Date: Sat, 12 Oct 2019 09:53:20 +0200
From: Dominick Grift
To: Laurent Bigonville, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 05/10] Allow colord_t to read the color profile stored in ~/.local/share/icc/
Message-ID: <20191012075320.GA716332@brutus.lan>
In-Reply-To: <20191011125423.GA279944@brutus.lan>
References: <20191011122416.14651-1-bigon@debian.org> <20191011122416.14651-5-bigon@debian.org> <20191011125423.GA279944@brutus.lan>

On Fri, Oct 11, 2019 at 02:54:23PM +0200, Dominick Grift wrote:
> On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote:
> > From: Laurent Bigonville
> >
> > colord reads the color profile files that are stored in
> > ~/.local/share/icc/. The file descriptor to that file is passed over
> > D-Bus so it needs to be inherited.
>
> This patch is cutting corners a little. It only takes unconfined_t into account and not the confined users (an alternative would be to call "userdom_use_all_users_fds(colord_t)" instead, which is arguably too broad as well, but the closest you can get to "common users" without surgery).
> Secondly, xdg_read_data_files() is a little broad.
> Also, if this patch implies that whatever maintains XDG_DATA_DIR/icc is able to maintain generic xdg data files, that is arguably broad as well.
>
> The second and third arguments are subject to how far you want to take things, and so I won't object if that is not addressed.
> The fd use issue, in my view, should be addressed for all login (common) users with colord access.

Actually, I take this review back. I am not sure how to best deal with this fd.
>
> >
> > ----
> > time->Sat Oct  5 11:35:54 2019
> > type=AVC msg=audit(1570268154.991:223): avc:  denied  { read } for  pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> > type=AVC msg=audit(1570268154.991:223): avc:  denied  { use } for  pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=1
> > ----
> > time->Sat Oct  5 11:35:55 2019
> > type=AVC msg=audit(1570268155.007:225): avc:  denied  { getattr } for  pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> > ----
> > time->Sat Oct  5 11:35:55 2019
> > type=AVC msg=audit(1570268155.007:226): avc:  denied  { map } for  pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
> > ----
> >
> > Signed-off-by: Laurent Bigonville
> > ---
> >  policy/modules/services/colord.te | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
> > index fada3fb8..2fbb1835 100644
> > --- a/policy/modules/services/colord.te
> > +++ b/policy/modules/services/colord.te
> > @@ -141,6 +141,13 @@ optional_policy(`
> >  	udev_read_pid_files(colord_t)
> >  ')
> >  
> > +# colord reads the color profiles files that are stored in ~/.local/share/icc/,
> > +# The file descriptor to that file is passed over D-Bus so it needs to be inherited
> > +optional_policy(`
> > +	unconfined_use_fds(colord_t)
> > +	xdg_read_data_files(colord_t)
> > +')
> > +
> >  optional_policy(`
> >  	xserver_read_xdm_lib_files(colord_t)
> >  	xserver_use_xdm_fds(colord_t)
> > -- 
> > 2.23.0
> >
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
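Review bot: `unconfined_use_fds(colord_t)` in the added `optional_policy` block only resolves the `tclass=fd` denial for the unconfined_t domain that appears as tcontext in the quoted AVC; a confined login-user domain handing the same descriptor to colord over D-Bus is still denied, so either use a userdom interface that covers all login-user domains or say in the comment that only unconfined users are supported. Two smaller points on the same block: `unconfined_use_fds()` and `xdg_read_data_files()` come from different modules but share one `optional_policy(...)`, so a policy built without the unconfined module silently drops the xdg rule as well; give each its own block, as the neighbouring udev and xserver blocks do. And one of the quoted denials is `{ map }`, which refpolicy's `read_file_perms` set does not include, so check that `xdg_read_data_files()` actually grants map (otherwise colord's mmap of the profile stays denied).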
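The point of the discussion above is that the `use` denial and the file denials name different target types: the descriptor's target is the process domain that opened it (the user's unconfined_t), while read/getattr/map target the file type (xdg_data_t). The script below is an added example, not part of this thread or of refpolicy: it parses AVC records of the form quoted in the patch description, groups denied permissions into the shape of allow rules, lists which process domains passed descriptors, and names the refpolicy permission set that would cover the file permissions (flagging that `map` is not in `read_file_perms`). The sample records are constructed from the ones quoted above; all function names are this example's own, not audit2allow or refpolicy APIs.

```python
"""Group SELinux AVC denials into allow-rule shape and spot the fd-vs-file split.

Added example; not code from the thread or from refpolicy.  Function names are
invented for this example.
"""
import re
from collections import defaultdict

# Constructed sample input: the four denials quoted in the patch description.
SAMPLE_AVCS = """\
type=AVC msg=audit(1570268154.991:223): avc:  denied  { read } for  pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570268154.991:223): avc:  denied  { use } for  pid=852 comm="gdbus" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=1
type=AVC msg=audit(1570268155.007:225): avc:  denied  { getattr } for  pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570268155.007:226): avc:  denied  { map } for  pid=852 comm="colord" path="/home/bigon/.local/share/icc/edid-fcd2cc06dec015794261e6b7756cbcec.icc" dev="dm-3" ino=413402 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:xdg_data_t:s0 tclass=file permissive=1
"""

# Permissions in braces, then the three context fields that define a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# refpolicy's named read sets (support/obj_perm_sets.spt); note map is only in the mmap set.
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}
MMAP_READ_FILE_PERMS = {"getattr", "open", "map", "read", "ioctl"}


def sel_type(context):
    """Type field of a security context: user:role:type[:sensitivity[:categories]]."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC denial in text; lines that are not AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = re.search(r'\bcomm="([^"]*)"', line)
        yield {
            "perms": frozenset(m.group("perms").split()),
            "stype": sel_type(m.group("scontext")),
            "ttype": sel_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": comm.group(1) if comm else None,
            "permissive": "permissive=1" in line,
        }


def derive_rules(text):
    """Group denied permissions by (source type, target type, class), the shape of an allow rule.

    For class fd the target type is the process domain that created the descriptor,
    not the file's type: that is why a descriptor passed over D-Bus needs a rule per
    user domain that may pass it, which a single unconfined_t rule does not give.
    """
    rules = defaultdict(set)
    for avc in parse_avcs(text):
        rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(rules)


def fd_passers(text):
    """Process domains whose descriptors the source domain was denied `use` on."""
    return {avc["ttype"] for avc in parse_avcs(text)
            if avc["tclass"] == "fd" and "use" in avc["perms"]}


def suggest_perm_set(perms):
    """Smallest refpolicy read set covering perms, or None if neither does."""
    if perms <= READ_FILE_PERMS:
        return "read_file_perms"
    if perms <= MMAP_READ_FILE_PERMS:
        return "mmap_read_file_perms"
    return None


def format_rules(rules):
    """Render grouped denials as raw TE allow rules, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


if __name__ == "__main__":
    rules = derive_rules(SAMPLE_AVCS)
    for line in format_rules(rules):
        print(line)
    for (stype, ttype, tclass), perms in rules.items():
        if tclass == "file":
            print(f"# {ttype}: covered by {suggest_perm_set(perms)}")
    print("# fd passers:", ", ".join(sorted(fd_passers(SAMPLE_AVCS))))
```

Run against the constructed records it emits one fd rule keyed on unconfined_t and one file rule keyed on xdg_data_t, and reports that the file rule needs `mmap_read_file_perms` rather than `read_file_perms` because of the `map` denial.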