* [refpolicy] [PATCH] login take 4
@ 2017-04-23 14:30 Russell Coker
From: Russell Coker @ 2017-04-23 14:30 UTC (permalink / raw)
  To: refpolicy

I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.

Please merge this.

Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170421/policy/modules/system/locallogin.te
@@ -33,6 +33,7 @@ role system_r types sulogin_t;
 #
 
 allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
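Review bot: The new `dontaudit local_login_t self:capability net_admin;` silences a CAP_NET_ADMIN denial without recording why login asks for it, so a later reader cannot tell a harmless probe from a real need that the policy is now hiding. A one-line reason above the rule would fix that, e.g. `# login probes for net_admin but works without it; silence the noise` — the actual trigger is not visible in this hunk, so confirm it against the original AVC before wording the comment. Keeping it a dontaudit rather than an allow is the right choice, since net_admin would let the login domain reconfigure networking.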
Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
 
 kernel_read_kernel_sysctls(policykit_t)
 kernel_read_system_state(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+dev_read_urand(policykit_t)
 
 dev_read_urand(policykit_t)
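Review bot: The third added line, `dev_read_urand(policykit_t)`, duplicates the `dev_read_urand(policykit_t)` that already exists two lines below it, so the hunk introduces a redundant rule; drop the added copy and keep the existing one. The tmpfs and cgroup additions are getattr only and look proportionate, though a short note on what stats them (presumably a statfs from polkitd's own startup, not visible here) would help the next reader.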
 
@@ -104,6 +107,7 @@ userdom_read_all_users_state(policykit_t
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	userdom_dbus_send_all_users(policykit_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(policykit_t)
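Review bot: `userdom_dbus_send_all_users(policykit_t)` lets polkitd send bus messages to every user domain, and the hunk gives no reason for a rule that wide. If the purpose is replying to per-session authentication agents, say so above the line, e.g. `# polkitd answers authentication agents running in user sessions` — that is an inference from the interface name, so verify it against the denial before committing the comment. Placing it inside the dbus optional block is correct.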
Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
@@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 
+ifdef(`init_systemd', `
+	# gdm3 causes system_dbusd_t to want this access
+	dev_rw_dri(system_dbusd_t)
+	dev_rw_input_dev(system_dbusd_t)
+')
+
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
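Review bot: `dev_rw_input_dev(system_dbusd_t)` gives the system bus daemon read and write access to input device nodes (keystrokes) and `dev_rw_dri` to the GPU nodes, while the comment only says gdm3 "wants" it; that is a notable widening for a message router and deserves a real reason. The guard is `ifdef(`init_systemd'` but the stated cause is gdm3, so the two do not match — if the need is tied to gdm, an optional block keyed on the display-manager module would scope it more tightly than every systemd system. The likely mechanism, which is an inference and not visible here, is that device file descriptors handed to gdm3 over the bus are checked against the forwarding daemon when they are received; if that is confirmed from the AVC, replace the comment with something like `# device fds passed to gdm3 over the bus are access-checked against the forwarding daemon`.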
 
Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170421/policy/modules/system/authlogin.te
@@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
 kernel_read_crypto_sysctls(chkpwd_t)
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
+selinux_get_enforce_mode(chkpwd_t)
+selinux_getattr_fs(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
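Review bot: The two added selinux_* lines land directly under the `# is_selinux_enabled` comment that was written for kernel_read_system_state, so the block now reads as if all three rules serve that one call. Either extend the comment or give the new lines their own, e.g. `# libselinux: statfs on selinuxfs and enforce-mode read`; which libselinux call actually triggers them is not visible in the hunk, so check the denial before wording it. Both rules are read-only and reasonable for the password-checking helper.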
 
Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
+++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
 domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
 
+kernel_read_crypto_sysctls(gpg_t)
 kernel_read_sysctl(gpg_t)
 # read /proc/cpuinfo
 kernel_read_system_state(gpg_t)
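Review bot: `kernel_read_crypto_sysctls(gpg_t)` is added without the short why-comment the neighbouring rules carry (`# read /proc/cpuinfo`); the interface covers /proc/sys/crypto, e.g. fips_enabled, so a line such as `# fips_enabled check` would document it. Whether the read comes from libgcrypt's FIPS detection is an inference, so confirm it from the AVC before naming the library in the comment.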
@@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent
 kernel_read_core_if(gpg_agent_t)
 kernel_read_system_state(gpg_agent_t)
 
+auth_use_nsswitch(gpg_agent_t)
+
 corecmd_exec_bin(gpg_agent_t)
 corecmd_exec_shell(gpg_agent_t)
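Review bot: `auth_use_nsswitch(gpg_agent_t)` is much wider than a passwd lookup: in refpolicy that interface also pulls in name resolution and the optional nscd/sssd/ldap/winbind client rules, i.e. network socket access, for a daemon whose job is holding private keys. If the denial behind this was a getpw*/getgr* call, a narrower rule such as `auth_read_passwd(gpg_agent_t)` (if this tree provides it, otherwise the plain etc-file read interface) keeps gpg-agent off the network. A comment naming the call that needs it would also help, since nothing in the hunk says why.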
 
@@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(gpg_agent_t)
+')
+
+optional_policy(`
 	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
 ')
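Review bot: The new optional block grants `dbus_system_bus_client(gpg_agent_t)` with no comment and no peer, and on its own that only lets gpg-agent connect to and acquire names on the system bus. State which service gpg-agent is reaching so the matching `*_dbus_chat` rule, if one turns out to be needed, has an obvious home, e.g. `# gpg-agent talks to <service> over the system bus`; the service is not visible in this hunk.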
 
@@ -279,6 +286,11 @@ optional_policy(`
 	pcscd_stream_connect(gpg_agent_t)
 ')
 
+optional_policy(`
+	xserver_sigchld_xdm(gpg_agent_t)
+	xserver_read_user_xauth(gpg_agent_t)
+')
+
 ##############################
 #
 # Pinentry local policy
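Review bot: `xserver_read_user_xauth(gpg_agent_t)` lets gpg-agent read the user's X authority cookie, which is a credential, while the pinentry domain whose section starts right after this hunk is the component that actually needs an X connection. Confirm from the AVC that the read really happens in gpg_agent_t (for instance, gpg-agent checking XAUTHORITY before launching pinentry) rather than in the pinentry domain, and record that in a comment above the rule; if it is only a probe that succeeds without the file, a dontaudit variant, where the xserver module offers one, is the safer form. The sigchld rule toward xdm is benign, and keying the block on the xserver module is correct.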


* [refpolicy] [PATCH] login take 4
@ 2017-04-26 10:43 ` Chris PeBenito
From: Chris PeBenito @ 2017-04-26 10:43 UTC (permalink / raw)
  To: refpolicy

On 04/23/2017 10:30 AM, Russell Coker via refpolicy wrote:
> I have used optional sections for dbus and xserver as requested and also
> fixed a minor issue of a rule not being in the correct section.
>
> Please merge this.
>
> Index: refpolicy-2.20170421/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170421/policy/modules/system/locallogin.te
> @@ -33,6 +33,7 @@ role system_r types sulogin_t;
>  #
>
>  allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> +dontaudit local_login_t self:capability net_admin;
>  allow local_login_t self:process { setexec setrlimit setsched };
>  allow local_login_t self:fd use;
>  allow local_login_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20170421/policy/modules/contrib/policykit.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/policykit.te
> +++ refpolicy-2.20170421/policy/modules/contrib/policykit.te
> @@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
>
>  kernel_read_kernel_sysctls(policykit_t)
>  kernel_read_system_state(policykit_t)
> +fs_getattr_tmpfs(policykit_t)
> +fs_getattr_cgroup(policykit_t)
> +dev_read_urand(policykit_t)
>
>  dev_read_urand(policykit_t)
>
> @@ -104,6 +107,7 @@ userdom_read_all_users_state(policykit_t
>
>  optional_policy(`
>  	dbus_system_domain(policykit_t, policykit_exec_t)
> +	userdom_dbus_send_all_users(policykit_t)
>
>  	optional_policy(`
>  		consolekit_dbus_chat(policykit_t)
> Index: refpolicy-2.20170421/policy/modules/contrib/dbus.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/dbus.te
> +++ refpolicy-2.20170421/policy/modules/contrib/dbus.te
> @@ -96,6 +96,12 @@ corecmd_exec_shell(system_dbusd_t)
>  dev_read_urand(system_dbusd_t)
>  dev_read_sysfs(system_dbusd_t)
>
> +ifdef(`init_systemd', `
> +	# gdm3 causes system_dbusd_t to want this access
> +	dev_rw_dri(system_dbusd_t)
> +	dev_rw_input_dev(system_dbusd_t)
> +')
> +
>  domain_use_interactive_fds(system_dbusd_t)
>  domain_read_all_domains_state(system_dbusd_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20170421/policy/modules/system/authlogin.te
> @@ -105,6 +105,8 @@ files_list_etc(chkpwd_t)
>  kernel_read_crypto_sysctls(chkpwd_t)
>  # is_selinux_enabled
>  kernel_read_system_state(chkpwd_t)
> +selinux_get_enforce_mode(chkpwd_t)
> +selinux_getattr_fs(chkpwd_t)
>
>  domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> Index: refpolicy-2.20170421/policy/modules/contrib/gpg.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/gpg.te
> +++ refpolicy-2.20170421/policy/modules/contrib/gpg.te
> @@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
>  domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
>  domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> +kernel_read_crypto_sysctls(gpg_t)
>  kernel_read_sysctl(gpg_t)
>  # read /proc/cpuinfo
>  kernel_read_system_state(gpg_t)
> @@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent
>  kernel_read_core_if(gpg_agent_t)
>  kernel_read_system_state(gpg_agent_t)
>
> +auth_use_nsswitch(gpg_agent_t)
> +
>  corecmd_exec_bin(gpg_agent_t)
>  corecmd_exec_shell(gpg_agent_t)
>
> @@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>
>  optional_policy(`
> +	dbus_system_bus_client(gpg_agent_t)
> +')
> +
> +optional_policy(`
>  	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
>  ')
>
> @@ -279,6 +286,11 @@ optional_policy(`
>  	pcscd_stream_connect(gpg_agent_t)
>  ')
>
> +optional_policy(`
> +	xserver_sigchld_xdm(gpg_agent_t)
> +	xserver_read_user_xauth(gpg_agent_t)
> +')
> +
>  ##############################
>  #
>  # Pinentry local policy

Merged, though I moved a few lines.


-- 
Chris PeBenito

