From: Dominick Grift <dac.override@gmail.com>
To: Laurent Bigonville <bigon@debian.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 05/10] Allow colord_t to read the color profile stored in ~/.local/share/icc/
Date: Fri, 11 Oct 2019 14:54:23 +0200	[thread overview]
Message-ID: <20191011125423.GA279944@brutus.lan> (raw)
In-Reply-To: <20191011122416.14651-5-bigon@debian.org>


On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> colord reads the color profile files that are stored in
> ~/.local/share/icc/. The file descriptor to that file is passed over
> D-Bus so it needs to be inherited.

This patch is cutting corners a little. It only takes unconfined_t into account and not the confined users (an alternative would be to call "userdom_use_all_users_fds(colord_t)" instead, which is arguably too broad as well, but the closest you can get to "common users" without surgery).
Secondly, xdg_read_data_files() is a little broad.
Also, this patch implies that whatever maintains XDG_DATA_DIR/icc is able to maintain generic xdg data files, which is arguably broad as well.

The second and third arguments are subject to how far you want to take things, and so I won't object if that is not addressed.
The fd use issue, in my view, should be addressed for all login (common) users with colord access.

> 
> ----
> time->Sat Oct  5 11:35:54 2019
> type=AVC msg=audit(1570268154.991:223): avc:  denied  { read } for  pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1570268154.991:223): avc:  denied  { use } for  pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=1
> ----
> time->Sat Oct  5 11:35:55 2019
> type=AVC msg=audit(1570268155.007:225): avc:  denied  { getattr } for  pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> ----
> time->Sat Oct  5 11:35:55 2019
> type=AVC msg=audit(1570268155.007:226): avc:  denied  { map } for  pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> ----
> 
> Signed-off-by: Laurent Bigonville <bigon@bigon.be>
> ---
>  policy/modules/services/colord.te | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
> index fada3fb8..2fbb1835 100644
> --- a/policy/modules/services/colord.te
> +++ b/policy/modules/services/colord.te
> @@ -141,6 +141,13 @@ optional_policy(`
>  	udev_read_pid_files(colord_t)
>  ')
>  
> +# colord reads the color profiles files that are stored in ~/.local/share/icc/,
> +# The file descriptor to that file is passed over D-Bus so it needs to be inherited
> +optional_policy(`
> +	unconfined_use_fds(colord_t)
> +	xdg_read_data_files(colord_t)
> +')
> +
>  optional_policy(`
>  	xserver_read_xdm_lib_files(colord_t)
>  	xserver_use_xdm_fds(colord_t)
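Review bot: the two interfaces in the added optional_policy block, `unconfined_use_fds(colord_t)` and `xdg_read_data_files(colord_t)`, depend on different modules (unconfined and xdg), and an optional block is dropped as a whole when any interface in it cannot be resolved, so a build without the unconfined module would also lose the xdg read rules; put each call in its own optional_policy(`...') block. Note also that `unconfined_use_fds` only covers the fd owner shown in the quoted AVC (`tcontext=unconfined_u:unconfined_r:unconfined_t`), not confined login domains; `userdom_use_all_users_fds(colord_t)` would cover those as well. The added comment line's "color profiles files" should read "color profile files".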
> -- 
> 2.23.0
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
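To make the fd-owner question above concrete, here is an added example (not code from the patch or from refpolicy) that parses the AVC records quoted in the commit message, groups the denials by source type, target type and class, and lists which domains' inherited descriptors colord_t needs `use` on; the sample lines are the page's own records with the long ICC file name shortened.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the commit message above,
# with the ICC file name shortened so the lines stay readable.
AVC_LINES = [
    'type=AVC msg=audit(1570268154.991:223): avc:  denied  { read } for  pid=852 comm="gdbus" '
    'path="/home/bigon/.local/share/icc/edid.icc" dev="dm-3" ino=413402 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1570268154.991:223): avc:  denied  { use } for  pid=852 comm="gdbus" '
    'path="/home/bigon/.local/share/icc/edid.icc" dev="dm-3" ino=413402 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=1',
    'type=AVC msg=audit(1570268155.007:225): avc:  denied  { getattr } for  pid=852 comm="colord" '
    'path="/home/bigon/.local/share/icc/edid.icc" dev="dm-3" ino=413402 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1570268155.007:226): avc:  denied  { map } for  pid=852 comm="colord" '
    'path="/home/bigon/.local/share/icc/edid.icc" dev="dm-3" ino=413402 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1',
]

# "avc:  denied  { perm perm } for  key=value ..." as written by the kernel audit subsystem.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = set(m.group('perms').split())
    fields['result'] = m.group('result')
    return fields

def type_of(context):
    """Third component of an SELinux context string (user:role:type[:range]) is the type."""
    return context.split(':')[2]

def summarize(lines):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            summary[key] |= rec['perms']
    return dict(summary)

def fd_owner_domains(lines):
    """Domains whose inherited descriptors the source needs 'use' on: the set an
    interface such as unconfined_use_fds() or userdom_use_all_users_fds() must cover."""
    return sorted({t for (_, t, cls), perms in summarize(lines).items()
                   if cls == 'fd' and 'use' in perms})
```

On the quoted records only unconfined_t shows up as fd owner; on a host with confined logins the same run would list user_t or staff_t, which is the gap the reply points at.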

