* [refpolicy] [PATCH] Update for the gnome policy and file contexts @ 2016-08-13 14:45 Guido Trentalancia 2016-08-13 14:51 ` Dominick Grift 2016-08-15 21:33 ` [refpolicy] [PATCH v2] " Guido Trentalancia 0 siblings, 2 replies; 73+ messages in thread From: Guido Trentalancia @ 2016-08-13 14:45 UTC (permalink / raw) To: refpolicy Update for the gnome module: - a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio); - add support for more permissions needed in gconfd_t and gnome keyring domains; - add support for a few needed fs and kernel permissions. This patch should be applied before applying the pulseaudio patch. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/gnome.fc | 7 ++ policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++- policy/modules/contrib/gnome.te | 8 +++ 3 files changed, 112 insertions(+), 2 deletions(-) --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 16:02:14.949814288 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 16:30:32.175198600 +0200 @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
@@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) +/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 16:02:14.950814302 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 00:55:24.980149003 +0200 @@ -1,4 +1,4 @@ -## <summary>GNU network object model environment.</summary> + ######################################## ## <summary> @@ -100,9 +100,15 @@ template(`gnome_role_template',` allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + userdom_manage_user_home_content_dirs($1_gkeyringd_t) + userdom_manage_user_home_content_files($1_gkeyringd_t) + userdom_manage_user_home_content_sockets($1_gkeyringd_t) + ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + kernel_read_kernel_sysctls($1_gkeyringd_t) + corecmd_bin_domtrans($1_gkeyringd_t, $3) corecmd_shell_domtrans($1_gkeyringd_t, $3) 
@@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho ######################################## ## <summary> +## Create objects in user home +## directories with the gstreamer +## orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_home_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Create objects in gnome gconf home ## directories with a private type. ## </summary> 
@@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` ') ######################################## +## <summary> +## Create objects in the user +## runtime directories with the +## gstreamer orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + + +######################################## +## <summary> +## Create objects in the tmp +## directories with the gstreamer +## orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## ## <summary> ## Read generic gnome keyring home files. ## </summary> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 16:02:14.951814316 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 13:45:54.704254788 +0200 @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) + ############################## # # Common local Policy 
@@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +kernel_dontaudit_read_system_state(gconfd_t) + +fs_getattr_xattr_fs(gconfd_t) + userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) +userdom_manage_user_tmp_sockets(gconfd_t) userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) optional_policy(`
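Review bot: in the gnome.fc hunk `@@ -13,4 +14,8 @@`, the two new `orcexec\..*` entries under `/var/run/user` carry no type specifier, so the pattern labels directories, sockets and symlinks of that name as well as regular files; the same holds for `HOME_DIR/orcexec\..*` in the first hunk. Add the `--` specifier as the neighbouring `gconfd-2` entries do, e.g. `/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. The same hunk also deletes `/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)` and re-adds it unchanged between two blank lines, a no-op that only adds noise to the diff and should be dropped.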
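Review bot: the gnome.if hunk `@@ -1,4 +1,4 @@` replaces the module summary `## <summary>GNU network object model environment.</summary>` with an empty line. Nothing in the commit message mentions it, and the module summary is what the interface documentation is generated from, so this looks like an accidental deletion that should be reverted.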
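Review bot: in the `gnome_role_template` hunk `@@ -100,9 +100,15 @@`, `userdom_manage_user_home_content_dirs/files/sockets($1_gkeyringd_t)` let the keyring daemon create, write and delete every user home content type rather than only its own `gnome_keyring_home_t` (which gnome.fc already assigns to `HOME_DIR/\.gnome2/keyrings`), which undoes most of the benefit of confining it in a separate domain. Please either narrow this to the type it actually needs or quote the denials that motivated it; the commit message only says "more permissions needed". `kernel_read_kernel_sysctls($1_gkeyringd_t)` should likewise be tied to an observed denial.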
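Review bot: in the gnome.if hunk `@@ -603,6 +639,67 @@`, `gnome_tmp_filetrans_gstreamer_orcexec` calls `files_tmp_filetrans` for a `/tmp` location, but the gnome.fc changes in this patch only label `orcexec\..*` under `HOME_DIR` and `/var/run/user`; with no `/tmp` file context a relabel would strip the type from any such file again, so drop the interface unless a matching file context is added. Style: there are two consecutive `+` blank lines before the `########` separator of that interface where the rest of the file uses one.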
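Review bot: in the gnome.te hunk `@@ -46,6 +46,9 @@`, `application_executable_file(gstreamer_orcexec_t)` declares the new type as a package-installed program, but every file context added for it sits under `HOME_DIR` or `/var/run/user`, i.e. a file the user's own process creates at runtime, and the new `.if` interfaces are `userdom_user_home_dir_filetrans` / `userdom_user_runtime_filetrans` transitions into that type. Without `userdom_user_home_content()` or `userdom_user_tmp_file()` (compare `gnome_keyring_tmp_t` two lines above) the type is neither home content nor user runtime content, so the generic user-content interfaces will not cover it; declare it as the user-created file it is and grant only the access its consumer needs instead of the executable-file attributes.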
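Review bot: in the gnome.te hunk `@@ -87,8 +90,13 @@`, `userdom_manage_user_tmp_sockets(gconfd_t)` lets gconfd create, rename and unlink any socket labelled as generic user tmp content, not just its own, and `kernel_dontaudit_read_system_state(gconfd_t)` / `fs_getattr_xattr_fs(gconfd_t)` are added with no explanation beyond "a few needed fs and kernel permissions". Please state in the commit message which denial each line fixes; if the sockets belong to gconfd itself, a filetrans into its own `gconf_tmp_t` (already managed a few lines above) is the more specific fix.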
* [refpolicy] [PATCH] Update for the gnome policy and file contexts 2016-08-13 14:45 [refpolicy] [PATCH] Update for the gnome policy and file contexts Guido Trentalancia @ 2016-08-13 14:51 ` Dominick Grift 2016-08-13 20:09 ` Guido Trentalancia ` (2 more replies) 2016-08-15 21:33 ` [refpolicy] [PATCH v2] " Guido Trentalancia 1 sibling, 3 replies; 73+ messages in thread From: Dominick Grift @ 2016-08-13 14:51 UTC (permalink / raw) To: refpolicy On 08/13/2016 04:45 PM, Guido Trentalancia wrote: > Update for the gnome module: > > - a new gstreamer_orcexec_t type and file context is introduced > to support the OIL Runtime Compiler (ORC) optimized code > execution (used for example by pulseaudio); > - add support for more permissions needed in gconfd_t and gnome > keyring domains; > - add support for a few needed fs and kernel permissions. > > This patch should be applied before applying the pulseaudio patch. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/gnome.fc | 7 ++ > policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++- > policy/modules/contrib/gnome.te | 8 +++ > 3 files changed, 112 insertions(+), 2 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 16:02:14.949814288 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 16:30:32.175198600 +0200 > @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) > HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
> > @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) > > /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > +/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) these are files so you can be more specific about it: /var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 16:02:14.950814302 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 00:55:24.980149003 +0200 > @@ -1,4 +1,4 @@ > -## <summary>GNU network object model environment.</summary> > + > > ######################################## > ## <summary> > @@ -100,9 +100,15 @@ template(`gnome_role_template',` > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > + userdom_manage_user_home_content_files($1_gkeyringd_t) > + userdom_manage_user_home_content_sockets($1_gkeyringd_t) > + I don't like this, and I don't understand it. > ps_process_pattern($3, $1_gkeyringd_t) > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > + > corecmd_bin_domtrans($1_gkeyringd_t, $3) > corecmd_shell_domtrans($1_gkeyringd_t, $3)
> > @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho > > ######################################## > ## <summary> > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="object_class"> > +## <summary> > +## Class of the object being created. > +## </summary> > +## </param> > +## <param name="name" optional="true"> > +## <summary> > +## The name of the object being created. > +## </summary> > +## </param> > +# > +interface(`gnome_home_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## <summary> > ## Create objects in gnome gconf home > ## directories with a private type. > ## </summary> 
> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` > ') > > ######################################## > +## <summary> > +## Create objects in the user > +## runtime directories with the > +## gstreamer orcexec type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="object_class"> > +## <summary> > +## Class of the object being created. > +## </summary> > +## </param> > +## <param name="name" optional="true"> > +## <summary> > +## The name of the object being created. > +## </summary> > +## </param> > +# > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > + > +######################################## > +## <summary> > +## Create objects in the tmp > +## directories with the gstreamer > +## orcexec type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="object_class"> > +## <summary> > +## Class of the object being created. > +## </summary> > +## </param> > +## <param name="name" optional="true"> > +## <summary> > +## The name of the object being created. > +## </summary> > +## </param> > +# > +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + If you're not going to support that file in /tmp then this is not needed > +######################################## > ## <summary> > ## Read generic gnome keyring home files. > ## </summary> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 16:02:14.951814316 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 13:45:54.704254788 +0200 
> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > type gnome_keyring_tmp_t; > userdom_user_tmp_file(gnome_keyring_tmp_t) > > +type gstreamer_orcexec_t; > +application_executable_file(gstreamer_orcexec_t) it is not an application executable file > + > ############################## > # > # Common local Policy > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > +kernel_dontaudit_read_system_state(gconfd_t) > + > +fs_getattr_xattr_fs(gconfd_t) > + > userdom_manage_user_tmp_dirs(gconfd_t) > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > +userdom_manage_user_tmp_sockets(gconfd_t) What is going on there and why did you choose this? > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > optional_policy(` > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
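The "these are files so you can be more specific" point above, as an added example (not refpolicy or libselinux code): a toy file_contexts matcher run over the patch's gnome.fc entries, first exactly as posted and then with the `--` specifier on all three orcexec entries. It assumes HOME_DIR expands to `/home/[^/]+`, `%{USERID}` to uid 1000, the documented last-matching-entry-wins rule, and entries already in the order refpolicy's fc_sort produces; the sample paths are constructed.

```python
"""Toy file_contexts matcher (added example, not refpolicy or libselinux code).

It applies two documented file_contexts rules: among the entries whose regex
matches a path, the last one in the file wins; and an entry carrying a type
specifier ("--" regular file, "-d" directory, "-s" socket, ...) applies only
to objects of that class.  Assumptions: HOME_DIR expands to /home/[^/]+,
%{USERID} to the given uid, and the entries are already in the order
refpolicy's fc_sort would produce.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# file_contexts type specifiers -> object class name used in this example
SPECIFIERS = {"--": "file", "-d": "dir", "-s": "socket", "-l": "symlink",
              "-p": "pipe", "-b": "block", "-c": "char"}

# Constructed from the gnome.fc hunks of the patch under review: no "--" on
# the orcexec entries, exactly as posted.
PATCH_FC = r"""
HOME_DIR/\.gnome2(/.*)?              gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)?     gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/orcexec\..*                 gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/libexec/gconfd-2            --  gen_context(system_u:object_r:gconfd_exec_t,s0)
/var/run/user/[^/]*/orcexec\..*      gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..*  gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
"""

# The same entries with the "--" (regular file) specifier the reviewer asked for.
FIXED_FC = r"""
HOME_DIR/\.gnome2(/.*)?              gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)?     gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/orcexec\..*             --  gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/libexec/gconfd-2            --  gen_context(system_u:object_r:gconfd_exec_t,s0)
/var/run/user/[^/]*/orcexec\..*  --  gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..*  --  gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
"""


@dataclass
class Spec:
    pattern: str
    ftype: Optional[str]    # None: the entry applies to every object class
    context: Optional[str]  # None: <<none>> (leave the object unlabelled)
    regex: "re.Pattern"


def parse_fc(text: str, uid: int = 1000) -> List[Spec]:
    """Parse file_contexts lines written in refpolicy's gen_context() form."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, spec, ctx = fields
            if spec not in SPECIFIERS:
                raise ValueError(f"unknown type specifier {spec!r}: {raw!r}")
            ftype: Optional[str] = SPECIFIERS[spec]
        elif len(fields) == 2:
            pattern, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        m = re.fullmatch(r"gen_context\(([^,]+),\s*([^)]+)\)", ctx)
        context = f"{m.group(1)}:{m.group(2)}" if m else (None if ctx == "<<none>>" else ctx)
        # Build-time substitutions (assumed values for this example).
        expanded = pattern.replace("HOME_DIR", "/home/[^/]+").replace("%{USERID}", str(uid))
        # file_contexts regexes are implicitly anchored at both ends, hence fullmatch below.
        specs.append(Spec(pattern, ftype, context, re.compile(expanded)))
    return specs


def lookup_type(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """SELinux type an object of class `ftype` at `path` would be labelled with."""
    hit = None
    for s in specs:
        if s.ftype is not None and s.ftype != ftype:
            continue  # specifier present and it is for another object class
        if s.regex.fullmatch(path):
            hit = s  # keep going: the last matching entry wins
    if hit is None or hit.context is None:
        return None
    return hit.context.split(":")[2]


def compare_orcexec_dir() -> dict:
    """What a *directory* named like an orcexec file gets under each version."""
    path = "/var/run/user/1000/orcexec.ZxK3q"  # constructed sample path
    return {
        "as_posted": lookup_type(parse_fc(PATCH_FC), path, "dir"),
        "with_specifier": lookup_type(parse_fc(FIXED_FC), path, "dir"),
    }


if __name__ == "__main__":
    # As posted, the directory is labelled gstreamer_orcexec_t; with "--" it is not.
    print(compare_orcexec_dir())
```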
* [refpolicy] [PATCH] Update for the gnome policy and file contexts 2016-08-13 14:51 ` Dominick Grift @ 2016-08-13 20:09 ` Guido Trentalancia 2016-08-13 20:20 ` Dominick Grift 2016-08-14 17:35 ` Guido Trentalancia 2016-08-14 21:14 ` Guido Trentalancia 2016-08-14 22:13 ` Guido Trentalancia 2 siblings, 2 replies; 73+ messages in thread From: Guido Trentalancia @ 2016-08-13 20:09 UTC (permalink / raw) To: refpolicy Hello Dominick, thanks for getting back on this. > On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com> > wrote: > > > On 08/13/2016 04:45 PM, Guido Trentalancia wrote: > > Update for the gnome module: > > > > - a new gstreamer_orcexec_t type and file context is introduced > > to support the OIL Runtime Compiler (ORC) optimized code > > execution (used for example by pulseaudio); > > - add support for more permissions needed in gconfd_t and gnome > > keyring domains; > > - add support for a few needed fs and kernel permissions. > > > > This patch should be applied before applying the pulseaudio patch. > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > --- > > policy/modules/contrib/gnome.fc | 7 ++ > > policy/modules/contrib/gnome.if | 99 > > +++++++++++++++++++++++++++++++++++++++- > > policy/modules/contrib/gnome.te | 8 +++ > > 3 files changed, 112 insertions(+), 2 deletions(-) > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 > > 16:02:14.949814288 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 > > 16:30:32.175198600 +0200 
> > @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste > > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > > HOME_DIR/\.gnome2/keyrings(/.*)? > > gen_context(system_u:object_r:gnome_keyring_home_t,s0) > > HOME_DIR/\.gnome2_private(/.*)? > > gen_context(system_u:object_r:gnome_home_t,s0) > > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > > > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) > > > > @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > > /usr/bin/mate-keyring-daemon -- > > gen_context(system_u:object_r:gkeyringd_exec_t,s0) > > > > /usr/lib/[^/]*/gconf/gconfd-2 -- > > gen_context(system_u:object_r:gconfd_exec_t,s0) > > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > > + > > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > > + > > +/var/run/user/[^/]*/orcexec\..* > > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > +/var/run/user/%{USERID}/orcexec\..* > > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > these are files so you can be more specific about it: > > /var/run/user/[^/]*/orcexec\..* -- > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > /var/run/user/%{USERID}/orcexec\..* -- > gen_context(system_u:object_r:gstreamer_orcexec_t,s0) Thanks for pointing it out, I have now amended it. > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 > > 16:02:14.950814302 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 > > 00:55:24.980149003 +0200 > > @@ -1,4 +1,4 @@ > > -## <summary>GNU network object model environment.</summary> > > + > > > > ######################################## > > ## <summary> 
> > @@ -100,9 +100,15 @@ template(`gnome_role_template',` > > > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms > > manage_sock_file_perms }; > > > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > > + userdom_manage_user_home_content_files($1_gkeyringd_t) > > + userdom_manage_user_home_content_sockets($1_gkeyringd_t) > > + > I don't like this, and I dont understand it I will double check it. Hopefully, I won't forget about that, with the many other modules that are being changed... > > ps_process_pattern($3, $1_gkeyringd_t) > > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > > + > > corecmd_bin_domtrans($1_gkeyringd_t, $3) > > corecmd_shell_domtrans($1_gkeyringd_t, $3) > > > > @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho > > > > ######################################## > > ## <summary> > > +## Create objects in user home > > +## directories with the gstreamer > > +## orcexec type. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain allowed access. > > +## </summary> > > +## </param> > > +## <param name="object_class"> > > +## <summary> > > +## Class of the object being created. > > +## </summary> > > +## </param> > > +## <param name="name" optional="true"> > > +## <summary> > > +## The name of the object being created. > > +## </summary> > > +## </param> > > +# > > +interface(`gnome_home_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > +######################################## > > +## <summary> > > ## Create objects in gnome gconf home > > ## directories with a private type. > > ## </summary> 
> > @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` > > ') > > > > ######################################## > > +## <summary> > > +## Create objects in the user > > +## runtime directories with the > > +## gstreamer orcexec type. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain allowed access. > > +## </summary> > > +## </param> > > +## <param name="object_class"> > > +## <summary> > > +## Class of the object being created. > > +## </summary> > > +## </param> > > +## <param name="name" optional="true"> > > +## <summary> > > +## The name of the object being created. > > +## </summary> > > +## </param> > > +# > > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > + > > +######################################## > > +## <summary> > > +## Create objects in the tmp > > +## directories with the gstreamer > > +## orcexec type. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain allowed access. > > +## </summary> > > +## </param> > > +## <param name="object_class"> > > +## <summary> > > +## Class of the object being created. > > +## </summary> > > +## </param> > > +## <param name="name" optional="true"> > > +## <summary> > > +## The name of the object being created. > > +## </summary> > > +## </param> > > +# > > +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > If you're not going to support that file in /tmp then this is not needed Removed. > > +######################################## > > ## <summary> > > ## Read generic gnome keyring home files. 
> > ## </summary> > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 > > 16:02:14.951814316 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 > > 13:45:54.704254788 +0200 > > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > > type gnome_keyring_tmp_t; > > userdom_user_tmp_file(gnome_keyring_tmp_t) > > > > +type gstreamer_orcexec_t; > > +application_executable_file(gstreamer_orcexec_t) > > it is not an applications executable file It's very similar to it or, in other words, it is equivalent to it. I could find a better interface to describe it. But if you have other constructive ideas, please let me know and I will test them out... > > + > > ############################## > > # > > # Common local Policy > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > > > +kernel_dontaudit_read_system_state(gconfd_t) > > + > > +fs_getattr_xattr_fs(gconfd_t) > > + > > userdom_manage_user_tmp_dirs(gconfd_t) > > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > > +userdom_manage_user_tmp_sockets(gconfd_t) > > What is going on there and why did you choose this? I think it's to support sockets in /tmp/orbit-USER/linc-.* They are created by ORBit2. It's a library and some gnome components are linked against it. I am now working on a new revised version of this patch which introduces specific support for ORBit temporary files. > > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > > > optional_policy(` > > _______________________________________________ Best regards, Guido
* [refpolicy] [PATCH] Update for the gnome policy and file contexts 2016-08-13 20:09 ` Guido Trentalancia @ 2016-08-13 20:20 ` Dominick Grift 2016-08-14 17:35 ` Guido Trentalancia 1 sibling, 0 replies; 73+ messages in thread From: Dominick Grift @ 2016-08-13 20:20 UTC (permalink / raw) To: refpolicy On 08/13/2016 10:09 PM, Guido Trentalancia wrote: > Hello Dominick, > > thanks for getting back on this. > >> On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com> >> wrote: >> >> >> On 08/13/2016 04:45 PM, Guido Trentalancia wrote: >>> Update for the gnome module: >>> >>> - a new gstreamer_orcexec_t type and file context is introduced >>> to support the OIL Runtime Compiler (ORC) optimized code >>> execution (used for example by pulseaudio); >>> - add support for more permissions needed in gconfd_t and gnome >>> keyring domains; >>> - add support for a few needed fs and kernel permissions. >>> >>> This patch should be applied before applying the pulseaudio patch. >>> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>> --- >>> policy/modules/contrib/gnome.fc | 7 ++ >>> policy/modules/contrib/gnome.if | 99 >>> +++++++++++++++++++++++++++++++++++++++- >>> policy/modules/contrib/gnome.te | 8 +++ >>> 3 files changed, 112 insertions(+), 2 deletions(-) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 >>> 16:02:14.949814288 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 >>> 16:30:32.175198600 +0200 >>> @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste >>> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) >>> HOME_DIR/\.gnome2/keyrings(/.*)? >>> gen_context(system_u:object_r:gnome_keyring_home_t,s0) >>> HOME_DIR/\.gnome2_private(/.*)? >>> gen_context(system_u:object_r:gnome_home_t,s0) >>> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >>> >>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
>>> >>> @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont >>> /usr/bin/mate-keyring-daemon -- >>> gen_context(system_u:object_r:gkeyringd_exec_t,s0) >>> >>> /usr/lib/[^/]*/gconf/gconfd-2 -- >>> gen_context(system_u:object_r:gconfd_exec_t,s0) >>> -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) >>> + >>> +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) >>> + >>> +/var/run/user/[^/]*/orcexec\..* >>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >>> +/var/run/user/%{USERID}/orcexec\..* >>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >> >> these are files so you can be more specific about it: >> >> /var/run/user/[^/]*/orcexec\..* -- >> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >> /var/run/user/%{USERID}/orcexec\..* -- >> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > Thanks for pointing it out, I have now amended it. > >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 >>> 16:02:14.950814302 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 >>> 00:55:24.980149003 +0200 >>> @@ -1,4 +1,4 @@ >>> -## <summary>GNU network object model environment.</summary> >>> + >>> >>> ######################################## >>> ## <summary> 
>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',` >>> >>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms >>> manage_sock_file_perms }; >>> >>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t) >>> + userdom_manage_user_home_content_files($1_gkeyringd_t) >>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t) >>> + > >> I don't like this, and I dont understand it > > I will double check it. Hopefully, I won't forget about that, with the many > other modules that are being changed... > >>> ps_process_pattern($3, $1_gkeyringd_t) >>> allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; >>> >>> + kernel_read_kernel_sysctls($1_gkeyringd_t) >>> + >>> corecmd_bin_domtrans($1_gkeyringd_t, $3) >>> corecmd_shell_domtrans($1_gkeyringd_t, $3) >>> >>> @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho >>> >>> ######################################## >>> ## <summary> >>> +## Create objects in user home >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## </summary> >>> +## <param name="domain"> >>> +## <summary> >>> +## Domain allowed access. >>> +## </summary> >>> +## </param> >>> +## <param name="object_class"> >>> +## <summary> >>> +## Class of the object being created. >>> +## </summary> >>> +## </param> >>> +## <param name="name" optional="true"> >>> +## <summary> >>> +## The name of the object being created. >>> +## </summary> >>> +## </param> >>> +# >>> +interface(`gnome_home_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >>> +######################################## >>> +## <summary> >>> ## Create objects in gnome gconf home >>> ## directories with a private type. >>> ## </summary> 
>>> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` >>> ') >>> >>> ######################################## >>> +## <summary> >>> +## Create objects in the user >>> +## runtime directories with the >>> +## gstreamer orcexec type. >>> +## </summary> >>> +## <param name="domain"> >>> +## <summary> >>> +## Domain allowed access. >>> +## </summary> >>> +## </param> >>> +## <param name="object_class"> >>> +## <summary> >>> +## Class of the object being created. >>> +## </summary> >>> +## </param> >>> +## <param name="name" optional="true"> >>> +## <summary> >>> +## The name of the object being created. >>> +## </summary> >>> +## </param> >>> +# >>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >>> + >>> +######################################## >>> +## <summary> >>> +## Create objects in the tmp >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## </summary> >>> +## <param name="domain"> >>> +## <summary> >>> +## Domain allowed access. >>> +## </summary> >>> +## </param> >>> +## <param name="object_class"> >>> +## <summary> >>> +## Class of the object being created. >>> +## </summary> >>> +## </param> >>> +## <param name="name" optional="true"> >>> +## <summary> >>> +## The name of the object being created. >>> +## </summary> >>> +## </param> >>> +# >>> +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >> >> If you're not going to support that file in /tmp then this is not needed > > Removed. > >>> +######################################## >>> ## <summary> >>> ## Read generic gnome keyring home files. 
>>> ## </summary> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 >>> 16:02:14.951814316 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 >>> 13:45:54.704254788 +0200 >>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ >>> type gnome_keyring_tmp_t; >>> userdom_user_tmp_file(gnome_keyring_tmp_t) >>> >>> +type gstreamer_orcexec_t; >>> +application_executable_file(gstreamer_orcexec_t) >> >> it is not an applications executable file > > It's very similar to it or, in other words, it is equivalent to it. I could find > a better interface to describe it. > > But if you have other constructive ideas, please let me know and I will test > them out... It is nothing like an "application executable file". This is a file that gets mmap'd; it does not get "executed", it's certainly not an application, and only liborc clients mmap this file. In my policy this is just a user temporary file, or alternatively a user home content file (I only support this file in $XDG_RUNTIME_DIR and not in ~, so in my policy I can just get away with classifying it as a user tmp(fs) file). > >>> + >>> ############################## >>> # >>> # Common local Policy
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ >>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) >>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) >>> >>> +kernel_dontaudit_read_system_state(gconfd_t) >>> + >>> +fs_getattr_xattr_fs(gconfd_t) >>> + >>> userdom_manage_user_tmp_dirs(gconfd_t) >>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir) >>> +userdom_manage_user_tmp_sockets(gconfd_t) >> >> What is going on there and why did you choose this? > > I think it's to support sockets in /tmp/orbit-USER/linc-.* > > They are created by ORBit2. It's a library and some gnome components are linked > against it. > > I am now working on a new revised version of this patch which introduces > specific support for ORBit temporary files. > I see. For Mate, I suppose. >>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) >>> >>> optional_policy(` >>> _______________________________________________ > > Best regards, > > Guido > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-13 20:09 ` Guido Trentalancia
  2016-08-13 20:20 ` Dominick Grift
@ 2016-08-14 17:35 ` Guido Trentalancia
  2016-08-14 17:45 ` Dominick Grift
  1 sibling, 1 reply; 73+ messages in thread
From: Guido Trentalancia @ 2016-08-14 17:35 UTC (permalink / raw)
To: refpolicy

Hello Dominick.

I have done some further testing and there are some problems...

Please read on...

On Sat, 13/08/2016 at 22.09 +0200, Guido Trentalancia wrote:
> > On 08/13/2016 04:45 PM, Guido Trentalancia wrote:

[....]

> > > +
> > > ?##############################
> > > ?#
> > > ?# Common local Policy
> > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> > > ?manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> > > ?userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
> > > ?
> > > +kernel_dontaudit_read_system_state(gconfd_t)
> > > +
> > > +fs_getattr_xattr_fs(gconfd_t)
> > > +
> > > ?userdom_manage_user_tmp_dirs(gconfd_t)
> > > ?userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > > +userdom_manage_user_tmp_sockets(gconfd_t)
> >
> > What is going on there and why did you choose this?
>
> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>
> They are created by ORBit2. It's a library and some gnome components
> are linked
> against it.
>
> I am now working on a new revised version of this patch which
> introduces
> specific support for ORBit temporary files.

I have tested the above but met the following problem: the /tmp/orbit-USER directory is shared with other applications that run in the generic user domain!

So, if I change the type of the /tmp/orbit-USER directory to a newly created gnome_orbit_tmp_t type, then the other applications cannot access it...

So, perhaps, the previous implementation which leads to userdom_manage_user_tmp_sockets(gconfd_t) is the only way.

What do you say?

Regards,

Guido
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-14 17:35 ` Guido Trentalancia
@ 2016-08-14 17:45 ` Dominick Grift
  0 siblings, 0 replies; 73+ messages in thread
From: Dominick Grift @ 2016-08-14 17:45 UTC (permalink / raw)
To: refpolicy

On 08/14/2016 07:35 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> I have done some further testing and there are some problems...
>
> Please read on...
>
> On Sat, 13/08/2016 at 22.09 +0200, Guido Trentalancia wrote:
>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>
> [....]
>
>>>> +
>>>> ##############################
>>>> #
>>>> # Common local Policy
>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>>
>>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>>> +
>>>> +fs_getattr_xattr_fs(gconfd_t)
>>>> +
>>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>
>>> What is going on there and why did you choose this?
>>
>> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>>
>> They are created by ORBit2. It's a library and some gnome components
>> are linked
>> against it.
>>
>> I am now working on a new revised version of this patch which
>> introduces
>> specific support for ORBit temporary files.
>
> I have tested the above but met the following problem: the /tmp/orbit-
> USER directory is shared with other applications that run in the
> generic user domain !

Yes

>
> So, if I change the type of the /tmp/orbit-USER directory to a newly
> created gnome_orbit_tmp_t type, then the other applications cannot
> access it...

You don't have to change the type of the /tmp/orbit-USER directory.

Instead just make gconfd_t create sockets in user_tmp_t dirs with an automatic type transition to the existing gconfd_tmp_t type:

manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, sock_file)

>
> So, perhaps, the previous implementation which leads to
> userdom_manage_user_tmp_sockets(gconfd_t) is the only way.

I doubt that

>
> What do you say ?
>
> Regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-13 14:51 ` Dominick Grift
  2016-08-13 20:09 ` Guido Trentalancia
@ 2016-08-14 21:14 ` Guido Trentalancia
  2016-08-14 21:19 ` Dominick Grift
  2016-08-14 22:13 ` Guido Trentalancia
  2 siblings, 1 reply; 73+ messages in thread
From: Guido Trentalancia @ 2016-08-14 21:14 UTC (permalink / raw)
To: refpolicy

Hello Dominick!

Finally I am able to clarify one of the two open questions about the gnome module...

> On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com>
> wrote:
>
>
> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - a new gstreamer_orcexec_t type and file context is introduced
> > to support the OIL Runtime Compiler (ORC) optimized code
> > execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > keyring domains;
> > - add support for a few needed fs and kernel permissions.
> >
> > This patch should be applied before applying the pulseaudio patch.
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > policy/modules/contrib/gnome.fc | 7 ++
> > policy/modules/contrib/gnome.if | 99
> > +++++++++++++++++++++++++++++++++++++++-
> > policy/modules/contrib/gnome.te | 8 +++
> > 3 files changed, 112 insertions(+), 2 deletions(-)

[...]

> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
> > 16:02:14.950814302 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
> > 00:55:24.980149003 +0200
> > @@ -1,4 +1,4 @@
> > -## <summary>GNU network object model environment.</summary>
> > +
> >
> > ########################################
> > ## <summary>
> > @@ -100,9 +100,15 @@ template(`gnome_role_template',`
> >
> > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
> > manage_sock_file_perms };
> >
> > + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> > + userdom_manage_user_home_content_files($1_gkeyringd_t)
> > + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> > +
>
> I don't like this, and I don't understand it

It's needed to write .xsession-errors and the .cache subdirectory in the user home.

It is quite important, as the latter is used, amongst other things, to store user credentials: for example, when the user enters the password in the evolution mail client to retrieve his/her mail, then the password entered is stored in the cache and the user does not need to enter the password again when the mail is received again periodically later.

I hope this clarifies the matter.

I am checking the other issue (socket creation in /tmp) by testing the policy you suggested but unfortunately, I can anticipate that there are issues. Will let you know more precisely when I have finished testing it.

Regards,

Guido
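Review bot: the gnome.if hunk `@@ -1,4 +1,4 @@` deletes the module summary line `## <summary>GNU network object model environment.</summary>` and replaces it with an empty line, and neither the commit message nor the thread says this is intended; the `## <summary>` headers are the module's documentation, so the line should be restored unless the removal is deliberate.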
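Review bot: the three `userdom_manage_user_home_content_*($1_gkeyringd_t)` lines added in the gnome.if hunk `@@ -100,9 +100,15 @@` let the keyring daemon create, write and delete dirs, files and sockets across the whole generic user home content type, while the stated need is a few specific paths (.xsession-errors and the control, pkcs11, ssh and gpg sockets under ~/.cache/keyring-*/, per the thread). Those sockets are credential endpoints, so a private type for the keyring cache directory with a file transition from the role template, in the same way this template already uses the private gnome_keyring_tmp_t for sockets in the context line just above (the thread suggests a gkeyring_cache_home_t once the XDG cache type lands), keeps them out of reach of every other domain that may write user home content. If the broad rules are kept for now, a comment explaining why is the minimum.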
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-14 21:14 ` Guido Trentalancia
@ 2016-08-14 21:19 ` Dominick Grift
  2016-08-14 21:33 ` Guido Trentalancia
  0 siblings, 1 reply; 73+ messages in thread
From: Dominick Grift @ 2016-08-14 21:19 UTC (permalink / raw)
To: refpolicy

On 08/14/2016 11:14 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> Finally I am able to clarify one of the two open questions about the gnome
> module...
>
>> On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com>
>> wrote:
>>
>>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for a few needed fs and kernel permissions.
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>> policy/modules/contrib/gnome.fc | 7 ++
>>> policy/modules/contrib/gnome.if | 99
>>> +++++++++++++++++++++++++++++++++++++++-
>>> policy/modules/contrib/gnome.te | 8 +++
>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> [...]
>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
>>> 16:02:14.950814302 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
>>> 00:55:24.980149003 +0200
>>> @@ -1,4 +1,4 @@
>>> -## <summary>GNU network object model environment.</summary>
>>> +
>>>
>>> ########################################
>>> ## <summary>
>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>>>
>>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
>>> manage_sock_file_perms };
>>>
>>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
>>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
>>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>> +
>>
>> I don't like this, and I don't understand it
>
> It's needed to write .xsession-errors and the .cache subdirectory in the user
> home.
>
> It is quite important, as the latter is used, amongst other things, to store
> user credentials: for example, when the user enters the password in the
> evolution mail client to retrieve his/her mail, then the password entered is
> stored in the cache and the user does not need to enter the password again when
> the mail is received again periodically later.
>

And the .xsessions_errors file is not mislabeled? (e.g. is that supposed to be user_home_t?)

As for the ~/.cache issue: probably best to hold on to that for now, as chances are that refpolicy will soon associate a different type with that directory. Thus that scenario might change again soon.

You did not clarify the userdom_manage_user_home_content_sockets($1_gkeyringd_t)

But I am pretty sure that this socket should not be user_home_t.

> I hope this clarifies the matter.
>
> I am checking the other issue (socket creation in /tmp) by testing the policy
> you suggested but unfortunately, I can anticipate that there are issues. Will
> let you know more precisely when I have finished testing it.
>
> Regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-14 21:19 ` Dominick Grift
@ 2016-08-14 21:33 ` Guido Trentalancia
  2016-08-14 21:35 ` Dominick Grift
  0 siblings, 1 reply; 73+ messages in thread
From: Guido Trentalancia @ 2016-08-14 21:33 UTC (permalink / raw)
To: refpolicy

Hello Dominick.

> On 08/14/2016 11:14 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > Finally I am able to clarify one of the two open questions about the gnome
> > module...
> >
> >> On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com>
> >> wrote:
> >>
> >>
> >> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> >>> Update for the gnome module:
> >>>
> >>> - a new gstreamer_orcexec_t type and file context is introduced
> >>> to support the OIL Runtime Compiler (ORC) optimized code
> >>> execution (used for example by pulseaudio);
> >>> - add support for more permissions needed in gconfd_t and gnome
> >>> keyring domains;
> >>> - add support for a few needed fs and kernel permissions.
> >>>
> >>> This patch should be applied before applying the pulseaudio patch.
> >>>
> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> >>> ---
> >>> policy/modules/contrib/gnome.fc | 7 ++
> >>> policy/modules/contrib/gnome.if | 99
> >>> +++++++++++++++++++++++++++++++++++++++-
> >>> policy/modules/contrib/gnome.te | 8 +++
> >>> 3 files changed, 112 insertions(+), 2 deletions(-)
> >
> > [...]
> >
> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
> >>> 16:02:14.950814302 +0200
> >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
> >>> 00:55:24.980149003 +0200
> >>> @@ -1,4 +1,4 @@
> >>> -## <summary>GNU network object model environment.</summary>
> >>> +
> >>>
> >>> ########################################
> >>> ## <summary>
> >>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
> >>>
> >>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
> >>> manage_sock_file_perms };
> >>>
> >>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> >>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
> >>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> >>> +
> >>
> >> I don't like this, and I don't understand it
> >
> > It's needed to write .xsession-errors and the .cache subdirectory in the
> > user
> > home.
> >
> > It is quite important, as the latter is used, amongst other things, to store
> > user credentials: for example, when the user enters the password in the
> > evolution mail client to retrieve his/her mail, then the password entered is
> > stored in the cache and the user does not need to enter the password again
> > when
> > the mail is received again periodically later.
> >
>
> And the .xsessions_errors file is not mislabeled? (e.g. is that supposed
> to be user_home_t?)
>
> As for ~/.cache issue. Probably best to hold on to that for now as
> chances are that refpolicy will soon associate a different type with
> that directory. Thus that scenario might change again soon.
>
> You did not clarify the
> userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>
> But I am pretty sure that this socket should not be user_home_t.

Might be sensitive sockets: they are named "control", "pkcs11", "ssh", "gpg" and are located in .cache/keyring-*/

They are currently labeled user_home_t.

What do you suggest to do?

> > I hope this clarifies the matter.
> >
> > I am checking the other issue (socket creation in /tmp) by testing the
> > policy
> > you suggested but unfortunately, I can anticipate that there are issues.
> > Will
> > let you know more precisely when I have finished testing it.

Best regards,

Guido
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-14 21:33 ` Guido Trentalancia
@ 2016-08-14 21:35 ` Dominick Grift
  0 siblings, 0 replies; 73+ messages in thread
From: Dominick Grift @ 2016-08-14 21:35 UTC (permalink / raw)
To: refpolicy

On 08/14/2016 11:33 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
>> On 08/14/2016 11:14 PM, Guido Trentalancia wrote:
>>> Hello Dominick !
>>>
>>> Finally I am able to clarify one of the two open questions about the gnome
>>> module...
>>>
>>>> On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com>
>>>> wrote:
>>>>
>>>>
>>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>>>> Update for the gnome module:
>>>>>
>>>>> - a new gstreamer_orcexec_t type and file context is introduced
>>>>> to support the OIL Runtime Compiler (ORC) optimized code
>>>>> execution (used for example by pulseaudio);
>>>>> - add support for more permissions needed in gconfd_t and gnome
>>>>> keyring domains;
>>>>> - add support for a few needed fs and kernel permissions.
>>>>>
>>>>> This patch should be applied before applying the pulseaudio patch.
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>> ---
>>>>> policy/modules/contrib/gnome.fc | 7 ++
>>>>> policy/modules/contrib/gnome.if | 99
>>>>> +++++++++++++++++++++++++++++++++++++++-
>>>>> policy/modules/contrib/gnome.te | 8 +++
>>>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>>
>>> [...]
>>>
>>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
>>>>> 16:02:14.950814302 +0200
>>>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
>>>>> 00:55:24.980149003 +0200
>>>>> @@ -1,4 +1,4 @@
>>>>> -## <summary>GNU network object model environment.</summary>
>>>>> +
>>>>>
>>>>> ########################################
>>>>> ## <summary>
>>>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>>>>>
>>>>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
>>>>> manage_sock_file_perms };
>>>>>
>>>>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
>>>>> + userdom_manage_user_home_content_files($1_gkeyringd_t)
>>>>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>>>> +
>>>>
>>>> I don't like this, and I don't understand it
>>>
>>> It's needed to write .xsession-errors and the .cache subdirectory in the
>>> user
>>> home.
>>>
>>> It is quite important, as the latter is used, amongst other things, to store
>>> user credentials: for example, when the user enters the password in the
>>> evolution mail client to retrieve his/her mail, then the password entered is
>>> stored in the cache and the user does not need to enter the password again
>>> when
>>> the mail is received again periodically later.
>>>
>>
>> And the .xsessions_errors file is not mislabeled? (e.g. is that supposed
>> to be user_home_t?)
>>
>> As for ~/.cache issue. Probably best to hold on to that for now as
>> chances are that refpolicy will soon associate a different type with
>> that directory. Thus that scenario might change again soon.
>>
>> You did not clarify the
>> userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>
>> But I am pretty sure that this socket should not be user_home_t.
>
> Might be sensitive sockets, they are named "control", "pkcs11", "ssh", "gpg" and
> are located in .cache/keyring-*/
>
> They are currently labeled user_home_t.
>
> What do you suggest to do ?
>

I would hold off on this until the XDG spec types are implemented (~/.cache), then create a private gkeyring_cache_home_t type for ~/.cache/keyring

>>> I hope this clarifies the matter.
>>>
>>> I am checking the other issue (socket creation in /tmp) by testing the
>>> policy
>>> you suggested but unfortunately, I can anticipate that there are issues.
>>> Will
>>> let you know more precisely when I have finished testing it.
>
> Best regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-13 14:51 ` Dominick Grift
  2016-08-13 20:09 ` Guido Trentalancia
  2016-08-14 21:14 ` Guido Trentalancia
@ 2016-08-14 22:13 ` Guido Trentalancia
  2016-08-15  6:00 ` Dominick Grift
  2 siblings, 1 reply; 73+ messages in thread
From: Guido Trentalancia @ 2016-08-14 22:13 UTC (permalink / raw)
To: refpolicy

Hello Dominick!

> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - a new gstreamer_orcexec_t type and file context is introduced
> > to support the OIL Runtime Compiler (ORC) optimized code
> > execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > keyring domains;
> > - add support for a few needed fs and kernel permissions.
> >
> > This patch should be applied before applying the pulseaudio patch.
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > policy/modules/contrib/gnome.fc | 7 ++
> > policy/modules/contrib/gnome.if | 99
> > +++++++++++++++++++++++++++++++++++++++-
> > policy/modules/contrib/gnome.te | 8 +++
> > 3 files changed, 112 insertions(+), 2 deletions(-)

[...]

> > +
> > ##############################
> > #
> > # Common local Policy
> > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
> >
> > +kernel_dontaudit_read_system_state(gconfd_t)
> > +
> > +fs_getattr_xattr_fs(gconfd_t)
> > +
> > userdom_manage_user_tmp_dirs(gconfd_t)
> > userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > +userdom_manage_user_tmp_sockets(gconfd_t)
>
> What is going on there and why did you choose this?

Other applications (such as firefox) need to write those sockets, therefore the policy you suggested in a previous message is not feasible.

In other words those sockets should be created as user_tmp_t and not as a private gconf_tmp_t.

> > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> >
> > optional_policy(`

Regards,

Guido
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-14 22:13 ` Guido Trentalancia
@ 2016-08-15  6:00 ` Dominick Grift
  2016-08-15  8:29 ` Dominick Grift
  0 siblings, 1 reply; 73+ messages in thread
From: Dominick Grift @ 2016-08-15 6:00 UTC (permalink / raw)
To: refpolicy

On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
> Hello Dominick !
>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for a few needed fs and kernel permissions.
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>> policy/modules/contrib/gnome.fc | 7 ++
>>> policy/modules/contrib/gnome.if | 99
>>> +++++++++++++++++++++++++++++++++++++++-
>>> policy/modules/contrib/gnome.te | 8 +++
>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> [...]
>
>>> +
>>> ##############################
>>> #
>>> # Common local Policy
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>
>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>> +
>>> +fs_getattr_xattr_fs(gconfd_t)
>>> +
>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>
>> What is going on there and why did you choose this?
>
> Other applications (such as firefox) need to write those sockets, therefore the
> policy you suggested in a previous message is not feasible.
>

How do you figure that?

> In other words those sockets should be created as user_tmp_t and not as a
> private gconf_tmp_t.
>
>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>
>>> optional_policy(`
>
> Regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
  2016-08-15  6:00 ` Dominick Grift
@ 2016-08-15  8:29 ` Dominick Grift
  2016-08-16 19:26 ` Guido Trentalancia
  0 siblings, 1 reply; 73+ messages in thread
From: Dominick Grift @ 2016-08-15 8:29 UTC (permalink / raw)
To: refpolicy

On 08/15/2016 08:00 AM, Dominick Grift wrote:
> On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
>> Hello Dominick !
>>
>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>>> Update for the gnome module:
>>>>
>>>> - a new gstreamer_orcexec_t type and file context is introduced
>>>> to support the OIL Runtime Compiler (ORC) optimized code
>>>> execution (used for example by pulseaudio);
>>>> - add support for more permissions needed in gconfd_t and gnome
>>>> keyring domains;
>>>> - add support for a few needed fs and kernel permissions.
>>>>
>>>> This patch should be applied before applying the pulseaudio patch.
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>> policy/modules/contrib/gnome.fc | 7 ++
>>>> policy/modules/contrib/gnome.if | 99
>>>> +++++++++++++++++++++++++++++++++++++++-
>>>> policy/modules/contrib/gnome.te | 8 +++
>>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>
>> [...]
>>
>>>> +
>>>> ##############################
>>>> #
>>>> # Common local Policy
>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>>
>>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>>> +
>>>> +fs_getattr_xattr_fs(gconfd_t)
>>>> +
>>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>
>>> What is going on there and why did you choose this?
>>
>> Other applications (such as firefox) need to write those sockets, therefore the
>> policy you suggested in a previous message is not feasible.
>>
>
> How do you figure that?
>

Let me just expand on this a little. I might be wrong on some of the following, but I have in the past targeted gnome2, so I do have a little experience with dealing with orbit.

There are many sockets in orbit-USER. Every application that relies on that functionality maintains its own socket in there. It is the PRE-dbus way of communications.

gconfd maintains a socket in there. It was in the past decided to target gconfd. We should now also be consistent and just finish what we started.

Besides, even if you leave that socket type user_tmp_t, that still will leave you with the "gconfd_t:unix_stream_socket connectto" since the gconfd process does have a private type.

If you start saying we will target this part of gconfd but not the other part of gconfd then you might as well not target it at all. It may not be as black-and-white as that, but it essentially boils down to that.

Also beware to not let your desire to "make things work" make you forget about why we're doing this in the first place: to enforce integrity.

Things like these are essentially why I can't use refpolicy. Because there are too many compromises like these in there. Where it was forgotten what the purpose is of confined user domains, and where the desire to just produce something that "works" basically blurred our vision.

>> In other words those sockets should be created as user_tmp_t and not as a
>> private gconf_tmp_t.
>>
>>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>>
>>>> optional_policy(`
>>
>> Regards,
>>
>> Guido
>>
>
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH] Update for the gnome policy and file contexts 2016-08-15 8:29 ` Dominick Grift @ 2016-08-16 19:26 ` Guido Trentalancia 2016-08-16 19:30 ` Dominick Grift 0 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-16 19:26 UTC (permalink / raw) To: refpolicy Hello Dominick. Late reply to this... On Mon, 15/08/2016 at 10.29 +0200, Dominick Grift wrote: > On 08/15/2016 08:00 AM, Dominick Grift wrote: > > On 08/15/2016 12:13 AM, Guido Trentalancia wrote: > > > Hello Dominick ! > > > > > > > On 08/13/2016 04:45 PM, Guido Trentalancia wrote: > > > > > Update for the gnome module: > > > > > > > > > > - a new gstreamer_orcexec_t type and file context is > > > > > introduced > > > > > ? to support the OIL Runtime Compiler (ORC) optimized code > > > > > ? execution (used for example by pulseaudio); > > > > > - add support for more permissions needed in gconfd_t and > > > > > gnome > > > > > ? keyring domains; > > > > > - add support for a few needed fs and kernel permissions.? > > > > > > > > > > This patch should be applied before applying the pulseaudio > > > > > patch. > > > > > > > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > > > > --- > > > > > ?policy/modules/contrib/gnome.fc |????7 ++ > > > > > ?policy/modules/contrib/gnome.if |???99 > > > > > +++++++++++++++++++++++++++++++++++++++- > > > > > ?policy/modules/contrib/gnome.te |????8 +++ > > > > > ?3 files changed, 112 insertions(+), 2 deletions(-) > > > > > > [...] > > > > > > > > + > > > > > ?############################## > > > > > ?# > > > > > ?# Common local Policy 
> > > > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > > > > > ?manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > > > > > ?userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file > > > > > }) > > > > > ? > > > > > +kernel_dontaudit_read_system_state(gconfd_t) > > > > > + > > > > > +fs_getattr_xattr_fs(gconfd_t) > > > > > + > > > > > ?userdom_manage_user_tmp_dirs(gconfd_t) > > > > > ?userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > > > > > +userdom_manage_user_tmp_sockets(gconfd_t) > > > > > > > > What is going on there and why did you choose this? > > > > > > Other applications (such as firefox) need to write those sockets, > > > therefore the > > > policy you suggested in a previous message is not feasible. > > > > > > > How do you figure that? > > > > Let me just expand on this a little. I might be wrong on some of the > following but i have in the past targeted gnome2 so i do have a > little > experience with dealing with orbit > > There are many sockets in orbit-USER. Every application that relies > on > that functionality maintains its own socket in there. It is the PRE- > dbus > way of communications. I have now dropped the support for ORBit-2 in the latest version of this patch. At the end, it is an obsolete library/framework. Sooner or later, we shall remove any remaining support for GConf and the rest of the Gnome2 file contexts and stuff. It's pointless and risky to keep obsolete stuff for long. In general, security goes hand in hand with keeping software up to date. > gconfd maintains a socket in there. It was in the past decided to > target > gconfd. We should now also be consistent and just finish what we > started. > > Besides even if you leave that socket type user_tmp_t that still will > leave you with the "gconfd_t:unix_stream_socket connectto" since the > gconfd process does have a private type. 
> > If you start saying we will target this part of gconfd but not the > other > part of gconfd then you might as well not target it at all. It may > not > be as black-and-white as that, but it essentially boils down to that. > > Also beware to not let your desire to "make things work" make you > forget > about why were doing this in the first place: to enforce integrity. > > Things like these are essentially why I can't use refpolicy. Because > there are too many compromises like these in there. Where it was I am not following you anymore... What compromises are you talking about ? The system needs to be usable, at least to a minimum level. Otherwise, the policy itself is useless. If there are permissions or interfaces that are dangerous from a security standpoint and removing them does not affect a minimum level of usability, then we should surely make any effort to remove them from the policy ! Please be more specific ! If there is something that is of your concern in the actual policy, please let me know and I will try to test if removing it affects usability, then we can proceed to get rid of it. This is very important. We need an updated tight policy that provides a minimum (eventually tunable) level of usability. > forgotten what the purpose is of confined user domains, and where the > desire to just produce something that "works" basically blurred our > vision. Well, it needs to work in the first place, otherwise there is no point of supporting a given module, we can just remove the support instead of providing a broken one. Something of my concern, for example, is too much unnecessary freedom for applications to read or manage the user_home_t files when they can be assigned their own private types instead (see for example, my recent pulseaudio patch). What specifically concerns you most ? > > > In other words those sockets should be created as user_tmp_t and > > > not as a > > > private gconf_tmp_t. 
> > >
> > > > > ?userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > > > > ? > > > > > ?optional_policy(`

Regards,

Guido
* [refpolicy] [PATCH] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-16 19:30 UTC
To: refpolicy

On 08/16/2016 09:26 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> Late reply to this...
>
> On Mon, 15/08/2016 at 10.29 +0200, Dominick Grift wrote:
>> On 08/15/2016 08:00 AM, Dominick Grift wrote:
>>> On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
>>>> Hello Dominick!
>>>>
>>>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>>>>> Update for the gnome module:
>>>>>>
>>>>>> - a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio);
>>>>>> - add support for more permissions needed in gconfd_t and gnome keyring domains;
>>>>>> - add support for a few needed fs and kernel permissions.
>>>>>>
>>>>>> This patch should be applied before applying the pulseaudio patch.
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>> ---
>>>>>> policy/modules/contrib/gnome.fc | 7 ++
>>>>>> policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++-
>>>>>> policy/modules/contrib/gnome.te | 8 +++
>>>>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>>>>
>>>> [...]
>>>>
>>>>>> + >>>>>> ############################## >>>>>> # >>>>>> # Common local Policy
>>>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ >>>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) >>>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file >>>>>> }) >>>>>> >>>>>> +kernel_dontaudit_read_system_state(gconfd_t) >>>>>> + >>>>>> +fs_getattr_xattr_fs(gconfd_t) >>>>>> + >>>>>> userdom_manage_user_tmp_dirs(gconfd_t) >>>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir) >>>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>>>
>>>>> What is going on there and why did you choose this?
>>>>
>>>> Other applications (such as firefox) need to write those sockets, therefore the policy you suggested in a previous message is not feasible.
>>>>
>>>
>>> How do you figure that?
>>>
>>
>> Let me just expand on this a little. I might be wrong on some of the following but I have in the past targeted gnome2 so I do have a little experience with dealing with orbit.
>>
>> There are many sockets in orbit-USER. Every application that relies on that functionality maintains its own socket in there. It is the PRE-dbus way of communications.
>
> I have now dropped the support for ORBit-2 in the latest version of this patch. At the end, it is an obsolete library/framework.
>
> Sooner or later, we shall remove any remaining support for GConf and the rest of the Gnome2 file contexts and stuff. It's pointless and risky to keep obsolete stuff for long. In general, security goes hand in hand with keeping software up to date.
>
>> gconfd maintains a socket in there. It was in the past decided to target gconfd. We should now also be consistent and just finish what we started.
>>
>> Besides even if you leave that socket type user_tmp_t that still will leave you with the "gconfd_t:unix_stream_socket connectto" since the gconfd process does have a private type.
>>
>> If you start saying we will target this part of gconfd but not the other part of gconfd then you might as well not target it at all. It may not be as black-and-white as that, but it essentially boils down to that.
>>
>> Also beware to not let your desire to "make things work" make you forget about why we're doing this in the first place: to enforce integrity.
>>
>> Things like these are essentially why I can't use refpolicy. Because there are too many compromises like these in there. Where it was
>
> I am not following you anymore...
>
> What compromises are you talking about? The system needs to be usable, at least to a minimum level. Otherwise, the policy itself is useless.
>
> If there are permissions or interfaces that are dangerous from a security standpoint and removing them does not affect a minimum level of usability, then we should surely make any effort to remove them from the policy!
>
> Please be more specific!
>
> If there is something that is of your concern in the actual policy, please let me know and I will try to test if removing it affects usability, then we can proceed to get rid of it. This is very important. We need an updated tight policy that provides a minimum (eventually tunable) level of usability.
>
>> forgotten what the purpose is of confined user domains, and where the desire to just produce something that "works" basically blurred our vision.
>
> Well, it needs to work in the first place, otherwise there is no point of supporting a given module, we can just remove the support instead of providing a broken one.
>
> Something of my concern, for example, is too much unnecessary freedom for applications to read or manage the user_home_t files when they can be assigned their own private types instead (see for example, my recent pulseaudio patch).
>
> What specifically concerns you most?
>

I can't be much more specific.
I think that allowing a process associated with type gconfd_t to maintain a socket with type user_tmp_t is a bad idea.

Anyway, I will leave this to others to decide.

>>>> In other words those sockets should be created as user_tmp_t and not as a private gconf_tmp_t.
>>>>
>>>>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) >>>>>> >>>>>> optional_policy(`
>
> Regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v2] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-15 21:33 UTC
To: refpolicy

Update for the gnome module:

- a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome keyring domains;
- add support for chat over dbus in the gconfd domain;
- add support for a few needed fs and kernel permissions.

Compared to the previous version of this patch, the support for Gnome2/ORBit-2 has been dropped.

Recent changes to the pulseaudio module depend on this patch!

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/contrib/gnome.fc | 9 +++
policy/modules/contrib/gnome.if | 100 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 12 ++++
3 files changed, 118 insertions(+), 3 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-15 17:06:46.933458938 +0200
@@ -4,6 +4,9 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0) + +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) @@ -13,4 +16,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-15 19:18:12.011401521 +0200 @@ -1,4 +1,4 @@ -## <summary>GNU network object model environment.</summary> + ######################################## ## <summary> @@ -44,7 +44,7 @@ template(`gnome_role_template',` gen_require(` attribute gnomedomain, gkeyringd_domain; attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t; ') 
@@ -100,9 +100,23 @@ template(`gnome_role_template',` allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + userdom_manage_user_home_content_dirs($1_gkeyringd_t) + userdom_manage_user_home_content_files($1_gkeyringd_t) + + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) + + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "control") + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "gpg") + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "pkcs11") + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "ssh") + ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + kernel_read_kernel_sysctls($1_gkeyringd_t) + corecmd_bin_domtrans($1_gkeyringd_t, $3) corecmd_shell_domtrans($1_gkeyringd_t, $3) @@ -112,6 +126,7 @@ template(`gnome_role_template',` dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) optional_policy(` + gnome_dbus_chat_gconfd($3) gnome_dbus_chat_gkeyringd($1, $3) ') ') 
@@ -569,6 +584,36 @@ interface(`gnome_home_filetrans_gnome_ho ######################################## ## <summary> +## Create objects in user home +## directories with the gstreamer +## orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_home_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Create objects in gnome gconf home ## directories with a private type. ## </summary> @@ -604,6 +649,36 @@ interface(`gnome_gconf_home_filetrans',` ######################################## ## <summary> +## Create objects in the user +## runtime directories with the +## gstreamer orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Read generic gnome keyring home files. ## </summary> ## <param name="domain"> 
@@ -622,6 +697,27 @@ interface(`gnome_read_keyring_home_files ') ######################################## +## <summary> +## Send and receive messages from +## the gconf daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +') + +######################################## ## <summary> ## Send and receive messages from ## gnome keyring daemon over dbus. --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-15 21:09:21.914336714 +0200 @@ -43,9 +43,15 @@ application_executable_file(gkeyringd_ex type gnome_keyring_home_t; userdom_user_home_content(gnome_keyring_home_t) +type gnome_keyring_cache_home_t; +userdom_user_home_content(gnome_keyring_cache_home_t) + type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) + ############################## # # Common local Policy @@ -87,6 +93,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +kernel_dontaudit_read_system_state(gconfd_t) + +files_search_tmp(gconfd_t) + +fs_getattr_xattr_fs(gconfd_t) + userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
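Review bot: in the gnome.fc hunk at @@ -13,4 +16,8 the `/var/run/user/%{USERID}/orcexec\..*` entry is redundant, because the `/var/run/user/[^/]*/orcexec\..*` pattern right above it already matches every per-user runtime directory; and the `HOME_DIR/orcexec\..*` entry added at @@ -4,6 +4,9 carries no `--` qualifier while the two runtime entries do, so a directory or symlink named orcexec.* in the home directory would also receive the executable type. Keep one runtime pattern and give all three orcexec entries the same regular-file qualifier.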
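Review bot: `gstreamer_orcexec_t` in the gnome.te hunk at @@ -43,9 +43,15 is declared only through `application_executable_file()`, yet gnome.fc places it under HOME_DIR and /var/run/user and the two new `*_filetrans_gstreamer_orcexec` interfaces in gnome.if let a domain create such files there, so this is an executable type for content written by a user domain at run time. Declare it as user home content too (`userdom_user_home_content()`, as the neighbouring `gnome_keyring_cache_home_t` is in the same hunk) so the generic user-home interfaces list, manage and relabel it, and say in the commit message which domain creates and then executes these files, since that write-then-execute access is the thing the new type exists to confine.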
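Review bot: the `kernel_dontaudit_read_system_state(gconfd_t)`, `files_search_tmp(gconfd_t)` and `fs_getattr_xattr_fs(gconfd_t)` lines in the gnome.te hunk at @@ -87,6 +93,12 are justified in the commit message only as "a few needed fs and kernel permissions"; quote the denial each one resolves, and check whether `files_search_tmp()` is already implied by the `userdom_manage_user_tmp_dirs(gconfd_t)` call two lines below before adding it separately.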
* [refpolicy] [PATCH v2] Update for the gnome policy and file contexts
From: Chris PeBenito @ 2016-08-15 20:08 UTC
To: refpolicy

On 08/15/16 17:33, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome keyring domains;
> - add support for chat over dbus in the gconfd domain;
> - add support for a few needed fs and kernel permissions.
>
> Compared to the previous version of this patch, the support for Gnome2/ORBit-2 has been dropped.
>
> Recent changes to the pulseaudio module depend on this patch!

[...]

> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-15 19:18:12.011401521 +0200 > @@ -1,4 +1,4 @@ > -## <summary>GNU network object model environment.</summary> > +

This was probably a mistake, but please don't remove the XML.

> ######################################## > ## <summary> > @@ -44,7 +44,7 @@ template(`gnome_role_template',` > gen_require(` > attribute gnomedomain, gkeyringd_domain; > attribute_role gconfd_roles; > - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; > + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > type gconf_home_t; > ')
> @@ -100,9 +100,23 @@ template(`gnome_role_template',` > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > + userdom_manage_user_home_content_files($1_gkeyringd_t)

This is discussed in another thread; I am concerned about these permissions for the same reason Dominick is.

> + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) > + > + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "control") > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "gpg") > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "pkcs11") > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file, "ssh")

I suspect putting the socket names is unnecessary. It doesn't appear to create different types of sockets in the same directory.

> ps_process_pattern($3, $1_gkeyringd_t) > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > + > corecmd_bin_domtrans($1_gkeyringd_t, $3) > corecmd_shell_domtrans($1_gkeyringd_t, $3) > > @@ -112,6 +126,7 @@ template(`gnome_role_template',` > dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) > > optional_policy(` > + gnome_dbus_chat_gconfd($3) > gnome_dbus_chat_gkeyringd($1, $3) > ') > ')
> @@ -569,6 +584,36 @@ interface(`gnome_home_filetrans_gnome_ho > > ######################################## > ## <summary> > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="object_class"> > +## <summary> > +## Class of the object being created. > +## </summary> > +## </param> > +## <param name="name" optional="true"> > +## <summary> > +## The name of the object being created. > +## </summary> > +## </param> > +# > +interface(`gnome_home_filetrans_gstreamer_orcexec',`

This should be gnome_user_home_dir_filetrans_orcexec() or gnome_user_home_dir_filetrans_gstreamer() orcexec

[...]

> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +')

Right naming scheme, but if you drop the "gstreamer" out of the previous interface name, do the same here.

--
Chris PeBenito
* [refpolicy] [PATCH v3] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-20 14:52 UTC
To: refpolicy

Update for the gnome module:

- target the dconf daemon, the gsettings user application, the gnome-settings-daemon and the at-spi daemon with all the needed domain transitions;
- a new gstreamer_orcexec_t type and file context is introduced to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome keyring domains;
- add support for chat over dbus in the gconfd domain and in the new domains (dconf, gsettings, etc);
- add support for a few needed fs and kernel permissions;
- add support for reading the colord related files in the home directories (such as the ICC EDID profiles): requires the recent colord patch;
- add support for reading the colord related files in the home directories in the common user domain template;
- add support for a new mime_info_t type to be used in the home directories;
- includes minor modifications to the consolekit, dbus and policykit modules to support the new targeted gnome daemons and applications;
- modifies the pulseaudio module to introduce new interfaces to read and write pulseaudio tmpfs files and to use the pulseaudio file descriptor.

The support for Gnome2/ORBit-2 (version 2) has been dropped.

This patch depends on the recent colord patch.

Recent changes to the pulseaudio module depend on this patch!
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/contrib/colord.if | 41 +++
policy/modules/contrib/colord.te | 4
policy/modules/contrib/consolekit.te | 4
policy/modules/contrib/dbus.te | 9
policy/modules/contrib/gnome.fc | 19 +
policy/modules/contrib/gnome.if | 426 ++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 267 +++++++++++++++++++++
policy/modules/contrib/policykit.fc | 2
policy/modules/contrib/policykit.if | 20 +
policy/modules/contrib/policykit.te | 1
policy/modules/contrib/pulseaudio.if | 77 ++++++
policy/modules/contrib/pulseaudio.te | 5
policy/modules/system/userdomain.if | 4
13 files changed, 876 insertions(+), 3 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200
@@ -58,3 +58,44 @@ interface(`colord_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') + +###################################### +## <summary> +## Read colord home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`colord_read_home_files',` + gen_require(` + type colord_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + read_files_pattern($1, colord_home_t, colord_home_t) +') + +###################################### +## <summary> +## Create, read, write, and delete +## colord home content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`colord_manage_home_files',` + gen_require(` + type colord_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + manage_files_pattern($1, colord_home_t, colord_home_t) +') --- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200 @@ -123,6 +136,10 @@ optional_policy(` ') optional_policy(` + gnome_settings_daemon_use_fds(colord_t) +') + +optional_policy(` policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t)--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200 
@@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + gnome_read_settings_daemon_files(consolekit_t) +') + +optional_policy(` dbus_read_lib_files(consolekit_t) dbus_system_domain(consolekit_t, consolekit_exec_t) --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200 @@ -148,6 +148,15 @@ optional_policy(` ') optional_policy(` + colord_read_home_files(system_dbusd_t) +') + +optional_policy(` + gnome_read_settings_daemon_files(system_dbusd_t) + gnome_settings_daemon_use_fds(system_dbusd_t) +') + +optional_policy(` policykit_read_lib(system_dbusd_t) ') --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200 
@@ -1,16 +1,33 @@ +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0) +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0) + +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) +/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0) /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0) +/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0) +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) +/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) + +/usr/share/glib-[^/]*/schemas(/.*)? 
gen_context(system_u:object_r:gnome_settings_schemas_t,s0) + +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-20 03:27:52.570896165 +0200 @@ -43,14 +43,40 @@ interface(`gnome_role',` template(`gnome_role_template',` gen_require(` attribute gnomedomain, gkeyringd_domain; + attribute_role dconf_roles; + attribute_role at_spi_roles; attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + attribute_role gnome_settings_roles; + attribute_role gnome_settings_daemon_roles; + type dconf_t, dconf_exec_t, dconf_home_t; + type at_spi_t, at_spi_exec_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t; + type gnome_settings_t, gnome_settings_exec_t; + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t; + type gnome_settings_schemas_t; + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; + type mime_info_t; + type user_dbusd_t; + type dbusd_exec_t; ') ######################################## # + # Dconf declarations + # + + roleattribute $2 dconf_roles; + + ######################################## + # + # At-spi declarations + # + + roleattribute $2 at_spi_roles; + + ######################################## + # # Gconf declarations # @@ -58,6 +84,20 @@ template(`gnome_role_template',` ######################################## # + # Gnome-settings declarations + # + + roleattribute $2 gnome_settings_roles; + + ######################################## + # + # Gnome-settings-daemon declarations + # + + roleattribute $2 gnome_settings_daemon_roles; + + ######################################## + # # Gkeyringd declarations # 
@@ -69,6 +109,70 @@ template(`gnome_role_template',` ######################################## # + # Common policy + # + + allow $3 dconf_home_t:dir manage_dir_perms; + allow $3 dconf_home_t:file manage_file_perms; + allow $3 dconf_home_t:lnk_file manage_lnk_file_perms; + + allow $3 gnome_settings_schemas_t:dir list_dir_perms; + allow $3 gnome_settings_schemas_t:file read_file_perms; + allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + + allow $3 mime_info_t:dir list_dir_perms; + allow $3 mime_info_t:file read_file_perms; + + allow at_spi_t user_dbusd_t:process signal; + + allow user_dbusd_t self:process signal; + + allow user_dbusd_t bin_t:file entrypoint; + + allow user_dbusd_t dbusd_exec_t:file exec_file_perms; + + gnome_read_settings_files(user_dbusd_t) + gnome_read_settings_daemon_files(user_dbusd_t) + + files_read_usr_files($3) + + kernel_read_system_state(user_dbusd_t) + + optional_policy(` + xserver_read_user_xauth(user_dbusd_t) + xserver_stream_connect(user_dbusd_t) + ') + + ######################################## + # + # Dconf policy + # + + allow dconf_t user_dbusd_t:unix_stream_socket connectto; + + allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms }; + + domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t) + + ######################################## + # + # At-spi policy + # + + allow at_spi_t user_dbusd_t:unix_stream_socket connectto; + + allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms }; + + allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms }; + + allow $3 at_spi_t:fd use; + + domtrans_pattern(at_spi_t, dbusd_exec_t, user_dbusd_t) + + domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t) + + ######################################## + # # Gconf policy # 
@@ -84,6 +188,38 @@ template(`gnome_role_template',` ######################################## # + # Gnome-settings policy + # + + domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t) + + allow $3 gnome_settings_t:process { ptrace signal_perms }; + ps_process_pattern($3, gnome_settings_t) + + allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto; + + allow gnome_settings_t bin_t:file entrypoint; + allow gnome_settings_t dbusd_exec_t:file { entrypoint exec_file_perms }; + + # for dbus-launch + corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t) + + domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t) + + ######################################## + # + # Gnome-settings-daemon policy + # + + domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t) + + allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto; + + allow $3 gnome_settings_daemon_t:process { ptrace signal_perms }; + ps_process_pattern($3, gnome_settings_daemon_t) + + ######################################## + # # Gkeyringd policy # 
@@ -100,23 +236,85 @@ template(`gnome_role_template',` allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + userdom_manage_user_home_content_dirs($1_gkeyringd_t) + userdom_manage_user_home_content_files($1_gkeyringd_t) + + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) + + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file) + ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + kernel_read_kernel_sysctls($1_gkeyringd_t) + corecmd_bin_domtrans($1_gkeyringd_t, $3) corecmd_shell_domtrans($1_gkeyringd_t, $3) gnome_stream_connect_gkeyringd($1, $3) optional_policy(` + dbus_connect_spec_session_bus(user, dconf_t) + dbus_connect_spec_session_bus(user, at_spi_t) + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t) + dbus_connect_system_bus(gnome_settings_daemon_t) + dbus_send_spec_session_bus(user, dconf_t) + dbus_send_spec_session_bus(user, at_spi_t) + dbus_send_spec_session_bus(user, gnome_settings_daemon_t) dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) optional_policy(` + gnome_dbus_chat_dconf($3) + gnome_dbus_chat_dconf(gnome_settings_t) + gnome_dbus_chat_at_spi($3) + gnome_dbus_chat_gconfd($3) + gnome_dbus_chat_gnome_settings(user_dbusd_t) + gnome_dbus_chat_gnome_settings_daemon($3) + gnome_dbus_chat_gnome_settings_daemon(at_spi_t) gnome_dbus_chat_gkeyringd($1, $3) ') ') ') +####################################### +## <summary> +## Read gnome-settings files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_read_settings_files',` + gen_require(` + type gnome_settings_t; + ') + + read_files_pattern($1, gnome_settings_t, gnome_settings_t) +') + +####################################### +## <summary> +## Read gnome-settings-daemon +## files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_read_settings_daemon_files',` + gen_require(` + type gnome_settings_daemon_t; + ') + + read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t) +') + ######################################## ## <summary> ## Execute gconf in the caller domain. @@ -569,6 +767,36 @@ interface(`gnome_home_filetrans_gnome_ho ######################################## ## <summary> +## Create objects in user home +## directories with the gstreamer +## orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Create objects in gnome gconf home ## directories with a private type. ## </summary> 
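Review bot: in the Gkeyringd policy hunk, the six dbus_connect_spec_session_bus(user, ...) and dbus_send_spec_session_bus(user, ...) calls hard-code the "user" prefix instead of $1, so for any other prefix the template is instantiated with (staff, sysadm) the dconf, at-spi and gnome-settings-daemon domains are only wired to user_dbusd_t; use $1, as the existing dbus_spec_session_domain($1, ...) line does. The same optional_policy block calls the module's own gnome_dbus_chat_*() interfaces from inside gnome.if; refpolicy style is that a module does not call its own interfaces, so write the send_msg rules directly here. userdom_manage_user_home_content_dirs($1_gkeyringd_t) and userdom_manage_user_home_content_files($1_gkeyringd_t) grant the keyring daemon write access to all user home content, far broader than the gnome_keyring_cache_home_t manage and filetrans rules added immediately after them; if the cache type covers the need, drop the two userdom_manage calls. Finally, gnome_read_settings_files() and gnome_read_settings_daemon_files() apply read_files_pattern() to a process type: the only files carrying gnome_settings_t or gnome_settings_daemon_t are the /proc/<pid> entries, so either name the interfaces after what they grant (process state) or build them on ps_process_pattern().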
@@ -604,6 +832,36 @@ interface(`gnome_gconf_home_filetrans',` ######################################## ## <summary> +## Create objects in the user +## runtime directories with the +## gstreamer orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Read generic gnome keyring home files. ## </summary> ## <param name="domain"> 
@@ -623,6 +881,133 @@ interface(`gnome_read_keyring_home_files ######################################## ## <summary> +## Read mime info files in the home +## directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_read_mime_info_home_files',` + gen_require(` + type mime_info_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + read_files_pattern($1, mime_info_t, mime_info_t) +') + +######################################## +## <summary> +## Send and receive messages from +## the dconf daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_dconf',` + gen_require(` + type dconf_t; + class dbus send_msg; + ') + + allow $1 dconf_t:dbus send_msg; + allow dconf_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## the at-spi daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_at_spi',` + gen_require(` + type at_spi_t; + class dbus send_msg; + ') + + allow $1 at_spi_t:dbus send_msg; + allow at_spi_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## the gconf daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## gnome-settings over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_dbus_chat_gnome_settings',` + gen_require(` + type gnome_settings_t; + class dbus send_msg; + ') + + allow $1 gnome_settings_t:dbus send_msg; + allow gnome_settings_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## the gnome-settings-daemon over +## dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_gnome_settings_daemon',` + gen_require(` + type gnome_settings_daemon_t; + class dbus send_msg; + ') + + allow $1 gnome_settings_daemon_t:dbus send_msg; + allow gnome_settings_daemon_t $1:dbus send_msg; +') + +######################################## +## <summary> ## Send and receive messages from ## gnome keyring daemon over dbus. ## </summary> 
@@ -735,3 +1120,42 @@ interface(`gnome_stream_connect_all_gkey files_search_tmp($1) stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') + +######################################## +## <summary> +## Use file descriptors for +## the gnome settings daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_settings_daemon_use_fds',` + gen_require(` + type gnome_settings_daemon_t; + ') + + allow $1 gnome_settings_daemon_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use the +## file descriptors for the gnome +## settings daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dontaudit_settings_daemon_use_fds',` + gen_require(` + type gnome_settings_daemon_t; + ') + + dontaudit $1 gnome_settings_daemon_t:fd use; +') --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-20 01:27:16.464669503 +0200 @@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1) attribute gkeyringd_domain; attribute gnomedomain; +attribute_role dconf_roles; +attribute_role at_spi_roles; attribute_role gconfd_roles; +attribute_role gnome_settings_roles; +attribute_role gnome_settings_daemon_roles; + +type dconf_t; +type dconf_exec_t; +userdom_user_application_domain(dconf_t, dconf_exec_t) +role dconf_roles types dconf_t; + +type dconf_home_t; +userdom_user_home_content(dconf_home_t) + +type at_spi_t; +type at_spi_exec_t; +userdom_user_application_domain(at_spi_t, at_spi_exec_t) +role at_spi_roles types at_spi_t; type gconf_etc_t; files_config_file(gconf_etc_t) 
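Review bot: gnome_dontaudit_settings_daemon_use_fds() documents its parameter as "Domain allowed access."; for a dontaudit interface the refpolicy wording is "Domain to not audit." (the same applies to pulseaudio_dontaudit_use_fds() in the pulseaudio.if hunk further down). In the gnome.te declarations hunk the new attribute_role and dconf_t/at_spi_t declarations are in the right form; please keep the gnome_settings_t and gnome_settings_daemon_t declarations in the next hunk consistent with them (domain first, exec type second).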
@@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; +type gnome_settings_t; +type gnome_settings_exec_t; +userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t) +role gnome_settings_roles types gnome_settings_t; + +type gnome_settings_daemon_t; +type gnome_settings_daemon_exec_t; +userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t) +role gnome_settings_daemon_roles types gnome_settings_daemon_t; + +type gnome_settings_schemas_t; +files_config_file(gnome_settings_schemas_t) + type gnome_home_t; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; @@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex type gnome_keyring_home_t; userdom_user_home_content(gnome_keyring_home_t) +type gnome_keyring_cache_home_t; +userdom_user_home_content(gnome_keyring_cache_home_t) + type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) +type mime_info_t; +files_config_file(mime_info_t) + +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) + ############################## # # Common local Policy 
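Review bot: userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t) and userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t) pass the exec type as the domain argument, so gnome_settings_t and gnome_settings_daemon_t never become domains and the "role ... types" lines and the domtrans_pattern() calls in gnome.if cannot work; the first argument must be gnome_settings_t and gnome_settings_daemon_t respectively, as the gconfd_t line just above does. Two type declarations in the same hunk also deserve a second look: mime_info_t is labelled under HOME_DIR in gnome.fc but declared with files_config_file(), whereas home content should use userdom_user_home_content() so the userdom home-content interfaces cover it; and gstreamer_orcexec_t, a writable per-user JIT output file, is declared with application_executable_file(), which makes it executable for any domain granted corecmd_exec_all_executables(). A plain file type with explicit execute rights for the domains that actually need it (pulseaudio here) keeps that W+X file out of the generic executable set.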
@@ -73,7 +112,62 @@ optional_policy(` ############################## # -# Conf daemon local Policy +# DConf daemon local policy (Gnome3) +# + +allow dconf_t self:process signal; + +allow dconf_t dconf_home_t:dir manage_dir_perms; +allow dconf_t dconf_home_t:file manage_file_perms; +allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms; + +userdom_search_user_home_content(dconf_t) + +fs_getattr_xattr_fs(dconf_t) + +kernel_read_system_state(dconf_t) + +selinux_getattr_fs(dconf_t) + +############################## +# +# At-spi local policy +# + +allow at_spi_t self:process signal; + +allow at_spi_t dconf_home_t:dir manage_dir_perms; +allow at_spi_t dconf_home_t:file manage_file_perms; +allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms; +allow at_spi_t gnome_settings_schemas_t:file read_file_perms; +allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t) + +corecmd_search_bin(at_spi_t) + +files_read_usr_files(at_spi_t) + +fs_getattr_xattr_fs(at_spi_t) + +kernel_read_system_state(at_spi_t) + +selinux_getattr_fs(at_spi_t) + +# search in .cache +userdom_search_user_home_dirs(at_spi_t) +userdom_search_user_home_content(at_spi_t) + +optional_policy(` + xserver_read_user_xauth(at_spi_t) + xserver_stream_connect(at_spi_t) +') + +############################## +# +# GConf daemon local Policy (Gnome2) # allow gconfd_t gconf_etc_t:dir list_dir_perms; @@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +kernel_dontaudit_read_system_state(gconfd_t) + +files_search_tmp(gconfd_t) + +fs_getattr_xattr_fs(gconfd_t) + userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) 
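Review bot: rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t) uses at_spi_t as a directory and file type; for a domain's own pipes the idiom is "allow at_spi_t self:fifo_file rw_fifo_file_perms;". The at-spi section also gives at_spi_t full manage rights on dconf_home_t (manage_dir_perms, manage_file_perms, manage_lnk_file_perms); since dconf_home_t covers both ~/.config/dconf and ~/.cache/dconf, that lets a dconf client rewrite the database that dconf_t is meant to own. If clients only need the ~/.cache/dconf side, split the two into separate types so clients get manage on the cache and read on the database; the same question applies to the identical rules for gnome_settings_t and gnome_settings_daemon_t in the following hunk.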
@@ -102,6 +202,171 @@ optional_policy(` ') ############################## +# +# Gnome-settings local policy +# + +allow gnome_settings_t self:dir list_dir_perms; +allow gnome_settings_t self:file rw_file_perms; +allow gnome_settings_t self:process { fork sigchld }; +allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms; + +allow gnome_settings_t dconf_home_t:dir manage_dir_perms; +allow gnome_settings_t dconf_home_t:file manage_file_perms; +allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms; +allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms; +allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +allow gnome_settings_t gnome_settings_exec_t:file entrypoint; + +rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t) + +corecmd_exec_bin(gnome_settings_t) +corecmd_search_bin(gnome_settings_t) + +dev_dontaudit_search_sysfs(gnome_settings_t) +dev_list_all_dev_nodes(gnome_settings_t) +dev_rw_null(gnome_settings_t) +dev_search_sysfs(gnome_settings_t) + +files_list_root(gnome_settings_t) +files_read_etc_files(gnome_settings_t) +files_read_usr_files(gnome_settings_t) +files_search_pids(gnome_settings_t) + +fs_getattr_xattr_fs(gnome_settings_t) + +init_sigchld(gnome_settings_t) + +kernel_read_system_state(gnome_settings_t) + +libs_use_ld_so(gnome_settings_t) +libs_use_shared_libs(gnome_settings_t) + +miscfiles_read_localization(gnome_settings_t) + +selinux_getattr_fs(gnome_settings_t) +selinux_dontaudit_search_fs(gnome_settings_t) + +### should create an xserver interface for writing .xsession-errors +userdom_dontaudit_write_user_home_content_files(gnome_settings_t) + +# search in .cache +userdom_search_user_home_dirs(gnome_settings_t) +userdom_search_user_home_content(gnome_settings_t) + +optional_policy(` + dbus_read_lib_files(gnome_settings_t) +') + +optional_policy(` + 
xserver_use_xdm_fds(gnome_settings_t) +') + +############################## +# +# Gnome-settings-daemon local policy +# + +allow gnome_settings_daemon_t self:dir list_dir_perms; +allow gnome_settings_daemon_t self:file rw_file_perms; +allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms; + +allow gnome_settings_daemon_t self:process { fork sigchld signal }; +allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms; +allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms; +allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms; +allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms; +allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms; +allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms }; + +rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t) + +read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t) + +cups_read_config(gnome_settings_daemon_t) +cups_stream_connect(gnome_settings_daemon_t) + +dev_dontaudit_search_sysfs(gnome_settings_daemon_t) +dev_read_urand(gnome_settings_daemon_t) +dev_read_sysfs(gnome_settings_daemon_t) +dev_rw_null(gnome_settings_daemon_t) + +files_list_root(gnome_settings_daemon_t) +files_list_tmp(gnome_settings_daemon_t) +files_read_etc_files(gnome_settings_daemon_t) +files_read_usr_files(gnome_settings_daemon_t) +files_search_tmp(gnome_settings_daemon_t) + +fs_getattr_tmpfs(gnome_settings_daemon_t) +fs_getattr_xattr_fs(gnome_settings_daemon_t) +fs_list_tmpfs(gnome_settings_daemon_t) +fs_rw_tmpfs_files(gnome_settings_daemon_t) + +init_sigchld(gnome_settings_daemon_t) + 
+kernel_read_system_state(gnome_settings_daemon_t) + +libs_use_ld_so(gnome_settings_daemon_t) +libs_use_shared_libs(gnome_settings_daemon_t) + +logging_search_logs(gnome_settings_daemon_t) + +miscfiles_read_fonts(gnome_settings_daemon_t) +miscfiles_read_generic_certs(gnome_settings_daemon_t) +miscfiles_read_localization(gnome_settings_daemon_t) + +selinux_getattr_fs(gnome_settings_daemon_t) +selinux_dontaudit_search_fs(gnome_settings_daemon_t) + +### should create an xserver interface for writing .xsession-errors +userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t) + +userdom_list_user_home_dirs(gnome_settings_daemon_t) +userdom_list_user_tmp(gnome_settings_daemon_t) +userdom_search_user_home_dirs(gnome_settings_daemon_t) +userdom_search_user_home_content(gnome_settings_daemon_t) + +optional_policy(` + colord_dbus_chat(gnome_settings_daemon_t) + colord_manage_home_files(gnome_settings_daemon_t) +') + +optional_policy(` + dbus_system_bus_client(gnome_settings_daemon_t) +') + +optional_policy(` + devicekit_dbus_chat_power(gnome_settings_daemon_t) +') + +optional_policy(` + policykit_dbus_chat(gnome_settings_daemon_t) + policykit_domtrans(gnome_settings_daemon_t) +') + +optional_policy(` + pulseaudio_read_home(gnome_settings_daemon_t) + pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t) + pulseaudio_signull(gnome_settings_daemon_t) + pulseaudio_stream_connect(gnome_settings_daemon_t) + pulseaudio_use_fds(gnome_settings_daemon_t) +') + +optional_policy(` + xserver_read_user_xauth(gnome_settings_daemon_t) + xserver_stream_connect(gnome_settings_daemon_t) +') + +############################## # # Keyring-daemon local policy # --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200 
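Review bot: in the Gnome-settings-daemon local policy hunk, cups_read_config(gnome_settings_daemon_t) and cups_stream_connect(gnome_settings_daemon_t) are called outside an optional_policy block; cups is a contrib module, so the build fails whenever it is not present. Wrap them like the colord, policykit and pulseaudio calls below. Both the gnome-settings and gnome-settings-daemon sections pair dev_dontaudit_search_sysfs() with dev_search_sysfs() or dev_read_sysfs() on the same domain; the dontaudit is a no-op once the access is allowed, so keep one or the other. "allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };" and "allow gnome_settings_t gnome_settings_exec_t:file entrypoint;" duplicate what userdom_user_application_domain() already grants on the entry file. The "### should create an xserver interface" comments should become a proper interface or a plain TODO comment before merge. And policykit_domtrans(gnome_settings_daemon_t) moves a per-user session daemon into policykit_t, the system polkitd domain; see the comment on the policykit.fc hunk.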
@@ -1,3 +1,5 @@ +/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0) + /usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) /usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200 @@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',` ######################################## ## <summary> +## Execute a domain transition to +## run polkit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans',` + gen_require(` + type policykit_t, policykit_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, policykit_exec_t, policykit_t) +') + +######################################## +## <summary> ## Execute a domain transition to run polkit_auth. ## </summary> ## <param name="domain"> --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200 @@ -117,6 +118,7 @@ optional_policy(` optional_policy(` gnome_read_generic_home_content(policykit_t) + gnome_read_settings_daemon_files(policykit_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200 
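Review bot: labelling /usr/bin/pkexec as policykit_exec_t puts the setuid pkexec helper in the same domain as the polkitd system daemon (policykit_t), and the new policykit_domtrans() then lets gnome_settings_daemon_t, a user session domain, enter that daemon domain simply by running pkexec. That gives pkexec everything polkitd is allowed and turns a user-driven exec into a path from the session into a system domain; pkexec needs its own exec type and domain, with the transition offered only to the roles that should use it. As written the transition will also be refused by the role check, since nothing in this patch adds policykit_t to the caller's role. In policykit.te, gnome_read_settings_daemon_files(policykit_t) is, given that interface's body, read access to gnome-settings-daemon's /proc/<pid> entries; if polkitd only needs to identify the calling process, say so in a comment and use the narrowest ps-style pattern that satisfies the denial.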
@@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',` typeattribute $1 pulseaudio_tmpfsfile; ') + +####################################### +## <summary> +## Read pulseaudio tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_read_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +####################################### +## <summary> +## Read and write pulseaudio tmpfs +## files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_rw_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +######################################## +## <summary> +## Use file descriptors for +## pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use the +## file descriptors for pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_dontaudit_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + dontaudit $1 pulseaudio_t:fd use; +') --- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200 
@@ -193,6 +193,11 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(pulseaudio_t) + + # OIL Runtime Compiler (ORC) optimized code execution + allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms }; + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) ') optional_policy(`--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200 +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200 @@ -593,6 +593,10 @@ template(`userdom_common_user_template', ') optional_policy(` + colord_manage_home_files($1_t) + ') + + optional_policy(` dbus_system_bus_client($1_t) optional_policy(` ^ permalink raw reply [flat|nested] 73+ messages in thread
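Review bot: the pulseaudio.te hunk references gstreamer_orcexec_t in a raw "allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };", but the type is declared in gnome.te and is not required anywhere in this file; cross-module access goes through an interface, for example a gnome_manage_mmap_gstreamer_orcexec() (hypothetical name) placed next to the two filetrans interfaces this patch adds. The rule deliberately grants write and execute on the same file type, which is what ORC needs, so say that in the comment rather than only "optimized code execution". The three ORC lines are also placed under the optional_policy block whose existing content is gnome_stream_connect_gconf(); give them their own optional_policy block so the ORC support does not disappear when the gconf rules are removed. In userdomain.if, colord_manage_home_files($1_t) gives every user domain write access to colord home content; if the user domains only need to read the ICC profiles, colord_read_home_files() is the narrower choice.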
* [refpolicy] [PATCH v3] Update for the gnome policy and file contexts 2016-08-20 14:52 ` [refpolicy] [PATCH v3] " Guido Trentalancia @ 2016-08-21 18:49 ` Dominick Grift 2016-08-21 19:02 ` Guido Trentalancia 2016-08-22 19:39 ` [refpolicy] [PATCH v4] " Guido Trentalancia 1 sibling, 1 reply; 73+ messages in thread From: Dominick Grift @ 2016-08-21 18:49 UTC (permalink / raw) To: refpolicy On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote: > Update for the gnome module: > > - target the dconf daemon, the gsettings user application, the > gnome-settings-daemon and the at-spi daemon with all the > needed domain transitions; > - a new gstreamer_orcexec_t type and file context is introduced > to support the OIL Runtime Compiler (ORC) optimized code > execution (used for example by pulseaudio); > - add support for more permissions needed in gconfd_t and gnome > keyring domains; > - add support for chat over dbus in the gconfd domain and in the > new domains (dconf, gsettings, etc); > - add support for a few needed fs and kernel permissions. > - add support for reading the colord related files in the home > directories (such as the ICC EDID profiles): requires the > recent colord patch; > - add support for reading the colord related files in the home > directories in the common user domain template; > - add support for a new mime_info_t type to be used in the home > directories; > - includes minor modifications to the consolekit, dbus and > policykit modules to support the new targeted gnome daemons > and applications; > - modifies the pulseaudio module to introduce new interfaces to > read and write pulseaudio tmpfs files and to use the pulseaudio > file descriptor. > > The support for Gnome2/ORBit-2 (version 2) has been dropped. if you want me to review this then you have to split this patch into smaller patches > > This patch depends on the recent colord patch. > > Recent changes to the pulseaudio module depend on this patch ! 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/colord.if | 41 +++ > policy/modules/contrib/colord.te | 4 > policy/modules/contrib/consolekit.te | 4 > policy/modules/contrib/dbus.te | 9 > policy/modules/contrib/gnome.fc | 19 + > policy/modules/contrib/gnome.if | 426 ++++++++++++++++++++++++++++++++++- > policy/modules/contrib/gnome.te | 267 +++++++++++++++++++++ > policy/modules/contrib/policykit.fc | 2 > policy/modules/contrib/policykit.if | 20 + > policy/modules/contrib/policykit.te | 1 > policy/modules/contrib/pulseaudio.if | 77 ++++++ > policy/modules/contrib/pulseaudio.te | 5 > policy/modules/system/userdomain.if | 4 > 13 files changed, 876 insertions(+), 3 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if 2016-08-06 21:27:11.338094155 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/colord.if 2016-08-19 23:13:27.765740337 +0200 
> @@ -58,3 +58,44 @@ interface(`colord_read_lib_files',` > files_search_var_lib($1) > read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) > ') > + > +###################################### > +## <summary> > +## Read colord home files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`colord_read_home_files',` > + gen_require(` > + type colord_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + userdom_list_user_home_content($1) > + read_files_pattern($1, colord_home_t, colord_home_t) > +') > + > +###################################### > +## <summary> > +## Create, read, write, and delete > +## colord home content. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`colord_manage_home_files',` > + gen_require(` > + type colord_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + userdom_list_user_home_content($1) > + manage_files_pattern($1, colord_home_t, colord_home_t) > +') > --- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200 > @@ -123,6 +136,10 @@ optional_policy(` > ') > > optional_policy(` > + gnome_settings_daemon_use_fds(colord_t) > +') > + > +optional_policy(` > policykit_dbus_chat(colord_t) > policykit_domtrans_auth(colord_t) > policykit_read_lib(colord_t)--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200 
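Review bot: gnome_settings_daemon_use_fds(colord_t) in colord.te lets the system colord daemon use file descriptors inherited from a per-user gnome-settings-daemon; descriptors only cross that boundary through fork/exec or explicit fd passing, so unless colord is really launched by, or handed descriptors by, the session daemon this is papering over a mislabelled process or a leaked descriptor rather than a needed flow. Please include the denial and the exec path it came from; if it is a leak, the new gnome_dontaudit_settings_daemon_use_fds() is the right answer. The two colord.if interfaces are the right shape, but both call userdom_list_user_home_content($1), which is list access to every user home directory type, when reaching ~/.local/share only needs search: userdom_search_user_home_content($1) plus the search already implied by read_files_pattern() on colord_home_t dirs is enough.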
> @@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > + gnome_read_settings_daemon_files(consolekit_t) > +') > + > +optional_policy(` > dbus_read_lib_files(consolekit_t) > dbus_system_domain(consolekit_t, consolekit_exec_t) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200 > @@ -148,6 +148,15 @@ optional_policy(` > ') > > optional_policy(` > + colord_read_home_files(system_dbusd_t) > +') > + > +optional_policy(` > + gnome_read_settings_daemon_files(system_dbusd_t) > + gnome_settings_daemon_use_fds(system_dbusd_t) > +') > + > +optional_policy(` > policykit_read_lib(system_dbusd_t) > ') > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200 
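Review bot: in dbus.te, colord_read_home_files(system_dbusd_t) gives the system bus daemon read access to colord content in users' home directories; the system bus has no reason to read user home content, so this is very likely a user session process running as system_dbusd_t (or a descriptor leaked into it) rather than a required access, and the same applies to gnome_settings_daemon_use_fds(system_dbusd_t) in the following block. Post the AVC denials these are meant to fix before they are allowed. In consolekit.te, gnome_read_settings_daemon_files(consolekit_t) is, given that interface's body, read access to gnome-settings-daemon's /proc/<pid> files; if consolekit only needs to identify the process, a ps_process_pattern()-based interface expresses that more precisely, and the block should sit after the existing dbus optional_policy to keep the module's alphabetical ordering.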
> @@ -1,16 +1,33 @@ > +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) > +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0) > +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) > HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) > HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) > HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) > HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > +HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0) > + > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) > > /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) > > /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) > +/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0) > /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) > > /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0) > +/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0) > +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > +/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) > +/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) > + > +/usr/share/glib-[^/]*/schemas(/.*)? 
gen_context(system_u:object_r:gnome_settings_schemas_t,s0) > + > +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-20 03:27:52.570896165 +0200 > @@ -43,14 +43,40 @@ interface(`gnome_role',` > template(`gnome_role_template',` > gen_require(` > attribute gnomedomain, gkeyringd_domain; > + attribute_role dconf_roles; > + attribute_role at_spi_roles; > attribute_role gconfd_roles; > - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; > + attribute_role gnome_settings_roles; > + attribute_role gnome_settings_daemon_roles; > + type dconf_t, dconf_exec_t, dconf_home_t; > + type at_spi_t, at_spi_exec_t; > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > type gconf_home_t; > + type gnome_settings_t, gnome_settings_exec_t; > + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t; > + type gnome_settings_schemas_t; > + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > + type mime_info_t; > + type user_dbusd_t; > + type dbusd_exec_t; > ') > > ######################################## > # > + # Dconf declarations > + # > + > + roleattribute $2 dconf_roles; > + > + ######################################## > + # > + # At-spi declarations > + # > + > + roleattribute $2 at_spi_roles; > + > + ######################################## > + # > # Gconf declarations > # 
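Review bot: in the gnome_role_template() gen_require hunk, "type user_dbusd_t;" and "type dbusd_exec_t;" pull dbus module types into the gnome module unconditionally; the template then uses them in raw allow rules, which must be expressed through dbus interfaces inside optional_policy rather than by requiring another module's types. bin_t is also used later in the template ("allow user_dbusd_t bin_t:file entrypoint;", "allow gnome_settings_t bin_t:file entrypoint;") but is not in this gen_require at all, so the module will not build as a loadable module. In gnome.fc, "/var/run/user/%{USERID}/orcexec\..*" is already matched by the "/var/run/user/[^/]*/orcexec\..*" entry above it and can go, and "HOME_DIR/orcexec\..*" lacks the "--" modifier the /var/run entries carry, so a directory of that name would also get the executable type.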
> > @@ -58,6 +84,20 @@ template(`gnome_role_template',` > > ######################################## > # > + # Gnome-settings declarations > + # > + > + roleattribute $2 gnome_settings_roles; > + > + ######################################## > + # > + # Gnome-settings-daemon declarations > + # > + > + roleattribute $2 gnome_settings_daemon_roles; > + > + ######################################## > + # > # Gkeyringd declarations > # 
> > @@ -69,6 +109,70 @@ template(`gnome_role_template',` > > ######################################## > # > + # Common policy > + # > + > + allow $3 dconf_home_t:dir manage_dir_perms; > + allow $3 dconf_home_t:file manage_file_perms; > + allow $3 dconf_home_t:lnk_file manage_lnk_file_perms; > + > + allow $3 gnome_settings_schemas_t:dir list_dir_perms; > + allow $3 gnome_settings_schemas_t:file read_file_perms; > + allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > + allow $3 mime_info_t:dir list_dir_perms; > + allow $3 mime_info_t:file read_file_perms; > + > + allow at_spi_t user_dbusd_t:process signal; > + > + allow user_dbusd_t self:process signal; > + > + allow user_dbusd_t bin_t:file entrypoint; > + > + allow user_dbusd_t dbusd_exec_t:file exec_file_perms; > + > + gnome_read_settings_files(user_dbusd_t) > + gnome_read_settings_daemon_files(user_dbusd_t) > + > + files_read_usr_files($3) > + > + kernel_read_system_state(user_dbusd_t) > + > + optional_policy(` > + xserver_read_user_xauth(user_dbusd_t) > + xserver_stream_connect(user_dbusd_t) > + ') > + > + ######################################## > + # > + # Dconf policy > + # > + > + allow dconf_t user_dbusd_t:unix_stream_socket connectto; > + > + allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms }; > + > + domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t) > + > + ######################################## > + # > + # At-spi policy > + # > + > + allow at_spi_t user_dbusd_t:unix_stream_socket connectto; > + > + allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms }; > + > + allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms }; > + > + allow $3 at_spi_t:fd use; > + > + domtrans_pattern(at_spi_t, dbusd_exec_t, user_dbusd_t) > + > + domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t) > + > + ######################################## > + # > # Gconf policy > # 
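Review bot: the Common policy section puts rules on user_dbusd_t ("allow user_dbusd_t self:process signal;", "allow user_dbusd_t bin_t:file entrypoint;", kernel_read_system_state(user_dbusd_t), the xserver calls) into the gnome module; those belong in dbus.te. "bin_t:file entrypoint" in particular makes every generic binary a valid entry point into the user's dbus domain, which is what later lets corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t) transition on any bin_t program instead of only dbus-launch; "allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms };" has the same problem for at_spi_t. The domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t) and domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t) rules are the right shape for bus activation, but they should be offered as gnome_* interfaces (for example a gnome_dconf_domtrans(), hypothetical name) that dbus.te calls inside optional_policy, so each module keeps the rules on its own domains. "allow $3 at_spi_t:fd use;" is fine as the user-role side of that activation.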
> > @@ -84,6 +188,38 @@ template(`gnome_role_template',` > > ######################################## > # > + # Gnome-settings policy > + # > + > + domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t) > + > + allow $3 gnome_settings_t:process { ptrace signal_perms }; > + ps_process_pattern($3, gnome_settings_t) > + > + allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto; > + > + allow gnome_settings_t bin_t:file entrypoint; > + allow gnome_settings_t dbusd_exec_t:file { entrypoint exec_file_perms }; > + > + # for dbus-launch > + corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t) > + > + domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t) > + > + ######################################## > + # > + # Gnome-settings-daemon policy > + # > + > + domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t) > + > + allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto; > + > + allow $3 gnome_settings_daemon_t:process { ptrace signal_perms }; > + ps_process_pattern($3, gnome_settings_daemon_t) > + > + ######################################## > + # > # Gkeyringd policy > # 
> > @@ -100,23 +236,85 @@ template(`gnome_role_template',` > > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; > > + userdom_manage_user_home_content_dirs($1_gkeyringd_t) > + userdom_manage_user_home_content_files($1_gkeyringd_t) > + > + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) > + > + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) > + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file) > + > ps_process_pattern($3, $1_gkeyringd_t) > allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; > > + kernel_read_kernel_sysctls($1_gkeyringd_t) > + > corecmd_bin_domtrans($1_gkeyringd_t, $3) > corecmd_shell_domtrans($1_gkeyringd_t, $3) > > gnome_stream_connect_gkeyringd($1, $3) > > optional_policy(` > + dbus_connect_spec_session_bus(user, dconf_t) > + dbus_connect_spec_session_bus(user, at_spi_t) > + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t) > + dbus_connect_system_bus(gnome_settings_daemon_t) > + dbus_send_spec_session_bus(user, dconf_t) > + dbus_send_spec_session_bus(user, at_spi_t) > + dbus_send_spec_session_bus(user, gnome_settings_daemon_t) > dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) > > optional_policy(` > + gnome_dbus_chat_dconf($3) > + gnome_dbus_chat_dconf(gnome_settings_t) > + gnome_dbus_chat_at_spi($3) > + gnome_dbus_chat_gconfd($3) > + gnome_dbus_chat_gnome_settings(user_dbusd_t) > + gnome_dbus_chat_gnome_settings_daemon($3) > + gnome_dbus_chat_gnome_settings_daemon(at_spi_t) > gnome_dbus_chat_gkeyringd($1, $3) > ') > ') > ') > > +####################################### > +## <summary> > +## Read gnome-settings files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. 
> +## </summary> > +## </param> > +# > +interface(`gnome_read_settings_files',` > + gen_require(` > + type gnome_settings_t; > + ') > + > + read_files_pattern($1, gnome_settings_t, gnome_settings_t) > +') > + > +####################################### > +## <summary> > +## Read gnome-settings-daemon > +## files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_read_settings_daemon_files',` > + gen_require(` > + type gnome_settings_daemon_t; > + ') > + > + read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t) > +') > + > ######################################## > ## <summary> > ## Execute gconf in the caller domain. > @@ -569,6 +767,36 @@ interface(`gnome_home_filetrans_gnome_ho > > ######################################## > ## <summary> > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="object_class"> > +## <summary> > +## Class of the object being created. > +## </summary> > +## </param> > +## <param name="name" optional="true"> > +## <summary> > +## The name of the object being created. > +## </summary> > +## </param> > +# > +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## <summary> > ## Create objects in gnome gconf home > ## directories with a private type. > ## </summary> 
> @@ -604,6 +832,36 @@ interface(`gnome_gconf_home_filetrans',` > > ######################################## > ## <summary> > +## Create objects in the user > +## runtime directories with the > +## gstreamer orcexec type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="object_class"> > +## <summary> > +## Class of the object being created. > +## </summary> > +## </param> > +## <param name="name" optional="true"> > +## <summary> > +## The name of the object being created. > +## </summary> > +## </param> > +# > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## <summary> > ## Read generic gnome keyring home files. > ## </summary> > ## <param name="domain"> 
> @@ -623,6 +881,133 @@ interface(`gnome_read_keyring_home_files > > ######################################## > ## <summary> > +## Read mime info files in the home > +## directory. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_read_mime_info_home_files',` > + gen_require(` > + type mime_info_t; > + ') > + > + userdom_search_user_home_dirs($1) > + userdom_list_user_home_content($1) > + read_files_pattern($1, mime_info_t, mime_info_t) > +') > + > +######################################## > +## <summary> > +## Send and receive messages from > +## the dconf daemon over dbus. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_dbus_chat_dconf',` > + gen_require(` > + type dconf_t; > + class dbus send_msg; > + ') > + > + allow $1 dconf_t:dbus send_msg; > + allow dconf_t $1:dbus send_msg; > +') > + > +######################################## > +## <summary> > +## Send and receive messages from > +## the at-spi daemon over dbus. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_dbus_chat_at_spi',` > + gen_require(` > + type at_spi_t; > + class dbus send_msg; > + ') > + > + allow $1 at_spi_t:dbus send_msg; > + allow at_spi_t $1:dbus send_msg; > +') > + > +######################################## > +## <summary> > +## Send and receive messages from > +## the gconf daemon over dbus. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. 
> +## </summary> > +## </param> > +# > +interface(`gnome_dbus_chat_gconfd',` > + gen_require(` > + type gconfd_t; > + class dbus send_msg; > + ') > + > + allow $1 gconfd_t:dbus send_msg; > + allow gconfd_t $1:dbus send_msg; > +') > + > +######################################## > +## <summary> > +## Send and receive messages from > +## gnome-settings over dbus. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_dbus_chat_gnome_settings',` > + gen_require(` > + type gnome_settings_t; > + class dbus send_msg; > + ') > + > + allow $1 gnome_settings_t:dbus send_msg; > + allow gnome_settings_t $1:dbus send_msg; > +') > + > +######################################## > +## <summary> > +## Send and receive messages from > +## the gnome-settings-daemon over > +## dbus. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_dbus_chat_gnome_settings_daemon',` > + gen_require(` > + type gnome_settings_daemon_t; > + class dbus send_msg; > + ') > + > + allow $1 gnome_settings_daemon_t:dbus send_msg; > + allow gnome_settings_daemon_t $1:dbus send_msg; > +') > + > +######################################## > +## <summary> > ## Send and receive messages from > ## gnome keyring daemon over dbus. > ## </summary> 
> @@ -735,3 +1120,42 @@ interface(`gnome_stream_connect_all_gkey > files_search_tmp($1) > stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) > ') > + > +######################################## > +## <summary> > +## Use file descriptors for > +## the gnome settings daemon. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_settings_daemon_use_fds',` > + gen_require(` > + type gnome_settings_daemon_t; > + ') > + > + allow $1 gnome_settings_daemon_t:fd use; > +') > + > +######################################## > +## <summary> > +## Do not audit attempts to use the > +## file descriptors for the gnome > +## settings daemon. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`gnome_dontaudit_settings_daemon_use_fds',` > + gen_require(` > + type gnome_settings_daemon_t; > + ') > + > + dontaudit $1 gnome_settings_daemon_t:fd use; > +') > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-20 01:27:16.464669503 +0200 > @@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1) > > attribute gkeyringd_domain; > attribute gnomedomain; > +attribute_role dconf_roles; > +attribute_role at_spi_roles; > attribute_role gconfd_roles; > +attribute_role gnome_settings_roles; > +attribute_role gnome_settings_daemon_roles; > + > +type dconf_t; > +type dconf_exec_t; > +userdom_user_application_domain(dconf_t, dconf_exec_t) > +role dconf_roles types dconf_t; > + > +type dconf_home_t; > +userdom_user_home_content(dconf_home_t) > + > +type at_spi_t; > +type at_spi_exec_t; > +userdom_user_application_domain(at_spi_t, at_spi_exec_t) > +role at_spi_roles types at_spi_t; > > type gconf_etc_t; > files_config_file(gconf_etc_t) 
> @@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon > userdom_user_application_domain(gconfd_t, gconfd_exec_t) > role gconfd_roles types gconfd_t; > > +type gnome_settings_t; > +type gnome_settings_exec_t; > +userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t) > +role gnome_settings_roles types gnome_settings_t; > + > +type gnome_settings_daemon_t; > +type gnome_settings_daemon_exec_t; > +userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t) > +role gnome_settings_daemon_roles types gnome_settings_daemon_t; > + > +type gnome_settings_schemas_t; > +files_config_file(gnome_settings_schemas_t) > + > type gnome_home_t; > typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; > typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; > @@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex > type gnome_keyring_home_t; > userdom_user_home_content(gnome_keyring_home_t) > > +type gnome_keyring_cache_home_t; > +userdom_user_home_content(gnome_keyring_cache_home_t) > + > type gnome_keyring_tmp_t; > userdom_user_tmp_file(gnome_keyring_tmp_t) > > +type mime_info_t; > +files_config_file(mime_info_t) > + > +type gstreamer_orcexec_t; > +application_executable_file(gstreamer_orcexec_t) > + > ############################## > # > # Common local Policy 
> @@ -73,7 +112,62 @@ optional_policy(` > > ############################## > # > -# Conf daemon local Policy > +# DConf daemon local policy (Gnome3) > +# > + > +allow dconf_t self:process signal; > + > +allow dconf_t dconf_home_t:dir manage_dir_perms; > +allow dconf_t dconf_home_t:file manage_file_perms; > +allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +userdom_search_user_home_content(dconf_t) > + > +fs_getattr_xattr_fs(dconf_t) > + > +kernel_read_system_state(dconf_t) > + > +selinux_getattr_fs(dconf_t) > + > +############################## > +# > +# At-spi local policy > +# > + > +allow at_spi_t self:process signal; > + > +allow at_spi_t dconf_home_t:dir manage_dir_perms; > +allow at_spi_t dconf_home_t:file manage_file_perms; > +allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms; > +allow at_spi_t gnome_settings_schemas_t:file read_file_perms; > +allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > +rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t) > + > +corecmd_search_bin(at_spi_t) > + > +files_read_usr_files(at_spi_t) > + > +fs_getattr_xattr_fs(at_spi_t) > + > +kernel_read_system_state(at_spi_t) > + > +selinux_getattr_fs(at_spi_t) > + > +# search in .cache > +userdom_search_user_home_dirs(at_spi_t) > +userdom_search_user_home_content(at_spi_t) > + > +optional_policy(` > + xserver_read_user_xauth(at_spi_t) > + xserver_stream_connect(at_spi_t) > +') > + > +############################## > +# > +# GConf daemon local Policy (Gnome2) > # > > allow gconfd_t gconf_etc_t:dir list_dir_perms; 
> @@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > +kernel_dontaudit_read_system_state(gconfd_t) > + > +files_search_tmp(gconfd_t) > + > +fs_getattr_xattr_fs(gconfd_t) > + > userdom_manage_user_tmp_dirs(gconfd_t) > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) 
> @@ -102,6 +202,171 @@ optional_policy(` > ') > > ############################## > +# > +# Gnome-settings local policy > +# > + > +allow gnome_settings_t self:dir list_dir_perms; > +allow gnome_settings_t self:file rw_file_perms; > +allow gnome_settings_t self:process { fork sigchld }; > +allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms; > + > +allow gnome_settings_t dconf_home_t:dir manage_dir_perms; > +allow gnome_settings_t dconf_home_t:file manage_file_perms; > +allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms; > +allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms; > +allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > +allow gnome_settings_t gnome_settings_exec_t:file entrypoint; > + > +rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t) > + > +corecmd_exec_bin(gnome_settings_t) > +corecmd_search_bin(gnome_settings_t) > + > +dev_dontaudit_search_sysfs(gnome_settings_t) > +dev_list_all_dev_nodes(gnome_settings_t) > +dev_rw_null(gnome_settings_t) > +dev_search_sysfs(gnome_settings_t) > + > +files_list_root(gnome_settings_t) > +files_read_etc_files(gnome_settings_t) > +files_read_usr_files(gnome_settings_t) > +files_search_pids(gnome_settings_t) > + > +fs_getattr_xattr_fs(gnome_settings_t) > + > +init_sigchld(gnome_settings_t) > + > +kernel_read_system_state(gnome_settings_t) > + > +libs_use_ld_so(gnome_settings_t) > +libs_use_shared_libs(gnome_settings_t) > + > +miscfiles_read_localization(gnome_settings_t) > + > +selinux_getattr_fs(gnome_settings_t) > +selinux_dontaudit_search_fs(gnome_settings_t) > + > +### should create an xserver interface for writing .xsession-errors > +userdom_dontaudit_write_user_home_content_files(gnome_settings_t) > + > +# search in .cache > +userdom_search_user_home_dirs(gnome_settings_t) > +userdom_search_user_home_content(gnome_settings_t) > + 
> +optional_policy(` > + dbus_read_lib_files(gnome_settings_t) > +') > + > +optional_policy(` > + xserver_use_xdm_fds(gnome_settings_t) > +') > + > +############################## > +# > +# Gnome-settings-daemon local policy > +# > + > +allow gnome_settings_daemon_t self:dir list_dir_perms; > +allow gnome_settings_daemon_t self:file rw_file_perms; > +allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms; > + > +allow gnome_settings_daemon_t self:process { fork sigchld signal }; > +allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms; > +allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms; > + > +allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms; > +allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms; > +allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms; > + > +allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms; > +allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms; > +allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; > + > +allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms }; > + > +rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t) > + > +read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t) > + > +cups_read_config(gnome_settings_daemon_t) > +cups_stream_connect(gnome_settings_daemon_t) > + > +dev_dontaudit_search_sysfs(gnome_settings_daemon_t) > +dev_read_urand(gnome_settings_daemon_t) > +dev_read_sysfs(gnome_settings_daemon_t) > +dev_rw_null(gnome_settings_daemon_t) > + > +files_list_root(gnome_settings_daemon_t) > +files_list_tmp(gnome_settings_daemon_t) > +files_read_etc_files(gnome_settings_daemon_t) > +files_read_usr_files(gnome_settings_daemon_t) > +files_search_tmp(gnome_settings_daemon_t) > + > +fs_getattr_tmpfs(gnome_settings_daemon_t) > 
+fs_getattr_xattr_fs(gnome_settings_daemon_t) > +fs_list_tmpfs(gnome_settings_daemon_t) > +fs_rw_tmpfs_files(gnome_settings_daemon_t) > + > +init_sigchld(gnome_settings_daemon_t) > + > +kernel_read_system_state(gnome_settings_daemon_t) > + > +libs_use_ld_so(gnome_settings_daemon_t) > +libs_use_shared_libs(gnome_settings_daemon_t) > + > +logging_search_logs(gnome_settings_daemon_t) > + > +miscfiles_read_fonts(gnome_settings_daemon_t) > +miscfiles_read_generic_certs(gnome_settings_daemon_t) > +miscfiles_read_localization(gnome_settings_daemon_t) > + > +selinux_getattr_fs(gnome_settings_daemon_t) > +selinux_dontaudit_search_fs(gnome_settings_daemon_t) > + > +### should create an xserver interface for writing .xsession-errors > +userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t) > + > +userdom_list_user_home_dirs(gnome_settings_daemon_t) > +userdom_list_user_tmp(gnome_settings_daemon_t) > +userdom_search_user_home_dirs(gnome_settings_daemon_t) > +userdom_search_user_home_content(gnome_settings_daemon_t) > + > +optional_policy(` > + colord_dbus_chat(gnome_settings_daemon_t) > + colord_manage_home_files(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + dbus_system_bus_client(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + devicekit_dbus_chat_power(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + policykit_dbus_chat(gnome_settings_daemon_t) > + policykit_domtrans(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + pulseaudio_read_home(gnome_settings_daemon_t) > + pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t) > + pulseaudio_signull(gnome_settings_daemon_t) > + pulseaudio_stream_connect(gnome_settings_daemon_t) > + pulseaudio_use_fds(gnome_settings_daemon_t) > +') > + > +optional_policy(` > + xserver_read_user_xauth(gnome_settings_daemon_t) > + xserver_stream_connect(gnome_settings_daemon_t) > +') > + > +############################## > # > # Keyring-daemon local policy > # > --- 
refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200 > @@ -1,3 +1,5 @@ > +/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0) > + > /usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) > /usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200 > @@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',` > > ######################################## > ## <summary> > +## Execute a domain transition to > +## run polkit. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +# > +interface(`policykit_domtrans',` > + gen_require(` > + type policykit_t, policykit_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, policykit_exec_t, policykit_t) > +') > + > +######################################## > +## <summary> > ## Execute a domain transition to run polkit_auth. > ## </summary> > ## <param name="domain"> > --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200 > @@ -117,6 +118,7 @@ optional_policy(` > > optional_policy(` > gnome_read_generic_home_content(policykit_t) > + gnome_read_settings_daemon_files(policykit_t) > ') > > optional_policy(` > --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200 
> @@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',` > > typeattribute $1 pulseaudio_tmpfsfile; > ') > + > +####################################### > +## <summary> > +## Read pulseaudio tmpfs files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`pulseaudio_read_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') > + > +####################################### > +## <summary> > +## Read and write pulseaudio tmpfs > +## files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`pulseaudio_rw_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') > + > +######################################## > +## <summary> > +## Use file descriptors for > +## pulseaudio. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`pulseaudio_use_fds',` > + gen_require(` > + type pulseaudio_t; > + ') > + > + allow $1 pulseaudio_t:fd use; > +') > + > +######################################## > +## <summary> > +## Do not audit attempts to use the > +## file descriptors for pulseaudio. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`pulseaudio_dontaudit_use_fds',` > + gen_require(` > + type pulseaudio_t; > + ') > + > + dontaudit $1 pulseaudio_t:fd use; > +') > --- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200 
> @@ -193,6 +193,11 @@ optional_policy(` > > optional_policy(` > gnome_stream_connect_gconf(pulseaudio_t) > + > + # OIL Runtime Compiler (ORC) optimized code execution > + allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms }; > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) > + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) > ') > > optional_policy(`--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200 > +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200 > @@ -593,6 +593,10 @@ template(`userdom_common_user_template', > ') > > optional_policy(` > + colord_manage_home_files($1_t) > + ') > + > + optional_policy(` > dbus_system_bus_client($1_t) > > optional_policy(` > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160821/4d08999f/attachment-0001.bin ^ permalink raw reply [flat|nested] 73+ messages in thread
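Review bot: in the gnome.if `@@ -69,6 +109,70 @@` hunk (Common policy) the entrypoint permissions are granted to the wrong side of each transition. `domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t)` already gives dconf_t `entrypoint` on dconf_exec_t; the preceding `allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms };` instead lets user_dbusd_t itself be entered through the dconf binary. The same inversion appears in `allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms };`, `allow at_spi_t dbusd_exec_t:file { entrypoint exec_file_perms };` and `allow user_dbusd_t bin_t:file entrypoint;`, the last of which makes every generic binary a valid entry point for the session bus domain. Drop the source-side entrypoint rules and keep only the domtrans_pattern calls. The hunk also names `user_dbusd_t`, `dbusd_exec_t` and `bin_t` directly inside a gnome template with no gen_require; these types belong to the dbus and corecommands modules and should be reached through their interfaces so the gnome module still builds on its own.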
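Review bot: in the gnome.if `@@ -84,6 +188,38 @@` hunk (Gnome-settings policy), `corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t)` with the comment `# for dbus-launch` makes gsettings transition into user_dbusd_t on executing any bin_t file, not just dbus-launch. The `domtrans_pattern(gnome_settings_t, dbusd_exec_t, user_dbusd_t)` two lines below already covers dbus-launch when it is labelled dbusd_exec_t, so the corecmd_bin_domtrans line should go. `allow gnome_settings_t bin_t:file entrypoint;` has the same problem as in the common-policy hunk and is not needed for either transition.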
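Review bot: in the gnome.if `@@ -100,23 +236,85 @@` hunk (Gkeyringd policy) the new dbus calls hard-code the role prefix: `dbus_connect_spec_session_bus(user, dconf_t)`, `dbus_send_spec_session_bus(user, at_spi_t)` and the neighbouring lines pass the literal `user` inside gnome_role_template, while the existing `dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)` uses `$1`; with `user` the template only works for the user role and does nothing useful for staff or sysadm. Separately, `userdom_manage_user_home_content_dirs($1_gkeyringd_t)` and `userdom_manage_user_home_content_files($1_gkeyringd_t)` give the keyring daemon write access to all generic user home content, which the gnome_keyring_cache_home_t type and its `userdom_user_home_content_filetrans` rules in the same hunk were introduced to avoid; either drop the broad rules or state in the commit message which paths still need them.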
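Review bot: in the gnome.if `@@ -623,6 +881,133 @@` hunk, `gnome_read_mime_info_home_files` calls `userdom_list_user_home_content($1)` on top of `userdom_search_user_home_dirs($1)`; a read interface for one file type only needs search on the containing directories, so `userdom_search_user_home_content($1)` is the right call, otherwise every caller gets to enumerate all user home content.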
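Review bot: the gnome.te `@@ -7,7 +7,24 @@` hunk leaves `policy_module(gnome, 2.5.1)` unchanged while adding four domains plus new types and role attributes; refpolicy convention is to bump the module version in the same patch, and the same applies to the other modules whose interfaces this patch changes.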
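Review bot: in the gnome.te `@@ -31,6 +48,19 @@` hunk both new domains are declared with the exec type in the domain slot: `userdom_user_application_domain(gnome_settings_exec_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_exec_t, gnome_settings_daemon_exec_t)`. The first argument must be the domain type, so gnome_settings_t and gnome_settings_daemon_t never receive the domain attribute and the exec types are wrongly turned into domains; the `domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t)` and `domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t)` calls in gnome.if then target a non-domain type. The extra `allow gnome_settings_t gnome_settings_exec_t:file entrypoint;` and `allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms };` in the local-policy hunk look like workarounds for this and can be dropped once the declarations read `userdom_user_application_domain(gnome_settings_t, gnome_settings_exec_t)` and `userdom_user_application_domain(gnome_settings_daemon_t, gnome_settings_daemon_exec_t)`.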
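Review bot: in the gnome.te `@@ -43,9 +73,18 @@` hunk the two new file types carry attributes that do not match where the files live. `files_config_file(mime_info_t)` marks it as system configuration, yet `gnome_read_mime_info_home_files` in gnome.if searches user home directories for it; a user-writable home file should be declared with `userdom_user_home_content(mime_info_t)`, otherwise every domain allowed to read configuration files can read it. `application_executable_file(gstreamer_orcexec_t)` puts the exec_type attribute on JIT output that pulseaudio writes into user home and runtime directories (see the `gnome_user_home_dir_filetrans_gstreamer_orcexec` and `gnome_user_runtime_filetrans_gstreamer_orcexec` interfaces), so any domain permitted to execute all exec_type files can run user-controlled code; declare it as home and tmp content and grant execute only to the domain that needs it through a dedicated gnome.if interface.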
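Review bot: in the gnome.te `@@ -73,7 +112,62 @@` hunk at_spi_t gets `manage_dir_perms`, `manage_file_perms` and `manage_lnk_file_perms` on dconf_home_t, as do `$3`, gnome_settings_t and gnome_settings_daemon_t elsewhere in the patch. The point of a separate dconf_t is that clients change settings through the daemon over the bus; if every client can rewrite the database files directly, the new domain adds little isolation. Consider limiting clients to read access and leaving writes to dconf_t. Also, `rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t)` is the long form of `allow at_spi_t self:fifo_file rw_fifo_file_perms;`, which is how refpolicy writes a domain's access to its own pipes.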
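Review bot: in the gnome.te `@@ -102,6 +202,171 @@` hunk several pairs cancel each other out: `dev_dontaudit_search_sysfs(gnome_settings_t)` sits next to `dev_search_sysfs(gnome_settings_t)`, and `dev_dontaudit_search_sysfs(gnome_settings_daemon_t)` next to `dev_read_sysfs(gnome_settings_daemon_t)`; a dontaudit on a permission that is also allowed is dead, so keep one or the other. `cups_read_config(gnome_settings_daemon_t)` and `cups_stream_connect(gnome_settings_daemon_t)` are called unconditionally while every other contrib module used in this block (colord, dbus, devicekit, policykit, pulseaudio, xserver) is wrapped in optional_policy; cups is optional too and the build will fail without it. The two `### should create an xserver interface for writing .xsession-errors` lines are TODO markers that should be resolved or rewritten as ordinary comments before merging, and rules such as `dev_rw_null`, `files_list_root` and `corecmd_search_bin` are already granted to every domain by the domain module and can be dropped.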
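Review bot: the policykit.fc hunk labels `/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0)`, the same type as polkitd, so `policykit_domtrans(gnome_settings_daemon_t)` in gnome.te makes gsd run the setuid pkexec in policykit_t, the authority daemon's own domain. That merges the privilege-escalation client with the authority: gsd gains everything polkitd is allowed, and whatever pkexec launches as root stays in policykit_t unless a further transition exists. The context line `/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)` shows that refpolicy already keeps the agent helper separate; pkexec needs its own exec type and domain, and the new `policykit_domtrans` interface should transition to that domain rather than to policykit_t.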
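Review bot: the policykit.te hunk header `@@ -117,6 +118,7 @@` shows the new-side line numbers already shifted by one before the first change in this file, so the diff was taken against a tree that carries an earlier, unposted modification; the pulseaudio.te header likewise compares `refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te` with `refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te`. Please regenerate the series from a clean checkout with `git format-patch` so the hunks apply to current master.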
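Review bot: the pulseaudio.te hunk uses a gnome type directly, `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };`, with no gen_require and across module boundaries; refpolicy requires this to go through a gnome.if interface, as the two filetrans calls beneath it already do. Note what the rule grants: `manage_file_perms` together with `mmap_file_perms` (which includes execute) on the same files is write-then-execute, which is inherent to the ORC JIT cache but is exactly why the access should be confined to pulseaudio_t through one interface rather than spread to every domain via the exec_type attribute on gstreamer_orcexec_t.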
* [refpolicy] [PATCH v3] Update for the gnome policy and file contexts 2016-08-21 18:49 ` Dominick Grift @ 2016-08-21 19:02 ` Guido Trentalancia 2016-08-21 19:05 ` Dominick Grift 0 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-21 19:02 UTC (permalink / raw) To: refpolicy Hello. On Sun, 21/08/2016 at 20.49 +0200, Dominick Grift via refpolicy wrote: > On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote: > > > > Update for the gnome module: > > > > - target the dconf daemon, the gsettings user application, the > > gnome-settings-daemon and the at-spi daemon with all the > > needed domain transitions; > > - a new gstreamer_orcexec_t type and file context is introduced > > to support the OIL Runtime Compiler (ORC) optimized code > > execution (used for example by pulseaudio); > > - add support for more permissions needed in gconfd_t and gnome > > keyring domains; > > - add support for chat over dbus in the gconfd domain and in the > > new domains (dconf, gsettings, etc); > > - add support for a few needed fs and kernel permissions. > > - add support for reading the colord related files in the home > > directories (such as the ICC EDID profiles): requires the > > recent colord patch; > > - add support for reading the colord related files in the home > > directories in the common user domain template; > > - add support for a new mime_info_t type to be used in the home > > directories; > > - includes minor modifications to the consolekit, dbus and > > policykit modules to support the new targeted gnome daemons > > and applications; > > - modifies the pulseaudio module to introduce new interfaces to > > read and write pulseaudio tmpfs files and to use the pulseaudio > > file descriptor. > > > > The support for Gnome2/ORBit-2 (version 2) has been dropped. > > if you want me to review this then you have to split this patch into > smaller patches You already reviewed the initial patch.
However, this new version is much different from it, so you might want to review it again. If you want, I can split it into separate patches, one for each module (colord, consolekit, dbus, gnome, policykit, pulseaudio and userdomain). However, they would all be interdependent, so I can't see much gain in doing that... Is that all right for you? Regards, Guido ^ permalink raw reply [flat|nested] 73+ messages in thread
* [refpolicy] [PATCH v3] Update for the gnome policy and file contexts 2016-08-21 19:02 ` Guido Trentalancia @ 2016-08-21 19:05 ` Dominick Grift 2016-08-21 19:44 ` Guido Trentalancia 0 siblings, 1 reply; 73+ messages in thread From: Dominick Grift @ 2016-08-21 19:05 UTC (permalink / raw) To: refpolicy On 08/21/2016 09:02 PM, Guido Trentalancia wrote: > Hello. > > On Sun, 21/08/2016 at 20.49 +0200, Dominick Grift via refpolicy wrote: >> On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote: >>> >>> Update for the gnome module: >>> >>> - target the dconf daemon, the gsettings user application, the >>> gnome-settings-daemon and the at-spi daemon with all the >>> needed domain transitions; >>> - a new gstreamer_orcexec_t type and file context is introduced >>> to support the OIL Runtime Compiler (ORC) optimized code >>> execution (used for example by pulseaudio); >>> - add support for more permissions needed in gconfd_t and gnome >>> keyring domains; >>> - add support for chat over dbus in the gconfd domain and in the >>> new domains (dconf, gsettings, etc); >>> - add support for a few needed fs and kernel permissions. >>> - add support for reading the colord related files in the home >>> directories (such as the ICC EDID profiles): requires the >>> recent colord patch; >>> - add support for reading the colord related files in the home >>> directories in the common user domain template; >>> - add support for a new mime_info_t type to be used in the home >>> directories; >>> - includes minor modifications to the consolekit, dbus and >>> policykit modules to support the new targeted gnome daemons >>> and applications; >>> - modifies the pulseaudio module to introduce new interfaces to >>> read and write pulseaudio tmpfs files and to use the pulseaudio >>> file descriptor. >>> >>> The support for Gnome2/ORBit-2 (version 2) has been dropped.
>> >> if you want me to review this then you have to split this patch into >> smaller patches > > You already reviewed the initial patch. However this new version is > much different from it, so you might want to review it again. > > If you want, I can split it in separate patches, one for each module > (colord, consolekit, dbus, gnome, policykit, pulseaudio and > userdomain). However, they would be all interdependent, so I can't see > much gain in doing that... > > Is that all right for you ? I can't review this as-is. So if you want my feedback then you will have to find a way to split this into smaller but sensible patches. > > Regards, > > Guido > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift ^ permalink raw reply [flat|nested] 73+ messages in thread
* [refpolicy] [PATCH v3] Update for the gnome policy and file contexts 2016-08-21 19:05 ` Dominick Grift @ 2016-08-21 19:44 ` Guido Trentalancia 0 siblings, 0 replies; 73+ messages in thread From: Guido Trentalancia @ 2016-08-21 19:44 UTC (permalink / raw) To: refpolicy On Sun, 21/08/2016 at 21.05 +0200, Dominick Grift wrote: > On 08/21/2016 09:02 PM, Guido Trentalancia wrote: > > > > Hello. > > > > On Sun, 21/08/2016 at 20.49 +0200, Dominick Grift via refpolicy > > wrote: > > > > > > On 08/20/2016 04:52 PM, Guido Trentalancia via refpolicy wrote: > > > > > > > > > > > > Update for the gnome module: > > > > > > > > - target the dconf daemon, the gsettings user application, the > > > > gnome-settings-daemon and the at-spi daemon with all the > > > > needed domain transitions; > > > > - a new gstreamer_orcexec_t type and file context is introduced > > > > to support the OIL Runtime Compiler (ORC) optimized code > > > > execution (used for example by pulseaudio); > > > > - add support for more permissions needed in gconfd_t and gnome > > > > keyring domains; > > > > - add support for chat over dbus in the gconfd domain and in > > > > the > > > > new domains (dconf, gsettings, etc); > > > > - add support for a few needed fs and kernel permissions. > > > > - add support for reading the colord related files in the home > > > > directories (such as the ICC EDID profiles): requires the > > > > recent colord patch; > > > > - add support for reading the colord related files in the > > > > home > > > > directories in the common user domain template; > > > > - add support for a new mime_info_t type to be used in the home > > > > directories; > > > > - includes minor modifications to the consolekit, dbus and > > > > policykit modules to support the new targeted gnome daemons > > > > and applications; > > > > - modifies the pulseaudio module to introduce new interfaces to > > > >
read and write pulseaudio tmpfs files and to use the > > > > pulseaudio > > > > file descriptor. > > > > > > > > The support for Gnome2/ORBit-2 (version 2) has been dropped. > > > > > > if you want me to review this then you have to split this patch > > > into > > > smaller patches > > > > You already reviewed the initial patch. However this new version is > > much different from it, so you might want to review it again. > > > > If you want, I can split it in separate patches, one for each > > module > > (colord, consolekit, dbus, gnome, policykit, pulseaudio and > > userdomain). However, they would be all interdependent, so I can't > > see > > much gain in doing that... > > > > Is that all right for you ? > > I can't review this as-is. So if you want my feedback then you will > have > to find a way to split this into smaller but sensible patches. It can't really be split. It doesn't matter if you don't want or don't have time to review it... Regards, Guido ^ permalink raw reply [flat|nested] 73+ messages in thread
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-22 19:39 UTC
To: refpolicy

Update for the gnome module:

- target the dconf daemon, the gsettings user application, the
  gnome-settings-daemon and the at-spi daemon with all the needed
  domain transitions;
- a new gstreamer_orcexec_t type and file context is introduced to
  support the OIL Runtime Compiler (ORC) optimized code execution
  (used for example by pulseaudio);
- add support for more permissions needed in gconfd_t and gnome
  keyring domains;
- add support for chat over dbus in the gconfd domain and in the new
  domains (dconf, gsettings, etc);
- add support for a few needed fs and kernel permissions;
- add support for reading the colord related files in the home
  directories (such as the ICC EDID profiles): requires the recent
  colord patch;
- add support for reading the colord related files in the home
  directories in the common user domain template;
- add support for a new mime_info_t type to be used in the home
  directories;
- includes minor modifications to the consolekit, dbus and policykit
  modules to support the new targeted gnome daemons and applications;
- modifies the pulseaudio module to introduce new interfaces to read
  and write pulseaudio tmpfs files and to use the pulseaudio file
  descriptor;
- provides better module encapsulation (i.e. dbus module).

The support for Gnome2/ORBit-2 (version 2) has been dropped.

This patch depends on the recent colord patch. Recent changes to the
pulseaudio module depend on this patch!
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/colord.if     |  41 +++
 policy/modules/contrib/colord.te     |   4
 policy/modules/contrib/consolekit.te |   4
 policy/modules/contrib/dbus.if       |  22 +
 policy/modules/contrib/dbus.te       |   9
 policy/modules/contrib/gnome.fc      |  19 +
 policy/modules/contrib/gnome.if      | 418 ++++++++++++++++++++++++++++++++++-
 policy/modules/contrib/gnome.te      | 267 ++++++++++++++++++++++
 policy/modules/contrib/policykit.fc  |   2
 policy/modules/contrib/policykit.if  |  20 +
 policy/modules/contrib/policykit.te  |   1
 policy/modules/contrib/pulseaudio.if |  77 ++++++
 policy/modules/contrib/pulseaudio.te |   5
 policy/modules/system/userdomain.if  |   4
 14 files changed, 890 insertions(+), 3 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.if	2016-08-06 21:27:11.338094155 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.if	2016-08-19 23:13:27.765740337 +0200
@@ -58,3 +58,44 @@ interface(`colord_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') + +###################################### +## <summary> +## Read colord home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`colord_read_home_files',` + gen_require(` + type colord_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + read_files_pattern($1, colord_home_t, colord_home_t) +') + +###################################### +## <summary> +## Create, read, write, and delete +## colord home content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`colord_manage_home_files',` + gen_require(` + type colord_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + manage_files_pattern($1, colord_home_t, colord_home_t) +') --- refpolicy-git-14082016/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-20 00:21:47.786192022 +0200 @@ -123,6 +136,10 @@ optional_policy(` ') optional_policy(` + gnome_settings_daemon_use_fds(colord_t) +') + +optional_policy(` policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t)--- refpolicy-git-06082016-orig/policy/modules/contrib/consolekit.te 2016-08-07 23:05:57.060018494 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/consolekit.te 2016-08-19 22:13:01.508709501 +0200 
@@ -104,6 +101,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + gnome_read_settings_daemon_files(consolekit_t) +') + +optional_policy(` dbus_read_lib_files(consolekit_t) dbus_system_domain(consolekit_t, consolekit_exec_t) --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.if 2016-08-06 21:27:11.344094223 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/dbus.if 2016-08-22 21:16:25.424569109 +0200 @@ -626,3 +626,25 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') + +######################################## +## <summary> +## Make a domain transition from a +## given source domain to another +## specified target domain using +## the DBUS executable file type. +## </summary> +## <param name="domain"> +## <summary> +## Source domain. +## </summary> +## </param> +# +interface(`dbus_domain_transition',` + gen_require(` + type dbusd_exec_t; + ') + + allow $1 dbusd_exec_t:file { entrypoint exec_file_perms }; + domtrans_pattern($1, dbusd_exec_t, $2) +')--- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te 2016-08-06 21:27:11.344094223 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 2016-08-20 00:27:48.730380843 +0200 @@ -148,6 +148,15 @@ optional_policy(` ') optional_policy(` + colord_read_home_files(system_dbusd_t) +') + +optional_policy(` + gnome_read_settings_daemon_files(system_dbusd_t) + gnome_settings_daemon_use_fds(system_dbusd_t) +') + +optional_policy(` policykit_read_lib(system_dbusd_t) ') --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-19 23:26:12.625475184 +0200 
@@ -1,16 +1,33 @@ +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) +HOME_DIR/\.cache/keyring[^/]+(/.*)? gen_context(system_u:object_r:gnome_keyring_cache_home_t,s0) +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:dconf_home_t,s0) HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.local/share/mime(/.*)? gen_context(system_u:object_r:mime_info_t,s0) + +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) +/usr/bin/gsettings -- gen_context(system_u:object_r:gnome_settings_exec_t,s0) /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/at-spi-bus-launcher -- gen_context(system_u:object_r:at_spi_exec_t,s0) +/usr/libexec/dconf-service -- gen_context(system_u:object_r:dconf_exec_t,s0) +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-settings-daemon -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) +/usr/libexec/gsd-[^/]* -- gen_context(system_u:object_r:gnome_settings_daemon_exec_t,s0) + +/usr/share/glib-[^/]*/schemas(/.*)? 
gen_context(system_u:object_r:gnome_settings_schemas_t,s0) + +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-22 21:24:49.634876147 +0200 @@ -43,14 +43,39 @@ interface(`gnome_role',` template(`gnome_role_template',` gen_require(` attribute gnomedomain, gkeyringd_domain; + attribute_role dconf_roles; + attribute_role at_spi_roles; attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + attribute_role gnome_settings_roles; + attribute_role gnome_settings_daemon_roles; + type dconf_t, dconf_exec_t, dconf_home_t; + type at_spi_t, at_spi_exec_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t; + type gnome_settings_t, gnome_settings_exec_t; + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t; + type gnome_settings_schemas_t; + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; + type mime_info_t; + type user_dbusd_t; ') ######################################## # + # Dconf declarations + # + + roleattribute $2 dconf_roles; + + ######################################## + # + # At-spi declarations + # + + roleattribute $2 at_spi_roles; + + ######################################## + # # Gconf declarations # @@ -58,6 +83,20 @@ template(`gnome_role_template',` ######################################## # + # Gnome-settings declarations + # + + roleattribute $2 gnome_settings_roles; + + ######################################## + # + # Gnome-settings-daemon declarations + # + + roleattribute $2 gnome_settings_daemon_roles; + + ######################################## + # # Gkeyringd declarations # 
@@ -69,6 +108,64 @@ template(`gnome_role_template',` ######################################## # + # Common policy + # + + allow $3 dconf_home_t:dir manage_dir_perms; + allow $3 dconf_home_t:file manage_file_perms; + allow $3 dconf_home_t:lnk_file manage_lnk_file_perms; + + allow $3 gnome_settings_schemas_t:dir list_dir_perms; + allow $3 gnome_settings_schemas_t:file read_file_perms; + allow $3 gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + + allow $3 mime_info_t:dir list_dir_perms; + allow $3 mime_info_t:file read_file_perms; + + allow at_spi_t user_dbusd_t:process signal; + + allow user_dbusd_t self:process signal; + + allow user_dbusd_t bin_t:file entrypoint; + + gnome_read_settings_files(user_dbusd_t) + gnome_read_settings_daemon_files(user_dbusd_t) + + files_read_usr_files($3) + + kernel_read_system_state(user_dbusd_t) + + optional_policy(` + xserver_read_user_xauth(user_dbusd_t) + xserver_stream_connect(user_dbusd_t) + ') + + ######################################## + # + # Dconf policy + # + + allow dconf_t user_dbusd_t:unix_stream_socket connectto; + + allow user_dbusd_t dconf_exec_t:file { entrypoint exec_file_perms }; + + domtrans_pattern(user_dbusd_t, dconf_exec_t, dconf_t) + + ######################################## + # + # At-spi policy + # + + allow at_spi_t user_dbusd_t:unix_stream_socket connectto; + + allow user_dbusd_t at_spi_exec_t:file { entrypoint exec_file_perms }; + + allow $3 at_spi_t:fd use; + + domtrans_pattern(user_dbusd_t, at_spi_exec_t, at_spi_t) + + ######################################## + # # Gconf policy # 
@@ -84,6 +181,35 @@ template(`gnome_role_template',` ######################################## # + # Gnome-settings policy + # + + domtrans_pattern($3, gnome_settings_exec_t, gnome_settings_t) + + allow $3 gnome_settings_t:process { ptrace signal_perms }; + ps_process_pattern($3, gnome_settings_t) + + allow gnome_settings_t user_dbusd_t:unix_stream_socket connectto; + + allow gnome_settings_t bin_t:file entrypoint; + + # for dbus-launch + corecmd_bin_domtrans(gnome_settings_t, user_dbusd_t) + + ######################################## + # + # Gnome-settings-daemon policy + # + + domtrans_pattern($3, gnome_settings_daemon_exec_t, gnome_settings_daemon_t) + + allow gnome_settings_daemon_t user_dbusd_t:unix_stream_socket connectto; + + allow $3 gnome_settings_daemon_t:process { ptrace signal_perms }; + ps_process_pattern($3, gnome_settings_daemon_t) + + ######################################## + # # Gkeyringd policy # 
@@ -100,23 +226,87 @@ template(`gnome_role_template',` allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + userdom_manage_user_home_content_dirs($1_gkeyringd_t) + userdom_manage_user_home_content_files($1_gkeyringd_t) + + manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, dir) + + manage_sock_files_pattern($1_gkeyringd_t, gnome_keyring_cache_home_t, gnome_keyring_cache_home_t) + userdom_user_home_content_filetrans($1_gkeyringd_t, gnome_keyring_cache_home_t, sock_file) + ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + kernel_read_kernel_sysctls($1_gkeyringd_t) + corecmd_bin_domtrans($1_gkeyringd_t, $3) corecmd_shell_domtrans($1_gkeyringd_t, $3) gnome_stream_connect_gkeyringd($1, $3) optional_policy(` + dbus_connect_spec_session_bus(user, dconf_t) + dbus_connect_spec_session_bus(user, at_spi_t) + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t) + dbus_connect_system_bus(gnome_settings_daemon_t) + dbus_domain_transition(at_spi_t, user_dbusd_t) + dbus_domain_transition(gnome_settings_t, user_dbusd_t) + dbus_send_spec_session_bus(user, dconf_t) + dbus_send_spec_session_bus(user, at_spi_t) + dbus_send_spec_session_bus(user, gnome_settings_daemon_t) dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) optional_policy(` + gnome_dbus_chat_dconf($3) + gnome_dbus_chat_dconf(gnome_settings_t) + gnome_dbus_chat_at_spi($3) + gnome_dbus_chat_gconfd($3) + gnome_dbus_chat_gnome_settings(user_dbusd_t) + gnome_dbus_chat_gnome_settings_daemon($3) + gnome_dbus_chat_gnome_settings_daemon(at_spi_t) gnome_dbus_chat_gkeyringd($1, $3) ') ') ') +####################################### +## <summary> +## Read gnome-settings files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_read_settings_files',` + gen_require(` + type gnome_settings_t; + ') + + read_files_pattern($1, gnome_settings_t, gnome_settings_t) +') + +####################################### +## <summary> +## Read gnome-settings-daemon +## files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_read_settings_daemon_files',` + gen_require(` + type gnome_settings_daemon_t; + ') + + read_files_pattern($1, gnome_settings_daemon_t, gnome_settings_daemon_t) +') + ######################################## ## <summary> ## Execute gconf in the caller domain. @@ -569,6 +759,36 @@ interface(`gnome_home_filetrans_gnome_ho ######################################## ## <summary> +## Create objects in user home +## directories with the gstreamer +## orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Create objects in gnome gconf home ## directories with a private type. ## </summary> 
@@ -604,6 +824,36 @@ interface(`gnome_gconf_home_filetrans',` ######################################## ## <summary> +## Create objects in the user +## runtime directories with the +## gstreamer orcexec type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +## <summary> ## Read generic gnome keyring home files. ## </summary> ## <param name="domain"> 
@@ -623,6 +873,133 @@ interface(`gnome_read_keyring_home_files ######################################## ## <summary> +## Read mime info files in the home +## directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_read_mime_info_home_files',` + gen_require(` + type mime_info_t; + ') + + userdom_search_user_home_dirs($1) + userdom_list_user_home_content($1) + read_files_pattern($1, mime_info_t, mime_info_t) +') + +######################################## +## <summary> +## Send and receive messages from +## the dconf daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_dconf',` + gen_require(` + type dconf_t; + class dbus send_msg; + ') + + allow $1 dconf_t:dbus send_msg; + allow dconf_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## the at-spi daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_at_spi',` + gen_require(` + type at_spi_t; + class dbus send_msg; + ') + + allow $1 at_spi_t:dbus send_msg; + allow at_spi_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## the gconf daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## gnome-settings over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_dbus_chat_gnome_settings',` + gen_require(` + type gnome_settings_t; + class dbus send_msg; + ') + + allow $1 gnome_settings_t:dbus send_msg; + allow gnome_settings_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## the gnome-settings-daemon over +## dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dbus_chat_gnome_settings_daemon',` + gen_require(` + type gnome_settings_daemon_t; + class dbus send_msg; + ') + + allow $1 gnome_settings_daemon_t:dbus send_msg; + allow gnome_settings_daemon_t $1:dbus send_msg; +') + +######################################## +## <summary> ## Send and receive messages from ## gnome keyring daemon over dbus. ## </summary> 
@@ -735,3 +1112,42 @@ interface(`gnome_stream_connect_all_gkey files_search_tmp($1) stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') + +######################################## +## <summary> +## Use file descriptors for +## the gnome settings daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_settings_daemon_use_fds',` + gen_require(` + type gnome_settings_daemon_t; + ') + + allow $1 gnome_settings_daemon_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use the +## file descriptors for the gnome +## settings daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_dontaudit_settings_daemon_use_fds',` + gen_require(` + type gnome_settings_daemon_t; + ') + + dontaudit $1 gnome_settings_daemon_t:fd use; +') --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-22 21:04:17.942469224 +0200 @@ -7,7 +7,24 @@ policy_module(gnome, 2.5.1) attribute gkeyringd_domain; attribute gnomedomain; +attribute_role dconf_roles; +attribute_role at_spi_roles; attribute_role gconfd_roles; +attribute_role gnome_settings_roles; +attribute_role gnome_settings_daemon_roles; + +type dconf_t; +type dconf_exec_t; +userdom_user_application_domain(dconf_t, dconf_exec_t) +role dconf_roles types dconf_t; + +type dconf_home_t; +userdom_user_home_content(dconf_home_t) + +type at_spi_t; +type at_spi_exec_t; +userdom_user_application_domain(at_spi_t, at_spi_exec_t) +role at_spi_roles types at_spi_t; type gconf_etc_t; files_config_file(gconf_etc_t) 
@@ -31,6 +48,19 @@ typealias gconfd_t alias { auditadm_gcon userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; +type gnome_settings_t; +type gnome_settings_exec_t; +userdom_user_application_domain(gnome_settings_t, gnome_settings_exec_t) +role gnome_settings_roles types gnome_settings_t; + +type gnome_settings_daemon_t; +type gnome_settings_daemon_exec_t; +userdom_user_application_domain(gnome_settings_daemon_t, gnome_settings_daemon_exec_t) +role gnome_settings_daemon_roles types gnome_settings_daemon_t; + +type gnome_settings_schemas_t; +files_config_file(gnome_settings_schemas_t) + type gnome_home_t; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; @@ -43,9 +73,18 @@ application_executable_file(gkeyringd_ex type gnome_keyring_home_t; userdom_user_home_content(gnome_keyring_home_t) +type gnome_keyring_cache_home_t; +userdom_user_home_content(gnome_keyring_cache_home_t) + type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) +type mime_info_t; +files_config_file(mime_info_t) + +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) + ############################## # # Common local Policy 
@@ -73,7 +112,62 @@ optional_policy(` ############################## # -# Conf daemon local Policy +# DConf daemon local policy (Gnome3) +# + +allow dconf_t self:process signal; + +allow dconf_t dconf_home_t:dir manage_dir_perms; +allow dconf_t dconf_home_t:file manage_file_perms; +allow dconf_t dconf_home_t:lnk_file manage_lnk_file_perms; + +userdom_search_user_home_content(dconf_t) + +fs_getattr_xattr_fs(dconf_t) + +kernel_read_system_state(dconf_t) + +selinux_getattr_fs(dconf_t) + +############################## +# +# At-spi local policy +# + +allow at_spi_t self:process signal; + +allow at_spi_t dconf_home_t:dir manage_dir_perms; +allow at_spi_t dconf_home_t:file manage_file_perms; +allow at_spi_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow at_spi_t gnome_settings_schemas_t:dir list_dir_perms; +allow at_spi_t gnome_settings_schemas_t:file read_file_perms; +allow at_spi_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +rw_fifo_files_pattern(at_spi_t, at_spi_t, at_spi_t) + +corecmd_search_bin(at_spi_t) + +files_read_usr_files(at_spi_t) + +fs_getattr_xattr_fs(at_spi_t) + +kernel_read_system_state(at_spi_t) + +selinux_getattr_fs(at_spi_t) + +# search in .cache +userdom_search_user_home_dirs(at_spi_t) +userdom_search_user_home_content(at_spi_t) + +optional_policy(` + xserver_read_user_xauth(at_spi_t) + xserver_stream_connect(at_spi_t) +') + +############################## +# +# GConf daemon local Policy (Gnome2) # allow gconfd_t gconf_etc_t:dir list_dir_perms; @@ -87,6 +181,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +kernel_dontaudit_read_system_state(gconfd_t) + +files_search_tmp(gconfd_t) + +fs_getattr_xattr_fs(gconfd_t) + userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) 
@@ -102,6 +202,171 @@ optional_policy(` ') ############################## +# +# Gnome-settings local policy +# + +allow gnome_settings_t self:dir list_dir_perms; +allow gnome_settings_t self:file rw_file_perms; +allow gnome_settings_t self:process { fork sigchld }; +allow gnome_settings_t self:unix_stream_socket create_stream_socket_perms; + +allow gnome_settings_t dconf_home_t:dir manage_dir_perms; +allow gnome_settings_t dconf_home_t:file manage_file_perms; +allow gnome_settings_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow gnome_settings_t gnome_settings_schemas_t:dir list_dir_perms; +allow gnome_settings_t gnome_settings_schemas_t:file read_file_perms; +allow gnome_settings_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +allow gnome_settings_t gnome_settings_exec_t:file entrypoint; + +rw_fifo_files_pattern(gnome_settings_t, gnome_settings_t, gnome_settings_t) + +corecmd_exec_bin(gnome_settings_t) +corecmd_search_bin(gnome_settings_t) + +dev_dontaudit_search_sysfs(gnome_settings_t) +dev_list_all_dev_nodes(gnome_settings_t) +dev_rw_null(gnome_settings_t) +dev_search_sysfs(gnome_settings_t) + +files_list_root(gnome_settings_t) +files_read_etc_files(gnome_settings_t) +files_read_usr_files(gnome_settings_t) +files_search_pids(gnome_settings_t) + +fs_getattr_xattr_fs(gnome_settings_t) + +init_sigchld(gnome_settings_t) + +kernel_read_system_state(gnome_settings_t) + +libs_use_ld_so(gnome_settings_t) +libs_use_shared_libs(gnome_settings_t) + +miscfiles_read_localization(gnome_settings_t) + +selinux_getattr_fs(gnome_settings_t) +selinux_dontaudit_search_fs(gnome_settings_t) + +### should create an xserver interface for writing .xsession-errors +userdom_dontaudit_write_user_home_content_files(gnome_settings_t) + +# search in .cache +userdom_search_user_home_dirs(gnome_settings_t) +userdom_search_user_home_content(gnome_settings_t) + +optional_policy(` + dbus_read_lib_files(gnome_settings_t) +') + +optional_policy(` + 
xserver_use_xdm_fds(gnome_settings_t) +') + +############################## +# +# Gnome-settings-daemon local policy +# + +allow gnome_settings_daemon_t self:dir list_dir_perms; +allow gnome_settings_daemon_t self:file rw_file_perms; +allow gnome_settings_daemon_t self:lnk_file read_lnk_file_perms; + +allow gnome_settings_daemon_t self:process { fork sigchld signal }; +allow gnome_settings_daemon_t self:unix_stream_socket create_stream_socket_perms; +allow gnome_settings_daemon_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow gnome_settings_daemon_t dconf_home_t:dir manage_dir_perms; +allow gnome_settings_daemon_t dconf_home_t:file manage_file_perms; +allow gnome_settings_daemon_t dconf_home_t:lnk_file manage_lnk_file_perms; + +allow gnome_settings_daemon_t gnome_settings_schemas_t:dir list_dir_perms; +allow gnome_settings_daemon_t gnome_settings_schemas_t:file read_file_perms; +allow gnome_settings_daemon_t gnome_settings_schemas_t:lnk_file read_lnk_file_perms; + +allow gnome_settings_daemon_t gnome_settings_daemon_exec_t:file { entrypoint exec_file_perms }; + +rw_fifo_files_pattern(gnome_settings_daemon_t, gnome_settings_daemon_t, gnome_settings_daemon_t) + +read_files_pattern(gnome_settings_daemon_t, mime_info_t, mime_info_t) + +cups_read_config(gnome_settings_daemon_t) +cups_stream_connect(gnome_settings_daemon_t) + +dev_dontaudit_search_sysfs(gnome_settings_daemon_t) +dev_read_urand(gnome_settings_daemon_t) +dev_read_sysfs(gnome_settings_daemon_t) +dev_rw_null(gnome_settings_daemon_t) + +files_list_root(gnome_settings_daemon_t) +files_list_tmp(gnome_settings_daemon_t) +files_read_etc_files(gnome_settings_daemon_t) +files_read_usr_files(gnome_settings_daemon_t) +files_search_tmp(gnome_settings_daemon_t) + +fs_getattr_tmpfs(gnome_settings_daemon_t) +fs_getattr_xattr_fs(gnome_settings_daemon_t) +fs_list_tmpfs(gnome_settings_daemon_t) +fs_rw_tmpfs_files(gnome_settings_daemon_t) + +init_sigchld(gnome_settings_daemon_t) + 
+kernel_read_system_state(gnome_settings_daemon_t) + +libs_use_ld_so(gnome_settings_daemon_t) +libs_use_shared_libs(gnome_settings_daemon_t) + +logging_search_logs(gnome_settings_daemon_t) + +miscfiles_read_fonts(gnome_settings_daemon_t) +miscfiles_read_generic_certs(gnome_settings_daemon_t) +miscfiles_read_localization(gnome_settings_daemon_t) + +selinux_getattr_fs(gnome_settings_daemon_t) +selinux_dontaudit_search_fs(gnome_settings_daemon_t) + +### should create an xserver interface for writing .xsession-errors +userdom_dontaudit_write_user_home_content_files(gnome_settings_daemon_t) + +userdom_list_user_home_dirs(gnome_settings_daemon_t) +userdom_list_user_tmp(gnome_settings_daemon_t) +userdom_search_user_home_dirs(gnome_settings_daemon_t) +userdom_search_user_home_content(gnome_settings_daemon_t) + +optional_policy(` + colord_dbus_chat(gnome_settings_daemon_t) + colord_manage_home_files(gnome_settings_daemon_t) +') + +optional_policy(` + dbus_system_bus_client(gnome_settings_daemon_t) +') + +optional_policy(` + devicekit_dbus_chat_power(gnome_settings_daemon_t) +') + +optional_policy(` + policykit_dbus_chat(gnome_settings_daemon_t) + policykit_domtrans(gnome_settings_daemon_t) +') + +optional_policy(` + pulseaudio_read_home(gnome_settings_daemon_t) + pulseaudio_rw_tmpfs_files(gnome_settings_daemon_t) + pulseaudio_signull(gnome_settings_daemon_t) + pulseaudio_stream_connect(gnome_settings_daemon_t) + pulseaudio_use_fds(gnome_settings_daemon_t) +') + +optional_policy(` + xserver_read_user_xauth(gnome_settings_daemon_t) + xserver_stream_connect(gnome_settings_daemon_t) +') + +############################## # # Keyring-daemon local policy #--- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.fc 2016-08-06 21:27:11.407094942 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.fc 2016-08-20 01:03:29.139150710 +0200 
@@ -1,3 +1,5 @@ +/usr/bin/pkexec -- gen_context(system_u:object_r:policykit_exec_t,s0) + /usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) /usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.if 2016-08-06 21:27:11.407094942 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.if 2016-08-20 01:22:02.076149949 +0200 @@ -44,6 +44,26 @@ interface(`policykit_dbus_chat_auth',` ######################################## ## <summary> +## Execute a domain transition to +## run polkit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans',` + gen_require(` + type policykit_t, policykit_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, policykit_exec_t, policykit_t) +') + +######################################## +## <summary> ## Execute a domain transition to run polkit_auth. ## </summary> ## <param name="domain"> --- refpolicy-git-06082016-orig/policy/modules/contrib/policykit.te 2016-08-06 21:27:11.408094953 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/policykit.te 2016-08-19 22:14:15.581772016 +0200 @@ -117,6 +118,7 @@ optional_policy(` optional_policy(` gnome_read_generic_home_content(policykit_t) + gnome_read_settings_daemon_files(policykit_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:26.654959226 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200 
@@ -347,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',` typeattribute $1 pulseaudio_tmpfsfile; ') + +####################################### +## <summary> +## Read pulseaudio tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_read_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +####################################### +## <summary> +## Read and write pulseaudio tmpfs +## files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_rw_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') + +######################################## +## <summary> +## Use file descriptors for +## pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use the +## file descriptors for pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_dontaudit_use_fds',` + gen_require(` + type pulseaudio_t; + ') + + dontaudit $1 pulseaudio_t:fd use; +') --- refpolicy-git-14082016/policy/modules/contrib/pulseaudio.te 2016-08-20 06:08:33.005716322 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-18 18:23:19.470718028 +0200 
@@ -193,6 +193,11 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(pulseaudio_t) + + # OIL Runtime Compiler (ORC) optimized code execution + allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms }; + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) ') optional_policy(`--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-20 04:02:51.687901531 +0200 +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-19 23:44:30.690540547 +0200 @@ -593,6 +593,10 @@ template(`userdom_common_user_template', ') optional_policy(` + colord_manage_home_files($1_t) + ') + + optional_policy(` dbus_system_bus_client($1_t) optional_policy(` ^ permalink raw reply [flat|nested] 73+ messages in thread
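Review bot: in the policykit.fc hunk, /usr/bin/pkexec is given policykit_exec_t, the same entrypoint type as the polkitd daemon, so any caller of the new policykit_domtrans() interface (gnome_settings_daemon_t in the gnome.te hunk above) would run the setuid pkexec helper in the daemon's policykit_t domain with the daemon's whole permission set; the file already separates polkit-agent-helper-1 with policykit_auth_exec_t, and pkexec deserves the same treatment with an exec type and domain of its own.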
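Review bot: policykit_domtrans() in the policykit.if hunk pairs corecmd_search_bin($1) with a transition on policykit_exec_t, which reaches /usr/bin/pkexec but not /usr/lib/polkit-1/polkitd (lib directories are not covered by that search call), so the summary "Execute a domain transition to run polkit" should name the program the interface is actually meant for.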
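Review bot: the separator lines above pulseaudio_read_tmpfs_files and pulseaudio_rw_tmpfs_files in the pulseaudio.if hunk are one character shorter than the ones above pulseaudio_use_fds and pulseaudio_dontaudit_use_fds in the same hunk; pad them to the same width as the rest of the file.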
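Review bot: the pulseaudio.te hunk references gstreamer_orcexec_t directly in an allow rule instead of through a gnome interface, which is the same module-encapsulation problem as naming user_dbusd_t from gnome.if; the rule also combines manage_file_perms with mmap_file_perms, so pulseaudio_t may create, write and then map the same file for execution (what the ORC JIT needs), which is worth a dedicated interface in gnome.if (something like gnome_manage_gstreamer_orcexec_files(), name hypothetical) with a comment stating that the write-plus-execute combination is intentional. Separately, the old-side path of this diff header names a different tree (refpolicy-git-14082016) than every other header in the series (refpolicy-git-06082016-orig), so the series may not apply with one consistent strip level; regenerating it with git format-patch avoids that.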
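Review bot: colord_manage_home_files($1_t) in the userdom_common_user_template hunk gives every user domain create, write and delete access to colord's home-directory content, while the commit message only asks for reading the ICC/EDID profiles and gnome_settings_daemon_t already receives colord_manage_home_files() in the gnome.te hunk; if only the daemon writes those files, a read-only colord interface for $1_t is the least-privilege choice.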
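Review bot: the "### should create an xserver interface for writing .xsession-errors" line in the gnome_settings_daemon_t block is a TODO left in the policy, and until that interface exists the following userdom_dontaudit_write_user_home_content_files() silences denied writes to every user home content file, not only .xsession-errors, which hides denials that are useful while the domain is still being developed; either narrow the rule or say in the commit message that it is temporary.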
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Chris PeBenito @ 2016-08-23 1:15 UTC To: refpolicy On 08/22/16 15:39, Guido Trentalancia wrote: > Update for the gnome module: > > - target the dconf daemon, the gsettings user application, the > gnome-settings-daemon and the at-spi daemon with all the > needed domain transitions; > - a new gstreamer_orcexec_t type and file context is introduced > to support the OIL Runtime Compiler (ORC) optimized code > execution (used for example by pulseaudio); > - add support for more permissions needed in gconfd_t and gnome > keyring domains; > - add support for chat over dbus in the gconfd domain and in the > new domains (dconf, gsettings, etc); > - add support for a few needed fs and kernel permissions. > - add support for reading the colord related files in the home > directories (such as the ICC EDID profiles): requires the > recent colord patch; > - add support for for reading the colord related files in the home > directories in the common user domain template; > - add support for a new mime_info_t type to be used in the home > directories; > - includes minor modifications to the consolekit, dbus and > policykit modules to support the new targeted gnome daemons > and applications; > - modifies the pulseaudio module to introduce new interfaces to > read and write pulseaudio tmpfs files and to use the pulseaudio > file descriptor; > - provides better module encapsulation (i.e. dbus module). > > The support for Gnome2/ORBit-2 (version 2) has been dropped. > > This patch depends on the recent colord patch. > > Recent changes to the pulseaudio module depends on this patch ! Unfortunately, as Dominick pointed out, you've gone to the other end of the patch organization spectrum and made too large of a patch. If you split it up into individual commits, git format-patch and git send-email will make it easy to send a series of patches in commit order. So all you have to do is create reasonably-sized and logically-organized commits.
I did not review everything, but here are a few things I noticed: > +######################################## > +## <summary> > +## Make a domain transition from a > +## given source domain to another > +## specified target domain using > +## the DBUS executable file type. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Source domain. > +## </summary> > +## </param> > +# > +interface(`dbus_domain_transition',` I'm not clear why this is necessary. > + gen_require(` > + type dbusd_exec_t; > + ') > + > + allow $1 dbusd_exec_t:file { entrypoint exec_file_perms }; Entrypoint should not be included here. > + domtrans_pattern($1, dbusd_exec_t, $2) > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-22 21:24:49.634876147 +0200 
> @@ -43,14 +43,39 @@ interface(`gnome_role',` > template(`gnome_role_template',` > gen_require(` > attribute gnomedomain, gkeyringd_domain; > + attribute_role dconf_roles; > + attribute_role at_spi_roles; > attribute_role gconfd_roles; > - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; > + attribute_role gnome_settings_roles; > + attribute_role gnome_settings_daemon_roles; Are all of these role attributes really necessary? Typically these are only needed when there are long chains of transitions where the original domain doesn't have any relation to latter domains. For example: user_t -> domain1_t -> domain2_t In this case, there is no link in the sources between user_t and domain2_t, but domain2_t needs to be allowed user_r. Domain1_t's interfaces can collect up all the roles that run domain1 in a role attribute, and then use that attribute when running domain2. > + type dconf_t, dconf_exec_t, dconf_home_t; > + type at_spi_t, at_spi_exec_t; > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > type gconf_home_t; > + type gnome_settings_t, gnome_settings_exec_t; > + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t; > + type gnome_settings_schemas_t; > + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > + type mime_info_t; > + type user_dbusd_t; This dbus type cannot be referenced directly in this module. > optional_policy(` > + dbus_connect_spec_session_bus(user, dconf_t) > + dbus_connect_spec_session_bus(user, at_spi_t) > + dbus_connect_spec_session_bus(user, gnome_settings_daemon_t) Prefixes can't be hardcoded like this. 
> + dbus_connect_system_bus(gnome_settings_daemon_t) > + dbus_domain_transition(at_spi_t, user_dbusd_t) > + dbus_domain_transition(gnome_settings_t, user_dbusd_t) > + dbus_send_spec_session_bus(user, dconf_t) > + dbus_send_spec_session_bus(user, at_spi_t) > + dbus_send_spec_session_bus(user, gnome_settings_daemon_t) > dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) -- Chris PeBenito
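The user_t -> domain1_t -> domain2_t chain from the message above, written out as refpolicy source. This is an added illustration, not code from the patch or from refpolicy; domain1, domain2 and the interface names are placeholders.

```m4
########################################
# domain1.te (placeholder module): declare the role attribute next to
# the domain and let a single role rule cover every role collected in it.
attribute_role domain1_roles;

type domain1_t;
type domain1_exec_t;
application_domain(domain1_t, domain1_exec_t)
role domain1_roles types domain1_t;

# domain1_t runs domain2 and hands the whole attribute along, so every
# role that reached domain1_t is also allowed domain2_t; this is the link
# that otherwise does not exist between user_t and domain2_t.
domain2_run(domain1_t, domain1_roles)

########################################
# domain1.if: called once per user domain, e.g.
# domain1_run(user_t, user_r), domain1_run(staff_t, staff_r), ...
interface(`domain1_run',`
	gen_require(`
		attribute_role domain1_roles;
		type domain1_t, domain1_exec_t;
	')

	domtrans_pattern($1, domain1_exec_t, domain1_t)
	# collect the caller's role in the attribute instead of writing a
	# separate "role $2 types domain1_t" rule for each caller
	roleattribute $2 domain1_roles;
')

########################################
# domain2.te (placeholder module)
type domain2_t;
type domain2_exec_t;
application_domain(domain2_t, domain2_exec_t)

########################################
# domain2.if: the role parameter may be a role attribute, so domain1.te
# can pass domain1_roles without ever naming user_r, staff_r or sysadm_r.
interface(`domain2_run',`
	gen_require(`
		type domain2_t, domain2_exec_t;
	')

	domtrans_pattern($1, domain2_exec_t, domain2_t)
	role $2 types domain2_t;
')
```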
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-23 12:44 UTC To: refpolicy Hello Christopher ! Thanks for providing your valuable feedback. On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > Update for the gnome module: > > > > - target the dconf daemon, the gsettings user application, the > > gnome-settings-daemon and the at-spi daemon with all the > > needed domain transitions; > > - a new gstreamer_orcexec_t type and file context is introduced > > to support the OIL Runtime Compiler (ORC) optimized code > > execution (used for example by pulseaudio); > > - add support for more permissions needed in gconfd_t and gnome > > keyring domains; > > - add support for chat over dbus in the gconfd domain and in the > > new domains (dconf, gsettings, etc); > > - add support for a few needed fs and kernel permissions. > > - add support for reading the colord related files in the home > > directories (such as the ICC EDID profiles): requires the > > recent colord patch; > > - add support for for reading the colord related files in the home > > directories in the common user domain template; > > - add support for a new mime_info_t type to be used in the home > > directories; > > - includes minor modifications to the consolekit, dbus and > > policykit modules to support the new targeted gnome daemons > > and applications; > > - modifies the pulseaudio module to introduce new interfaces to > > read and write pulseaudio tmpfs files and to use the pulseaudio > > file descriptor; > > - provides better module encapsulation (i.e. dbus module). > > > > The support for Gnome2/ORBit-2 (version 2) has been dropped. > > > > This patch depends on the recent colord patch. > > > > Recent changes to the pulseaudio module depends on this patch ! > > Unfortunately, as Dominick pointed out, you've gone to the other end > of the patch organization spectrum and made too large of a patch. If > you
> split it up into individual commits, git format-patch and git send- > email > will make it easy to send a series of patches in commit order. So > all > you have to do is create reasonably-sized and logically-organized > commits. > > > I did not review everything, but here are a few things I noticed: > > > > > +######################################## > > +## <summary> > > +## Make a domain transition from a > > +## given source domain to another > > +## specified target domain using > > +## the DBUS executable file type. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Source domain. > > +## </summary> > > +## </param> > > +# > > +interface(`dbus_domain_transition',` > > I'm not clear why this is necessary. To encapsulate dbus related types in their own module (i.e. the dbus module). > > + gen_require(` > > + type dbusd_exec_t; > > + ') > > + > > + allow $1 dbusd_exec_t:file { entrypoint exec_file_perms }; > > Entrypoint should not be included here. I will check if this does not break the transition... > > + domtrans_pattern($1, dbusd_exec_t, $2) > > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if > > 2016-08-06 21:27:11.354094337 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2 > > 016-08-22 21:24:49.634876147 +0200
> > @@ -43,14 +43,39 @@ interface(`gnome_role',` > > template(`gnome_role_template',` > > gen_require(` > > attribute gnomedomain, gkeyringd_domain; > > + attribute_role dconf_roles; > > + attribute_role at_spi_roles; > > attribute_role gconfd_roles; > > - type gkeyringd_exec_t, gnome_keyring_home_t, > > gnome_keyring_tmp_t; > > + attribute_role gnome_settings_roles; > > + attribute_role gnome_settings_daemon_roles; > > Are all of these role attributes really necessary? Typically these > are > only needed when there are long chains of transitions where the > original > domain doesn't have any relation to latter domains. For example: > > user_t -> domain1_t -> domain2_t > > In this case, there is no link in the sources between user_t and > domain2_t, but domain2_t needs to be allowed user_r. Domain1_t's > interfaces can collect up all the roles that run domain1 in a role > attribute, and then use that attribute when running domain2. I will remove the roles which are not needed. > > > > + type dconf_t, dconf_exec_t, dconf_home_t; > > + type at_spi_t, at_spi_exec_t; > > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > > type gconf_home_t; > > + type gnome_settings_t, gnome_settings_exec_t; > > + type gnome_settings_daemon_t, > > gnome_settings_daemon_exec_t; > > + type gnome_settings_schemas_t; > > + type gkeyringd_exec_t, gnome_keyring_home_t, > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > > + type mime_info_t; > > + type user_dbusd_t; > > This dbus type cannot be referenced directly in this module. If $1_dbusd_t is used to get the role/type prefix from the caller, then it doesn't compile for some reason which is not yet clear to me. Any idea ? > > > > optional_policy(` > > + dbus_connect_spec_session_bus(user, dconf_t) > > + dbus_connect_spec_session_bus(user, at_spi_t) > > + dbus_connect_spec_session_bus(user, > > gnome_settings_daemon_t) > > Prefixes can't be hardcoded like this. See above.
> > > > + dbus_connect_system_bus(gnome_settings_daemon_t) > > + dbus_domain_transition(at_spi_t, user_dbusd_t) > > + dbus_domain_transition(gnome_settings_t, > > user_dbusd_t) > > + dbus_send_spec_session_bus(user, dconf_t) > > + dbus_send_spec_session_bus(user, at_spi_t) > > + dbus_send_spec_session_bus(user, > > gnome_settings_daemon_t) > > dbus_spec_session_domain($1, $1_gkeyringd_t, > > gkeyringd_exec_t) Best regards, Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-23 13:58 UTC To: refpolicy On Tue, 23/08/2016 at 14.44 +0200, Guido Trentalancia wrote: > Hello Christopher ! > > Thanks for providing your valuable feedback. > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: > > > > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > > > > > > Update for the gnome module: > > > > > > - target the dconf daemon, the gsettings user application, the > > > gnome-settings-daemon and the at-spi daemon with all the > > > needed domain transitions; > > > - a new gstreamer_orcexec_t type and file context is introduced > > > to support the OIL Runtime Compiler (ORC) optimized code > > > execution (used for example by pulseaudio); > > > - add support for more permissions needed in gconfd_t and gnome > > > keyring domains; > > > - add support for chat over dbus in the gconfd domain and in the > > > new domains (dconf, gsettings, etc); > > > - add support for a few needed fs and kernel permissions. > > > - add support for reading the colord related files in the home > > > directories (such as the ICC EDID profiles): requires the > > > recent colord patch; > > > - add support for for reading the colord related files in the > > > home > > > directories in the common user domain template; > > > - add support for a new mime_info_t type to be used in the home > > > directories; > > > - includes minor modifications to the consolekit, dbus and > > > policykit modules to support the new targeted gnome daemons > > > and applications; > > > - modifies the pulseaudio module to introduce new interfaces to > > > read and write pulseaudio tmpfs files and to use the pulseaudio > > > file descriptor; > > > - provides better module encapsulation (i.e. dbus module). > > > > > > The support for Gnome2/ORBit-2 (version 2) has been dropped. > > > > > > This patch depends on the recent colord patch. > > > > > > Recent changes to the pulseaudio module depends on this patch !
[...] > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if > > > 2016-08-06 21:27:11.354094337 +0200 > > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if > > > 2 > > > 016-08-22 21:24:49.634876147 +0200 > > > @@ -43,14 +43,39 @@ interface(`gnome_role',` > > > template(`gnome_role_template',` > > > gen_require(` > > > attribute gnomedomain, gkeyringd_domain; > > > + attribute_role dconf_roles; > > > + attribute_role at_spi_roles; > > > attribute_role gconfd_roles; > > > - type gkeyringd_exec_t, gnome_keyring_home_t, > > > gnome_keyring_tmp_t; > > > + attribute_role gnome_settings_roles; > > > + attribute_role gnome_settings_daemon_roles; > > > > Are all of these role attributes really necessary? Typically these > > are > > only needed when there are long chains of transitions where the > > original > > domain doesn't have any relation to latter domains. For example: > > > > user_t -> domain1_t -> domain2_t > > > > In this case, there is no link in the sources between user_t and > > domain2_t, but domain2_t needs to be allowed user_r. Domain1_t's > > interfaces can collect up all the roles that run domain1 in a role > > attribute, and then use that attribute when running domain2. > > I will remove the roles which are not needed. I have tested the above and the conclusion is that only the dconf attribute can be removed without breaking the functionality. Regards, Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Chris PeBenito @ 2016-08-23 23:02 UTC To: refpolicy On 08/23/16 08:44, Guido Trentalancia wrote: > Hello Christopher ! > > Thanks for providing your valuable feedback. > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: >> On 08/22/16 15:39, Guido Trentalancia wrote: >>> >>> + type dconf_t, dconf_exec_t, dconf_home_t; >>> + type at_spi_t, at_spi_exec_t; >>> type gconfd_t, gconfd_exec_t, gconf_tmp_t; >>> type gconf_home_t; >>> + type gnome_settings_t, gnome_settings_exec_t; >>> + type gnome_settings_daemon_t, >>> gnome_settings_daemon_exec_t; >>> + type gnome_settings_schemas_t; >>> + type gkeyringd_exec_t, gnome_keyring_home_t, >>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>> + type mime_info_t; >>> + type user_dbusd_t; >> >> This dbus type cannot be referenced directly in this module. > > If $1_dbusd_t is used to get the role/type prefix from the caller, then > it doesn't compile for some reason which is not yet clear to me. > > Any idea ? The $1_dbusd_t rules need to be contained in the dbus module, not the gnome module. Beyond that, it's tough to say what the problem is, without knowing the error messages. -- Chris PeBenito
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-23 23:31 UTC To: refpolicy The error is: "Conflicting type rules". Unfortunately, the cil temporary file is destroyed before make gives the shell prompt back, so it is not possible to inspect the location of the problem. Guido On the 24th August 2016 01:02:29 CEST, Chris PeBenito <pebenito@ieee.org> wrote: >On 08/23/16 08:44, Guido Trentalancia wrote: >> Hello Christopher ! >> >> Thanks for providing your valuable feedback. >> >> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: >>> On 08/22/16 15:39, Guido Trentalancia wrote: >>>> >>>> + type dconf_t, dconf_exec_t, dconf_home_t; >>>> + type at_spi_t, at_spi_exec_t; >>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t; >>>> type gconf_home_t; >>>> + type gnome_settings_t, gnome_settings_exec_t; >>>> + type gnome_settings_daemon_t, >>>> gnome_settings_daemon_exec_t; >>>> + type gnome_settings_schemas_t; >>>> + type gkeyringd_exec_t, gnome_keyring_home_t, >>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>>> + type mime_info_t; >>>> + type user_dbusd_t; >>> >>> This dbus type cannot be referenced directly in this module. >> >> If $1_dbusd_t is used to get the role/type prefix from the caller, >then >> it doesn't compile for some reason which is not yet clear to me. >> >> Any idea ? > >The $1_dbusd_t rules need to be contained in the dbus module, not the >gnome module. Beyond that, it's tough to say what the problem is, >without knowing the error messages.
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-24 21:55 UTC To: refpolicy Hello Christopher. I have more detailed information about this problem... On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: > On 08/23/16 08:44, Guido Trentalancia wrote: > > > > Hello Christopher ! > > > > Thanks for providing your valuable feedback. > > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > > > > > > > > > + type dconf_t, dconf_exec_t, dconf_home_t; > > > > + type at_spi_t, at_spi_exec_t; > > > > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > > > > type gconf_home_t; > > > > + type gnome_settings_t, gnome_settings_exec_t; > > > > + type gnome_settings_daemon_t, > > > > gnome_settings_daemon_exec_t; > > > > + type gnome_settings_schemas_t; > > > > + type gkeyringd_exec_t, gnome_keyring_home_t, > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > > > > + type mime_info_t; > > > > + type user_dbusd_t; > > > > > > This dbus type cannot be referenced directly in this module. > > > > If $1_dbusd_t is used to get the role/type prefix from the caller, > > then > > it doesn't compile for some reason which is not yet clear to me. > > > > Any idea ? > > The $1_dbusd_t rules need to be contained in the dbus module, not > the > gnome module. Beyond that, it's tough to say what the problem is, > without knowing the error messages. Suppose to have the following additional dbus interface: ####################################### ## <summary> ## Make a domain transition from a ## given source domain to the ## DBUS session bus domain using ## the DBUS executable file type.
## </summary> ## <param name="role_prefix"> ## <summary> ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`dbus_domain_transition_session_bus',` gen_require(` type dbusd_exec_t; type $1_dbusd_t; ') allow $2 dbusd_exec_t:file exec_file_perms; domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) ') and suppose that it is called by the following statement: dbus_domain_transition_session_bus($1, at_spi_t) where $1 = "user". During policy load, the following error is generated: Conflicting type rules Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil Failed to generate binary /usr/sbin/semodule: Failed! make: *** [Rules.modular:58: load] Error 1 The temporary file is deleted automatically and cannot be inspected. I hope it is clear now... Do you have an idea ? It's the only thing missing before all the dbus rules are moved from the gnome to the dbus module and I can create a new version of this important patch. Regards, Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Chris PeBenito @ 2016-08-24 22:10 UTC To: refpolicy On 08/24/16 17:55, Guido Trentalancia wrote: > Hello Christopher. > > I have more detailed information about this problem... > > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: >> On 08/23/16 08:44, Guido Trentalancia wrote: >>> >>> Hello Christopher ! >>> >>> Thanks for providing your valuable feedback. >>> >>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: >>>> >>>> On 08/22/16 15:39, Guido Trentalancia wrote: >>>>> >>>>> >>>>> + type dconf_t, dconf_exec_t, dconf_home_t; >>>>> + type at_spi_t, at_spi_exec_t; >>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t; >>>>> type gconf_home_t; >>>>> + type gnome_settings_t, gnome_settings_exec_t; >>>>> + type gnome_settings_daemon_t, >>>>> gnome_settings_daemon_exec_t; >>>>> + type gnome_settings_schemas_t; >>>>> + type gkeyringd_exec_t, gnome_keyring_home_t, >>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>>>> + type mime_info_t; >>>>> + type user_dbusd_t; >>>> >>>> This dbus type cannot be referenced directly in this module. >>> >>> If $1_dbusd_t is used to get the role/type prefix from the caller, >>> then >>> it doesn't compile for some reason which is not yet clear to me. >>> >>> Any idea ? >> >> The $1_dbusd_t rules need to be contained in the dbus module, not >> the >> gnome module. Beyond that, it's tough to say what the problem is, >> without knowing the error messages. > > Suppose to have the following additional dbus interface: > > ####################################### > ## <summary> > ## Make a domain transition from a > ## given source domain to the > ## DBUS session bus domain using > ## the DBUS executable file type.
> ## </summary> > ## <param name="role_prefix"> > ## <summary> > ## The prefix of the user role (e.g., user > ## is the prefix for user_r). > ## </summary> > ## </param> > ## <param name="domain"> > ## <summary> > ## Domain allowed access. > ## </summary> > ## </param> > # > interface(`dbus_domain_transition_session_bus',` > gen_require(` > type dbusd_exec_t; > type $1_dbusd_t; > ') > > allow $2 dbusd_exec_t:file exec_file_perms; > domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) > ') > > and suppose that it is called by the following statement: > > dbus_domain_transition_session_bus($1, at_spi_t) > > where $1 = "user". > > During policy load, the following error is generated: > > Conflicting type rules > Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil > Failed to generate binary > /usr/sbin/semodule: Failed! > make: *** [Rules.modular:58: load] Error 1 > > The temporary file is deleted automatically and cannot be inspected. > > I hope it is clear now... > > Do you have an idea ? It's the only thing missing before all the dbus > rules are moved from the gnome to the dbus module and I can create a > new version of this important patch. It's not so helpful unfortunately. My guess is that it is a conflicting type_transition. Unfortunately the compiler error message isn't helpful. -- Chris PeBenito
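One explanation consistent with the guess above, written out as the rules the compiler ends up with. This is added analysis, not part of the thread; it assumes gnome_role_template is instantiated for the user, staff and sysadm roles, that domtrans_pattern() emits the usual process type_transition, and the per-role at_spi domain at the end is hypothetical.

```m4
# gnome_role_template is instantiated once per role (assumed here: user,
# staff, sysadm).  Each instantiation calls
#
#     dbus_domain_transition_session_bus($1, at_spi_t)
#
# and domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) inside it emits,
# among allow rules that merge harmlessly, one type_transition:

type_transition at_spi_t dbusd_exec_t:process user_dbusd_t;	# $1 = user
type_transition at_spi_t dbusd_exec_t:process staff_dbusd_t;	# $1 = staff
type_transition at_spi_t dbusd_exec_t:process sysadm_dbusd_t;	# $1 = sysadm

# Same source type, same target type, same object class, three different
# default types: a default can only be one type, which is what the checker
# reports as "Conflicting type rules".  Hardcoding the prefix in the gnome
# module (the earlier version) emits only the user_dbusd_t rule, so it
# loads; the error surfacing while the sysadm module is compiled fits the
# third instantiation.  The keyring daemon in the same template does not
# collide because its rules involve $1_dbusd_t and $1_gkeyringd_t, both
# per role:
#
#     dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
#
# A per-role at_spi domain (hypothetical $1_at_spi_t) would have the same
# property, one distinct rule per instantiation:

type_transition user_at_spi_t dbusd_exec_t:process user_dbusd_t;
type_transition staff_at_spi_t dbusd_exec_t:process staff_dbusd_t;
type_transition sysadm_at_spi_t dbusd_exec_t:process sysadm_dbusd_t;
```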
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-24 22:42 UTC To: refpolicy It works fine in the latest version of this patch (from within the gnome module)!! So, why does it stop working when I create a dbus interface and call it from the gnome module? I am stuck with this unfortunately... How about the other missing patch for the "module_load" permission in the kernel and files modules? Have you found an alternative name for that interface? The patch for the kernel is waiting to get committed, along with the testcase and a small Makefile patch for the testsuite. I have also posted here a patch for the Reference Policy Makefile so that it integrates better with the SELinux testsuite (which at the moment works out of the box only on Red Hat). Best regards, Guido On the 25th August 2016 00:10:22 CEST, Chris PeBenito <pebenito@ieee.org> wrote: >On 08/24/16 17:55, Guido Trentalancia wrote: >> Hello Christopher. >> >> I have more detailed information about this problem... >> >> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: >>> On 08/23/16 08:44, Guido Trentalancia wrote: >>>> >>>> Hello Christopher ! >>>> >>>> Thanks for providing your valuable feedback.
>>>> >>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: >>>>> >>>>> On 08/22/16 15:39, Guido Trentalancia wrote: >>>>>> >>>>>> >>>>>> + type dconf_t, dconf_exec_t, dconf_home_t; >>>>>> + type at_spi_t, at_spi_exec_t; >>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t; >>>>>> type gconf_home_t; >>>>>> + type gnome_settings_t, gnome_settings_exec_t; >>>>>> + type gnome_settings_daemon_t, >>>>>> gnome_settings_daemon_exec_t; >>>>>> + type gnome_settings_schemas_t; >>>>>> + type gkeyringd_exec_t, gnome_keyring_home_t, >>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>>>>> + type mime_info_t; >>>>>> + type user_dbusd_t; >>>>> >>>>> This dbus type cannot be referenced directly in this module. >>>> >>>> If $1_dbusd_t is used to get the role/type prefix from the caller, >>>> then >>>> it doesn't compile for some reason which is not yet clear to me. >>>> >>>> Any idea ? >>> >>> The $1_dbusd_t rules need to be contained in the dbus module, not >>> the >>> gnome module. Beyond that, it's tough to say what the problem is, >>> without knowing the error messages. >> >> Suppose to have the following additional dbus interface: >> >> ####################################### >> ## <summary> >> ## Make a domain transition from a >> ## given source domain to the >> ## DBUS session bus domain using >> ## the DBUS executable file type. >> ## </summary> >> ## <param name="role_prefix"> >> ## <summary> >> ## The prefix of the user role (e.g., user >> ## is the prefix for user_r). >> ## </summary> >> ## </param> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dbus_domain_transition_session_bus',` >> gen_require(` >> type dbusd_exec_t; >> type $1_dbusd_t; >> ') >> >> allow $2 dbusd_exec_t:file exec_file_perms; >> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) >> ') >> >> and suppose that it is called by the following statement: >> >> dbus_domain_transition_session_bus($1, at_spi_t) >> >> where $1 = "user". >> >> During policy load, the following error is generated: >> >> Conflicting type rules >> Binary policy creation failed at line 29393 of >/var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil >> Failed to generate binary >> /usr/sbin/semodule: Failed! >> make: *** [Rules.modular:58: load] Error 1 >> >> The temporary file is deleted automatically and cannot be inspected. >> >> I hope it is clear now... >> >> Do you have an idea ? It's the only thing missing before all the dbus >> rules are moved from the gnome to the dbus module and I can create a >> new version of this important patch. > >It's not so helpful unfortunately. My guess is that it is a >conflicting >type_transition. Unfortunately the compiler error message isn't >helpful.
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-25 7:25 UTC To: refpolicy On 08/25/2016 12:42 AM, Guido Trentalancia via refpolicy wrote: > It works fine in the latest version of this patch (from within the gnome module)!! > > So, why does it stop working when I create a dbus interface and call it from the gnome module? > > I am stuck with this unfortunately... > I have been there before. I have attempted to confine desktops for years. Facing all kinds of limitations of the reference policy. I am not saying that the issue you are facing is related to limitations to the refpolicy, because I do not know for sure. What I do feel I know is that confining complex desktops with reference policy is difficult if not impossible. The CIL policy was designed to deal with complex requirements. My DSSP policy demonstrates that with CIL, complex desktops can be confined. Besides the technical issues there is also the issue of design with confining complex desktops. There are many patterns that become visible later in the process. Causing one to have to refactor the policy. I already see things in your patch where I personally would have done things differently taking into account the bigger picture. Basically a good approach would be to first confine the desktop fully, then look at that from a distance, and then write it again with in mind all the things you've learned. > How about the other missing patch for the "module_load" permission in the kernel and files modules? Have you found an alternative name for that interface? > > The patch for the kernel is waiting to get committed, along with the testcase and a small Makefile patch for the testsuite.
> > I have also posted here a patch for the Reference Policy Makefile so that it integrates better with the SELinux testsuite (which at the moment works out of the box only on Red Hat). > > Best regards, > > Guido > > On the 25th August 2016 00:10:22 CEST, Chris PeBenito <pebenito@ieee.org> wrote: >> On 08/24/16 17:55, Guido Trentalancia wrote: >>> Hello Christopher. >>> >>> I have more detailed information about this problem... >>> >>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: >>>> On 08/23/16 08:44, Guido Trentalancia wrote: >>>>> >>>>> Hello Christopher ! >>>>> >>>>> Thanks for providing your valuable feedback. >>>>> >>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: >>>>>> >>>>>> On 08/22/16 15:39, Guido Trentalancia wrote: >>>>>>> >>>>>>> >>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t; >>>>>>> + type at_spi_t, at_spi_exec_t; >>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t; >>>>>>> type gconf_home_t; >>>>>>> + type gnome_settings_t, gnome_settings_exec_t; >>>>>>> + type gnome_settings_daemon_t, >>>>>>> gnome_settings_daemon_exec_t; >>>>>>> + type gnome_settings_schemas_t; >>>>>>> + type gkeyringd_exec_t, gnome_keyring_home_t, >>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>>>>>> + type mime_info_t; >>>>>>> + type user_dbusd_t; >>>>>> >>>>>> This dbus type cannot be referenced directly in this module. >>>>> >>>>> If $1_dbusd_t is used to get the role/type prefix from the caller, >>>>> then >>>>> it doesn't compile for some reason which is not yet clear to me. >>>>> >>>>> Any idea ? >>>> >>>> The $1_dbusd_t rules need to be contained in the dbus module, not >>>> the >>>> gnome module. Beyond that, it's tough to say what the problem is, >>>> without knowing the error messages. 
>>> >>> Suppose to have the following additional dbus interface: >>> >>> ####################################### >>> ## <summary> >>> ## Make a domain transition from a >>> ## given source domain to the >>> ## DBUS session bus domain using >>> ## the DBUS executable file type. >>> ## </summary> >>> ## <param name="role_prefix"> >>> ## <summary> >>> ## The prefix of the user role (e.g., user >>> ## is the prefix for user_r). >>> ## </summary> >>> ## </param> >>> ## <param name="domain"> >>> ## <summary> >>> ## Domain allowed access. >>> ## </summary> >>> ## </param> >>> # >>> interface(`dbus_domain_transition_session_bus',` >>> gen_require(` >>> type dbusd_exec_t; >>> type $1_dbusd_t; >>> ') >>> >>> allow $2 dbusd_exec_t:file exec_file_perms; >>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) >>> ') >>> >>> and suppose that it is called by the following statement: >>> >>> dbus_domain_transition_session_bus($1, at_spi_t) >>> >>> where $1 = "user". >>> >>> During policy load, the following error is generated: >>> >>> Conflicting type rules >>> Binary policy creation failed at line 29393 of >> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil >>> Failed to generate binary >>> /usr/sbin/semodule: Failed! >>> make: *** [Rules.modular:58: load] Error 1 >>> >>> The temporary file is deleted automatically and cannot be inspected. >>> >>> I hope it is clear now... >>> >>> Do you have an idea ? It's the only thing missing before all the dbus >>> rules are moved from the gnome to the dbus module and I can create a >>> new version of this important patch. >> >> It's not so helpful unfortunately. My guess is that it is a >> conflicting >> type_transition. Unfortunately the compiler error message isn't >> helpful. 
-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-24 22:10 ` Chris PeBenito 2016-08-24 22:42 ` Guido Trentalancia @ 2016-08-25 9:47 ` Guido Trentalancia 2016-08-25 22:49 ` Chris PeBenito 2016-08-27 17:08 ` Guido Trentalancia 2 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-25 9:47 UTC (permalink / raw) To: refpolicy Hello Christopher. I have more information on this problem. On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote: > On 08/24/16 17:55, Guido Trentalancia wrote: > > > > Hello Christopher. > > > > I have more detailed information about this problem... > > > > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: > > > > > > On 08/23/16 08:44, Guido Trentalancia wrote: > > > > > > > > > > > > Hello Christopher ! > > > > > > > > Thanks for providing your valuable feedback. > > > > > > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: > > > > > > > > > > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > > > > > > > > > > > > > > > > > > > > > + type dconf_t, dconf_exec_t, dconf_home_t; > > > > > > + type at_spi_t, at_spi_exec_t; > > > > > > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > > > > > > type gconf_home_t; > > > > > > + type gnome_settings_t, > > > > > > gnome_settings_exec_t; > > > > > > + type gnome_settings_daemon_t, > > > > > > gnome_settings_daemon_exec_t; > > > > > > + type gnome_settings_schemas_t; > > > > > > + type gkeyringd_exec_t, > > > > > > gnome_keyring_home_t, > > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > > > > > > + type mime_info_t; > > > > > > + type user_dbusd_t; > > > > > > > > > > This dbus type cannot be referenced directly in this module. > > > > > > > > If $1_dbusd_t is used to get the role/type prefix from the > > > > caller, > > > > then > > > > it doesn't compile for some reason which is not yet clear to > > > > me. > > > > > > > > Any idea ?
> > > > > > The $1_dbusd_t rules need to be contained in the dbus module, not > > > the > > > gnome module. Beyond that, it's tough to say what the problem > > > is, > > > without knowing the error messages. > > > > Suppose to have the following additional dbus interface: > > > > ####################################### > > ## <summary> > > ## Make a domain transition from a > > ## given source domain to the > > ## DBUS session bus domain using > > ## the DBUS executable file type. > > ## </summary> > > ## <param name="role_prefix"> > > ## <summary> > > ## The prefix of the user role (e.g., user > > ## is the prefix for user_r). > > ## </summary> > > ## </param> > > ## <param name="domain"> > > ## <summary> > > ## Domain allowed access. > > ## </summary> > > ## </param> > > # > > interface(`dbus_domain_transition_session_bus',` > > gen_require(` > > type dbusd_exec_t; > > type $1_dbusd_t; > > ') > > > > allow $2 dbusd_exec_t:file exec_file_perms; > > domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) > > ') > > > > and suppose that it is called by the following statement: > > > > dbus_domain_transition_session_bus($1, at_spi_t) > > > > where $1 = "user". > > > > During policy load, the following error is generated: > > > > Conflicting type rules > > Binary policy creation failed at line 29393 of > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil > > Failed to generate binary > > /usr/sbin/semodule: Failed! > > make: *** [Rules.modular:58: load] Error 1 > > > > The temporary file is deleted automatically and cannot be > > inspected. > > > > I hope it is clear now... > > > > Do you have an idea ? It's the only thing missing before all the > > dbus > > rules are moved from the gnome to the dbus module and I can create > > a > > new version of this important patch.
> > It's not so helpful unfortunately. My guess is that it is a > conflicting > type_transition. Unfortunately the compiler error message isn't > helpful. I have tested and your guess is correct ! The above interface expands as follows: interface(`dbus_domain_transition_session_bus',` allow $1_dbusd_t dbusd_exec_t:file exec_file_perms; domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t) # type_transition $2 dbusd_exec_t:process $1_dbusd_t; allow $1_dbusd_t $2:fd use; allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms; allow $1_dbusd_t $2:process sigchld; ') The line that has been commented out (type_transition) is the problematic rule which leads to the "conflicting type rules" error upon loading the policy. Such rule comes from the domain_auto_transition_pattern provided by support/misc_patterns.spt. However, if I hardcode "user" instead of "$1", the type_transition works fine. I suspect, it stops functioning when $1 is replaced by "sysadm" or "staff". If I do manually substitute the two and try to recompile, the following happens: $1=sysadm ==> staff.te doesn't compile (unknown type error) $1=staff ==> sysadm.te doesn't compile (unknown type error) In some way, it sounds like a bug or some sort of limitation of the actual policy... Can you shed some light ? Best regards, Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-25 9:47 ` Guido Trentalancia @ 2016-08-25 22:49 ` Chris PeBenito 2016-08-26 22:21 ` Guido Trentalancia 0 siblings, 1 reply; 73+ messages in thread From: Chris PeBenito @ 2016-08-25 22:49 UTC (permalink / raw) To: refpolicy On 08/25/16 05:47, Guido Trentalancia wrote: > Hello Christopher. > > I have more information on this problem. > > On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote: >> On 08/24/16 17:55, Guido Trentalancia wrote: >>> >>> Hello Christopher. >>> >>> I have more detailed information about this problem... >>> >>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: >>>> >>>> On 08/23/16 08:44, Guido Trentalancia wrote: >>>>> >>>>> >>>>> Hello Christopher ! >>>>> >>>>> Thanks for providing your valuable feedback. >>>>> >>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: >>>>>> >>>>>> >>>>>> On 08/22/16 15:39, Guido Trentalancia wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t; >>>>>>> + type at_spi_t, at_spi_exec_t; >>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t; >>>>>>> type gconf_home_t; >>>>>>> + type gnome_settings_t, >>>>>>> gnome_settings_exec_t; >>>>>>> + type gnome_settings_daemon_t, >>>>>>> gnome_settings_daemon_exec_t; >>>>>>> + type gnome_settings_schemas_t; >>>>>>> + type gkeyringd_exec_t, >>>>>>> gnome_keyring_home_t, >>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>>>>>> + type mime_info_t; >>>>>>> + type user_dbusd_t; >>>>>> >>>>>> This dbus type cannot be referenced directly in this module. >>>>> >>>>> If $1_dbusd_t is used to get the role/type prefix from the >>>>> caller, >>>>> then >>>>> it doesn't compile for some reason which is not yet clear to >>>>> me. >>>>> >>>>> Any idea ? >>>> >>>> The $1_dbusd_t rules need to be contained in the dbus module, not >>>> the >>>> gnome module. Beyond that, it's tough to say what the problem >>>> is, >>>> without knowing the error messages. 
>>> >>> Suppose to have the following additional dbus interface: >>> >>> ####################################### >>> ## <summary> >>> ## Make a domain transition from a >>> ## given source domain to the >>> ## DBUS session bus domain using >>> ## the DBUS executable file type. >>> ## </summary> >>> ## <param name="role_prefix"> >>> ## <summary> >>> ## The prefix of the user role (e.g., user >>> ## is the prefix for user_r). >>> ## </summary> >>> ## </param> >>> ## <param name="domain"> >>> ## <summary> >>> ## Domain allowed access. >>> ## </summary> >>> ## </param> >>> # >>> interface(`dbus_domain_transition_session_bus',` >>> gen_require(` >>> type dbusd_exec_t; >>> type $1_dbusd_t; >>> ') >>> >>> allow $2 dbusd_exec_t:file exec_file_perms; >>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) >>> ') >>> >>> and suppose that it is called by the following statement: >>> >>> dbus_domain_transition_session_bus($1, at_spi_t) >>> >>> where $1 = "user". >>> >>> During policy load, the following error is generated: >>> >>> Conflicting type rules >>> Binary policy creation failed at line 29393 of >>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil >>> Failed to generate binary >>> /usr/sbin/semodule: Failed! >>> make: *** [Rules.modular:58: load] Error 1 >>> >>> The temporary file is deleted automatically and cannot be >>> inspected. >>> >>> I hope it is clear now... >>> >>> Do you have an idea ? It's the only thing missing before all the >>> dbus >>> rules are moved from the gnome to the dbus module and I can create >>> a >>> new version of this important patch. >> >> It's not so helpful unfortunately. My guess is that it is a >> conflicting >> type_transition. Unfortunately the compiler error message isn't >> helpful. > > I have tested and your guess is correct ! 
> > The above interface expands as follows: > > interface(`dbus_domain_transition_session_bus',` > allow $1_dbusd_t dbusd_exec_t:file exec_file_perms; > > domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t) > # type_transition $2 dbusd_exec_t:process $1_dbusd_t; > > allow $1_dbusd_t $2:fd use; > allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms; > allow $1_dbusd_t $2:process sigchld; > ') > > The line that has been commented out (type_transition) is the > problematic rule which leads to the "conflicting type rules" error upon > loading the policy. > > Such rule comes from the domain_auto_transition_pattern provided by > support/misc_patterns.spt. > > However, if I hardcode "user" instead of "$1", the type_transition > works fine. I suspect, it stops functioning when $1 is replaced by > "sysadm" or "staff". > > If I do manually substitute the two and try to recompile, the following > happens: > > $1=sysadm ==> staff.te doesn't compile (unknown type error) > > $1=staff ==> sysadm.te doesn't compile (unknown type error) > > In some way, it sounds like a bug or some sort of limitation of the > actual policy... Can you shed some light ? I'm not clear why you would see unknown types. You have to inspect the intermediate files. I believe if you add them to a .SECONDARY entry in the Makefile/Rules.*, it will not delete them when they're done. I'd be fine taking that patch too, so intermediate files are never deleted. -- Chris PeBenito
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-25 22:49 ` Chris PeBenito @ 2016-08-26 22:21 ` Guido Trentalancia 2016-08-28 18:29 ` Chris PeBenito 0 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-26 22:21 UTC (permalink / raw) To: refpolicy Hello Christopher. On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote: [...] > > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + type dconf_t, dconf_exec_t, > > > > > > > > dconf_home_t; > > > > > > > > + type at_spi_t, at_spi_exec_t; > > > > > > > > type gconfd_t, gconfd_exec_t, > > > > > > > > gconf_tmp_t; > > > > > > > > type gconf_home_t; > > > > > > > > + type gnome_settings_t, > > > > > > > > gnome_settings_exec_t; > > > > > > > > + type gnome_settings_daemon_t, > > > > > > > > gnome_settings_daemon_exec_t; > > > > > > > > + type gnome_settings_schemas_t; > > > > > > > > + type gkeyringd_exec_t, > > > > > > > > gnome_keyring_home_t, > > > > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > > > > > > > > + type mime_info_t; > > > > > > > > + type user_dbusd_t; > > > > > > > > > > > > > > This dbus type cannot be referenced directly in this > > > > > > > module. > > > > > > > > > > > > If $1_dbusd_t is used to get the role/type prefix from the > > > > > > caller, > > > > > > then > > > > > > it doesn't compile for some reason which is not yet clear > > > > > > to > > > > > > me. > > > > > > > > > > > > Any idea ? > > > > > > > > > > The $1_dbusd_t rules need to be contained in the dbus module, > > > > > not > > > > > the > > > > > gnome module. Beyond that, it's tough to say what the > > > > > problem > > > > > is, > > > > > without knowing the error messages.
> > > > > > > > Suppose to have the following additional dbus interface: > > > > > > > > ####################################### > > > > ## <summary> > > > > ## Make a domain transition from a > > > > ## given source domain to the > > > > ## DBUS session bus domain using > > > > ## the DBUS executable file type. > > > > ## </summary> > > > > ## <param name="role_prefix"> > > > > ## <summary> > > > > ## The prefix of the user role (e.g., user > > > > ## is the prefix for user_r). > > > > ## </summary> > > > > ## </param> > > > > ## <param name="domain"> > > > > ## <summary> > > > > ## Domain allowed access. > > > > ## </summary> > > > > ## </param> > > > > # > > > > interface(`dbus_domain_transition_session_bus',` > > > > gen_require(` > > > > type dbusd_exec_t; > > > > type $1_dbusd_t; > > > > ') > > > > > > > > allow $2 dbusd_exec_t:file exec_file_perms; > > > > domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) > > > > ') > > > > > > > > and suppose that it is called by the following statement: > > > > > > > > dbus_domain_transition_session_bus($1, at_spi_t) > > > > > > > > where $1 = "user". > > > > > > > > During policy load, the following error is generated: > > > > > > > > Conflicting type rules > > > > Binary policy creation failed at line 29393 of > > > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil > > > > Failed to generate binary > > > > /usr/sbin/semodule: Failed! > > > > make: *** [Rules.modular:58: load] Error 1 > > > > > > > > The temporary file is deleted automatically and cannot be > > > > inspected. > > > > > > > > I hope it is clear now... > > > > > > > > Do you have an idea ? It's the only thing missing before all > > > > the > > > > dbus > > > > rules are moved from the gnome to the dbus module and I can > > > > create > > > > a > > > > new version of this important patch.
> > > > > > It's not so helpful unfortunately. My guess is that it is a > > > conflicting > > > type_transition. Unfortunately the compiler error message isn't > > > helpful. > > > > I have tested and your guess is correct ! > > > > The above interface expands as follows: > > > > interface(`dbus_domain_transition_session_bus',` > > allow $1_dbusd_t dbusd_exec_t:file exec_file_perms; > > > > domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t) > > # type_transition $2 dbusd_exec_t:process $1_dbusd_t; > > > > allow $1_dbusd_t $2:fd use; > > allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms; > > allow $1_dbusd_t $2:process sigchld; > > ') > > > > The line that has been commented out (type_transition) is the > > problematic rule which leads to the "conflicting type rules" error > > upon > > loading the policy. > > > > Such rule comes from the domain_auto_transition_pattern provided by > > support/misc_patterns.spt. > > > > However, if I hardcode "user" instead of "$1", the type_transition > > works fine. I suspect, it stops functioning when $1 is replaced by > > "sysadm" or "staff". > > > > If I do manually substitute the two and try to recompile, the > > following > > happens: > > > > $1=sysadm ==> staff.te doesn't compile (unknown type error) > > > > $1=staff ==> sysadm.te doesn't compile (unknown type error) > > > > In some way, it sounds like a bug or some sort of limitation of the > > actual policy... Can you shed some light ? > > I'm not clear why you would see unknown types. You have to inspect > the > intermediate files. I believe if you add them to a .SECONDARY entry > in > the Makefile/Rules.*, it will not delete them when they're done. I'd > be > fine taking that patch too, so intermediate files are never deleted. I think the files that you mention are stored in the "tmp" subdirectory of the policy source. I don't think there is a need to modify the Makefile or Rules.* files.
The "Conflicting type rules" error comes from libsepol when one tries to load the policy using semodule (called by the policy Makefile). What semodule deleted (/var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil) might be a binary file generated by libsepol. In any case, it has nothing to do with the policy Makefile. Unfortunately, I have checked the temporary files in the "tmp" subdirectory of the build tree, but the only difference between the working version and the non-working version is that the static hardcoded "user" string ("user_dbusd_t") in the type_transition rule is replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so on). I noticed that the dbus_role_template is also using that variable type ($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or "xguest"). The problem seems to be that the $1_dbusd_t type defined by the dbus_role_template conflicts with the type defined by the new interface that is required by gnome (it conflicts with the type_transition rule). I believe this is a bug or some sort of limitation of the existing policy... Do you know how to fix it ? Regards, Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-26 22:21 ` Guido Trentalancia @ 2016-08-28 18:29 ` Chris PeBenito 0 siblings, 0 replies; 73+ messages in thread From: Chris PeBenito @ 2016-08-28 18:29 UTC (permalink / raw) To: refpolicy On 08/26/16 18:21, Guido Trentalancia wrote: > Hello Christopher. > > On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote: > > [...] > >>>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> + type dconf_t, dconf_exec_t, >>>>>>>>> dconf_home_t; >>>>>>>>> + type at_spi_t, at_spi_exec_t; >>>>>>>>> type gconfd_t, gconfd_exec_t, >>>>>>>>> gconf_tmp_t; >>>>>>>>> type gconf_home_t; >>>>>>>>> + type gnome_settings_t, >>>>>>>>> gnome_settings_exec_t; >>>>>>>>> + type gnome_settings_daemon_t, >>>>>>>>> gnome_settings_daemon_exec_t; >>>>>>>>> + type gnome_settings_schemas_t; >>>>>>>>> + type gkeyringd_exec_t, >>>>>>>>> gnome_keyring_home_t, >>>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t; >>>>>>>>> + type mime_info_t; >>>>>>>>> + type user_dbusd_t; >>>>>>>> >>>>>>>> This dbus type cannot be referenced directly in this >>>>>>>> module. >>>>>>> >>>>>>> If $1_dbusd_t is used to get the role/type prefix from the >>>>>>> caller, >>>>>>> then >>>>>>> it doesn't compile for some reason which is not yet clear >>>>>>> to >>>>>>> me. >>>>>>> >>>>>>> Any idea ? >>>>>> >>>>>> The $1_dbusd_t rules need to be contained in the dbus module, >>>>>> not >>>>>> the >>>>>> gnome module. Beyond that, it's tough to say what the >>>>>> problem >>>>>> is, >>>>>> without knowing the error messages. >>>>> >>>>> Suppose to have the following additional dbus interface: >>>>> >>>>> ####################################### >>>>> ## <summary> >>>>> ## Make a domain transition from a >>>>> ## given source domain to the >>>>> ## DBUS session bus domain using >>>>> ## the DBUS executable file type. 
>>>>> ## </summary> >>>>> ## <param name="role_prefix"> >>>>> ## <summary> >>>>> ## The prefix of the user role (e.g., user >>>>> ## is the prefix for user_r). >>>>> ## </summary> >>>>> ## </param> >>>>> ## <param name="domain"> >>>>> ## <summary> >>>>> ## Domain allowed access. >>>>> ## </summary> >>>>> ## </param> >>>>> # >>>>> interface(`dbus_domain_transition_session_bus',` >>>>> gen_require(` >>>>> type dbusd_exec_t; >>>>> type $1_dbusd_t; >>>>> ') >>>>> >>>>> allow $2 dbusd_exec_t:file exec_file_perms; >>>>> domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) >>>>> ') >>>>> >>>>> and suppose that it is called by the following statement: >>>>> >>>>> dbus_domain_transition_session_bus($1, at_spi_t) >>>>> >>>>> where $1 = "user". >>>>> >>>>> During policy load, the following error is generated: >>>>> >>>>> Conflicting type rules >>>>> Binary policy creation failed at line 29393 of >>>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil >>>>> Failed to generate binary >>>>> /usr/sbin/semodule: Failed! >>>>> make: *** [Rules.modular:58: load] Error 1 >>>>> >>>>> The temporary file is deleted automatically and cannot be >>>>> inspected. >>>>> >>>>> I hope it is clear now... >>>>> >>>>> Do you have an idea ? It's the only thing missing before all >>>>> the >>>>> dbus >>>>> rules are moved from the gnome to the dbus module and I can >>>>> create >>>>> a >>>>> new version of this important patch. >>>> >>>> It's not so helpful unfortunately. My guess is that it is a >>>> conflicting >>>> type_transition. Unfortunately the compiler error message isn't >>>> helpful. >>> >>> I have tested and your guess is correct ! 
>>> >>> The above interface expands as follows: >>> >>> interface(`dbus_domain_transition_session_bus',` >>> allow $1_dbusd_t dbusd_exec_t:file exec_file_perms; >>> >>> domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t) >>> # type_transition $2 dbusd_exec_t:process $1_dbusd_t; >>> >>> allow $1_dbusd_t $2:fd use; >>> allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms; >>> allow $1_dbusd_t $2:process sigchld; >>> ') >>> >>> The line that has been commented out (type_transition) is the >>> problematic rule which leads to the "conflicting type rules" error >>> upon >>> loading the policy. >>> >>> Such rule comes from the domain_auto_transition_pattern provided by >>> support/misc_patterns.spt. >>> >>> However, if I hardcode "user" instead of "$1", the type_transition >>> works fine. I suspect, it stops functioning when $1 is replaced by >>> "sysadm" or "staff". >>> >>> If I do manually substitute the two and try to recompile, the >>> following >>> happens: >>> >>> $1=sysadm ==> staff.te doesn't compile (unknown type error) >>> >>> $1=staff ==> sysadm.te doesn't compile (unknown type error) >>> >>> In some way, it sounds like a bug or some sort of limitation of the >>> actual policy... Can you shed some light ? >> >> I'm not clear why you would see unknown types. You have to inspect >> the >> intermediate files. I believe if you add them to a .SECONDARY entry >> in >> the Makefile/Rules.*, it will not delete them when they're done. I'd >> be >> fine taking that patch too, so intermediate files are never deleted. > > I think the files that you mention are stored in the "tmp" subdirectory > of the policy source. > > I don't think there is a need to modify the Makefile or Rules.* files. > > The "Conflicting type rules" error comes from libsepol when one tries > to load the policy using semodule (called by the policy Makefile). > > What semodule deleted (/var/lib/selinux/refpolicy- > 06082016/tmp/modules/400/sysadm/cil) might be a binary file generated > by libsepol. 
In any case, it has nothing to do with the policy > Makefile. > > Unfortunately, I have checked the temporary files in the "tmp" > subdirectory of the build tree, but the only difference between the > working version and the non-working version is that the static > hardcoded "user" string ("user_dbusd_t") in the type_transition rule is > replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so on). > > I noticed that the dbus_role_template is also using that variable type > ($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or > "xguest"). > > The problem seems to be that the $1_dbusd_t type defined by the > dbus_role_template conflicts with the type defined by the new interface > that is required by gnome (it conflicts with the type_transition rule). > > I believe this is a bug or some sort of limitation of the existing > policy... Do you know how to fix it ? The dbus module is where *_dbusd_t should be declared, so *_dbusd_t declarations in a gnome module are incorrect. The only other issue that I can think of is in the past, if you required a type and then later declared it in the same file, that would hit a compiler limitation/bug that would (incorrectly) call it a duplicate type declaration. In terms of type_transition you'd have to inspect the intermediate file that is used to compile the binary to try to see where the conflict is. It may also be a conflict across multiple modules, which would make it more difficult to uncover. -- Chris PeBenito
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-24 22:10 ` Chris PeBenito 2016-08-24 22:42 ` Guido Trentalancia 2016-08-25 9:47 ` Guido Trentalancia @ 2016-08-27 17:08 ` Guido Trentalancia 2016-08-27 17:10 ` Dominick Grift 2 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-27 17:08 UTC (permalink / raw) To: refpolicy Hello Christopher. On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote: > On 08/24/16 17:55, Guido Trentalancia wrote: > > > > Hello Christopher. > > > > I have more detailed information about this problem... > > > > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote: > > > > > > On 08/23/16 08:44, Guido Trentalancia wrote: > > > > > > > > > > > > Hello Christopher ! > > > > > > > > Thanks for providing your valuable feedback. > > > > > > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: > > > > > > > > > > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > > > > > > > > > > > > > > > > > > > > > + type dconf_t, dconf_exec_t, dconf_home_t; > > > > > > + type at_spi_t, at_spi_exec_t; > > > > > > type gconfd_t, gconfd_exec_t, gconf_tmp_t; > > > > > > type gconf_home_t; > > > > > > + type gnome_settings_t, > > > > > > gnome_settings_exec_t; > > > > > > + type gnome_settings_daemon_t, > > > > > > gnome_settings_daemon_exec_t; > > > > > > + type gnome_settings_schemas_t; > > > > > > + type gkeyringd_exec_t, > > > > > > gnome_keyring_home_t, > > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t; > > > > > > + type mime_info_t; > > > > > > + type user_dbusd_t; > > > > > > > > > > This dbus type cannot be referenced directly in this module. > > > > > > > > If $1_dbusd_t is used to get the role/type prefix from the > > > > caller, > > > > then > > > > it doesn't compile for some reason which is not yet clear to > > > > me. > > > > > > > > Any idea ?
> > > > > > The $1_dbusd_t rules need to be contained in the dbus module, not > > > the > > > gnome module. Beyond that, it's tough to say what the problem > > > is, > > > without knowing the error messages. > > > > Suppose to have the following additional dbus interface: > > > > ####################################### > > ## <summary> > > ## Make a domain transition from a > > ## given source domain to the > > ## DBUS session bus domain using > > ## the DBUS executable file type. > > ## </summary> > > ## <param name="role_prefix"> > > ## <summary> > > ## The prefix of the user role (e.g., user > > ## is the prefix for user_r). > > ## </summary> > > ## </param> > > ## <param name="domain"> > > ## <summary> > > ## Domain allowed access. > > ## </summary> > > ## </param> > > # > > interface(`dbus_domain_transition_session_bus',` > > gen_require(` > > type dbusd_exec_t; > > type $1_dbusd_t; > > ') > > > > allow $2 dbusd_exec_t:file exec_file_perms; > > domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t) > > ') > > > > and suppose that it is called by the following statement: > > > > dbus_domain_transition_session_bus($1, at_spi_t) > > > > where $1 = "user". > > > > During policy load, the following error is generated: > > > > Conflicting type rules > > Binary policy creation failed at line 29393 of > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil > > Failed to generate binary > > /usr/sbin/semodule: Failed! > > make: *** [Rules.modular:58: load] Error 1 > > > > The temporary file is deleted automatically and cannot be > > inspected. > > > > I hope it is clear now... > > > > Do you have an idea ? It's the only thing missing before all the > > dbus > > rules are moved from the gnome to the dbus module and I can create > > a > > new version of this important patch.
> > It's not so helpful unfortunately.??My guess is that it is a > conflicting? > type_transition.??Unfortunately the compiler error message isn't > helpful. I have just posted a patch on the SELinux mailing list to produce a more meaningful error message for conflicting type rules, see the following thread: [PATCH] libsepol: Produce more meaningful error messages for conflicting type rules In this case, the conflicting type rule is: scontext=at_spi_t tcontext=dbusd_exec_t tclass=process result=sysadm_dbusd_t which confirms the previous debugging results (it's the type_transition rule). Another one is similar, with scontext=gnome_settings_t. What I suspect is that when it compiles, it quadruplicates the type transition for each of user, staff, sysadm and xguest, thus leading to conflicting rules. Therefore, the solution might be to use a common static name for the domain (for example, "session_dbusd_t" instead of "$1_dbusd_t"). Regards, Guido ^ permalink raw reply [flat|nested] 73+ messages in thread
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-27 17:10 UTC
To: refpolicy

On 08/27/2016 07:08 PM, Guido Trentalancia via refpolicy wrote:
> Hello Christopher.
>
> On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
>> On 08/24/16 17:55, Guido Trentalancia wrote:
>>>
>>> Hello Christopher.
>>>
>>> I have more detailed information about this problem...
>>>
>>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>>
>>>>> Hello Christopher !
>>>>>
>>>>> Thanks for providing your valuable feedback.
>>>>>
>>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>>
>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>
>>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>>   type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>>>   type gconf_home_t;
>>>>>>> + type gnome_settings_t,
>>>>>>> gnome_settings_exec_t;
>>>>>>> + type gnome_settings_daemon_t,
>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>> + type gnome_settings_schemas_t;
>>>>>>> + type gkeyringd_exec_t,
>>>>>>> gnome_keyring_home_t,
>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>> + type mime_info_t;
>>>>>>> + type user_dbusd_t;
>>>>>>
>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>
>>>>> If $1_dbusd_t is used to get the role/type prefix from the caller, then
>>>>> it doesn't compile for some reason which is not yet clear to me.
>>>>>
>>>>> Any idea ?
>>>>
>>>> The $1_dbusd_t rules need to be contained in the dbus module, not the
>>>> gnome module. Beyond that, it's tough to say what the problem is,
>>>> without knowing the error messages.
>>>
>>> Suppose to have the following additional dbus interface:
>>>
>>> #######################################
>>> ## <summary>
>>> ##	Make a domain transition from a
>>> ##	given source domain to the
>>> ##	DBUS session bus domain using
>>> ##	the DBUS executable file type.
>>> ## </summary>
>>> ## <param name="role_prefix">
>>> ##	<summary>
>>> ##	The prefix of the user role (e.g., user
>>> ##	is the prefix for user_r).
>>> ##	</summary>
>>> ## </param>
>>> ## <param name="domain">
>>> ##	<summary>
>>> ##	Domain allowed access.
>>> ##	</summary>
>>> ## </param>
>>> #
>>> interface(`dbus_domain_transition_session_bus',`
>>> 	gen_require(`
>>> 		type dbusd_exec_t;
>>> 		type $1_dbusd_t;
>>> 	')
>>>
>>> 	allow $2 dbusd_exec_t:file exec_file_perms;
>>> 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>> ')
>>>
>>> and suppose that it is called by the following statement:
>>>
>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>
>>> where $1 = "user".
>>>
>>> During policy load, the following error is generated:
>>>
>>> Conflicting type rules
>>> Binary policy creation failed at line 29393 of
>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>> Failed to generate binary
>>> /usr/sbin/semodule: Failed!
>>> make: *** [Rules.modular:58: load] Error 1
>>>
>>> The temporary file is deleted automatically and cannot be inspected.
>>>
>>> I hope it is clear now...
>>>
>>> Do you have an idea ? It's the only thing missing before all the dbus
>>> rules are moved from the gnome to the dbus module and I can create a
>>> new version of this important patch.
>>
>> It's not so helpful unfortunately. My guess is that it is a conflicting
>> type_transition. Unfortunately the compiler error message isn't helpful.
>
> I have just posted a patch on the SELinux mailing list to produce a
> more meaningful error message for conflicting type rules, see the
> following thread:
>
> [PATCH] libsepol: Produce more meaningful error messages for
> conflicting type rules
>
> In this case, the conflicting type rule is:
>
> scontext=at_spi_t
> tcontext=dbusd_exec_t
> tclass=process
> result=sysadm_dbusd_t
>
> which confirms the previous debugging results (it's the type_transition
> rule).
>
> Another one is similar, with scontext=gnome_settings_t.
>
> What I suspect is that when it compiles, it quadruplicates the type
> transition for each of user, staff, sysadm and xguest, thus leading to
> conflicting rules.
>
> Therefore, the solution might be to use a common static name for the
> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").

And that will introduce other issues, because the session bus must be
able to run things on behalf of the caller.

> Regards,
>
> Guido

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-27 17:16 UTC
To: refpolicy

Hello Dominick.

On Sat, 27/08/2016 at 19.10 +0200, Dominick Grift via refpolicy wrote:
> On 08/27/2016 07:08 PM, Guido Trentalancia via refpolicy wrote:

[...]

> > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > > > >
> > > > > > > > + type dconf_t, dconf_exec_t,
> > > > > > > > dconf_home_t;
> > > > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > > > >   type gconfd_t, gconfd_exec_t,
> > > > > > > > gconf_tmp_t;
> > > > > > > >   type gconf_home_t;
> > > > > > > > + type gnome_settings_t,
> > > > > > > > gnome_settings_exec_t;
> > > > > > > > + type gnome_settings_daemon_t,
> > > > > > > > gnome_settings_daemon_exec_t;
> > > > > > > > + type gnome_settings_schemas_t;
> > > > > > > > + type gkeyringd_exec_t,
> > > > > > > > gnome_keyring_home_t,
> > > > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > > > + type mime_info_t;
> > > > > > > > + type user_dbusd_t;
> > > > > > >
> > > > > > > This dbus type cannot be referenced directly in this module.
> > > > > >
> > > > > > If $1_dbusd_t is used to get the role/type prefix from the caller, then
> > > > > > it doesn't compile for some reason which is not yet clear to me.
> > > > > >
> > > > > > Any idea ?
> > > > >
> > > > > The $1_dbusd_t rules need to be contained in the dbus module, not the
> > > > > gnome module.  Beyond that, it's tough to say what the problem is,
> > > > > without knowing the error messages.
> > > >
> > > > Suppose to have the following additional dbus interface:
> > > >
> > > > #######################################
> > > > ## <summary>
> > > > ##	Make a domain transition from a
> > > > ##	given source domain to the
> > > > ##	DBUS session bus domain using
> > > > ##	the DBUS executable file type.
> > > > ## </summary>
> > > > ## <param name="role_prefix">
> > > > ##	<summary>
> > > > ##	The prefix of the user role (e.g., user
> > > > ##	is the prefix for user_r).
> > > > ##	</summary>
> > > > ## </param>
> > > > ## <param name="domain">
> > > > ##	<summary>
> > > > ##	Domain allowed access.
> > > > ##	</summary>
> > > > ## </param>
> > > > #
> > > > interface(`dbus_domain_transition_session_bus',`
> > > > 	gen_require(`
> > > > 		type dbusd_exec_t;
> > > > 		type $1_dbusd_t;
> > > > 	')
> > > >
> > > > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > > > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > > > ')
> > > >
> > > > and suppose that it is called by the following statement:
> > > >
> > > > dbus_domain_transition_session_bus($1, at_spi_t)
> > > >
> > > > where $1 = "user".
> > > >
> > > > During policy load, the following error is generated:
> > > >
> > > > Conflicting type rules
> > > > Binary policy creation failed at line 29393 of
> > > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > > > Failed to generate binary
> > > > /usr/sbin/semodule:  Failed!
> > > > make: *** [Rules.modular:58: load] Error 1
> > > >
> > > > The temporary file is deleted automatically and cannot be inspected.
> > > >
> > > > I hope it is clear now...
> > > >
> > > > Do you have an idea ? It's the only thing missing before all the dbus
> > > > rules are moved from the gnome to the dbus module and I can create a
> > > > new version of this important patch.
> > >
> > > It's not so helpful unfortunately.  My guess is that it is a conflicting
> > > type_transition.  Unfortunately the compiler error message isn't helpful.
> >
> > I have just posted a patch on the SELinux mailing list to produce a
> > more meaningful error message for conflicting type rules, see the
> > following thread:
> >
> > [PATCH] libsepol: Produce more meaningful error messages for
> > conflicting type rules
> >
> > In this case, the conflicting type rule is:
> >
> > scontext=at_spi_t
> > tcontext=dbusd_exec_t
> > tclass=process
> > result=sysadm_dbusd_t
> >
> > which confirms the previous debugging results (it's the type_transition
> > rule).
> >
> > Another one is similar, with scontext=gnome_settings_t.
> >
> > What I suspect is that when it compiles, it quadruplicates the type
> > transition for each of user, staff, sysadm and xguest, thus leading to
> > conflicting rules.
> >
> > Therefore, the solution might be to use a common static name for the
> > domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>
> And that will introduce other issues, because the session bus must be
> able to run things on behalf of the caller.

Thanks for providing a forecast of other issues.

So, what's the way out of this damn loop ?

I am almost getting lost...

Regards,

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-27 17:17 UTC
To: refpolicy

On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> On Sat, 27/08/2016 at 19.10 +0200, Dominick Grift via refpolicy wrote:
>> On 08/27/2016 07:08 PM, Guido Trentalancia via refpolicy wrote:
>
> [...]
>
>>>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>>>
>>>>>>>>> + type dconf_t, dconf_exec_t,
>>>>>>>>> dconf_home_t;
>>>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>>>>   type gconfd_t, gconfd_exec_t,
>>>>>>>>> gconf_tmp_t;
>>>>>>>>>   type gconf_home_t;
>>>>>>>>> + type gnome_settings_t,
>>>>>>>>> gnome_settings_exec_t;
>>>>>>>>> + type gnome_settings_daemon_t,
>>>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>>>> + type gnome_settings_schemas_t;
>>>>>>>>> + type gkeyringd_exec_t,
>>>>>>>>> gnome_keyring_home_t,
>>>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>>>> + type mime_info_t;
>>>>>>>>> + type user_dbusd_t;
>>>>>>>>
>>>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>>>
>>>>>>> If $1_dbusd_t is used to get the role/type prefix from the caller, then
>>>>>>> it doesn't compile for some reason which is not yet clear to me.
>>>>>>>
>>>>>>> Any idea ?
>>>>>>
>>>>>> The $1_dbusd_t rules need to be contained in the dbus module, not the
>>>>>> gnome module. Beyond that, it's tough to say what the problem is,
>>>>>> without knowing the error messages.
>>>>>
>>>>> Suppose to have the following additional dbus interface:
>>>>>
>>>>> #######################################
>>>>> ## <summary>
>>>>> ##	Make a domain transition from a
>>>>> ##	given source domain to the
>>>>> ##	DBUS session bus domain using
>>>>> ##	the DBUS executable file type.
>>>>> ## </summary>
>>>>> ## <param name="role_prefix">
>>>>> ##	<summary>
>>>>> ##	The prefix of the user role (e.g., user
>>>>> ##	is the prefix for user_r).
>>>>> ##	</summary>
>>>>> ## </param>
>>>>> ## <param name="domain">
>>>>> ##	<summary>
>>>>> ##	Domain allowed access.
>>>>> ##	</summary>
>>>>> ## </param>
>>>>> #
>>>>> interface(`dbus_domain_transition_session_bus',`
>>>>> 	gen_require(`
>>>>> 		type dbusd_exec_t;
>>>>> 		type $1_dbusd_t;
>>>>> 	')
>>>>>
>>>>> 	allow $2 dbusd_exec_t:file exec_file_perms;
>>>>> 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>>>> ')
>>>>>
>>>>> and suppose that it is called by the following statement:
>>>>>
>>>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>>>
>>>>> where $1 = "user".
>>>>>
>>>>> During policy load, the following error is generated:
>>>>>
>>>>> Conflicting type rules
>>>>> Binary policy creation failed at line 29393 of
>>>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>>>> Failed to generate binary
>>>>> /usr/sbin/semodule: Failed!
>>>>> make: *** [Rules.modular:58: load] Error 1
>>>>>
>>>>> The temporary file is deleted automatically and cannot be inspected.
>>>>>
>>>>> I hope it is clear now...
>>>>>
>>>>> Do you have an idea ? It's the only thing missing before all the dbus
>>>>> rules are moved from the gnome to the dbus module and I can create a
>>>>> new version of this important patch.
>>>>
>>>> It's not so helpful unfortunately. My guess is that it is a conflicting
>>>> type_transition. Unfortunately the compiler error message isn't helpful.
>>>
>>> I have just posted a patch on the SELinux mailing list to produce a
>>> more meaningful error message for conflicting type rules, see the
>>> following thread:
>>>
>>> [PATCH] libsepol: Produce more meaningful error messages for
>>> conflicting type rules
>>>
>>> In this case, the conflicting type rule is:
>>>
>>> scontext=at_spi_t
>>> tcontext=dbusd_exec_t
>>> tclass=process
>>> result=sysadm_dbusd_t
>>>
>>> which confirms the previous debugging results (it's the type_transition
>>> rule).
>>>
>>> Another one is similar, with scontext=gnome_settings_t.
>>>
>>> What I suspect is that when it compiles, it quadruplicates the type
>>> transition for each of user, staff, sysadm and xguest, thus leading to
>>> conflicting rules.
>>>
>>> Therefore, the solution might be to use a common static name for the
>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>
>> And that will introduce other issues, because the session bus must be
>> able to run things on behalf of the caller.
>
> Thanks for providing a forecast of other issues.
>
> So, what's the way out of this damn loop ?
>
> I am almost getting lost...
>

I don't know.

> Regards,
>
> Guido
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-27 20:41 UTC
To: refpolicy

On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:

[...]

> > > > > It's not so helpful unfortunately.  My guess is that it is a conflicting
> > > > > type_transition.  Unfortunately the compiler error message isn't helpful.
> > > >
> > > > I have just posted a patch on the SELinux mailing list to produce a
> > > > more meaningful error message for conflicting type rules, see the
> > > > following thread:
> > > >
> > > > [PATCH] libsepol: Produce more meaningful error messages for
> > > > conflicting type rules
> > > >
> > > > In this case, the conflicting type rule is:
> > > >
> > > > scontext=at_spi_t
> > > > tcontext=dbusd_exec_t
> > > > tclass=process
> > > > result=sysadm_dbusd_t
> > > >
> > > > which confirms the previous debugging results (it's the type_transition
> > > > rule).
> > > >
> > > > Another one is similar, with scontext=gnome_settings_t.
> > > >
> > > > What I suspect is that when it compiles, it quadruplicates the type
> > > > transition for each of user, staff, sysadm and xguest, thus leading to
> > > > conflicting rules.
> > > >
> > > > Therefore, the solution might be to use a common static name for the
> > > > domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
> > >
> > > And that will introduce other issues, because the session bus must be
> > > able to run things on behalf of the caller.
> >
> > Thanks for providing a forecast of other issues.
> >
> > So, what's the way out of this damn loop ?
> >
> > I am almost getting lost...
> >
>
> I don't know.

We need to find a cure for this !!

What prevents it from running things on behalf of the caller ? And what
do you mean exactly for running things on behalf of the caller ?

I have the following interface:

allow $1 dbusd_exec_t:file exec_file_perms;
domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)

which is called with $1=at_spi_t and $1=gnome_settings_t but goes
completely ignored !

If I search for "execute" or "transition" permissions using sesearch,
it doesn't find anything, so for some strange reason the interface goes
completely ignored !

Is that what you meant earlier ? Why is it happening ??

Regards,

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-27 20:57 UTC
To: refpolicy

On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>
> [...]
>
>>>>>> It's not so helpful unfortunately. My guess is that it is a conflicting
>>>>>> type_transition. Unfortunately the compiler error message isn't helpful.
>>>>>
>>>>> I have just posted a patch on the SELinux mailing list to produce a
>>>>> more meaningful error message for conflicting type rules, see the
>>>>> following thread:
>>>>>
>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>> conflicting type rules
>>>>>
>>>>> In this case, the conflicting type rule is:
>>>>>
>>>>> scontext=at_spi_t
>>>>> tcontext=dbusd_exec_t
>>>>> tclass=process
>>>>> result=sysadm_dbusd_t
>>>>>
>>>>> which confirms the previous debugging results (it's the type_transition
>>>>> rule).
>>>>>
>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>
>>>>> What I suspect is that when it compiles, it quadruplicates the type
>>>>> transition for each of user, staff, sysadm and xguest, thus leading to
>>>>> conflicting rules.
>>>>>
>>>>> Therefore, the solution might be to use a common static name for the
>>>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>>>
>>>> And that will introduce other issues, because the session bus must be
>>>> able to run things on behalf of the caller.
>>>
>>> Thanks for providing a forecast of other issues.
>>>
>>> So, what's the way out of this damn loop ?
>>>
>>> I am almost getting lost...
>>>
>>
>> I don't know.
>
> We need to find a cure for this !!

I have been pleading for this for years. In my case the solution to
these problems is DSSP and CIL. I was never able to solve these issues
with reference policy unfortunately.

> What prevents it from running things on behalf of the caller ? And what
> do you mean exactly for running things on behalf of the caller ?

It's hard to explain. The best way to appreciate what I mean is to
experience it yourself. It will become clear as you move towards a fully
confined desktop.

A lot of programs can be started by the session bus. Many of these
programs started by the session bus on behalf of users run other
programs and so forth and so forth. Some of these programs need to
eventually be able to run a shell with a domain transition back to the
login shell domain.

staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t

To be able to do this we need to use derived types. You can't do it if
there's a single session_dbus_t type.

> I have the following interface:
>
> allow $1 dbusd_exec_t:file exec_file_perms;
> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
>
> which is called with $1=at_spi_t and $1=gnome_settings_t but goes
> completely ignored !
>
> If I search for "execute" or "transition" permissions using sesearch,
> it doesn't find anything, so for some strange reason the interface goes
> completely ignored !
>
> Is that what you meant earlier ? Why is it happening ??
>
> Regards,
>
> Guido
>

Maybe others know a way out. I really don't. Sorry.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-27 21:48 UTC
To: refpolicy

Hello Dominick.

Thanks for providing more information.

On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
> >
> > On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
> > >
> > > On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
> >
> > [...]
> >
> > > > > > > It's not so helpful unfortunately.  My guess is that it is a conflicting
> > > > > > > type_transition.  Unfortunately the compiler error message isn't helpful.
> > > > > >
> > > > > > I have just posted a patch on the SELinux mailing list to produce a
> > > > > > more meaningful error message for conflicting type rules, see the
> > > > > > following thread:
> > > > > >
> > > > > > [PATCH] libsepol: Produce more meaningful error messages for
> > > > > > conflicting type rules
> > > > > >
> > > > > > In this case, the conflicting type rule is:
> > > > > >
> > > > > > scontext=at_spi_t
> > > > > > tcontext=dbusd_exec_t
> > > > > > tclass=process
> > > > > > result=sysadm_dbusd_t
> > > > > >
> > > > > > which confirms the previous debugging results (it's the type_transition
> > > > > > rule).
> > > > > >
> > > > > > Another one is similar, with scontext=gnome_settings_t.
> > > > > >
> > > > > > What I suspect is that when it compiles, it quadruplicates the type
> > > > > > transition for each of user, staff, sysadm and xguest, thus leading to
> > > > > > conflicting rules.
> > > > > >
> > > > > > Therefore, the solution might be to use a common static name for the
> > > > > > domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
> > > > >
> > > > > And that will introduce other issues, because the session bus must be
> > > > > able to run things on behalf of the caller.
> > > >
> > > > Thanks for providing a forecast of other issues.
> > > >
> > > > So, what's the way out of this damn loop ?
> > > >
> > > > I am almost getting lost...
> > > >
> > >
> > > I don't know.
> >
> > We need to find a cure for this !!
>
> I have been pleading for this for years. In my case the solution to
> these problems is DSSP and CIL. I was never able to solve these issues
> with reference policy unfortunately.

There must be a way of solving this problem.

> > What prevents it from running things on behalf of the caller ? And what
> > do you mean exactly for running things on behalf of the caller ?
>
> It's hard to explain. The best way to appreciate what I mean is to
> experience it yourself. It will become clear as you move towards a fully
> confined desktop.
>
> A lot of programs can be started by the session bus. Many of these
> programs started by the session bus on behalf of users run other
> programs and so forth and so forth. Some of these programs need to
> eventually be able to run a shell with a domain transition back to the
> login shell domain.
>
> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>
> To be able to do this we need to use derived types. You can't do it if
> there's a single session_dbus_t type.

In the case at hand, there isn't the need to get back to the initial
domain.

If I am not wrong, the whole transition is as follows:

user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t
(at_spi_exec_t)-> at_spi_t

The last transition is not working for some reason (I have used the new
dbus interface quoted below)...

> > I have the following interface:
> >
> > allow $1 dbusd_exec_t:file exec_file_perms;
> > domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
> >
> > which is called with $1=at_spi_t and $1=gnome_settings_t but goes
> > completely ignored !
> >
> > If I search for "execute" or "transition" permissions using sesearch,
> > it doesn't find anything, so for some strange reason the interface goes
> > completely ignored !
> >
> > Is that what you meant earlier ? Why is it happening ??

[...]

> Maybe others know a way out. I really don't. Sorry.

Don't worry about that. But with the help of others, we need to find a
cure for this !

Regards,

Guido
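Two points in the exchange above lend themselves to a small model: the "Conflicting type rules" error Guido reports (the same at_spi_t -> dbusd_exec_t transition expanded once per role, each copy with a different result type) and Dominick's objection that a single session bus domain cannot carry the role back to the login domain, as in his staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t chain. The Python below is an added example written for this page, not refpolicy or libsepol code: it imitates the per-role template expansion and the uniqueness the compiler requires of each type_transition key. It assumes the four role prefixes named in the thread, uses the `$1_dbusd_t` naming from the quoted interface for the bus domain, and the exec types myapp_exec_t and shell_exec_t are constructed for illustration.

```python
"""Model of per-role template expansion and "Conflicting type rules".

Added example for this thread, not refpolicy or libsepol code. It imitates
what the discussion describes: a role template expanded once per user role
prefix, and the compiler's rule that one (source, target, class) key may map
to only one result type. Role list and exec types are constructed.
"""
from collections import namedtuple

# Role prefixes the thread says the template is expanded for (assumption).
ROLES = ("user", "staff", "sysadm", "xguest")

# A process type_transition: `source` executing `target` lands in `result`.
TypeTransition = namedtuple("TypeTransition", "source target tclass result")


def expand_template(prefixes, source_tpl, target, result_tpl):
    """Expand a role template once per prefix, substituting '$1' as m4 would."""
    return [
        TypeTransition(source_tpl.replace("$1", p), target, "process",
                       result_tpl.replace("$1", p))
        for p in prefixes
    ]


def find_conflicts(rules):
    """Return {(source, target, class): {results}} for keys that resolve to
    more than one result type; a non-empty dict is what the policy compiler
    rejects as "Conflicting type rules"."""
    results = {}
    for r in rules:
        results.setdefault((r.source, r.target, r.tclass), set()).add(r.result)
    return {k: v for k, v in results.items() if len(v) > 1}


def transition(rules, source, target):
    """Domain reached when `source` executes a file of type `target`.
    With no matching rule the process stays in `source`."""
    matches = {r.result for r in rules
               if r.source == source and r.target == target and r.tclass == "process"}
    if len(matches) > 1:
        raise ValueError(f"conflicting type rules for {source} -> {target}: {sorted(matches)}")
    return matches.pop() if matches else source


def follow_chain(rules, start, exec_types):
    """Walk a sequence of execs and return the domains visited, start first."""
    path = [start]
    for exec_type in exec_types:
        path.append(transition(rules, path[-1], exec_type))
    return path


# 1. Static source domain (at_spi_t) and per-role result ($1_dbusd_t): all
#    four expansions share one key, which is the conflict reported in the thread.
STATIC_SOURCE_RULES = expand_template(ROLES, "at_spi_t", "dbusd_exec_t", "$1_dbusd_t")

# 2. Role-derived source domain ($1_at_spi_t): every expansion has its own key.
DERIVED_SOURCE_RULES = expand_template(ROLES, "$1_at_spi_t", "dbusd_exec_t", "$1_dbusd_t")

# 3. A single session_dbusd_t that must return to the caller's login domain
#    ($1_t) when it runs a shell: the same conflict, one hop further on.
STATIC_BUS_RULES = expand_template(ROLES, "session_dbusd_t", "shell_exec_t", "$1_t")

# 4. Fully derived chain for one role, modelled on
#    staff_t -> staff_dbusd_t -> staff_myapp_t -> staff_t.
STAFF_CHAIN_RULES = (
    expand_template(("staff",), "$1_t", "dbusd_exec_t", "$1_dbusd_t")
    + expand_template(("staff",), "$1_dbusd_t", "myapp_exec_t", "$1_myapp_t")
    + expand_template(("staff",), "$1_myapp_t", "shell_exec_t", "$1_t")
)

if __name__ == "__main__":
    print("static source :", find_conflicts(STATIC_SOURCE_RULES))
    print("derived source:", find_conflicts(DERIVED_SOURCE_RULES))
    print("static bus    :", find_conflicts(STATIC_BUS_RULES))
    print("staff chain   :", follow_chain(
        STAFF_CHAIN_RULES, "staff_t", ["dbusd_exec_t", "myapp_exec_t", "shell_exec_t"]))
```

Run stand-alone it reports one conflicting key for the static at_spi_t source (four result types behind one key), none for the role-derived source, and the same conflict again when a single session_dbusd_t has to hand control back to `$1_t`; the staff chain resolves only because every hop carries the role prefix, which is the point Dominick makes about derived types.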
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-28 7:24 UTC
To: refpolicy

On 08/27/2016 11:48 PM, Guido Trentalancia via refpolicy wrote:
> Hello Dominick.
>
> Thanks for providing more information.
>
> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>
>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>
>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>
>>> [...]
>>>
>>>>>>>> It's not so helpful unfortunately. My guess is that it is a conflicting
>>>>>>>> type_transition. Unfortunately the compiler error message isn't helpful.
>>>>>>>
>>>>>>> I have just posted a patch on the SELinux mailing list to produce a
>>>>>>> more meaningful error message for conflicting type rules, see the
>>>>>>> following thread:
>>>>>>>
>>>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>>>> conflicting type rules
>>>>>>>
>>>>>>> In this case, the conflicting type rule is:
>>>>>>>
>>>>>>> scontext=at_spi_t
>>>>>>> tcontext=dbusd_exec_t
>>>>>>> tclass=process
>>>>>>> result=sysadm_dbusd_t
>>>>>>>
>>>>>>> which confirms the previous debugging results (it's the type_transition
>>>>>>> rule).
>>>>>>>
>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>
>>>>>>> What I suspect is that when it compiles, it quadruplicates the type
>>>>>>> transition for each of user, staff, sysadm and xguest, thus leading to
>>>>>>> conflicting rules.
>>>>>>>
>>>>>>> Therefore, the solution might be to use a common static name for the
>>>>>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>>>>>
>>>>>> And that will introduce other issues, because the session bus must be
>>>>>> able to run things on behalf of the caller.
>>>>>
>>>>> Thanks for providing a forecast of other issues.
>>>>>
>>>>> So, what's the way out of this damn loop ?
>>>>>
>>>>> I am almost getting lost...
>>>>>
>>>>
>>>> I don't know.
>>>
>>> We need to find a cure for this !!
>>
>> I have been pleading for this for years. In my case the solution to
>> these problems is DSSP and CIL. I was never able to solve these issues
>> with reference policy unfortunately.
>
> There must be a way of solving this problem.
>
>>> What prevents it from running things on behalf of the caller ? And what
>>> do you mean exactly for running things on behalf of the caller ?
>>
>> It's hard to explain. The best way to appreciate what I mean is to
>> experience it yourself. It will become clear as you move towards a fully
>> confined desktop.
>>
>> A lot of programs can be started by the session bus. Many of these
>> programs started by the session bus on behalf of users run other
>> programs and so forth and so forth. Some of these programs need to
>> eventually be able to run a shell with a domain transition back to the
>> login shell domain.
>>
>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>
>> To be able to do this we need to use derived types. You can't do it if
>> there's a single session_dbus_t type.
>
> In the case at hand, there isn't the need to get back to the initial
> domain.
>
> If I am not wrong, the whole transition is as follows:
>
> user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t
> (at_spi_exec_t)-> at_spi_t
>

To see what I am trying to say you have to experience it for yourself.
Gnome is this single body made up of individual entities.

Just because atspi "may" not need to be prefixed doesn't mean that the
session bus doesn't need to be prefixed. atspi isn't the only app
executed by the session bus.

And let me just remind you. atspi needs to be able to run the session
bus if it is not currently running. Do you see the chicken and egg
problem?

> The last transition is not working for some reason (I have used the new
> dbus interface quoted below)...
>
>>> I have the following interface:
>>>
>>> allow $1 dbusd_exec_t:file exec_file_perms;
>>> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t)
>>>
>>> which is called with $1=at_spi_t and $1=gnome_settings_t but goes
>>> completely ignored !
>>>
>>> If I search for "execute" or "transition" permissions using sesearch,
>>> it doesn't find anything, so for some strange reason the interface goes
>>> completely ignored !
>>>
>>> Is that what you meant earlier ? Why is it happening ??
>
> [...]
>
>> Maybe others know a way out. I really don't. Sorry.
>
> Don't worry about that. But with the help of others, we need to find a
> cure for this !
>
> Regards,
>
> Guido

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 7:24 ` Dominick Grift @ 2016-08-28 8:03 ` Dominick Grift 2016-08-28 15:37 ` Guido Trentalancia 0 siblings, 1 reply; 73+ messages in thread From: Dominick Grift @ 2016-08-28 8:03 UTC (permalink / raw) To: refpolicy On 08/28/2016 09:24 AM, Dominick Grift wrote: > On 08/27/2016 11:48 PM, Guido Trentalancia via refpolicy wrote: >> Hello Dominick. >> >> Thanks for providing more information. >> >> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote: >>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote: >>>> >>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote: >>>>> >>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote: >>>> >>>> [...] >>>> >>>>> >>>>>> >>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> It's not so helpful unfortunately. My guess is that it >>>>>>>>> is a >>>>>>>>> conflicting >>>>>>>>> type_transition. Unfortunately the compiler error >>>>>>>>> message >>>>>>>>> isn't >>>>>>>>> helpful. >>>>>>>> >>>>>>>> I have just posted a patch on the SELinux mailing list to >>>>>>>> produce a >>>>>>>> more meaningful error message for conflicting type rules, >>>>>>>> see >>>>>>>> the >>>>>>>> following thread: >>>>>>>> >>>>>>>> [PATCH] libsepol: Produce more meaningful error messages >>>>>>>> for >>>>>>>> conflicting type rules >>>>>>>> >>>>>>>> In this case, the conflicting type rule is: >>>>>>>> >>>>>>>> scontext=at_spi_t >>>>>>>> tcontext=dbusd_exec_t >>>>>>>> tclass=process >>>>>>>> result=sysadm_dbusd_t >>>>>>>> >>>>>>>> which confirms the previous debugging results (it's the >>>>>>>> type_transition >>>>>>>> rule). >>>>>>>> >>>>>>>> Another one is similar, with scontext=gnome_settings_t. >>>>>>>> >>>>>>>> What I suspect is that when it compiles, it quadruplicates >>>>>>>> the >>>>>>>> type >>>>>>>> transition for each of user, staff, sysadm and xguest, thus >>>>>>>> leading >>>>>>>> to >>>>>>>> conflicting rules. 
>>>>>>>> >>>>>>>> Therefore, the solution might be to use a common static >>>>>>>> name >>>>>>>> for >>>>>>>> the >>>>>>>> domain (for example, "session_dbusd_t" instead of >>>>>>>> "$1_dbusd_t"). >>>>>>> >>>>>>> and that will introduce other issues. because the session bus >>>>>>> must be >>>>>>> able to run things on behalf of the caller >>>>>> >>>>>> Thanks for providing a forecast of other issues. >>>>>> >>>>>> So, what's the way out of this damn loop ? >>>>>> >>>>>> I am almost getting lost... >>>>>> >>>>> >>>>> I dont know. >>>> >>>> We need to find a cure for this !! >>> >>> I have been pleading for this for years. In my case the solution to >>> these problems is DSSP and CIL. I was never able to solve these >>> issues >>> with reference policy unfortunately. >> >> There must be a way of solving this problem. >> >>>> What prevents it from running things on behalf of the caller ? And >>>> what >>>> do you mean exactly for running things on behalf of the caller ? >>> >>> It hard to explain. The best way to appreciate what I mean is to >>> experience it yourself. It will become clear as you move towards a >>> fully >>> confined desktop. >>> >>> A lot of programs can be started by the session bus. Many of these >>> programs started by the session bus on behalf of users run other >>> programs and so forth and so forth. Some of these programs need to >>> eventually be able run shell with a domain transition back to the >>> login >>> shell domain. >>> >>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t >>> >>> To be able to do this we need to use derived types. You can't do it >>> if >>> theres a single session_dbus_t type. >> >> In the case at hand, there isn't the need to get back to the initial >> domain. >> >> If I am not wrong, the whole transition is as follows: >> >> user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t >> (at_spi_exec_t)-> at_spi_t >> > > To see what i am trying to say you have to experience it for yourself. 
> Gnome is this single body made up of individual entities. Just because > atspi "may" not need to be prefixed doesnt mean that the session bus > doesnt need to be prefixed. atspi isnt the only app executed by the > session bus. > > And let me just remind you. atspi needs to be able to run the session > bus if it is not currently running. Do you see the chicken and egg problem? > > You have to see the bigger picture. That is why i suggested you confine a minimal desktop first before you start submitting patches. Because once you have a broad overview you will see important issues that need to be resolved. You aren't able to identify them if you do not look at this as a whole. Things should just naturally work. We can't have the house of cards collapse on the first anomaly that happens. >> The last transition is not working for some reason (I have used the new >> dbus interface quoted below)... >> >>>> I have the following interface: >>>> >>>> allow $1 dbusd_exec_t:file exec_file_perms; >>>> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t) >>>> >>>> which is called with $1=at_spi_t and $1=gnome_settings_t but goes >>>> completely ignored ! >>>> >>>> If I search for "execute" or "transition" permissions using >>>> sesearch, >>>> it doesn't find anything, so for some strange reason the interface >>>> goes >>>> completely ignored ! >>>> >>>> Is that what you meant earlier ? Why is it happening ?? >> >> [...] >> >>> Maybe others know a way out. I really don't. Sorry. >> >> Don't worry about that. But with the help of others, we need to find a >> cure for this ! 
>> >> Regards, >> >> Guido >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >> > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 8:03 ` Dominick Grift @ 2016-08-28 15:37 ` Guido Trentalancia 2016-08-28 18:40 ` Chris PeBenito 0 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-28 15:37 UTC (permalink / raw) To: refpolicy Things are very far from working naturally as they are. On the other hand, the patches are surely far from being complete or stable yet, but at least every version allows to start the Gnome desktop. Now I met this major problem, it looks by all means a limitation of the existing framework, but I am sure that it will be sorted out... I am also waiting to hear from Christopher about this. Regards, Guido On the 28th of August 2016 10:03:17 CEST, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote: >On 08/28/2016 09:24 AM, Dominick Grift wrote: >> On 08/27/2016 11:48 PM, Guido Trentalancia via refpolicy wrote: >>> Hello Dominick. >>> >>> Thanks for providing more information. >>> >>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote: >>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote: >>>>> >>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote: >>>>>> >>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote: >>>>> >>>>> [...] >>>>> >>>>>> >>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> It's not so helpful unfortunately. My guess is that it >>>>>>>>>> is a >>>>>>>>>> conflicting >>>>>>>>>> type_transition. Unfortunately the compiler error >>>>>>>>>> message >>>>>>>>>> isn't >>>>>>>>>> helpful. 
>>>>>>>>> >>>>>>>>> I have just posted a patch on the SELinux mailing list to >>>>>>>>> produce a >>>>>>>>> more meaningful error message for conflicting type rules, >>>>>>>>> see >>>>>>>>> the >>>>>>>>> following thread: >>>>>>>>> >>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages >>>>>>>>> for >>>>>>>>> conflicting type rules >>>>>>>>> >>>>>>>>> In this case, the conflicting type rule is: >>>>>>>>> >>>>>>>>> scontext=at_spi_t >>>>>>>>> tcontext=dbusd_exec_t >>>>>>>>> tclass=process >>>>>>>>> result=sysadm_dbusd_t >>>>>>>>> >>>>>>>>> which confirms the previous debugging results (it's the >>>>>>>>> type_transition >>>>>>>>> rule). >>>>>>>>> >>>>>>>>> Another one is similar, with scontext=gnome_settings_t. >>>>>>>>> >>>>>>>>> What I suspect is that when it compiles, it quadruplicates >>>>>>>>> the >>>>>>>>> type >>>>>>>>> transition for each of user, staff, sysadm and xguest, thus >>>>>>>>> leading >>>>>>>>> to >>>>>>>>> conflicting rules. >>>>>>>>> >>>>>>>>> Therefore, the solution might be to use a common static >>>>>>>>> name >>>>>>>>> for >>>>>>>>> the >>>>>>>>> domain (for example, "session_dbusd_t" instead of >>>>>>>>> "$1_dbusd_t"). >>>>>>>> >>>>>>>> and that will introduce other issues. because the session bus >>>>>>>> must be >>>>>>>> able to run things on behalf of the caller >>>>>>> >>>>>>> Thanks for providing a forecast of other issues. >>>>>>> >>>>>>> So, what's the way out of this damn loop ? >>>>>>> >>>>>>> I am almost getting lost... >>>>>>> >>>>>> >>>>>> I dont know. >>>>> >>>>> We need to find a cure for this !! >>>> >>>> I have been pleading for this for years. In my case the solution to >>>> these problems is DSSP and CIL. I was never able to solve these >>>> issues >>>> with reference policy unfortunately. >>> >>> There must be a way of solving this problem. >>> >>>>> What prevents it from running things on behalf of the caller ? And >>>>> what >>>>> do you mean exactly for running things on behalf of the caller ? 
>>>> >>>> It hard to explain. The best way to appreciate what I mean is to >>>> experience it yourself. It will become clear as you move towards a >>>> fully >>>> confined desktop. >>>> >>>> A lot of programs can be started by the session bus. Many of these >>>> programs started by the session bus on behalf of users run other >>>> programs and so forth and so forth. Some of these programs need to >>>> eventually be able run shell with a domain transition back to the >>>> login >>>> shell domain. >>>> >>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t >>>> >>>> To be able to do this we need to use derived types. You can't do it >>>> if >>>> theres a single session_dbus_t type. >>> >>> In the case at hand, there isn't the need to get back to the initial >>> domain. >>> >>> If I am not wrong, the whole transition is as follows: >>> >>> user_t (at_spi_exec_t)-> at_spi_t (dbusd_exec_t)-> session_dbusd_t >>> (at_spi_exec_t)-> at_spi_t >>> >> >> To see what i am trying to say you have to experience it for >yourself. >> Gnome is this single body made up of individual entities. Just >because >> atspi "may" not need to be prefixed doesnt mean that the session bus >> doesnt need to be prefixed. atspi isnt the only app executed by the >> session bus. >> >> And let me just remind you. atspi needs to be able to run the session >> bus if it is not currently running. Do you see the chicken and egg >problem? >> >> > >You have to see the bigger picture. That is why i suggested you confine >a minimal desktop first before you start submitting patches. Because >once you have a broad overview you will see important issues that need >to be resolved. You aren't able to identify them if you do not look at >this as a whole. > >Things should just naturally work. We can't have the house of cards >collapse on the first anomaly that happens. > >>> The last transition is not working for some reason (I have used the >new >>> dbus interface quoted below)... 
>>> >>>>> I have the following interface: >>>>> >>>>> allow $1 dbusd_exec_t:file exec_file_perms; >>>>> domtrans_pattern($1, dbusd_exec_t, session_dbusd_t) >>>>> >>>>> which is called with $1=at_spi_t and $1=gnome_settings_t but goes >>>>> completely ignored ! >>>>> >>>>> If I search for "execute" or "transition" permissions using >>>>> sesearch, >>>>> it doesn't find anything, so for some strange reason the interface >>>>> goes >>>>> completely ignored ! >>>>> >>>>> Is that what you meant earlier ? Why is it happening ?? >>> >>> [...] >>> >>>> Maybe others know a way out. I really don't. Sorry. >>> >>> Don't worry about that. But with the help of others, we need to find >a >>> cure for this ! >>> >>> Regards, >>> >>> Guido >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >>> >> >>
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 15:37 ` Guido Trentalancia @ 2016-08-28 18:40 ` Chris PeBenito 2016-08-28 19:11 ` Guido Trentalancia ` (2 more replies) 0 siblings, 3 replies; 73+ messages in thread From: Chris PeBenito @ 2016-08-28 18:40 UTC (permalink / raw) To: refpolicy On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: > Things are very far from working naturally as they are. > > On the other hand, the patches are surely far from being complete or stable yet, but at least every version allows to start the Gnome desktop. > > Now I met this major problem, it looks by all means a limitation of the existing framework, but I am sure that it will be sorted out... > > I am also waiting to hear from Christopher about this. The way I see it is that general purpose desktops are incredibly complicated and are not designed with security in mind. I wonder if the policy complexity needed to confine it all actually buys a proportional amount of security gains. I'm not saying it shouldn't be done, but I am skeptical that it is worth it. -- Chris PeBenito
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 18:40 ` Chris PeBenito @ 2016-08-28 19:11 ` Guido Trentalancia 2016-08-28 19:12 ` Dominick Grift 2016-08-30 19:23 ` Guido Trentalancia 2 siblings, 0 replies; 73+ messages in thread From: Guido Trentalancia @ 2016-08-28 19:11 UTC (permalink / raw) To: refpolicy Hello Christopher! I think it's definitely worthwhile in terms of security confining the Gnome desktop (as well as the other applications) properly. The user domain is the most common vulnerable point, so it should have the most limited number of permissions possible. By confining the desktop properly we get great security gains exactly in that direction. Any insight on the problem that I encountered? I couldn't get things working in the dbus module with the variable $1_dbusd_t type, so I am now moving to testing with a static type instead. Best regards, Guido On the 28th of August 2016 20:40:39 CEST, Chris PeBenito <pebenito@ieee.org> wrote: >On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: >> Things are very far from working naturally as they are. >> >> On the other hand, the patches are surely far from being complete or >stable yet, but at least every version allows to start the Gnome >desktop. >> >> Now I met this major problem, it looks by all means a limitation of >the existing framework, but I am sure that it will be sorted out... >> >> I am also waiting to hear from Christopher about this. > >The way I see it is that general purpose desktops are incredibly >complicated and are not designed with security in mind. I wonder if >the >policy complexity needed to confine it all actually buys a proportional > >amount of security gains. I'm not saying it shouldn't be done, but I >am >skeptical that it is worth it.
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 18:40 ` Chris PeBenito 2016-08-28 19:11 ` Guido Trentalancia @ 2016-08-28 19:12 ` Dominick Grift 2016-08-29 8:20 ` Dominick Grift 2016-08-30 19:23 ` Guido Trentalancia 2 siblings, 1 reply; 73+ messages in thread From: Dominick Grift @ 2016-08-28 19:12 UTC (permalink / raw) To: refpolicy On 08/28/2016 08:40 PM, Chris PeBenito wrote: > On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: >> Things are very far from working naturally as they are. >> >> On the other hand, the patches are surely far from being complete or >> stable yet, but at least every version allows to start the Gnome desktop. >> >> Now I met this major problem, it looks by all means a limitation of >> the existing framework, but I am sure that it will be sorted out... >> >> I am also waiting to hear from Christopher about this. > > The way I see it is that general purpose desktops are incredibly > complicated and are not designed with security in mind. I wonder if the > policy complexity needed to confine it all actually buys a proportional > amount of security gains. I'm not saying it shouldn't be done, but I am > skeptical that it is worth it. > It is expensive. I agree, but I would not go so far as to say that confining the desktop does not buy a proportional amount of security gains. It is telling though that you're not the only authority saying that using selinux to confine the desktop is not practical (Walsh shares your opinion). Anyhow DSSP fills a gap here. So if you value integrity on the desktop DSSP would be happy to take contributions :) -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 19:12 ` Dominick Grift @ 2016-08-29 8:20 ` Dominick Grift 2016-08-29 17:45 ` Naftuli Tzvi Kay 0 siblings, 1 reply; 73+ messages in thread From: Dominick Grift @ 2016-08-29 8:20 UTC (permalink / raw) To: refpolicy On 08/28/2016 09:12 PM, Dominick Grift wrote: > On 08/28/2016 08:40 PM, Chris PeBenito wrote: >> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: >>> Things are very far from working naturally as they are. >>> >>> On the other hand, the patches are surely far from being complete or >>> stable yet, but at least every version allows to start the Gnome desktop. >>> >>> Now I met this major problem, it looks by all means a limitation of >>> the existing framework, but I am sure that it will be sorted out... >>> >>> I am also waiting to hear from Christopher about this. >> >> The way I see it is that general purpose desktops are incredibly >> complicated and are not designed with security in mind. I wonder if the >> policy complexity needed to confine it all actually buys a proportional >> amount of security gains. I'm not saying it shouldn't be done, but I am >> skeptical that it is worth it. >> > > It is expensive. I agree, but I would not go so far as to say that > confining the desktop does not buy a proportional amount of security gains. > > It is telling though that you're not the only authority saying that > using selinux to confine the desktop is not practical (Walsh shares your > opinion). > > Anyhow DSSP fills a gap here. So if you value integrity on the desktop > DSSP would be happy to take contributions :) > SELinux is a flexible MAC, and it is designed to be a framework to address the widest range of access control challenges. It is THE tool for this job. We're talking access control; this is not just about containing flawed or malicious code. We use access control to govern who can do what as well.
I will be the first to agree that desktops aren't designed with security in mind. That is one of the reasons we need to contain it. Some of the code in there looks downright disturbing. My shell is "fragile", I will be the first to admit. But at least I have an excuse (dropped out of kindergarten), plus I know it's "fragile" and so I contain my own code. SELinux is not "practical" at all (until it is the only tool left capable enough to do the job). Desktop or not. Ask 10 random people, and I am willing to bet that at least 8 of them agree. Heck, security is not practical! Our identities, passwords and other authentication credentials are pretty much all we have on this network called Internet. We should do all we can to protect it. On a desktop, the desktop is generally the most vulnerable. Yes we need to contain the system side as well, but a desktop generally has much less of that compared to a server. -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-29 8:20 ` Dominick Grift @ 2016-08-29 17:45 ` Naftuli Tzvi Kay 0 siblings, 0 replies; 73+ messages in thread From: Naftuli Tzvi Kay @ 2016-08-29 17:45 UTC (permalink / raw) To: refpolicy @Dominick, absolutely. I was really upset (to put it lightly) to find out that Fedora 24 doesn't confine Google Chrome any more, which is completely unacceptable. I might become a contributor to DSSP for this reason. Thanks, - Naftuli Tzvi On Mon, Aug 29, 2016 at 1:20 AM, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote: > On 08/28/2016 09:12 PM, Dominick Grift wrote: >> On 08/28/2016 08:40 PM, Chris PeBenito wrote: >>> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: >>>> Things are very far from working naturally as they are. >>>> >>>> On the other hand, the patches are surely far from being complete or >>>> stable yet, but at least every version allows to start the Gnome desktop. >>>> >>>> Now I met this major problem, it looks by all means a limitation of >>>> the existing framework, but I am sure that it will be sorted out... >>>> >>>> I am also waiting to hear from Christopher about this. >>> >>> The way I see it is that general purpose desktops are incredibly >>> complicated and are not designed with security in mind. I wonder if the >>> policy complexity needed to confine it all actually buys a proportional >>> amount of security gains. I'm not saying it shouldn't be done, but I am >>> skeptical that it is worth it. >>> >> >> It is expensive. I agree, but i would not go so far as to say that >> confining the desktop does not buy a proportional amount of security gains. >> >> It is telling though that you're not the only authority saying that >> using selinux to confine the desktop is not practical (Walsh shares your >> opinion). >> >> Anyhow DSSP fills a gap here. 
So if you value integrity on the desktop >> DSSP would be happy to take contributions :) >> > > SELinux is a flexible MAC, and it is designed to be a framework to > address the widest range of access control challenges. It is THE tool > for this job. > > We're talking access control; this is not just about containing flawed or > malicious code. We use access control to govern who can do what as well. > > I will be the first to agree that desktops aren't designed with security > in mind. That is one of the reasons we need to contain it. Some of the > code in there looks downright disturbing. > > My shell is "fragile", I will be the first to admit. But at least I have > an excuse (dropped out of kindergarten), plus I know it's "fragile" and > so I contain my own code. > > SELinux is not "practical" at all (until it is the only tool left > capable enough to do the job). Desktop or not. Ask 10 random people, and > I am willing to bet that at least 8 of them agree. Heck, security is not > practical! > > Our identities, passwords and other authentication credentials are > pretty much all we have on this network called Internet. We should do > all we can to protect it. > > On a desktop, the desktop is generally the most vulnerable. > Yes we need to contain the system side as well, but a desktop generally > has much less of that compared to a server. > > > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy >
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-28 18:40 ` Chris PeBenito 2016-08-28 19:11 ` Guido Trentalancia 2016-08-28 19:12 ` Dominick Grift @ 2016-08-30 19:23 ` Guido Trentalancia 2016-08-30 21:37 ` Chris PeBenito 2 siblings, 1 reply; 73+ messages in thread From: Guido Trentalancia @ 2016-08-30 19:23 UTC (permalink / raw) To: refpolicy Hello Christopher. On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote: > On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: > > > > Things are very far from working naturally as they are. > > > > On the other hand, the patches are surely far from being complete > > or stable yet, but at least every version allows to start the Gnome > > desktop. > > > > Now I met this major problem, it looks by all means a limitation of > > the existing framework, but I am sure that it will be sorted out... > > > > I am also waiting to hear from Christopher about this. > > The way I see it is that general purpose desktops are incredibly > complicated and are not designed with security in mind. I wonder if > the > policy complexity needed to confine it all actually buys a > proportional > amount of security gains. I'm not saying it shouldn't be done, but I > am > skeptical that it is worth it. Apart from confining the whole desktop, what I recently proposed to Dominick for further evaluation is as follows: - we patch the libsepol code so that it creates all the conflicting type rules instead of aborting; - we also patch the policy enforcing code, so that when it needs to enforce one of such conflicting type rules, it first searches for duplicates and then it enforces the one that matches the calling context. Do you think the above is feasible (in particular, "matching the calling context") ? Best regards, Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-30 19:23 ` Guido Trentalancia @ 2016-08-30 21:37 ` Chris PeBenito 2016-08-30 21:46 ` Guido Trentalancia 0 siblings, 1 reply; 73+ messages in thread From: Chris PeBenito @ 2016-08-30 21:37 UTC (permalink / raw) To: refpolicy On 08/30/16 15:23, Guido Trentalancia wrote: > Hello Christopher. > > On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote: >> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: >>> >>> Things are very far from working naturally as they are. >>> >>> On the other hand, the patches are surely far from being complete >>> or stable yet, but at least every version allows to start the Gnome >>> desktop. >>> >>> Now I met this major problem, it looks by all means a limitation of >>> the existing framework, but I am sure that it will be sorted out... >>> >>> I am also waiting to hear from Christopher about this. >> >> The way I see it is that general purpose desktops are incredibly >> complicated and are not designed with security in mind. I wonder if >> the >> policy complexity needed to confine it all actually buys a >> proportional >> amount of security gains. I'm not saying it shouldn't be done, but I >> am >> skeptical that it is worth it. > > Apart from confining the whole desktop, what I recently proposed to > Dominick for further evaluation is as follows: > > - we patch the libsepol code so that it creates all the conflicting > type rules instead of aborting; > - we also patch the policy enforcing code, so that when it needs to > enforce one of such conflicting type rules, it first searches for > duplicates and then it enforces the one that matches the calling > context. > > Do you think the above is feasible (in particular, "matching the > calling context") ? I don't know what you mean by "matching the calling context." 
A conflicting type transition looks like this: type_transition source_type exec_type:process new_domain; type_transition source_type exec_type:process other_new_domain; I don't see how you can decide between the two if they both exist in the policy (unless they are in opposite if/else blocks, which is valid). -- Chris PeBenito
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts 2016-08-30 21:37 ` Chris PeBenito @ 2016-08-30 21:46 ` Guido Trentalancia 0 siblings, 0 replies; 73+ messages in thread From: Guido Trentalancia @ 2016-08-30 21:46 UTC (permalink / raw) To: refpolicy On Tue, 30/08/2016 at 17.37 -0400, Chris PeBenito wrote: > On 08/30/16 15:23, Guido Trentalancia wrote: > > > > Hello Christopher. > > > > On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote: > > > > > > On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote: > > > > > > > > > > > > Things are very far from working naturally as they are. > > > > > > > > On the other hand, the patches are surely far from being > > > > complete > > > > or stable yet, but at least every version allows to start the > > > > Gnome > > > > desktop. > > > > > > > > Now I met this major problem, it looks by all means a > > > > limitation of > > > > the existing framework, but I am sure that it will be sorted > > > > out... > > > > > > > > I am also waiting to hear from Christopher about this. > > > > > > The way I see it is that general purpose desktops are incredibly > > > complicated and are not designed with security in mind. I wonder > > > if > > > the > > > policy complexity needed to confine it all actually buys a > > > proportional > > > amount of security gains. I'm not saying it shouldn't be done, > > > but I > > > am > > > skeptical that it is worth it. > > > > Apart from confining the whole desktop, what I recently proposed to > > Dominick for further evaluation is as follows: > > > > - we patch the libsepol code so that it creates all the conflicting > > type rules instead of aborting; > > - we also patch the policy enforcing code, so that when it needs to > > enforce one of such conflicting type rules, it first searches for > > duplicates and then it enforces the one that matches the calling > > context. > > > > Do you think the above is feasible (in particular, "matching the > > calling context") ?
> > I don't know what you mean by "matching the calling context." A > conflicting type transition looks like this: > > type_transition source_type exec_type:process new_domain; > type_transition source_type exec_type:process other_new_domain; > > I don't see how you can decide between the two if they both exist in > the > policy (unless they are in opposite if/else blocks, which is valid). type_transition session_dbusd_t bin_t:process user_t; type_transition session_dbusd_t bin_t:process staff_t; type_transition session_dbusd_t bin_t:process sysadm_t; type_transition session_dbusd_t bin_t:process xguest_t; At the moment, they cannot coexist (conflicting type rules). Imagine that we insert all of them into the policy. The process that is running as session_dbusd_t (the source) is actually classified as user_u:user_r:session_dbusd_t (or equivalently for the other three possible cases). So, for the case at hand, we know that the first rule should be considered for such process: we enforce: type_transition session_dbusd_t bin_t:process user_t; Theoretically, we can select the correct rule for each calling process by looking at the full context of such process. Am I missing something ? Regards, Guido
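The conflict Chris illustrates with source_type/exec_type, and the four session_dbusd_t -> *_t rules Guido lists, can be reproduced without building a policy. The Python script below is an added example written for this page; it is not code from this thread, from refpolicy or from DSSP. The template bodies, and the callers at_spi_t and gnome_settings_t named in them, are hypothetical stand-ins for the dbus and gnome interfaces under discussion, written in their expanded type_transition form rather than through domtrans_pattern(). It instantiates a $1-prefixed template once per role prefix (user, staff, sysadm, xguest), which is the "quadruplication" described earlier in the thread, and reports every (source, target, class) key that ends up with more than one result. The same check also shows why a static session_dbusd_t only moves the problem: the bus transition stops conflicting, but the return transition from the bus back to the per-role login shell domain (the staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t chain Dominick describes) conflicts instead. The kernel looks a process transition up by source type, target type and object class only; the caller's SELinux user and role are not part of that key, which is why the compiler refuses to carry both rules.

```python
# Added example: not code from this thread, from refpolicy or from DSSP.
# It models the conflicting type_transition problem discussed above.  A
# per-role template is instantiated once for each of user, staff, sysadm
# and xguest.  A transition inside it whose SOURCE is not derived
# (at_spi_t, gnome_settings_t) but whose RESULT is derived ($1_dbusd_t)
# expands to four rules with one (source, target, class) key and four
# different results; libsepol rejects that as a conflicting type rule.
# Template bodies and the callers named in them are hypothetical.
import re
from collections import defaultdict

ROLE_PREFIXES = ("user", "staff", "sysadm", "xguest")

# Expanded form of domtrans_pattern($1, dbusd_exec_t, $1_dbusd_t) plus the
# same transition for two callers that are not derived types.  "$1" is the
# role prefix, as in a refpolicy template.
TEMPLATE_DERIVED = """
type_transition $1_t dbusd_exec_t:process $1_dbusd_t;
type_transition at_spi_t dbusd_exec_t:process $1_dbusd_t;
type_transition gnome_settings_t dbusd_exec_t:process $1_dbusd_t;
"""

# The alternative raised in the thread: a single static session_dbusd_t.
# The bus transition no longer conflicts, but the return trip from the bus
# to the per-role login shell domain now does.
TEMPLATE_STATIC = """
type_transition $1_t dbusd_exec_t:process session_dbusd_t;
type_transition at_spi_t dbusd_exec_t:process session_dbusd_t;
type_transition session_dbusd_t bin_t:process $1_t;
"""

RULE_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+)\s*;")


def parse_rules(text):
    """Return (source, target, class, result) for every type_transition rule."""
    return [m.groups() for m in RULE_RE.finditer(text)]


def expand_template(template, prefixes=ROLE_PREFIXES):
    """Instantiate the template once per role prefix, as m4 does in refpolicy."""
    rules = []
    for prefix in prefixes:
        rules.extend(parse_rules(template.replace("$1", prefix)))
    return rules


def find_conflicts(rules):
    """Map each (source, target, class) key to its distinct results, keeping
    only the keys that have more than one.

    The kernel looks a process transition up by source type, target type and
    object class alone; the caller's SELinux user and role are not part of the
    key.  Two rules that share the key but name different results therefore
    cannot both be honoured, which is what the compiler error reports.
    Identical duplicates (one result) are harmless and are not reported.
    """
    results = defaultdict(set)
    for src, tgt, cls, res in rules:
        results[(src, tgt, cls)].add(res)
    return {key: sorted(vals) for key, vals in results.items() if len(vals) > 1}


def conflicting_sources(template):
    """Sorted source types whose transitions conflict once the template is expanded."""
    conflicts = find_conflicts(expand_template(template))
    return sorted({src for (src, _tgt, _cls) in conflicts})


if __name__ == "__main__":
    for name, tmpl in (("derived $1_dbusd_t", TEMPLATE_DERIVED),
                       ("static session_dbusd_t", TEMPLATE_STATIC)):
        print(f"{name}:")
        for (src, tgt, cls), res in sorted(find_conflicts(expand_template(tmpl)).items()):
            print(f"  type_transition {src} {tgt}:{cls} -> {' | '.join(res)}")
```

Run directly, it prints the conflicting keys for both templates: at_spi_t and gnome_settings_t for the derived variant, session_dbusd_t on bin_t for the static one. To check a real policy the same way before building it, feed parse_rules() the m4-expanded policy source rather than the .te files, since the conflict only appears after the per-role expansion. The check deliberately does not model the one legitimate exception Chris mentions, rules placed in opposite branches of the same if/else boolean block.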
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-30 19:15 UTC
To: refpolicy

Hello Dominick.

On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
> > On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
> > > On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
> >
> > [...]
> >
> > > > > > > It's not so helpful unfortunately. My guess is that it is a
> > > > > > > conflicting type_transition. Unfortunately the compiler error
> > > > > > > message isn't helpful.
> > > > > >
> > > > > > I have just posted a patch on the SELinux mailing list to
> > > > > > produce a more meaningful error message for conflicting type
> > > > > > rules, see the following thread:
> > > > > >
> > > > > > [PATCH] libsepol: Produce more meaningful error messages for
> > > > > > conflicting type rules
> > > > > >
> > > > > > In this case, the conflicting type rule is:
> > > > > >
> > > > > > scontext=at_spi_t
> > > > > > tcontext=dbusd_exec_t
> > > > > > tclass=process
> > > > > > result=sysadm_dbusd_t
> > > > > >
> > > > > > which confirms the previous debugging results (it's the
> > > > > > type_transition rule).
> > > > > >
> > > > > > Another one is similar, with scontext=gnome_settings_t.
> > > > > >
> > > > > > What I suspect is that when it compiles, it quadruplicates the
> > > > > > type transition for each of user, staff, sysadm and xguest,
> > > > > > thus leading to conflicting rules.
> > > > > >
> > > > > > Therefore, the solution might be to use a common static name
> > > > > > for the domain (for example, "session_dbusd_t" instead of
> > > > > > "$1_dbusd_t").
> > > > >
> > > > > and that will introduce other issues. because the session bus
> > > > > must be able to run things on behalf of the caller
> > > >
> > > > Thanks for providing a forecast of other issues.
> > > >
> > > > So, what's the way out of this damn loop?
> > > >
> > > > I am almost getting lost...
> > >
> > > I don't know.
> >
> > We need to find a cure for this!!
>
> I have been pleading for this for years. In my case the solution to
> these problems is DSSP and CIL. I was never able to solve these issues
> with reference policy unfortunately.
>
> > What prevents it from running things on behalf of the caller? And
> > what do you mean exactly for running things on behalf of the caller?
>
> It's hard to explain. The best way to appreciate what I mean is to
> experience it yourself. It will become clear as you move towards a
> fully confined desktop.
>
> A lot of programs can be started by the session bus. Many of these
> programs started by the session bus on behalf of users run other
> programs and so forth and so forth. Some of these programs need to
> eventually be able to run a shell with a domain transition back to the
> login shell domain.
>
> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>
> To be able to do this we need to use derived types. You can't do it if
> there's a single session_dbus_t type.

I am hitting a similar situation at the moment with the modified gnome
and dbus modules...

user_t -> session_dbusd_t -> cannot execute bin_t or shell in the user_t domain

Perhaps, it is possible to change the existing code so that it adds the
conflicting type rules, but then when it actually needs to apply them,
it looks up for duplicates and it only applies the one which matches the
calling context.

It should be feasible...

What do you say?

We need to find a way out of this!

Best regards,

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-30 19:21 UTC
To: refpolicy

On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>
>>> [...]
>>>
>>>>>>>> It's not so helpful unfortunately. My guess is that it is a
>>>>>>>> conflicting type_transition. Unfortunately the compiler error
>>>>>>>> message isn't helpful.
>>>>>>>
>>>>>>> I have just posted a patch on the SELinux mailing list to produce a
>>>>>>> more meaningful error message for conflicting type rules, see the
>>>>>>> following thread:
>>>>>>>
>>>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>>>> conflicting type rules
>>>>>>>
>>>>>>> In this case, the conflicting type rule is:
>>>>>>>
>>>>>>> scontext=at_spi_t
>>>>>>> tcontext=dbusd_exec_t
>>>>>>> tclass=process
>>>>>>> result=sysadm_dbusd_t
>>>>>>>
>>>>>>> which confirms the previous debugging results (it's the
>>>>>>> type_transition rule).
>>>>>>>
>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>
>>>>>>> What I suspect is that when it compiles, it quadruplicates the type
>>>>>>> transition for each of user, staff, sysadm and xguest, thus leading
>>>>>>> to conflicting rules.
>>>>>>>
>>>>>>> Therefore, the solution might be to use a common static name for the
>>>>>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>>>>>
>>>>>> and that will introduce other issues. because the session bus must be
>>>>>> able to run things on behalf of the caller
>>>>>
>>>>> Thanks for providing a forecast of other issues.
>>>>>
>>>>> So, what's the way out of this damn loop?
>>>>>
>>>>> I am almost getting lost...
>>>>
>>>> I don't know.
>>>
>>> We need to find a cure for this!!
>>
>> I have been pleading for this for years. In my case the solution to
>> these problems is DSSP and CIL. I was never able to solve these issues
>> with reference policy unfortunately.
>>
>>> What prevents it from running things on behalf of the caller? And what
>>> do you mean exactly for running things on behalf of the caller?
>>
>> It's hard to explain. The best way to appreciate what I mean is to
>> experience it yourself. It will become clear as you move towards a fully
>> confined desktop.
>>
>> A lot of programs can be started by the session bus. Many of these
>> programs started by the session bus on behalf of users run other
>> programs and so forth and so forth. Some of these programs need to
>> eventually be able to run a shell with a domain transition back to the
>> login shell domain.
>>
>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>
>> To be able to do this we need to use derived types. You can't do it if
>> there's a single session_dbus_t type.
>
> I am hitting a similar situation at the moment with the modified gnome
> and dbus modules...
>
> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
> user_t domain
>
> Perhaps, it is possible to change the existing code so that it adds the
> conflicting type rules, but then when it actually needs to apply them,
> it looks up for duplicates and it only applies the one which matches
> the calling context.
>
> It should be feasible...
>
> What do you say?

I am saying what I said. This issue is very old and no one ever bothered
to fix it. It is not going to happen.

Module policy is legacy. A new superior language that does not have
these issues is available.

> We need to find a way out of this!

There is a way out but it's not module policy

> Best regards,
>
> Guido

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Chris PeBenito @ 2016-08-30 21:39 UTC
To: refpolicy

On 08/30/16 15:21, Dominick Grift via refpolicy wrote:
> On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
>> Hello Dominick.
>>
>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>
>>>> [...]
>>>>
>>>>>>>>> It's not so helpful unfortunately. My guess is that it is a
>>>>>>>>> conflicting type_transition. Unfortunately the compiler error
>>>>>>>>> message isn't helpful.
>>>>>>>>
>>>>>>>> I have just posted a patch on the SELinux mailing list to produce a
>>>>>>>> more meaningful error message for conflicting type rules, see the
>>>>>>>> following thread:
>>>>>>>>
>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>>>>> conflicting type rules
>>>>>>>>
>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>
>>>>>>>> scontext=at_spi_t
>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>> tclass=process
>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>
>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>> type_transition rule).
>>>>>>>>
>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>
>>>>>>>> What I suspect is that when it compiles, it quadruplicates the type
>>>>>>>> transition for each of user, staff, sysadm and xguest, thus leading
>>>>>>>> to conflicting rules.
>>>>>>>>
>>>>>>>> Therefore, the solution might be to use a common static name for the
>>>>>>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>>>>>>
>>>>>>> and that will introduce other issues. because the session bus must be
>>>>>>> able to run things on behalf of the caller
>>>>>>
>>>>>> Thanks for providing a forecast of other issues.
>>>>>>
>>>>>> So, what's the way out of this damn loop?
>>>>>>
>>>>>> I am almost getting lost...
>>>>>
>>>>> I don't know.
>>>>
>>>> We need to find a cure for this!!
>>>
>>> I have been pleading for this for years. In my case the solution to
>>> these problems is DSSP and CIL. I was never able to solve these issues
>>> with reference policy unfortunately.
>>>
>>>> What prevents it from running things on behalf of the caller? And what
>>>> do you mean exactly for running things on behalf of the caller?
>>>
>>> It's hard to explain. The best way to appreciate what I mean is to
>>> experience it yourself. It will become clear as you move towards a fully
>>> confined desktop.
>>>
>>> A lot of programs can be started by the session bus. Many of these
>>> programs started by the session bus on behalf of users run other
>>> programs and so forth and so forth. Some of these programs need to
>>> eventually be able to run a shell with a domain transition back to the
>>> login shell domain.
>>>
>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>
>>> To be able to do this we need to use derived types. You can't do it if
>>> there's a single session_dbus_t type.
>>
>> I am hitting a similar situation at the moment with the modified gnome
>> and dbus modules...
>>
>> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
>> user_t domain
>>
>> Perhaps, it is possible to change the existing code so that it adds the
>> conflicting type rules, but then when it actually needs to apply them,
>> it looks up for duplicates and it only applies the one which matches
>> the calling context.
>>
>> It should be feasible...
>>
>> What do you say?
>
> I am saying what I said. This issue is very old and no one ever bothered
> to fix it. It is not going to happen.
>
> Module policy is legacy. A new superior language that does not have
> these issues is available.
>
>> We need to find a way out of this!
>
> There is a way out but it's not module policy

Perhaps you can structure the policy better, but a conflicting type
transition is an error even if it is written in CIL.

--
Chris PeBenito
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-31 6:55 UTC
To: refpolicy

On 08/30/2016 11:39 PM, Chris PeBenito wrote:
> On 08/30/16 15:21, Dominick Grift via refpolicy wrote:
>> On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
>>> Hello Dominick.
>>>
>>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>>>>> It's not so helpful unfortunately. My guess is that it is a
>>>>>>>>>> conflicting type_transition. Unfortunately the compiler error
>>>>>>>>>> message isn't helpful.
>>>>>>>>>
>>>>>>>>> I have just posted a patch on the SELinux mailing list to produce a
>>>>>>>>> more meaningful error message for conflicting type rules, see the
>>>>>>>>> following thread:
>>>>>>>>>
>>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>>>>>> conflicting type rules
>>>>>>>>>
>>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>>
>>>>>>>>> scontext=at_spi_t
>>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>>> tclass=process
>>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>>
>>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>>> type_transition rule).
>>>>>>>>>
>>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>>
>>>>>>>>> What I suspect is that when it compiles, it quadruplicates the type
>>>>>>>>> transition for each of user, staff, sysadm and xguest, thus leading
>>>>>>>>> to conflicting rules.
>>>>>>>>>
>>>>>>>>> Therefore, the solution might be to use a common static name for the
>>>>>>>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>>>>>>>
>>>>>>>> and that will introduce other issues. because the session bus must be
>>>>>>>> able to run things on behalf of the caller
>>>>>>>
>>>>>>> Thanks for providing a forecast of other issues.
>>>>>>>
>>>>>>> So, what's the way out of this damn loop?
>>>>>>>
>>>>>>> I am almost getting lost...
>>>>>>
>>>>>> I don't know.
>>>>>
>>>>> We need to find a cure for this!!
>>>>
>>>> I have been pleading for this for years. In my case the solution to
>>>> these problems is DSSP and CIL. I was never able to solve these issues
>>>> with reference policy unfortunately.
>>>>
>>>>> What prevents it from running things on behalf of the caller? And what
>>>>> do you mean exactly for running things on behalf of the caller?
>>>>
>>>> It's hard to explain. The best way to appreciate what I mean is to
>>>> experience it yourself. It will become clear as you move towards a fully
>>>> confined desktop.
>>>>
>>>> A lot of programs can be started by the session bus. Many of these
>>>> programs started by the session bus on behalf of users run other
>>>> programs and so forth and so forth. Some of these programs need to
>>>> eventually be able to run a shell with a domain transition back to the
>>>> login shell domain.
>>>>
>>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>>
>>>> To be able to do this we need to use derived types. You can't do it if
>>>> there's a single session_dbus_t type.
>>>
>>> I am hitting a similar situation at the moment with the modified gnome
>>> and dbus modules...
>>>
>>> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
>>> user_t domain
>>>
>>> Perhaps, it is possible to change the existing code so that it adds the
>>> conflicting type rules, but then when it actually needs to apply them,
>>> it looks up for duplicates and it only applies the one which matches
>>> the calling context.
>>>
>>> It should be feasible...
>>>
>>> What do you say?
>>
>> I am saying what I said. This issue is very old and no one ever bothered
>> to fix it. It is not going to happen.
>>
>> Module policy is legacy. A new superior language that does not have
>> these issues is available.
>>
>>> We need to find a way out of this!
>>
>> There is a way out but it's not module policy
>
> Perhaps you can structure the policy better, but a conflicting type
> transition is an error even if it is written in CIL.

Sure. That is true. Maybe the ability to structure your policy better
makes a big difference, aside from having the luxury of more meaningful
compiler errors and warnings.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Dominick Grift @ 2016-08-31 7:31 UTC
To: refpolicy

On 08/31/2016 08:55 AM, Dominick Grift wrote:
> On 08/30/2016 11:39 PM, Chris PeBenito wrote:
>> On 08/30/16 15:21, Dominick Grift via refpolicy wrote:
>>> On 08/30/2016 09:15 PM, Guido Trentalancia wrote:
>>>> Hello Dominick.
>>>>
>>>> On Sat, 27/08/2016 at 22.57 +0200, Dominick Grift wrote:
>>>>> On 08/27/2016 10:41 PM, Guido Trentalancia wrote:
>>>>>> On Sat, 27/08/2016 at 19.17 +0200, Dominick Grift wrote:
>>>>>>> On 08/27/2016 07:16 PM, Guido Trentalancia wrote:
>>>>>>
>>>>>> [...]
>>>>>>
>>>>>>>>>>> It's not so helpful unfortunately. My guess is that it is a
>>>>>>>>>>> conflicting type_transition. Unfortunately the compiler error
>>>>>>>>>>> message isn't helpful.
>>>>>>>>>>
>>>>>>>>>> I have just posted a patch on the SELinux mailing list to produce a
>>>>>>>>>> more meaningful error message for conflicting type rules, see the
>>>>>>>>>> following thread:
>>>>>>>>>>
>>>>>>>>>> [PATCH] libsepol: Produce more meaningful error messages for
>>>>>>>>>> conflicting type rules
>>>>>>>>>>
>>>>>>>>>> In this case, the conflicting type rule is:
>>>>>>>>>>
>>>>>>>>>> scontext=at_spi_t
>>>>>>>>>> tcontext=dbusd_exec_t
>>>>>>>>>> tclass=process
>>>>>>>>>> result=sysadm_dbusd_t
>>>>>>>>>>
>>>>>>>>>> which confirms the previous debugging results (it's the
>>>>>>>>>> type_transition rule).
>>>>>>>>>>
>>>>>>>>>> Another one is similar, with scontext=gnome_settings_t.
>>>>>>>>>>
>>>>>>>>>> What I suspect is that when it compiles, it quadruplicates the type
>>>>>>>>>> transition for each of user, staff, sysadm and xguest, thus leading
>>>>>>>>>> to conflicting rules.
>>>>>>>>>>
>>>>>>>>>> Therefore, the solution might be to use a common static name for the
>>>>>>>>>> domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").
>>>>>>>>>
>>>>>>>>> and that will introduce other issues. because the session bus must be
>>>>>>>>> able to run things on behalf of the caller
>>>>>>>>
>>>>>>>> Thanks for providing a forecast of other issues.
>>>>>>>>
>>>>>>>> So, what's the way out of this damn loop?
>>>>>>>>
>>>>>>>> I am almost getting lost...
>>>>>>>
>>>>>>> I don't know.
>>>>>>
>>>>>> We need to find a cure for this!!
>>>>>
>>>>> I have been pleading for this for years. In my case the solution to
>>>>> these problems is DSSP and CIL. I was never able to solve these issues
>>>>> with reference policy unfortunately.
>>>>>
>>>>>> What prevents it from running things on behalf of the caller? And what
>>>>>> do you mean exactly for running things on behalf of the caller?
>>>>>
>>>>> It's hard to explain. The best way to appreciate what I mean is to
>>>>> experience it yourself. It will become clear as you move towards a fully
>>>>> confined desktop.
>>>>>
>>>>> A lot of programs can be started by the session bus. Many of these
>>>>> programs started by the session bus on behalf of users run other
>>>>> programs and so forth and so forth. Some of these programs need to
>>>>> eventually be able to run a shell with a domain transition back to the
>>>>> login shell domain.
>>>>>
>>>>> staff_t -> staff_dbus_t -> staff_myapp_t -> staff_t
>>>>>
>>>>> To be able to do this we need to use derived types. You can't do it if
>>>>> there's a single session_dbus_t type.
>>>>
>>>> I am hitting a similar situation at the moment with the modified gnome
>>>> and dbus modules...
>>>>
>>>> user_t -> session_dbusd_t -> cannot execute bin_t or shell in the
>>>> user_t domain
>>>>
>>>> Perhaps, it is possible to change the existing code so that it adds the
>>>> conflicting type rules, but then when it actually needs to apply them,
>>>> it looks up for duplicates and it only applies the one which matches
>>>> the calling context.
>>>>
>>>> It should be feasible...
>>>>
>>>> What do you say?
>>>
>>> I am saying what I said. This issue is very old and no one ever bothered
>>> to fix it. It is not going to happen.
>>>
>>> Module policy is legacy. A new superior language that does not have
>>> these issues is available.
>>>
>>>> We need to find a way out of this!
>>>
>>> There is a way out but it's not module policy
>>
>> Perhaps you can structure the policy better, but a conflicting type
>> transition is an error even if it is written in CIL.
>
> Sure. That is true. Maybe the ability to structure your policy better
> makes a big difference, aside from having the luxury of more meaningful
> compiler errors and warnings.

Not suggesting secilc is perfect. It is not. SECILC should identify and
warn about any blockabstracts it finds in optional policy. Currently it
allows them without any notification that it is not allowed and/or that
it causes inconsistent behavior. This is bound to cause confusion. Even
though these are documented "rules", the compiler should still catch it
and prevent it from happening.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-08-23 16:06 UTC
To: refpolicy

On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> On 08/22/16 15:39, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - target the dconf daemon, the gsettings user application, the
> >   gnome-settings-daemon and the at-spi daemon with all the
> >   needed domain transitions;
> > - a new gstreamer_orcexec_t type and file context is introduced
> >   to support the OIL Runtime Compiler (ORC) optimized code
> >   execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> >   keyring domains;
> > - add support for chat over dbus in the gconfd domain and in the
> >   new domains (dconf, gsettings, etc);
> > - add support for a few needed fs and kernel permissions.
> > - add support for reading the colord related files in the home
> >   directories (such as the ICC EDID profiles): requires the
> >   recent colord patch;
> > - add support for reading the colord related files in the home
> >   directories in the common user domain template;
> > - add support for a new mime_info_t type to be used in the home
> >   directories;
> > - includes minor modifications to the consolekit, dbus and
> >   policykit modules to support the new targeted gnome daemons
> >   and applications;
> > - modifies the pulseaudio module to introduce new interfaces to
> >   read and write pulseaudio tmpfs files and to use the pulseaudio
> >   file descriptor;
> > - provides better module encapsulation (i.e. dbus module).
> >
> > The support for Gnome2/ORBit-2 (version 2) has been dropped.
> >
> > This patch depends on the recent colord patch.
> >
> > Recent changes to the pulseaudio module depend on this patch!

[...]

> > +	type dconf_t, dconf_exec_t, dconf_home_t;
> > +	type at_spi_t, at_spi_exec_t;
> >  	type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> >  	type gconf_home_t;
> > +	type gnome_settings_t, gnome_settings_exec_t;
> > +	type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
> > +	type gnome_settings_schemas_t;
> > +	type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > +	type mime_info_t;
> > +	type user_dbusd_t;
>
> This dbus type cannot be referenced directly in this module.

It's not a dbus type, although it might resemble that from its naming...

It's just a convenience private type used to create a domain for running
non-system dbus sessions.

> >  	optional_policy(`
> > +		dbus_connect_spec_session_bus(user, dconf_t)
> > +		dbus_connect_spec_session_bus(user, at_spi_t)
> > +		dbus_connect_spec_session_bus(user, gnome_settings_daemon_t)
>
> Prefixes can't be hardcoded like this.

It's related to the above private type. It is used somewhat similarly to
a variable in a program. It's not related to "user" as in the arguments
"(user, user_r, user_t)".

As already explained, it would fail to compile with a "conflicting type
rule" error if I use the $1 argument.

> > +		dbus_connect_system_bus(gnome_settings_daemon_t)
> > +		dbus_domain_transition(at_spi_t, user_dbusd_t)
> > +		dbus_domain_transition(gnome_settings_t, user_dbusd_t)
> > +		dbus_send_spec_session_bus(user, dconf_t)
> > +		dbus_send_spec_session_bus(user, at_spi_t)
> > +		dbus_send_spec_session_bus(user, gnome_settings_daemon_t)
> >  		dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)

Regards,

Guido
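Review bot: the quoted hunk mixes a hardcoded `user` prefix with the template argument: `dbus_connect_spec_session_bus(user, dconf_t)`, the matching `dbus_send_spec_session_bus(user, ...)` calls and `type user_dbusd_t;` in the require block are tied to the user_r session bus, while the unchanged context line `dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)` still derives everything from `$1`. When the template is instantiated for staff, sysadm or xguest, the dconf, at-spi and gnome-settings domains will be attached to the user bus instead of the caller's own, and the gnome module takes a direct dependency on a type that is declared in the dbus module. If one shared session-bus domain is really what is wanted, the dbus module should declare it and expose it through an interface in dbus.if that the gnome module calls without a prefix argument, so the coupling lives where the type is defined; the hardcoded `user` in a `$1`-parameterised template is otherwise a silent mismatch for three of the four roles.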
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Jason Zaman @ 2016-09-01 4:20 UTC
To: refpolicy

On Mon, Aug 22, 2016 at 09:39:58PM +0200, Guido Trentalancia wrote:
> Update for the gnome module:
>
> - target the dconf daemon, the gsettings user application, the
>   gnome-settings-daemon and the at-spi daemon with all the
>   needed domain transitions;
> - a new gstreamer_orcexec_t type and file context is introduced
>   to support the OIL Runtime Compiler (ORC) optimized code
>   execution (used for example by pulseaudio);
> - add support for more permissions needed in gconfd_t and gnome
>   keyring domains;
> - add support for chat over dbus in the gconfd domain and in the
>   new domains (dconf, gsettings, etc);
> - add support for a few needed fs and kernel permissions.
> - add support for reading the colord related files in the home
>   directories (such as the ICC EDID profiles): requires the
>   recent colord patch;
> - add support for reading the colord related files in the home
>   directories in the common user domain template;
> - add support for a new mime_info_t type to be used in the home
>   directories;
> - includes minor modifications to the consolekit, dbus and
>   policykit modules to support the new targeted gnome daemons
>   and applications;
> - modifies the pulseaudio module to introduce new interfaces to
>   read and write pulseaudio tmpfs files and to use the pulseaudio
>   file descriptor;
> - provides better module encapsulation (i.e. dbus module).
>
> The support for Gnome2/ORBit-2 (version 2) has been dropped.
>
> This patch depends on the recent colord patch.
>
> Recent changes to the pulseaudio module depend on this patch!

Hey,

I've been fairly busy lately so didn't closely follow this thread and
it's too long now for me to understand what exactly the problems are.

If I followed correctly, it seems like the biggest problem currently is
transitioning to/from dbus? Can you show the "ps auxfZ | grep dbus"
lines?

How exactly are you running into problems? Can you post a very minimal
command that triggers the problems? Is there some hello world I can put
in /usr/share/dbus-1/services and a command to trigger the issue?

A lot of these other problems in this patch seem to be issues with dbus
so let's fix that first then the other ones will be easier.

--
Jason
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-01 9:33 UTC
To: refpolicy

Hello Jason.

On Thu, 01/09/2016 at 12.20 +0800, Jason Zaman wrote:
> On Mon, Aug 22, 2016 at 09:39:58PM +0200, Guido Trentalancia wrote:
> > Update for the gnome module:

[...]

> Hey,
>
> I've been fairly busy lately so didn't closely follow this thread and
> it's too long now for me to understand what exactly the problems are.

I'll point you to a few right messages to read in this thread to
understand the problem clearly...

Please read the following messages in order:

http://oss.tresys.com/pipermail/refpolicy/2016-August/008360.html
(non-quoted message text only)

http://oss.tresys.com/pipermail/refpolicy/2016-August/008369.html
(non-quoted message text only)

What Dominick added here is partly true, although I have had some
success with re-writing the policy for the whole desktop (or most of
it):

http://oss.tresys.com/pipermail/refpolicy/2016-August/008370.html

http://oss.tresys.com/pipermail/refpolicy/2016-August/008374.html

http://oss.tresys.com/pipermail/refpolicy/2016-August/008382.html

http://oss.tresys.com/pipermail/refpolicy/2016-August/008385.html

http://oss.tresys.com/pipermail/refpolicy/2016-August/008384.html

The following messages are about a possible way to solve the problem
without changing the actual policy (which can be tricky):

http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html

http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html

http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html

So, you have an excellent excerpt now...

> If I followed correctly, it seems like the biggest problem currently is
> transitioning to/from dbus? Can you show the "ps auxfZ | grep dbus"
> lines?

The problem is transitioning from a user domain (user, staff, sysadm or
xguest) to other domains such as dbus (or gkeyring) and then back to the
initial user domain.

At the moment the policy uses variable types built using the user
argument ($1) passed to the gnome/dbus role() interface.

Such approach has big limitations and the current framework is poorly
designed with respect to the ability to perform the above mentioned
transition.

> How exactly are you running into problems? Can you post a very minimal
> command that triggers the problems? Is there some hello world I can put
> in /usr/share/dbus-1/services and a command to trigger the issue?

It's more complex than just starting a command. There are problems in
the underlying framework when the modified policy is loaded (conflicting
type rules, i.e. conflicting type transitions).

One way to solve the problem is by changing the policy. I have had some
success so far, however it's tricky, expensive and it's not the optimal
solution.

A possible optimal solution is proposed in the last two or three
messages that I posted (see the last two or three messages quoted
above).

> A lot of these other problems in this patch seem to be issues with dbus
> so let's fix that first then the other ones will be easier.

If you want to help implementing a patch, we need to identify the code
where such policy is actually enforced, so that there we can track the
calling user domain to choose the right type transition.

Regards,

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Jason Zaman @ 2016-09-01 11:53 UTC
To: refpolicy

On Thu, Sep 01, 2016 at 11:33:00AM +0200, Guido Trentalancia wrote:
> Hello Jason.
>
> On Thu, 01/09/2016 at 12.20 +0800, Jason Zaman wrote:
> > On Mon, Aug 22, 2016 at 09:39:58PM +0200, Guido Trentalancia wrote:
> > > Update for the gnome module:
>
> [...]
>
> > Hey,
> >
> > I've been fairly busy lately so didn't closely follow this thread and it's too long now for me to understand what exactly the problems are.
>
> I'll point you to a few right messages to read in this thread to understand the problem clearly...
>
> Please read the following messages in order:
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008360.html (non-quoted message text only)
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008369.html (non-quoted message text only)
>
> What Dominick added here is partly true, although at the I have had some success with re-writing the policy for the whole desktop (or most of it):
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008370.html
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008374.html
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008382.html
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008385.html
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008384.html
>
> The following messages are about a possible way to solve the problem without changing the actual policy (which can be tricky):
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
>
> So, you have an excellent excerpt now...

This helped a lot but I am still unclear what the original problem is.

> > If I followed correctly, it seems like the biggest problem currently is transitioning to/from dbus? Can you show the "ps auxfZ | grep dbus" lines?
>
> The problem is transitioning from a user domain (user, staff, sysadm or xguest) to other domains such as dbus (or gkeyring) and then back to the initial user domain.
>
> At the moment the policy uses variable types built using the user argument ($1) passed to the gnome/dbus role() interface.
>
> Such an approach has big limitations and the current framework is poorly designed with respect to the ability to perform the above mentioned transition.

As you realized, this kind of thing is not allowed:
    type_transition session_dbusd_t bin_t:process user_t;
    type_transition session_dbusd_t bin_t:process staff_t;
    type_transition session_dbusd_t bin_t:process sysadm_t;
    type_transition session_dbusd_t bin_t:process xguest_t;

There are typically two ways to fix it, the easiest is prefixed types so that the transitions become:
    type_transition user_dbusd_t bin_t:process user_t;
    type_transition staff_dbusd_t bin_t:process staff_t;

dbus is currently setup like this along with most other kinds of programs that need their own domain but then need to transition back to the user's shell (eg staff_sudo_t, and a few login type things are what first come to mind).

The other way is to have the program be selinux aware. Ie link with libselinux and query the policy for what should be used. For example, when running a user's cronjob, cron will look in /etc/selinux/mcs/contexts/default_contexts for the line and query all the role/type combos until it finds one that is allowed by the policy for that user. For these kinds of things the program basically does setexeccon() before the exec to manually set it so do not require the type_transition rules at all.

DBus is also SELinux aware and it looks like logic for something like this might already exist. On my system I have: /etc/selinux/mcs/contexts/dbus_contexts but it's empty so not sure what should be in it.

There are many ways to fix a problem like this depending on a lot of things.

> > How exactly are you running into problems? Can you post a very minimal command that triggers the problems? Is there some hello world I can put in /usr/share/dbus-1/services and a command to trigger the issue?
>
> It's more complex than just starting a command. There are problems in the underlying framework when the modified policy is loaded (conflicting type rules, i.e. conflicting type transitions).
>
> One way to solve the problem is by changing the policy. I have had some success so far, however it's tricky, expensive and it's not the optimal solution.
>
> A possible optimal solution is proposed in the last two or three messages that I posted (see the last two or three messages quoted above).

I still do not understand exactly what problem you are trying to solve tho. What is running and what is it trying to do? Can you show some error messages?

Are these lines the ones that are giving issues? Why do you need the lines at all?
    dbus_domain_transition(at_spi_t, user_dbusd_t)
    dbus_domain_transition(gnome_settings_t, user_dbusd_t)

Wouldn't they just need dbus send_msg? Why does it need to exec the dbus daemon? It should already be running, they don't need to start it or anything. Can you show some error messages?

> > A lot of these other problems in this patch seem to be issues with dbus so let's fix that first then the other ones will be easier.
>
> If you want to help implementing a patch, we need to identify the code where such policy is actually enforced, so that there we can track the calling user domain to choose the right type transition.

We need to take a step back, there are too many issues mixed together with this patch. Fixing the policy to allow conflicting types sounds like the wrong solution to whatever the problem is.

-- Jason

> Regards,
>
> Guido
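The two fixes Jason describes in the message above, worked through as an added example (this is illustrative code written for this page, not code from the thread, from refpolicy or from libselinux). The first part is a small parser for type_transition statements that flags the case the policy loader rejects, a (source, target, class) key naming more than one default type, and shows that the per-user prefixed rewrite removes it. The second part models the lookup an SELinux-aware program would do before setexeccon(): walk the candidate role/type pairs for the caller and keep the first one the caller's SELinux user may hold. The DEFAULT_CONTEXTS and USER_ROLES tables, the sysadm/xguest prefixed rules and the function names are constructed for the example; a real program would ask libselinux and the loaded policy instead.

```python
import re
from collections import defaultdict

# Grammar of the statements quoted in the mail:
#   type_transition <source_type> <target_type>:<class> <default_type>;
RULE_RE = re.compile(r"^\s*type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;\s*$")


def parse_rules(text):
    """Parse type_transition statements into (source, target, class, default)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        rules.append(m.groups())
    return rules


def find_conflicts(rules):
    """A (source, target, class) key may name only one default type.  Rules
    sharing a key but naming different defaults are what the policy loader
    rejects as conflicting type rules.  Returns {key: [defaults]} for each."""
    by_key = defaultdict(set)
    for src, tgt, cls, dflt in rules:
        by_key[(src, tgt, cls)].add(dflt)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


# Constructed input: the unprefixed rules exactly as quoted in the mail.
UNPREFIXED = """
type_transition session_dbusd_t bin_t:process user_t;
type_transition session_dbusd_t bin_t:process staff_t;
type_transition session_dbusd_t bin_t:process sysadm_t;
type_transition session_dbusd_t bin_t:process xguest_t;
"""

# Constructed input: the same intent with per-user prefixed source types
# (the mail shows the user/staff pair; sysadm/xguest are added by analogy).
PREFIXED = """
type_transition user_dbusd_t bin_t:process user_t;
type_transition staff_dbusd_t bin_t:process staff_t;
type_transition sysadm_dbusd_t bin_t:process sysadm_t;
type_transition xguest_dbusd_t bin_t:process xguest_t;
"""

# Second approach: an SELinux-aware program picks the context itself.
# Constructed table in the shape of default_contexts: the caller's "role:type"
# maps to an ordered list of candidate "role:type" pairs to try.
DEFAULT_CONTEXTS = {
    "staff_r:session_dbusd_t": ["staff_r:staff_t", "user_r:user_t"],
    "user_r:session_dbusd_t": ["user_r:user_t"],
}
# Constructed stand-in for what the loaded policy allows: the roles each
# SELinux user may hold.  A real program would query libselinux instead.
USER_ROLES = {"staff_u": {"staff_r", "sysadm_r"}, "user_u": {"user_r"}}


def choose_exec_context(caller_context):
    """Mimic the lookup the mail describes for cron: try the candidates for
    the caller's role:type in order and return the first one the caller's
    SELinux user may hold, as a full context a program would hand to
    setexeccon().  Returns None when no candidate is permitted."""
    user, role, typ, level = caller_context.split(":", 3)
    for candidate in DEFAULT_CONTEXTS.get("%s:%s" % (role, typ), []):
        cand_role, cand_type = candidate.split(":")
        if cand_role in USER_ROLES.get(user, set()):
            return "%s:%s:%s:%s" % (user, cand_role, cand_type, level)
    return None


if __name__ == "__main__":
    print("unprefixed conflicts:", find_conflicts(parse_rules(UNPREFIXED)))
    print("prefixed conflicts:  ", find_conflicts(parse_rules(PREFIXED)))
    for ctx in ("staff_u:staff_r:session_dbusd_t:s0",
                "user_u:staff_r:session_dbusd_t:s0"):
        print(ctx, "->", choose_exec_context(ctx))
```

The conflict check is the same invariant the loader enforces: it keys rules on the triple that the kernel uses to look up a transition, so the prefixed set passes only because each source type differs. The context chooser shows why a runtime decision can distinguish users where a single type_transition cannot: it has the caller's SELinux user and role available as inputs.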
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-01 12:28 UTC
To: refpolicy

Hello Jason,

thanks for getting back on this.

On Thu, 01/09/2016 at 19.53 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 11:33:00AM +0200, Guido Trentalancia wrote:

[...]

> > The following messages are about a possible way to solve the problem without changing the actual policy (which can be tricky):
> >
> > http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
> > http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
> > http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
> >
> > So, you have an excellent excerpt now...
>
> This helped a lot but I am still unclear what the original problem is.

The original problem is that the patch that I posted to update the gnome policy and the gnome file contexts leads to the conflicting type rules issues.

It's a limitation of the current situation.

What the patch does (its description) has been posted here:

http://oss.tresys.com/pipermail/refpolicy/2016-August/008324.html

Try by yourself, by applying such patch, then modifying as indicated by Christopher (moving dbus related statements from the gnome role template to the dbus module) and finally using the prefixed types (at the moment it uses user_dbusd_t, which won't work for all users).

It shouldn't take very long to apply the patch and modify it... At least you can touch the problem with your own hands.

> > > If I followed correctly, it seems like the biggest problem currently is transitioning to/from dbus? Can you show the "ps auxfZ | grep dbus" lines?
> >
> > The problem is transitioning from a user domain (user, staff, sysadm or xguest) to other domains such as dbus (or gkeyring) and then back to the initial user domain.
> >
> > At the moment the policy uses variable types built using the user argument ($1) passed to the gnome/dbus role() interface.
> >
> > Such an approach has big limitations and the current framework is poorly designed with respect to the ability to perform the above mentioned transition.
>
> As you realized, this kind of thing is not allowed:
>     type_transition session_dbusd_t bin_t:process user_t;
>     type_transition session_dbusd_t bin_t:process staff_t;
>     type_transition session_dbusd_t bin_t:process sysadm_t;
>     type_transition session_dbusd_t bin_t:process xguest_t;
>
> There are typically two ways to fix it, the easiest is prefixed types so that the transitions become:
>     type_transition user_dbusd_t bin_t:process user_t;
>     type_transition staff_dbusd_t bin_t:process staff_t;

That is what doesn't work: the prefixed types. They lead to conflicting type rules.

> dbus is currently setup like this along with most other kinds of programs that need their own domain but then need to transition back to the user's shell (eg staff_sudo_t, and a few login type things are what first come to mind).
>
> The other way is to have the program be selinux aware. Ie link with libselinux and query the policy for what should be used. For example, when running a user's cronjob, cron will look in /etc/selinux/mcs/contexts/default_contexts for the line and query all the role/type combos until it finds one that is allowed by the policy for that user. For these kinds of things the program basically does setexeccon() before the exec to manually set it so do not require the type_transition rules at all.

I don't think this is the right approach for the problem at hand.

> DBus is also SELinux aware and it looks like logic for something like this might already exist. On my system I have: /etc/selinux/mcs/contexts/dbus_contexts but it's empty so not sure what should be in it.

It's probably reserved for dbus file contexts.

> There are many ways to fix a problem like this depending on a lot of things.
>
> > > How exactly are you running into problems? Can you post a very minimal command that triggers the problems? Is there some hello world I can put in /usr/share/dbus-1/services and a command to trigger the issue?
> >
> > It's more complex than just starting a command. There are problems in the underlying framework when the modified policy is loaded (conflicting type rules, i.e. conflicting type transitions).
> >
> > One way to solve the problem is by changing the policy. I have had some success so far, however it's tricky, expensive and it's not the optimal solution.
> >
> > A possible optimal solution is proposed in the last two or three messages that I posted (see the last two or three messages quoted above).
>
> I still do not understand exactly what problem you are trying to solve tho. What is running and what is it trying to do? Can you show some error messages?
>
> Are these lines the ones that are giving issues? Why do you need the lines at all?
>     dbus_domain_transition(at_spi_t, user_dbusd_t)
>     dbus_domain_transition(gnome_settings_t, user_dbusd_t)

At the moment the gnome desktop is not confined. It runs in the user domain.

One of the things that the patch does is to start confining the gnome desktop.

If you start doing so, you'll end up with needing transitions that apparently cannot be supported by the current framework.

If you want to reproduce the problem, you need to start confining the gnome desktop: dconf, at-spi, gsettings, gnome-settings-daemon and so on. A way to start doing so is to try the patch (v4) that I posted and modify it as indicated by Christopher in the review.

> Wouldn't they just need dbus send_msg? Why does it need to exec the dbus daemon? It should already be running, they don't need to start it or anything. Can you show some error messages?

The system dbus daemon is running, not the session one.

> > > A lot of these other problems in this patch seem to be issues with dbus so let's fix that first then the other ones will be easier.

All I can say, is that the prefixed types don't work when you start confining the gnome desktop.

Try by yourself, it takes 5 minutes to apply the patch and modify it to use the prefixed types instead of "user_dbusd_t".

> > If you want to help implementing a patch, we need to identify the code where such policy is actually enforced, so that there we can track the calling user domain to choose the right type transition.
>
> We need to take a step back, there are too many issues mixed together with this patch. Fixing the policy to allow conflicting types sounds like the wrong solution to whatever the problem is.

At the moment, I still believe that is the optimal solution: allowing conflicts in the policy and resolving them at runtime by exploiting the knowledge of the user and role parts of the context.

Regards,

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Jason Zaman @ 2016-09-01 14:06 UTC
To: refpolicy

On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> Hello Jason,
>
> thanks for getting back on this.
>
> On Thu, 01/09/2016 at 19.53 +0800, Jason Zaman wrote:
> > On Thu, Sep 01, 2016 at 11:33:00AM +0200, Guido Trentalancia wrote:
>
> [...]
>
> > > The following messages are about a possible way to solve the problem without changing the actual policy (which can be tricky):
> > >
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008397.html
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008398.html
> > > http://oss.tresys.com/pipermail/refpolicy/2016-August/008400.html
> > >
> > > So, you have an excellent excerpt now...
> >
> > This helped a lot but I am still unclear what the original problem is.
>
> The original problem is that the patch that I posted to update the gnome policy and the gnome file contexts leads to the conflicting type rules issues.
>
> It's a limitation of the current situation.
>
> What the patch does (its description) has been posted here:
>
> http://oss.tresys.com/pipermail/refpolicy/2016-August/008324.html
>
> Try by yourself, by applying such patch, then modifying as indicated by Christopher (moving dbus related statements from the gnome role template to the dbus module) and finally using the prefixed types (at the moment it uses user_dbusd_t, which won't work for all users).
>
> It shouldn't take very long to apply the patch and modify it... At least you can touch the problem with your own hands.
>
> > > > If I followed correctly, it seems like the biggest problem currently is transitioning to/from dbus? Can you show the "ps auxfZ | grep dbus" lines?
> > >
> > > The problem is transitioning from a user domain (user, staff, sysadm or xguest) to other domains such as dbus (or gkeyring) and then back to the initial user domain.
> > >
> > > At the moment the policy uses variable types built using the user argument ($1) passed to the gnome/dbus role() interface.
> > >
> > > Such an approach has big limitations and the current framework is poorly designed with respect to the ability to perform the above mentioned transition.
> >
> > As you realized, this kind of thing is not allowed:
> >     type_transition session_dbusd_t bin_t:process user_t;
> >     type_transition session_dbusd_t bin_t:process staff_t;
> >     type_transition session_dbusd_t bin_t:process sysadm_t;
> >     type_transition session_dbusd_t bin_t:process xguest_t;
> >
> > There are typically two ways to fix it, the easiest is prefixed types so that the transitions become:
> >     type_transition user_dbusd_t bin_t:process user_t;
> >     type_transition staff_dbusd_t bin_t:process staff_t;
>
> That is what doesn't work: the prefixed types. They lead to conflicting type rules.
>
> > dbus is currently setup like this along with most other kinds of programs that need their own domain but then need to transition back to the user's shell (eg staff_sudo_t, and a few login type things are what first come to mind).
> >
> > The other way is to have the program be selinux aware. Ie link with libselinux and query the policy for what should be used. For example, when running a user's cronjob, cron will look in /etc/selinux/mcs/contexts/default_contexts for the line and query all the role/type combos until it finds one that is allowed by the policy for that user. For these kinds of things the program basically does setexeccon() before the exec to manually set it so do not require the type_transition rules at all.
>
> I don't think this is the right approach for the problem at hand.
>
> > DBus is also SELinux aware and it looks like logic for something like this might already exist. On my system I have: /etc/selinux/mcs/contexts/dbus_contexts but it's empty so not sure what should be in it.
>
> It's probably reserved for dbus file contexts.
>
> > There are many ways to fix a problem like this depending on a lot of things.
> >
> > > > How exactly are you running into problems? Can you post a very minimal command that triggers the problems? Is there some hello world I can put in /usr/share/dbus-1/services and a command to trigger the issue?
> > >
> > > It's more complex than just starting a command. There are problems in the underlying framework when the modified policy is loaded (conflicting type rules, i.e. conflicting type transitions).
> > >
> > > One way to solve the problem is by changing the policy. I have had some success so far, however it's tricky, expensive and it's not the optimal solution.
> > >
> > > A possible optimal solution is proposed in the last two or three messages that I posted (see the last two or three messages quoted above).
> >
> > I still do not understand exactly what problem you are trying to solve tho. What is running and what is it trying to do? Can you show some error messages?
> >
> > Are these lines the ones that are giving issues? Why do you need the lines at all?
> >     dbus_domain_transition(at_spi_t, user_dbusd_t)
> >     dbus_domain_transition(gnome_settings_t, user_dbusd_t)
>
> At the moment the gnome desktop is not confined. It runs in the user domain.
>
> One of the things that the patch does is to start confining the gnome desktop.
>
> If you start doing so, you'll end up with needing transitions that apparently cannot be supported by the current framework.
>
> If you want to reproduce the problem, you need to start confining the gnome desktop: dconf, at-spi, gsettings, gnome-settings-daemon and so on. A way to start doing so is to try the patch (v4) that I posted and modify it as indicated by Christopher in the review.
>
> > Wouldn't they just need dbus send_msg? Why does it need to exec the dbus daemon? It should already be running, they don't need to start it or anything. Can you show some error messages?
>
> The system dbus daemon is running, not the session one.

The session dbus is supposed to be started when you login first thing. at-spi shouldn't be trying to start it.

> > > > A lot of these other problems in this patch seem to be issues with dbus so let's fix that first then the other ones will be easier.
>
> All I can say, is that the prefixed types don't work when you start confining the gnome desktop.

You still haven't explained exactly what is trying to run what? What are the starting domains? What is the program? What is it trying to run? What are the domains (before and after the patch) of the things it tries to run? What are the error messages?

> Try by yourself, it takes 5 minutes to apply the patch and modify it to use the prefixed types instead of "user_dbusd_t".

Yeah, I know the rules don't work, I can see that without even building. My question is why do you need the rules? You keep saying you need these rules but what *exactly* do they fix? Once we know that we can suggest other solutions.

Using user_dbusd_t is useless. Your patch would fix it for user_t, but staff_t and any others would be still broken.

> > > If you want to help implementing a patch, we need to identify the code where such policy is actually enforced, so that there we can track the calling user domain to choose the right type transition.
> >
> > We need to take a step back, there are too many issues mixed together with this patch. Fixing the policy to allow conflicting types sounds like the wrong solution to whatever the problem is.
>
> At the moment, I still believe that is the optimal solution: allowing conflicts in the policy and resolving them at runtime by exploiting the knowledge of the user and role parts of the context.
>
> Regards,
>
> Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-01 14:40 UTC
To: refpolicy

On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:

[...]

> > At the moment the gnome desktop is not confined. It runs in the user domain.
> >
> > One of the things that the patch does is to start confining the gnome desktop.
> >
> > If you start doing so, you'll end up with needing transitions that apparently cannot be supported by the current framework.
> >
> > If you want to reproduce the problem, you need to start confining the gnome desktop: dconf, at-spi, gsettings, gnome-settings-daemon and so on. A way to start doing so is to try the patch (v4) that I posted and modify it as indicated by Christopher in the review.
> >
> > > Wouldn't they just need dbus send_msg? Why does it need to exec the dbus daemon? It should already be running, they don't need to start it or anything. Can you show some error messages?
> >
> > The system dbus daemon is running, not the session one.
>
> The session dbus is supposed to be started when you login first thing.

Yes, exactly.

> at-spi shouldn't be trying to start it.

Who said that? At-spi starts with Gnome from the xdg autostart directory by default.

> > > > > A lot of these other problems in this patch seem to be issues with dbus so let's fix that first then the other ones will be easier.
> >
> > All I can say, is that the prefixed types don't work when you start confining the gnome desktop.
>
> You still haven't explained exactly what is trying to run what? What are the starting domains? What is the program? What is it trying to run? What are the domains (before and after the patch) of the things it tries to run? What are the error messages?
>
> > Try by yourself, it takes 5 minutes to apply the patch and modify it to use the prefixed types instead of "user_dbusd_t".
>
> Yeah, I know the rules don't work, I can see that without even building. My question is why do you need the rules? You keep saying you need these rules but what *exactly* do they fix? Once we know that we can suggest other solutions.

The new rules solve some problems in the current policy that don't let Gnome start and also they confine other pieces of Gnome that are not currently confined (dconf, at-spi, gsd and so on).

Other things that are tackled by the patch are listed at the top of it (description of the patch).

It is several things all together.

> Using user_dbusd_t is useless. Your patch would fix it for user_t, but staff_t and any others would be still broken.

Yes, I know. It was so because the prefixed types don't work properly.

I think we are starting to loop around the same arguments...

> > > > If you want to help implementing a patch, we need to identify the code where such policy is actually enforced, so that there we can track the calling user domain to choose the right type transition.
> > >
> > > We need to take a step back, there are too many issues mixed together with this patch. Fixing the policy to allow conflicting types sounds like the wrong solution to whatever the problem is.
> >
> > At the moment, I still believe that is the optimal solution: allowing conflicts in the policy and resolving them at runtime by exploiting the knowledge of the user and role parts of the context.

The above is what is needed to achieve an optimal solution to the problem that I encountered while developing this gnome patch.

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Jason Zaman @ 2016-09-01 15:21 UTC
To: refpolicy

On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via refpolicy wrote:
> On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> Who said that? At-spi starts with Gnome from the xdg autostart directory by default.

What happens if you start dbus-daemon --session from xdg autostart too?

> > > > > If you want to help implementing a patch, we need to identify the code where such policy is actually enforced, so that there we can track the calling user domain to choose the right type transition.
> > > >
> > > > We need to take a step back, there are too many issues mixed together with this patch. Fixing the policy to allow conflicting types sounds like the wrong solution to whatever the problem is.
> > >
> > > At the moment, I still believe that is the optimal solution: allowing conflicts in the policy and resolving them at runtime by exploiting the knowledge of the user and role parts of the context.
>
> The above is what is needed to achieve an optimal solution to the problem that I encountered while developing this gnome patch.

Again ... *what problem*? Show me the error messages you get without this patch applied. You keep saying that what you have done is optimal to solve the problem but you have not explained what the problem is.

Do you need atspi to be able to exec dbus-daemon? What happens if you start dbus-daemon before atspi?

Why can't you just prefix the atspi domains too?
    type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
    type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;

-- Jason
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-01 16:18 UTC
To: refpolicy

On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via refpolicy wrote:
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> > Who said that? At-spi starts with Gnome from the xdg autostart directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart too?

The DBUS session daemon is not designed to be started from xdg autostart. There must be multiple instances of it.

> > > > > > If you want to help implementing a patch, we need to identify the code where such policy is actually enforced, so that there we can track the calling user domain to choose the right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed together with this patch. Fixing the policy to allow conflicting types sounds like the wrong solution to whatever the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution: allowing conflicts in the policy and resolving them at runtime by exploiting the knowledge of the user and role parts of the context.
> >
> > The above is what is needed to achieve an optimal solution to the problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? Show me the error messages you get without this patch applied. You keep saying that what you have done is

As already explained, without the patch applied, Gnome doesn't start, pulseaudio doesn't work fine, there are permissions granted that are not strictly needed and however it is not confined properly (there are Gnome processes running in the user domain, which instead should run in their own domain).

> optimal to solve the problem but you have not explained what the problem is.

I have no other ways of explaining it. The others have understood the problem, perhaps you can read their replies to get more insight...

> Do you need atspi to be able to exec dbus-daemon? What happens if you start dbus-daemon before atspi?
>
> Why can't you just prefix the atspi domains too?
>     type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
>     type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> -- Jason

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-01 19:30 UTC
To: refpolicy

Hello Jason,

I'll try another time to answer your question...

On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia
> > > wrote:
> > Who said that? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?
>
> > > > > > If you want to help implementing a patch, we need to
> > > > > > identify the code where such policy is actually enforced,
> > > > > > so that there we can track the calling user domain to
> > > > > > choose the right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together with this patch. Fixing the policy to allow
> > > > > conflicting types sounds like the wrong solution to whatever
> > > > > the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing conflicts in the policy and resolving them at runtime
> > > > by exploiting the knowledge of the user and role parts of the
> > > > context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? show me the error messages you get without
> this patch applied. You keep saying that what you have done is
> optimal to solve the problem but you have not explained what the
> problem is.

The main problem that the patch was trying to sort out is to allow
Gnome to run with the Reference Policy and to confine it better (for a
full description, please refer to the latest version of the patch).

In this case, there isn't just one specific error message. There is a
series of permissions denied in the log files and the desktop won't
start (as in not passing the xdm login screen, for example) or it won't
function properly.

While developing the above mentioned patch, I came across a problem
with the policy: conflicting type rules. The specific error message in
this case is "Conflicting type rules" when loading the policy (it
compiles fine). You can reproduce it by applying the patch and then
changing the "user_dbusd_t" type that I have used initially to the
prefixed type "$1_dbusd_t".

To solve the latter problem, I believe that the optimal solution is not
to change the policy further, but to:

- change the existing source code so that it adds the conflicting type
  rules without generating an error;
- resolve the conflict at runtime by exploiting the knowledge of the
  user and role parts of the context.

I was asking other people what they think of such proposed solution
and, provided that it sounds feasible to them, if they have specific
ideas on its implementation.

I hope it does make sense now...

> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
> Why can't you just prefix the atspi domains too?

I don't know if prefixing the other domains works.

However, if you post a revised patch, I can test it and let you know.

At the moment, I have removed the prefixed types and I am working with
static types prefixed by the keyword "session". It works, but it surely
isn't what I would call optimal.

> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;

Regards,

Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Jason Zaman @ 2016-09-02 1:12 UTC
To: refpolicy

On Thu, Sep 01, 2016 at 09:30:25PM +0200, Guido Trentalancia via
refpolicy wrote:
> > Why can't you just prefix the atspi domains too?
>
> I don't know if prefixing the other domains works.
> However, if you post a revised patch, I can test it and let you know.
> At the moment, I have removed the prefixed types and I am working with
> static types prefixed by the keyword "session". It works, but it
> surely isn't what I would call optimal.

I'm pretty sure removing prefixes is the opposite direction from where
you need to be going.

Xfce uses at-spi-bus-launcher so I can confine that and gconfd first so
we can get things working in general. If those work then the rest of
the parts of gnome would follow the same pattern.

--
Jason

> > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> Regards,
>
> Guido
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-03 13:34 UTC
To: refpolicy

Hello Jason.

I have an update about the advice that you kindly provided...

On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia
> > > wrote:
> > Who said that? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?
>
> > > > > > If you want to help implementing a patch, we need to
> > > > > > identify the code where such policy is actually enforced,
> > > > > > so that there we can track the calling user domain to
> > > > > > choose the right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together with this patch. Fixing the policy to allow
> > > > > conflicting types sounds like the wrong solution to whatever
> > > > > the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing conflicts in the policy and resolving them at runtime
> > > > by exploiting the knowledge of the user and role parts of the
> > > > context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? show me the error messages you get without
> this patch applied. You keep saying that what you have done is
> optimal to solve the problem but you have not explained what the
> problem is.
>
> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
>
> Why can't you just prefix the atspi domains too?
> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;

The latter (prefixing the other domains, such as at_spi, that at some
point need to transition back to the user domain) solved the problem
that I was experiencing!

Brilliant idea... Thanks very much for your advice!!

Unfortunately, I don't know if I can really update this patch for the
mailing list and resubmit it, because there are very strict
requirements on its length.

It's a shame, but I cannot split it in several parts because this patch
is made of highly interdependent bits...

Best regards,

Guido
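The "Conflicting type rules" error Guido describes in his 2016-09-01 19:30 message and the prefixing fix Jason suggests, as an added example that is not part of this thread and not refpolicy's own code: a small Python model of what happens when a per-role policy template is instantiated for more than one role. The three template variants, the role prefixes "staff" and "user", and the conflict check are constructed for this example; the type names atspi_t, dbusd_exec_t, staff_dbusd_t and user_dbusd_t are taken from the thread, but the templates here are hypothetical and stand in for the m4 `*_role_template()` interfaces rather than reproducing them. The check mirrors what the policy compiler rejects: two `type_transition` rules with the same source, target and class but different default types.

```python
# Added example, not code from the refpolicy patch or the thread: model how
# instantiating a per-role policy template for several roles produces SELinux
# type_transition rules, and the check that makes the policy tools reject the
# result with "Conflicting type rules".
#
# Assumptions (constructed for this example): the role prefixes in ROLES, the
# three template variants below and the conflict check itself. The type names
# come from the thread, the templates are hypothetical.
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (source type, target type, object class)

ROLES = ("staff", "user")  # constructed: the roles the template is built for

# Three ways of writing the rule, in the order the thread discusses them.
# "$1" stands for the role prefix parameter of a refpolicy role template.
STATIC_TARGET = [
    # what the patch used initially: a fixed, unprefixed dbusd type
    "type_transition atspi_t dbusd_exec_t:process user_dbusd_t;",
]
PREFIXED_TARGET_ONLY = [
    # source shared by all roles, target per role: this is the conflict
    "type_transition atspi_t dbusd_exec_t:process $1_dbusd_t;",
]
PREFIXED_BOTH = [
    # Jason's suggestion: prefix the atspi domain as well
    "type_transition $1_atspi_t dbusd_exec_t:process $1_dbusd_t;",
]


def expand_template(template: List[str], prefix: str) -> List[str]:
    """Substitute the m4-style $1 parameter with one role prefix."""
    return [line.replace("$1", prefix) for line in template]


def instantiate(template: List[str], roles=ROLES) -> List[str]:
    """Expand the template once per role, as the build does for every
    user role that calls the template."""
    rules: List[str] = []
    for role in roles:
        rules.extend(expand_template(template, role))
    return rules


def parse_type_transition(line: str) -> Optional[Tuple[Key, str]]:
    """Parse 'type_transition SRC TGT:CLASS DEFAULT;' into its lookup key
    and default type; return None for any other statement."""
    parts = line.strip().rstrip(";").split()
    if len(parts) != 4 or parts[0] != "type_transition":
        return None
    src, tgt_cls, default = parts[1], parts[2], parts[3]
    tgt, cls = tgt_cls.split(":", 1)
    return (src, tgt, cls), default


def find_conflicts(rules: List[str]) -> Dict[Key, List[str]]:
    """Return every (source, target, class) key that is given more than one
    default type. Identical duplicate rules are merged and are harmless;
    differing defaults for one key are what the compiler rejects."""
    defaults: Dict[Key, Set[str]] = defaultdict(set)
    for rule in rules:
        parsed = parse_type_transition(rule)
        if parsed is not None:
            key, default = parsed
            defaults[key].add(default)
    return {key: sorted(ds) for key, ds in defaults.items() if len(ds) > 1}


def transition_for(rules: List[str], src: str, tgt: str = "dbusd_exec_t",
                   cls: str = "process") -> Optional[str]:
    """The default type a rule set gives to src executing tgt, or None if
    no rule applies (meaningful only for a conflict-free rule set)."""
    for rule in rules:
        parsed = parse_type_transition(rule)
        if parsed is not None and parsed[0] == (src, tgt, cls):
            return parsed[1]
    return None


if __name__ == "__main__":
    for name, tpl in (("static target", STATIC_TARGET),
                      ("prefixed target only", PREFIXED_TARGET_ONLY),
                      ("prefixed source and target", PREFIXED_BOTH)):
        rules = instantiate(tpl)
        print(f"{name}: {find_conflicts(rules) or 'no conflicts'}")
```

The static variant loads without error, but a staff role's at-spi ends up in user_dbusd_t, which is the mislabelling the patch was trying to get away from. Prefixing only the target makes the two role expansions disagree about the same (atspi_t, dbusd_exec_t, process) key, which is the compile-time conflict; prefixing the source too gives each role its own key and its own dbusd domain.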
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Jason Zaman @ 2016-09-06 9:18 UTC
To: refpolicy

> On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> > Why can't you just prefix the atspi domains too?
> > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> The latter (prefixing the other domains, such as at_spi, that at some
> point need to transition back to the user domain) solved the problem
> that I was experiencing!
>
> Brilliant idea... Thanks very much for your advice!!
>
> Unfortunately, I don't know if I can really update this patch for the
> mailing list and resubmit it, because there are very strict
> requirements on its length.
>
> It's a shame, but I cannot split it in several parts because this patch
> is made of highly interdependent bits...

Great that it works!

Can you rebase the patch on master then send me the file directly (not
to the list since it's big). Then I can take a look and comment.

If this works well for dbus session programs we probably want to make a
few templates to handle the common stuff first. Then we can do the
specific patches separately for atspi and the other programs
afterwards. It's a big change but I'm sure we can figure out a good way
to organise it.

I use xfce so will check if there are more things that use dbus so we
can make the templates good for everything at the same time.

--
Jason
* [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
From: Guido Trentalancia @ 2016-09-06 12:26 UTC
To: refpolicy

Hello Jason.

On Tue, 06/09/2016 at 17.18 +0800, Jason Zaman wrote:
> > On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> > > Why can't you just prefix the atspi domains too?
> > > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
> >
> > The latter (prefixing the other domains, such as at_spi, that at
> > some point need to transition back to the user domain) solved the
> > problem that I was experiencing!
> >
> > Brilliant idea... Thanks very much for your advice!!
> >
> > Unfortunately, I don't know if I can really update this patch for
> > the mailing list and resubmit it, because there are very strict
> > requirements on its length.
> >
> > It's a shame, but I cannot split it in several parts because this
> > patch is made of highly interdependent bits...
>
> Great that it works!

Yes, thanks very much for your advice!

> Can you rebase the patch on master then send me the file directly
> (not to the list since it's big). Then I can take a look and comment.

I am still completing it. There are still bits that are getting changed
and improved every now and then while it gets tested better.

> If this works well for dbus session programs we probably want to make
> a few templates to handle the common stuff first. Then we can do the
> specific patches separately for atspi and the other programs
> afterwards. It's a big change but I'm sure we can figure out a good
> way to organise it.

I really hope it will get committed.

> I use xfce so will check if there are more things that use dbus so we
> can make the templates good for everything at the same time.

There is only one strange thing happening: when I start gnome-terminal
from the gnome-shell menu (it executes /usr/bin/gnome-terminal, which
then executes /usr/libexec/gnome-terminal-server), it runs in the
$1_dbusd_t domain.

Other applications, when started from the gnome-shell menu, do not end
up running in the $1_dbusd_t domain but in the user domain, as
desirable.

I am not sure why the above is happening.

I can get it to transition from $1_dbusd_t to $1_t, which sorts things
out, but it would be better if it was running in gnome_terminal_t and
gnome_terminal_server_t respectively.

Best regards,

Guido
Thread overview: 73+ messages

2016-08-13 14:45  [refpolicy] [PATCH] Update for the gnome policy and file contexts  Guido Trentalancia
2016-08-13 14:51  Dominick Grift
2016-08-13 20:09  Guido Trentalancia
2016-08-13 20:20  Dominick Grift
2016-08-14 17:35  Guido Trentalancia
2016-08-14 17:45  Dominick Grift
2016-08-14 21:14  Guido Trentalancia
2016-08-14 21:19  Dominick Grift
2016-08-14 21:33  Guido Trentalancia
2016-08-14 21:35  Dominick Grift
2016-08-14 22:13  Guido Trentalancia
2016-08-15  6:00  Dominick Grift
2016-08-15  8:29  Dominick Grift
2016-08-16 19:26  Guido Trentalancia
2016-08-16 19:30  Dominick Grift
2016-08-15 21:33  [refpolicy] [PATCH v2] Update for the gnome policy and file contexts  Guido Trentalancia
2016-08-15 20:08  Chris PeBenito
2016-08-20 14:52  [refpolicy] [PATCH v3] Update for the gnome policy and file contexts  Guido Trentalancia
2016-08-21 18:49  Dominick Grift
2016-08-21 19:02  Guido Trentalancia
2016-08-21 19:05  Dominick Grift
2016-08-21 19:44  Guido Trentalancia
2016-08-22 19:39  [refpolicy] [PATCH v4] Update for the gnome policy and file contexts  Guido Trentalancia
2016-08-23  1:15  Chris PeBenito
2016-08-23 12:44  Guido Trentalancia
2016-08-23 13:58  Guido Trentalancia
2016-08-23 23:02  Chris PeBenito
2016-08-23 23:31  Guido Trentalancia
2016-08-24 21:55  Guido Trentalancia
2016-08-24 22:10  Chris PeBenito
2016-08-24 22:42  Guido Trentalancia
2016-08-25  7:25  Dominick Grift
2016-08-25  9:47  Guido Trentalancia
2016-08-25 22:49  Chris PeBenito
2016-08-26 22:21  Guido Trentalancia
2016-08-28 18:29  Chris PeBenito
2016-08-27 17:08  Guido Trentalancia
2016-08-27 17:10  Dominick Grift
2016-08-27 17:16  Guido Trentalancia
2016-08-27 17:17  Dominick Grift
2016-08-27 20:41  Guido Trentalancia
2016-08-27 20:57  Dominick Grift
2016-08-27 21:48  Guido Trentalancia
2016-08-28  7:24  Dominick Grift
2016-08-28  8:03  Dominick Grift
2016-08-28 15:37  Guido Trentalancia
2016-08-28 18:40  Chris PeBenito
2016-08-28 19:11  Guido Trentalancia
2016-08-28 19:12  Dominick Grift
2016-08-29  8:20  Dominick Grift
2016-08-29 17:45  Naftuli Tzvi Kay
2016-08-30 19:23  Guido Trentalancia
2016-08-30 21:37  Chris PeBenito
2016-08-30 21:46  Guido Trentalancia
2016-08-30 19:15  Guido Trentalancia
2016-08-30 19:21  Dominick Grift
2016-08-30 21:39  Chris PeBenito
2016-08-31  6:55  Dominick Grift
2016-08-31  7:31  Dominick Grift
2016-08-23 16:06  Guido Trentalancia
2016-09-01  4:20  Jason Zaman
2016-09-01  9:33  Guido Trentalancia
2016-09-01 11:53  Jason Zaman
2016-09-01 12:28  Guido Trentalancia
2016-09-01 14:06  Jason Zaman
2016-09-01 14:40  Guido Trentalancia
2016-09-01 15:21  Jason Zaman
2016-09-01 16:18  Guido Trentalancia
2016-09-01 19:30  Guido Trentalancia
2016-09-02  1:12  Jason Zaman
2016-09-03 13:34  Guido Trentalancia
2016-09-06  9:18  Jason Zaman
2016-09-06 12:26  Guido Trentalancia