SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 01/10] fstools: add zfs-auto-snapshot
@ 2020-02-16  8:54 Jason Zaman
  2020-02-16  8:54 ` [PATCH 02/10] udev: Add watch perms Jason Zaman
                   ` (8 more replies)
  0 siblings, 9 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
---
 policy/modules/system/fstools.fc | 1 +
 policy/modules/system/fstools.te | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d871294e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
 /usr/bin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/zfs-auto-snapshot	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4ad6e65f..4ae0301a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,6 +154,8 @@ logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
 
+# for zfs/zpool
+mount_exec(fsadm_t)
 # for /run/mount/utab
 mount_getattr_runtime_files(fsadm_t)
 # losetup: bind mount_loopback_t files to loop devices
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 02/10] udev: Add watch perms
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  2020-02-16  8:54 ` [PATCH 03/10] accountsd: " Jason Zaman
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

Udev watches all the fixed_disks and udevadm watches the runtime dir.

udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied

avc:  denied  { watch } for  pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
---
 policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
 policy/modules/system/udev.te    |  3 +++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index c14bb13b..f9dcbaf5 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Watch fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_watch_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file watch;
+	allow $1 fixed_disk_device_t:chr_file watch;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 0ccbcb51..e0e27a9d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
 
+storage_watch_fixed_disk(udev_t)
+
 auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
@@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+allow udevadm_t udev_runtime_t:dir watch;
 
 list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
 read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 03/10] accountsd: Add watch perms
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
  2020-02-16  8:54 ` [PATCH 02/10] udev: Add watch perms Jason Zaman
@ 2020-02-16  8:54 ` " Jason Zaman
  2020-02-16  8:54 ` [PATCH 04/10] cron: watch cron spool Jason Zaman
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
 policy/modules/services/accountsd.te |  2 ++
 policy/modules/system/logging.if     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
 files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
 logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)
 
 userdom_read_user_tmp_files(accountsd_t)
 userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
 	manage_files_pattern($1, var_log_t, var_log_t)
 ')
 
+########################################
+## <summary>
+##	Watch generic log dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 04/10] cron: watch cron spool
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
  2020-02-16  8:54 ` [PATCH 02/10] udev: Add watch perms Jason Zaman
  2020-02-16  8:54 ` [PATCH 03/10] accountsd: " Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  2020-02-16  8:54 ` [PATCH 05/10] colord: add watch perms Jason Zaman
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
---
 policy/modules/services/cron.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 46b64016..dbbd9dbf 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
 files_pid_filetrans(crond_t, crond_runtime_t, file)
 
 manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+allow crond_t cron_spool_t:dir watch;
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
 
 list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+allow crond_t system_cron_spool_t:dir watch;
+allow crond_t system_cron_spool_t:file watch;
 
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:dir watch;
 
 manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
 
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 05/10] colord: add watch perms
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (2 preceding siblings ...)
  2020-02-16  8:54 ` [PATCH 04/10] cron: watch cron spool Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  2020-02-16  8:54 ` [PATCH 06/10] policykit devicekit: Add " Jason Zaman
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
---
 policy/modules/services/colord.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 24eda8a9..44f2b049 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
 manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
+allow colord_t colord_var_lib_t:dir watch;
 
 kernel_read_crypto_sysctls(colord_t)
 kernel_read_device_sysctls(colord_t)
@@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t)
 files_list_mnt(colord_t)
 files_read_usr_files(colord_t)
 files_map_usr_files(colord_t)
+files_watch_usr_dirs(colord_t)
 
 fs_getattr_noxattr_fs(colord_t)
 fs_getattr_tmpfs(colord_t)
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 06/10] policykit devicekit: Add watch perms
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (3 preceding siblings ...)
  2020-02-16  8:54 ` [PATCH 05/10] colord: add watch perms Jason Zaman
@ 2020-02-16  8:54 ` " Jason Zaman
  2020-02-16  8:54 ` [PATCH 07/10] userdomain: Add watch on home dirs Jason Zaman
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
 policy/modules/services/consolekit.if | 18 ++++++++++++++++++
 policy/modules/services/devicekit.te  |  1 +
 policy/modules/services/policykit.te  |  3 +++
 3 files changed, 22 insertions(+)

diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index 9aa0dbce..422c19cd 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -121,3 +121,21 @@ interface(`consolekit_read_pid_files',`
 	allow $1 consolekit_runtime_t:dir list_dir_perms;
 	read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t)
 ')
+
+########################################
+## <summary>
+##	Watch consolekit runtime dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_watch_runtime_dir',`
+	gen_require(`
+		type consolekit_runtime_t;
+	')
+
+	allow $1 consolekit_runtime_t:dir watch;
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f58a7a19..ed88f10b 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -127,6 +127,7 @@ files_manage_boot_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
 files_read_usr_files(devicekit_disk_t)
+files_watch_etc_dirs(devicekit_disk_t)
 
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 04e88500..4989157c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -95,6 +95,8 @@ dev_read_urand(policykit_t)
 domain_read_all_domains_state(policykit_t)
 
 files_dontaudit_search_all_mountpoints(policykit_t)
+files_watch_etc_dirs(policykit_t)
+files_watch_usr_dirs(policykit_t)
 
 fs_getattr_xattr_fs(policykit_t)
 fs_list_inotifyfs(policykit_t)
@@ -127,6 +129,7 @@ optional_policy(`
 
 optional_policy(`
 	consolekit_read_pid_files(policykit_t)
+	consolekit_watch_runtime_dir(policykit_t)
 ')
 
 optional_policy(`
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 07/10] userdomain: Add watch on home dirs
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (4 preceding siblings ...)
  2020-02-16  8:54 ` [PATCH 06/10] policykit devicekit: Add " Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  2020-02-16 15:48   ` Chris PeBenito
  2020-02-16  8:54 ` [PATCH 08/10] dbus: add watch perms Jason Zaman
                   ` (2 subsequent siblings)
  8 siblings, 1 reply; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
---
 policy/modules/services/xserver.if  |  11 +-
 policy/modules/system/miscfiles.if  |  37 ++++++
 policy/modules/system/userdomain.if |   5 +
 policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
 4 files changed, 250 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c95a6b04..6c22b3c6 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
 	dev_rw_usbfs($2)
 
 	miscfiles_read_fonts($2)
+	miscfiles_watch_fonts($2)
 
 	xserver_common_x_domain_template(user, $2)
 	xserver_domtrans($2)
@@ -186,10 +187,13 @@ interface(`xserver_role',`
 	optional_policy(`
 		xdg_manage_all_cache($2)
 		xdg_relabel_all_cache($2)
+		xdg_watch_all_cache_dirs($2)
 		xdg_manage_all_config($2)
 		xdg_relabel_all_config($2)
+		xdg_watch_all_config_dirs($2)
 		xdg_manage_all_data($2)
 		xdg_relabel_all_data($2)
+		xdg_watch_all_data_dirs($2)
 
 		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`
 
 		xdg_manage_documents($2)
 		xdg_relabel_documents($2)
+		xdg_watch_documents_dirs($2)
 		xdg_manage_downloads($2)
 		xdg_relabel_downloads($2)
+		xdg_watch_downloads_dirs($2)
 		xdg_manage_music($2)
 		xdg_relabel_music($2)
+		xdg_watch_music_dirs($2)
 		xdg_manage_pictures($2)
 		xdg_relabel_pictures($2)
+		xdg_watch_pictures_dirs($2)
 		xdg_manage_videos($2)
 		xdg_relabel_videos($2)
+		xdg_watch_videos_dirs($2)
 
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
 	')
 
 	# Read per user fonts
-	allow $1 user_fonts_t:dir list_dir_perms;
+	allow $1 user_fonts_t:dir { list_dir_perms watch };
 	allow $1 user_fonts_t:file { map read_file_perms };
 
 	# Manipulate the global font cache
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 47330a48..f11fee25 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',`
 	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
 ')
 
+########################################
+## <summary>
+##	Watch fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_watch_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	allow $1 fonts_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read fonts.
@@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
 	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
 ')
 
