[PATCH 1/2 v2] Allow greeter to start dbus

[PATCH 1/2 v2] Allow greeter to start dbus

[Sugar, David]

The display manager lightdm (and I think gdm) start a dbus binary.

This adds (and uses) new interface dbus_exec to start dbus in the xdm domain.

type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute } for  pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { read open } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute_no_trans } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { map } for  pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.112:208): avc:  denied  { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/dbus.if    | 21 +++++++++++++++++++++
 policy/modules/services/xserver.te |  1 +
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index ef829e30..d0eec745 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -17,6 +17,27 @@ interface(`dbus_stub',`
 	')
 ')
 
+########################################
+## <summary>
+##	Execute dbus in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_exec',`
+	gen_require(`
+		type dbusd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, dbusd_exec_t)
+
+	allow $1 self:process getcap;
+')
+
 ########################################
 ## <summary>
 ##	Role access for dbus.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fa7ce88e..cc717e7f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -566,6 +566,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_exec(xdm_t)
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
 
-- 
2.20.1

[PATCH 2/2 v2] pam_faillock creates files in /run/faillock

[Sugar, David]

These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t).  sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.

type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1

type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/sudo.if       |  2 +-
 policy/modules/services/xserver.te |  1 -
 policy/modules/system/authlogin.if | 21 +++++++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 01f408ef..1c1fbe7b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -116,8 +116,8 @@ template(`sudo_role_template',`
 	auth_run_chk_passwd($1_sudo_t, $2)
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
+	auth_use_pam($1_sudo_t)
 	auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
-	auth_use_nsswitch($1_sudo_t)
 
 	init_rw_utmp($1_sudo_t)
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index cc717e7f..37fb2a71 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -484,7 +484,6 @@ term_setattr_unallocated_ttys(xdm_t)
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
-auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
 # Run telinit->init to shutdown.
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 9b5e0fe0..8d79af78 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -47,6 +47,7 @@ interface(`auth_use_pam',`
 	# for encrypted homedir
 	dev_read_sysfs($1)
 
+	auth_create_faillog($1)
 	auth_domtrans_chk_passwd($1)
 	auth_domtrans_upd_passwd($1)
 	auth_dontaudit_read_shadow($1)
@@ -744,6 +745,26 @@ interface(`auth_append_faillog',`
 	allow $1 faillog_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create fail log lock (in /run/faillock).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_create_faillog',`
+	gen_require(`
+		type faillog_t;
+	')
+
+	auth_rw_faillog($1)
+	create_files_pattern($1, faillog_t, faillog_t)
+	setattr_files_pattern($1, faillog_t, faillog_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write the login failure log.
-- 
2.20.1

Re: [PATCH 1/2 v2] Allow greeter to start dbus

[Dominick Grift]

"Sugar, David" <dsugar@tresys.com> writes:

> The display manager lightdm (and I think gdm) start a dbus binary.
>
> This adds (and uses) new interface dbus_exec to start dbus in the xdm domain.
>
> type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute } for  pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1544626796.378:201): avc:  denied  { read open } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute_no_trans } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1544626796.378:201): avc:  denied  { map } for  pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1546551459.112:208): avc:  denied  { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/services/dbus.if    | 21 +++++++++++++++++++++
>  policy/modules/services/xserver.te |  1 +
>  2 files changed, 22 insertions(+)
>
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index ef829e30..d0eec745 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -17,6 +17,27 @@ interface(`dbus_stub',`
>  	')
>  ')
>  
> +########################################
> +## <summary>
> +##	Execute dbus in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dbus_exec',`
> +	gen_require(`
> +		type dbusd_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, dbusd_exec_t)
> +
> +	allow $1 self:process getcap;

I would not enclose the getcap rule here. For example I do not believe
you need that permission to be able to `dbus-daemon --version`. Instead I
would add that rule to xserver.te:

allow xdm_t self:process getcap;

> +')
> +
>  ########################################
>  ## <summary>
>  ##	Role access for dbus.
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index fa7ce88e..cc717e7f 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -566,6 +566,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dbus_exec(xdm_t)
>  	dbus_system_bus_client(xdm_t)
>  	dbus_connect_system_bus(xdm_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Re: [PATCH 2/2 v2] pam_faillock creates files in /run/faillock

[Dominick Grift]

"Sugar, David" <dsugar@tresys.com> writes:

> These are changes needed when pam_fallock creates files in /run/faillock
> (which is labeled faillog_t).  sudo and xdm (and probably other domains)
> will create files in this directory for successful and failed login
> attempts.
>
> type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/admin/sudo.if       |  2 +-
>  policy/modules/services/xserver.te |  1 -
>  policy/modules/system/authlogin.if | 21 +++++++++++++++++++++
>  3 files changed, 22 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 01f408ef..1c1fbe7b 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -116,8 +116,8 @@ template(`sudo_role_template',`
>  	auth_run_chk_passwd($1_sudo_t, $2)
>  	# sudo stores a token in the pam_pid directory
>  	auth_manage_pam_pid($1_sudo_t)
> +	auth_use_pam($1_sudo_t)
>  	auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> -	auth_use_nsswitch($1_sudo_t)
>  
>  	init_rw_utmp($1_sudo_t)
>  
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index cc717e7f..37fb2a71 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -484,7 +484,6 @@ term_setattr_unallocated_ttys(xdm_t)
>  auth_domtrans_pam_console(xdm_t)
>  auth_manage_pam_pid(xdm_t)
>  auth_manage_pam_console_data(xdm_t)
> -auth_rw_faillog(xdm_t)
>  auth_write_login_records(xdm_t)
>  
>  # Run telinit->init to shutdown.
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 9b5e0fe0..8d79af78 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -47,6 +47,7 @@ interface(`auth_use_pam',`
>  	# for encrypted homedir
>  	dev_read_sysfs($1)
>  
> +	auth_create_faillog($1)

auth_create_faillog_files($1)
auth_rw_faillog($1)
auth_setattr_faillog_files($1)

>  	auth_domtrans_chk_passwd($1)
>  	auth_domtrans_upd_passwd($1)
>  	auth_dontaudit_read_shadow($1)
> @@ -744,6 +745,26 @@ interface(`auth_append_faillog',`
>  	allow $1 faillog_t:file append_file_perms;
>  ')
>  
> +########################################
> +## <summary>
> +##	Create fail log lock (in /run/faillock).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_create_faillog',`
> +	gen_require(`
> +		type faillog_t;
> +	')
> +
> +	auth_rw_faillog($1)
> +	create_files_pattern($1, faillog_t, faillog_t)
> +	setattr_files_pattern($1, faillog_t, faillog_t)
> +')

interface name is not accurate: auth_create_faillog_files()
auth_rw_faillog does not belong here
setattr needs a seperate interface: auth_setattr_faillog_files()

> +
>  ########################################
>  ## <summary>
>  ##	Read and write the login failure log.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Re: [PATCH 1/2 v2] Allow greeter to start dbus

[Sugar, David]

On 1/6/19 7:40 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@tresys.com> writes:
>
>> The display manager lightdm (and I think gdm) start a dbus binary.
>>
>> This adds (and uses) new interface dbus_exec to start dbus in the xdm domain.
>>
>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute } for  pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { read open } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute_no_trans } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { map } for  pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1546551459.112:208): avc:  denied  { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/services/dbus.if    | 21 +++++++++++++++++++++
>>   policy/modules/services/xserver.te |  1 +
>>   2 files changed, 22 insertions(+)
>>
>> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
>> index ef829e30..d0eec745 100644
>> --- a/policy/modules/services/dbus.if
>> +++ b/policy/modules/services/dbus.if
>> @@ -17,6 +17,27 @@ interface(`dbus_stub',`
>>   	')
>>   ')
>>   
>> +########################################
>> +## <summary>
>> +##	Execute dbus in the caller domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +##	Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`dbus_exec',`
>> +	gen_require(`
>> +		type dbusd_exec_t;
>> +	')
>> +
>> +	corecmd_search_bin($1)
>> +	can_exec($1, dbusd_exec_t)
>> +
>> +	allow $1 self:process getcap;
> I would not enclose the getcap rule here. For example I do not believe
> you need that permission to be able to `dbus-daemon --version`. Instead I
> would add that rule to xserver.te:
>
> allow xdm_t self:process getcap;

