selinux-refpolicy.vger.kernel.org archive mirror
* [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
@ 2017-12-04 21:49 David Sugar
  2017-12-05  8:01 ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: David Sugar @ 2017-12-04 21:49 UTC (permalink / raw)
  To: refpolicy

Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/.  These files get removed by systemd_logind.

type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5051b87c..6606d793 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -481,6 +481,7 @@ optional_policy(`
 	xserver_dbus_chat(systemd_logind_t)
 	xserver_dbus_chat_xdm(systemd_logind_t)
 	xserver_read_xdm_state(systemd_logind_t)
+	xserver_manage_xdm_tmp_files(systemd_logind_t)
 ')
 
 optional_policy(`
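Review bot: the grant is wider than the denials and the commit message justify. Every AVC line here is one step of emptying and removing a directory tree under /run/user/998 (read/open/getattr/write/remove_name/rmdir on xdm_tmp_t dirs, unlink on a file), and the message itself says these objects "get removed by systemd_logind", yet a manage interface also hands systemd_logind_t create and write access to xdm_tmp_t, which nothing in the patch shows it needing. Suggest a delete-only interface instead, and confirm that whatever is used covers the dir-class permissions (remove_name, rmdir) in the denials and not only file unlink. Since what gets cleaned is whatever the session left in $XDG_RUNTIME_DIR, a rule keyed on a shared attribute for all /run/user/$UID content types, rather than xdm_tmp_t alone, would avoid repeating this once per module. The commit message should also say why logind touches these objects (it empties the runtime dir before unmounting the tmpfs) rather than only pasting the denials.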
-- 
2.13.6


* [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
  2017-12-04 21:49 [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files David Sugar
@ 2017-12-05  8:01 ` Dominick Grift
  2017-12-05 13:25   ` David Sugar
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2017-12-05  8:01 UTC (permalink / raw)
  To: refpolicy

On Mon, Dec 04, 2017 at 09:49:56PM +0000, David Sugar via refpolicy wrote:
> Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/.  These files get removed by systemd_logind.
> 
> type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
> type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/system/systemd.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 5051b87c..6606d793 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -481,6 +481,7 @@ optional_policy(`
>  	xserver_dbus_chat(systemd_logind_t)
>  	xserver_dbus_chat_xdm(systemd_logind_t)
>  	xserver_read_xdm_state(systemd_logind_t)
> +	xserver_manage_xdm_tmp_files(systemd_logind_t)

It only needs to be able to delete it. Plus, this applies for all of XDG_RUNTIME_DIR, so you might be able to use a higher-level solution for this.

>  ')
>  
>  optional_policy(`
> -- 
> 2.13.6

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
  2017-12-05  8:01 ` Dominick Grift
@ 2017-12-05 13:25   ` David Sugar
  2017-12-05 13:33     ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: David Sugar @ 2017-12-05 13:25 UTC (permalink / raw)
  To: refpolicy

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Tuesday, December 05, 2017 3:02 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Allow systemd_logind to manage
> xdm_tmp_t files
> 
> On Mon, Dec 04, 2017 at 09:49:56PM +0000, David Sugar via refpolicy
> wrote:
> > Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/.  These files get removed by systemd_logind.
> >
> > type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
> > type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> >
> > Signed-off-by: Dave Sugar <dsugar@tresys.com>
> > ---
> >  policy/modules/system/systemd.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/systemd.te
> > b/policy/modules/system/systemd.te
> > index 5051b87c..6606d793 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -481,6 +481,7 @@ optional_policy(`
> >  	xserver_dbus_chat(systemd_logind_t)
> >  	xserver_dbus_chat_xdm(systemd_logind_t)
> >  	xserver_read_xdm_state(systemd_logind_t)
> > +	xserver_manage_xdm_tmp_files(systemd_logind_t)
> 
> It only needs to be able to delete it. Plus, this applies for all of
> XDG_RUNTIME_DIR, so you might be able to use a higher-level solution
> for this.

Are you suggesting something like creating an attribute 'user_runtime_type' and assigning that attribute to xdm_tmp_t, then creating an interface to allow deletion of 'user_runtime_type' files rather than using the xserver_manage_xdm_tmp_file interface?

I think that is what you are saying.  There is already the interface 'userdom_delete_user_runtime_files', but I didn't see a way for xserver to create/write user_runtime_t files, hence the filetrans commit.

> 
> >  ')
> >
> >  optional_policy(`
> > --
> > 2.13.6
> 
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

Dave Sugar
dsugar at tresys.com


* [refpolicy] [PATCH 1/1] Allow systemd_logind to manage xdm_tmp_t files
  2017-12-05 13:25   ` David Sugar
@ 2017-12-05 13:33     ` Dominick Grift
  0 siblings, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2017-12-05 13:33 UTC (permalink / raw)
  To: refpolicy

On Tue, Dec 05, 2017 at 01:25:58PM +0000, David Sugar via refpolicy wrote:
> > -----Original Message-----
> > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> > bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > Sent: Tuesday, December 05, 2017 3:02 AM
> > To: refpolicy at oss.tresys.com
> > Subject: Re: [refpolicy] [PATCH 1/1] Allow systemd_logind to manage
> > xdm_tmp_t files
> > 
> > On Mon, Dec 04, 2017 at 09:49:56PM +0000, David Sugar via refpolicy
> > wrote:
> > > Allow systemd_logind to manage xdm_tmp_t files in /run/user/$(UID)/.  These files get removed by systemd_logind.
> > >
> > > type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > > type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > > type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > > type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > > type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > > type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
> > > type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
> > >
> > > Signed-off-by: Dave Sugar <dsugar@tresys.com>
> > > ---
> > >  policy/modules/system/systemd.te | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/policy/modules/system/systemd.te
> > > b/policy/modules/system/systemd.te
> > > index 5051b87c..6606d793 100644
> > > --- a/policy/modules/system/systemd.te
> > > +++ b/policy/modules/system/systemd.te
> > > @@ -481,6 +481,7 @@ optional_policy(`
> > >  	xserver_dbus_chat(systemd_logind_t)
> > >  	xserver_dbus_chat_xdm(systemd_logind_t)
> > >  	xserver_read_xdm_state(systemd_logind_t)
> > > +	xserver_manage_xdm_tmp_files(systemd_logind_t)
> > 
> > It only needs to be able to delete it. Plus, this applies for all of
> > XDG_RUNTIME_DIR, so you might be able to use a higher-level solution
> > for this.
> 
> Are you suggesting something like creating an attribute 'user_runtime_type' and assigning that attribute to xdm_tmp_t, then creating an interface to allow deletion of 'user_runtime_type' files rather than using the xserver_manage_xdm_tmp_file interface?
> 
> I think that is what you are saying.  There is already the interface 'userdom_delete_user_runtime_files', but I didn't see a way for xserver to create/write user_runtime_t files, hence the filetrans commit.

userdom_delete_user_runtime_files() probably wouldn't be good enough if the name implies what I think it does, since:

- only applies to files and logind needs to be able to delete whatever objects are there (dirs, lnk_files, sock_files, fifo_files, files)
- seems to only apply to generic user_runtime_t type files?

logind wants to empty (delete) all of $XDG_RUNTIME_DIR before it unmounts the tmpfs.

> 
> > 
> > >  ')
> > >
> > >  optional_policy(`
> > > --
> > > 2.13.6
> > 
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> 
> Dave Sugar
> dsugar at tresys.com

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

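The higher-level solution the last two messages circle around (an attribute shared by every type that labels content under /run/user/$UID, plus a delete-only interface covering every object class logind may meet there: dirs, files, symlinks, sockets and fifos) written out as an added example in refpolicy style. It is not code from the patch or from refpolicy itself; the attribute name user_runtime_type is the one proposed above, while the interface names userdom_user_runtime_content_type and userdom_delete_all_user_runtime_content, and the files the fragments are placed in, are assumptions.

```m4
# Added example in refpolicy style; not from the patch or from refpolicy.
# Attribute name taken from the thread; interface names and file placement
# are assumptions.

# --- policy/modules/system/userdomain.te (assumed placement) ---
# One attribute for every type that labels content under /run/user/$UID,
# so a caller can be granted access to all of it in one rule.
attribute user_runtime_type;

# The generic runtime type carries the attribute itself.
typeattribute user_runtime_t user_runtime_type;

# --- policy/modules/system/userdomain.if (assumed placement) ---
########################################
## <summary>
##	Make the specified type a user runtime
##	content type (labels objects under
##	/run/user/$UID).
## </summary>
## <param name="type">
##	<summary>
##	Type to be marked as user runtime content.
##	</summary>
## </param>
#
interface(`userdom_user_runtime_content_type',`
	gen_require(`
		attribute user_runtime_type;
	')

	typeattribute $1 user_runtime_type;
')

########################################
## <summary>
##	Delete every kind of user runtime content
##	(dirs, files, symlinks, sockets, fifos),
##	whichever module's type labels it. This is
##	what a domain that empties $XDG_RUNTIME_DIR
##	before unmounting it needs, and nothing more:
##	no create, write or rename.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_runtime_content',`
	gen_require(`
		attribute user_runtime_type;
	')

	# Each delete_*_pattern grants read/write on the containing dir
	# (the read/open/getattr/write/remove_name denials) plus the
	# unlink or rmdir style permission on the object class named,
	# and nothing that would let the caller create content.
	delete_dirs_pattern($1, user_runtime_type, user_runtime_type)
	delete_files_pattern($1, user_runtime_type, user_runtime_type)
	delete_lnk_files_pattern($1, user_runtime_type, user_runtime_type)
	delete_sock_files_pattern($1, user_runtime_type, user_runtime_type)
	delete_fifo_files_pattern($1, user_runtime_type, user_runtime_type)
')

# --- policy/modules/services/xserver.te (assumed placement) ---
# xdm_tmp_t content lives under /run/user/$UID too, so it joins the set.
userdom_user_runtime_content_type(xdm_tmp_t)

# --- policy/modules/system/systemd.te (assumed placement) ---
# Replaces the per-module xserver_manage_xdm_tmp_files() call from the
# patch. It sits outside any optional_policy block because userdomain is
# a base module, so no xserver-specific rule is needed in systemd.te.
userdom_delete_all_user_runtime_content(systemd_logind_t)
```

With this shape, a new module whose type also labels /run/user/$UID content only has to call userdom_user_runtime_content_type() on that type; logind's cleanup rule does not change, and the permission it holds on all of that content stays limited to deletion.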