+########################################
+## <summary>
+##	Watch public files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_watch_public_dirs',`
+	gen_require(`
+		type public_content_rw_t;
+	')
+
+	allow $1 public_content_rw_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read TeX data
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dd555850..0ffa000f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',`
 	# cjp: this should probably be removed:
 	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
+	allow $2 { user_home_t user_home_dir_t }:dir watch;
+
 	userdom_manage_user_certs($2)
 	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
 
@@ -618,6 +620,8 @@ template(`userdom_common_user_template',`
 	files_read_var_lib_files($1_t)
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
+	files_watch_etc_dirs($1_t)
+	files_watch_usr_dirs($1_t)
 
 	fs_rw_cgroup_files($1_t)
 
@@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', `
 	files_exec_usr_files($1_t)
 
 	miscfiles_manage_public_files($1_t)
+	miscfiles_watch_public_dirs($1_t)
 
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 11fc4306..82304241 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_cache_dirs',`
+	gen_require(`
+		type xdg_cache_t;
+	')
+
+	allow $1 xdg_cache_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_cache_dirs',`
+	gen_require(`
+		attribute xdg_cache_type;
+	')
+
+	allow $1 xdg_cache_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg cache home files
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg config home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_config_dirs',`
+	gen_require(`
+		type xdg_config_t;
+	')
+
+	allow $1 xdg_config_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg config home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_config_dirs',`
+	gen_require(`
+		attribute xdg_config_type;
+	')
+
+	allow $1 xdg_config_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg config home files
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_data_dirs',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	allow $1 xdg_data_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_data_dirs',`
+	gen_require(`
+		attribute xdg_data_type;
+	')
+
+	allow $1 xdg_data_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg data home files
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg documents home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_documents_dirs',`
+	gen_require(`
+		type xdg_documents_t;
+	')
+
+	allow $1 xdg_documents_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Create objects in the user home dir with an automatic type transition to
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg downloads home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_downloads_dirs',`
+	gen_require(`
+		type xdg_downloads_t;
+	')
+
+	allow $1 xdg_downloads_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read downloaded content
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg pictures home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_pictures_dirs',`
+	gen_require(`
+		type xdg_pictures_t;
+	')
+
+	allow $1 xdg_pictures_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user pictures content
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg music home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_music_dirs',`
+	gen_require(`
+		type xdg_music_t;
+	')
+
+	allow $1 xdg_music_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user music content
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg video content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_videos_dirs',`
+	gen_require(`
+		type xdg_videos_t;
+	')
+
+	allow $1 xdg_videos_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user video content
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 08/10] dbus: add watch perms
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (5 preceding siblings ...)
  2020-02-16  8:54 ` [PATCH 07/10] userdomain: Add watch on home dirs Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  2020-02-16  8:54 ` [PATCH 09/10] chromium: watch etc dirs Jason Zaman
  2020-02-16  8:54 ` [PATCH 10/10] gpg: add watch perms for agent Jason Zaman
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
---
 policy/modules/services/dbus.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4e395f7f..6f9835c6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,6 +219,7 @@ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
 allow session_bus_type dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+allow session_bus_type dbusd_etc_t:dir watch;
 
 manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
 manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
@@ -258,6 +259,7 @@ domain_use_interactive_fds(session_bus_type)
 
 files_list_home(session_bus_type)
 files_read_usr_files(session_bus_type)
+files_watch_usr_dirs(session_bus_type)
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 09/10] chromium: watch etc dirs
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (6 preceding siblings ...)
  2020-02-16  8:54 ` [PATCH 08/10] dbus: add watch perms Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  2020-02-16  8:54 ` [PATCH 10/10] gpg: add watch perms for agent Jason Zaman
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=44464 comm="ThreadPoolForeg" path="/etc" dev="zfs" ino=1436 scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
 policy/modules/apps/chromium.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 255ef557..0e8cc1e5 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -156,6 +156,7 @@ files_search_home(chromium_t)
 files_read_usr_files(chromium_t)
 files_map_usr_files(chromium_t)
 files_read_etc_files(chromium_t)
+files_watch_etc_dirs(chromium_t)
 # During find for /etc/whatever-release we get lots of output otherwise
 files_dontaudit_getattr_all_dirs(chromium_t)
 