I did it this way due to the fact that it is dbus-daemon needing the 
getcap permission not lightdm.  So other processes that use the 
dbus_exec interface will also need this permission.  I'm happy separate 
just worry it won't be clear why getcap will be added in several places 
due to this.

>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##	Role access for dbus.
>> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
>> index fa7ce88e..cc717e7f 100644
>> --- a/policy/modules/services/xserver.te
>> +++ b/policy/modules/services/xserver.te
>> @@ -566,6 +566,7 @@ optional_policy(`
>>   ')
>>   
>>   optional_policy(`
>> +	dbus_exec(xdm_t)
>>   	dbus_system_bus_client(xdm_t)
>>   	dbus_connect_system_bus(xdm_t)

Re: [PATCH 1/2 v2] Allow greeter to start dbus

[Dominick Grift]

"Sugar, David" <dsugar@tresys.com> writes:

> On 1/6/19 7:40 AM, Dominick Grift wrote:
>> "Sugar, David" <dsugar@tresys.com> writes:
>>
>>> The display manager lightdm (and I think gdm) start a dbus binary.
>>>
>>> This adds (and uses) new interface dbus_exec to start dbus in the xdm domain.
>>>
>>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute } for  pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { read open } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute_no_trans } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1544626796.378:201): avc:  denied  { map } for  pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1546551459.112:208): avc:  denied  { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
>>>
>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>> ---
>>>   policy/modules/services/dbus.if    | 21 +++++++++++++++++++++
>>>   policy/modules/services/xserver.te |  1 +
>>>   2 files changed, 22 insertions(+)
>>>
>>> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
>>> index ef829e30..d0eec745 100644
>>> --- a/policy/modules/services/dbus.if
>>> +++ b/policy/modules/services/dbus.if
>>> @@ -17,6 +17,27 @@ interface(`dbus_stub',`
>>>   	')
>>>   ')
>>>   
>>> +########################################
>>> +## <summary>
>>> +##	Execute dbus in the caller domain.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +##	Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`dbus_exec',`
>>> +	gen_require(`
>>> +		type dbusd_exec_t;
>>> +	')
>>> +
>>> +	corecmd_search_bin($1)
>>> +	can_exec($1, dbusd_exec_t)
>>> +
>>> +	allow $1 self:process getcap;
>> I would not enclose the getcap rule here. For example I do not believe
>> you need that permission to be able to `dbus-daemon --version`. Instead I
>> would add that rule to xserver.te:
>>
>> allow xdm_t self:process getcap;
>
> I did it this way due to the fact that it is dbus-daemon needing the 
> getcap permission not lightdm.  So other processes that use the 
> dbus_exec interface will also need this permission.  I'm happy separate 
> just worry it won't be clear why getcap will be added in several places 
> due to this.
>

`dbus-daemon --version` does not seem to require getcap

executing dbus potentially requires many permissions but that does not
mean that we should add these permissions to dbus_exec()

>>> +')
>>> +
>>>   ########################################
>>>   ## <summary>
>>>   ##	Role access for dbus.
>>> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
>>> index fa7ce88e..cc717e7f 100644
>>> --- a/policy/modules/services/xserver.te
>>> +++ b/policy/modules/services/xserver.te
>>> @@ -566,6 +566,7 @@ optional_policy(`
>>>   ')
>>>   
>>>   optional_policy(`
>>> +	dbus_exec(xdm_t)
>>>   	dbus_system_bus_client(xdm_t)
>>>   	dbus_connect_system_bus(xdm_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift