbus_chat($1_t)
>> +	')
>> +
>> +	optional_policy(`
>> +		devicekit_dbus_chat_disk($1_t)
>> +		devicekit_dbus_chat_power($1_t)
>> +	')
>> ')
>>
>> #######################################
>> Index: refpolicy-2.20170417/policy/modules/contrib/gnome.te
>> ===================================================================
>> --- refpolicy-2.20170417.orig/policy/modules/contrib/gnome.te
>> +++ refpolicy-2.20170417/policy/modules/contrib/gnome.te
>> @@ -95,6 +95,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>
>> +# for /var/lib/gconf/defaults
>> +files_read_var_lib_files(gconfd_t)
>> +
>> +# for /proc/filesystems
>> +kernel_read_system_state(gconfd_t)
>> +
>> optional_policy(`
>> 	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito