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 10/10] gpg: add watch perms for agent
  2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (7 preceding siblings ...)
  2020-02-16  8:54 ` [PATCH 09/10] chromium: watch etc dirs Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  8 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
---
 policy/modules/apps/gpg.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 90508415..d007b6ac 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -229,9 +229,11 @@ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+allow gpg_agent_t gpg_secret_t:dir watch;
 
 manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
 userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+allow gpg_agent_t gpg_runtime_t:dir watch;
 
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 07/10] userdomain: Add watch on home dirs
  2020-02-16  8:54 ` [PATCH 07/10] userdomain: Add watch on home dirs Jason Zaman
@ 2020-02-16 15:48   ` Chris PeBenito
  0 siblings, 0 replies; 13+ messages in thread
From: Chris PeBenito @ 2020-02-16 15:48 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman


On 2/16/20 3:54 AM, Jason Zaman wrote:
 > From: Jason Zaman <perfinion@gentoo.org>
 >
 > avc:  denied  { watch } for  pid=12351 comm="gmain" 
path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" 
dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=12351 comm="gmain" 
path="/home/jason/Desktop" dev="zfs" ino=33153 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=12574 comm="gmain" 
path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=11795 comm="gmain" 
path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=12351 comm="gmain" 
path="/home/jason/downloads/pics" dev="zfs" ino=38173 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
 > ---
 >   policy/modules/services/xserver.if  |  11 +-
 >   policy/modules/system/miscfiles.if  |  37 ++++++
 >   policy/modules/system/userdomain.if |   5 +
 >   policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
 >   4 files changed, 250 insertions(+), 1 deletion(-)


This patch series is matching signed-off-by.

Comments below.  The other patches look mergeable as-is.

 > diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
 > index c95a6b04..6c22b3c6 100644
 > --- a/policy/modules/services/xserver.if
 > +++ b/policy/modules/services/xserver.if
 > @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
 >       dev_rw_usbfs($2)
 >         miscfiles_read_fonts($2)
 > +    miscfiles_watch_fonts($2)
 >         xserver_common_x_domain_template(user, $2)
 >       xserver_domtrans($2)
 > @@ -186,10 +187,13 @@ interface(`xserver_role',`
 >       optional_policy(`
 >           xdg_manage_all_cache($2)
 >           xdg_relabel_all_cache($2)
 > +        xdg_watch_all_cache_dirs($2)
 >           xdg_manage_all_config($2)
 >           xdg_relabel_all_config($2)
 > +        xdg_watch_all_config_dirs($2)
 >           xdg_manage_all_data($2)
 >           xdg_relabel_all_data($2)
 > +        xdg_watch_all_data_dirs($2)
 >             xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 >           xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
 > @@ -203,14 +207,19 @@ interface(`xserver_role',`
 >             xdg_manage_documents($2)
 >           xdg_relabel_documents($2)
 > +        xdg_watch_documents_dirs($2)
 >           xdg_manage_downloads($2)
 >           xdg_relabel_downloads($2)
 > +        xdg_watch_downloads_dirs($2)
 >           xdg_manage_music($2)
 >           xdg_relabel_music($2)
 > +        xdg_watch_music_dirs($2)
 >           xdg_manage_pictures($2)
 >           xdg_relabel_pictures($2)
 > +        xdg_watch_pictures_dirs($2)
 >           xdg_manage_videos($2)
 >           xdg_relabel_videos($2)
 > +        xdg_watch_videos_dirs($2)
 >             xdg_cache_filetrans($2, mesa_shader_cache_t, dir, 
"mesa_shader_cache")
 >       ')
 > @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
 >       ')
 >         # Read per user fonts
 > -    allow $1 user_fonts_t:dir list_dir_perms;
 > +    allow $1 user_fonts_t:dir { list_dir_perms watch };
 >       allow $1 user_fonts_t:file { map read_file_perms };
 >         # Manipulate the global font cache
 > diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
 > index 47330a48..f11fee25 100644
 > --- a/policy/modules/system/miscfiles.if
 > +++ b/policy/modules/system/miscfiles.if
 > @@ -252,6 +252,25 @@ 
interface(`miscfiles_manage_generic_tls_privkey_files',`
 >       read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch fonts.
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +## <rolecap/>
 > +#
 > +interface(`miscfiles_watch_fonts',`

miscfiles_watch_fonts_dirs


 > +    gen_require(`
 > +        type fonts_t;
 > +    ')
 > +
 > +    allow $1 fonts_t:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read fonts.
 > @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
 >       manage_lnk_files_pattern($1, public_content_rw_t, 
public_content_rw_t)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch public files
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`miscfiles_watch_public_dirs',`
 > +    gen_require(`
 > +        type public_content_rw_t;
 > +    ')
 > +
 > +    allow $1 public_content_rw_t:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read TeX data
 > diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
 > index dd555850..0ffa000f 100644
 > --- a/policy/modules/system/userdomain.if
 > +++ b/policy/modules/system/userdomain.if
 > @@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',`
 >       # cjp: this should probably be removed:
 >       allow $2 user_home_dir_t:dir { manage_dir_perms 
relabel_dir_perms };
 >   +    allow $2 { user_home_t user_home_dir_t }:dir watch;

The user_home_t access should probably be increased to all the 
non-device file classes and probably should apply to all user content 
too.  I don't have a problem with a userdomain watching anything in 
their home dir.

Please add similar access to the ro home role too.  While it might be ro 
to the user, it could be changed by other means.


 >       userdom_manage_user_certs($2)
 >       userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
 >   @@ -618,6 +620,8 @@ template(`userdom_common_user_template',`
 >       files_read_var_lib_files($1_t)
 >       # Stat lost+found.
 >       files_getattr_lost_found_dirs($1_t)
 > +    files_watch_etc_dirs($1_t)
 > +    files_watch_usr_dirs($1_t)
 >         fs_rw_cgroup_files($1_t)
 >   @@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', `
 >       files_exec_usr_files($1_t)
 >         miscfiles_manage_public_files($1_t)
 > +    miscfiles_watch_public_dirs($1_t)
 >         tunable_policy(`user_dmesg',`
 >           kernel_read_ring_buffer($1_t)
 > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
 > index 11fc4306..82304241 100644
 > --- a/policy/modules/system/xdg.if
 > +++ b/policy/modules/system/xdg.if
 > @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg cache home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_cache_dirs',`
 > +    gen_require(`
 > +        type xdg_cache_t;
 > +    ')
 > +
 > +    allow $1 xdg_cache_t:dir watch;
 > +')
 > +
 > +########################################
 > +## <summary>
 > +##    Watch all the xdg cache home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_all_cache_dirs',`
 > +    gen_require(`
 > +        attribute xdg_cache_type;
 > +    ')
 > +
 > +    allow $1 xdg_cache_type:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read the xdg cache home files
 > @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg config home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_config_dirs',`
 > +    gen_require(`
 > +        type xdg_config_t;
 > +    ')
 > +
 > +    allow $1 xdg_config_t:dir watch;
 > +')
 > +
 > +########################################
 > +## <summary>
 > +##    Watch all the xdg config home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_all_config_dirs',`
 > +    gen_require(`
 > +        attribute xdg_config_type;
 > +    ')
 > +
 > +    allow $1 xdg_config_type:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read the xdg config home files
 > @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg data home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_data_dirs',`
 > +    gen_require(`
 > +        type xdg_data_t;
 > +    ')
 > +
 > +    allow $1 xdg_data_t:dir watch;
 > +')
 > +
 > +########################################
 > +## <summary>
 > +##    Watch all the xdg data home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_all_data_dirs',`
 > +    gen_require(`
 > +        attribute xdg_data_type;
 > +    ')
 > +
 > +    allow $1 xdg_data_type:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read the xdg data home files
 > @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg documents home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_documents_dirs',`
 > +    gen_require(`
 > +        type xdg_documents_t;
 > +    ')
 > +
 > +    allow $1 xdg_documents_t:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Create objects in the user home dir with an automatic type 
transition to
 > @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg downloads home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_downloads_dirs',`
 > +    gen_require(`
 > +        type xdg_downloads_t;
 > +    ')
 > +
 > +    allow $1 xdg_downloads_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read downloaded content
 > @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg pictures home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_pictures_dirs',`
 > +    gen_require(`
 > +        type xdg_pictures_t;
 > +    ')
 > +
 > +    allow $1 xdg_pictures_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read user pictures content
 > @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg music home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_music_dirs',`
 > +    gen_require(`
 > +        type xdg_music_t;
 > +    ')
 > +
 > +    allow $1 xdg_music_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read user music content
 > @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg video content
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_videos_dirs',`
 > +    gen_require(`
 > +        type xdg_videos_t;
 > +    ')
 > +
 > +    allow $1 xdg_videos_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read user video content
 >


-- 
Chris PeBenito

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 03/10] accountsd: Add watch perms
  2020-02-16 20:03 ` [PATCH 03/10] accountsd: Add watch perms Jason Zaman
@ 2020-02-17 18:27   ` Chris PeBenito
  0 siblings, 0 replies; 13+ messages in thread
From: Chris PeBenito @ 2020-02-17 18:27 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/accountsd.te |  2 ++
>   policy/modules/system/logging.if     | 18 ++++++++++++++++++
>   2 files changed, 20 insertions(+)
> 
> diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
> index 9bf5962a..2e13e943 100644
> --- a/policy/modules/services/accountsd.te
> +++ b/policy/modules/services/accountsd.te
> @@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
>   
>   files_read_mnt_files(accountsd_t)
>   files_read_usr_files(accountsd_t)
> +files_watch_etc_dirs(accountsd_t)
>   
>   fs_getattr_xattr_fs(accountsd_t)
>   fs_list_inotifyfs(accountsd_t)
> @@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
>   logging_list_logs(accountsd_t)
>   logging_send_syslog_msg(accountsd_t)
>   logging_set_loginuid(accountsd_t)
> +logging_watch_generic_logs_dir(accountsd_t)
>   
>   userdom_read_user_tmp_files(accountsd_t)
>   userdom_read_user_home_content_files(accountsd_t)
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 9c7a0dba..b2bba984 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
>   	manage_files_pattern($1, var_log_t, var_log_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch generic log dirs.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_watch_generic_logs_dir',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	allow $1 var_log_t:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	All of the rules required to administrate

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 03/10] accountsd: Add watch perms
  2020-02-16 20:03 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
@ 2020-02-16 20:03 ` Jason Zaman
  2020-02-17 18:27   ` Chris PeBenito
  0 siblings, 1 reply; 13+ messages in thread
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/accountsd.te |  2 ++
 policy/modules/system/logging.if     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
 files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
 logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)
 
 userdom_read_user_tmp_files(accountsd_t)
 userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
 	manage_files_pattern($1, var_log_t, var_log_t)
 ')
 
+########################################
+## <summary>
+##	Watch generic log dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-- 
2.24.1


^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, back to index

Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-16  8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
2020-02-16  8:54 ` [PATCH 02/10] udev: Add watch perms Jason Zaman
2020-02-16  8:54 ` [PATCH 03/10] accountsd: " Jason Zaman
2020-02-16  8:54 ` [PATCH 04/10] cron: watch cron spool Jason Zaman
2020-02-16  8:54 ` [PATCH 05/10] colord: add watch perms Jason Zaman
2020-02-16  8:54 ` [PATCH 06/10] policykit devicekit: Add " Jason Zaman
2020-02-16  8:54 ` [PATCH 07/10] userdomain: Add watch on home dirs Jason Zaman
2020-02-16 15:48   ` Chris PeBenito
2020-02-16  8:54 ` [PATCH 08/10] dbus: add watch perms Jason Zaman
2020-02-16  8:54 ` [PATCH 09/10] chromium: watch etc dirs Jason Zaman
2020-02-16  8:54 ` [PATCH 10/10] gpg: add watch perms for agent Jason Zaman
2020-02-16 20:03 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
2020-02-16 20:03 ` [PATCH 03/10] accountsd: Add watch perms Jason Zaman
2020-02-17 18:27   ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git