SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Russell Coker <russell@coker.com.au>
To: "Sugar, David" <dsugar@tresys.com>
Cc: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd
Date: Sat, 13 Apr 2019 12:33:25 +1000
Message-ID: <2319520.MOiGnKPAe5@liv> (raw)
In-Reply-To: <20190412193917.23886-4-dsugar@tresys.com>

What is netlink_kobject_uevent_socket?  Do we have a place we can document 
this sort of thing to make it easier to determine whether access is required 
and what the implications of such access are?

On Saturday, 13 April 2019 5:39:32 AM AEST Sugar, David wrote:
> type=AVC msg=audit(1554983723.772:784): avc:  denied  { create } for 
> pid=8123 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0
> tcontext=system_u:system_r:plymouthd_t:s0
> tclass=netlink_kobject_uevent_socket permissive=0
 
> type=AVC msg=audit(1555070131.882:1648): avc:  denied  { getattr } for 
> pid=8634 comm="plymouthd" path="/run/udev/data/c226:0" dev="tmpfs"
> ino=29946 scontext=system_u:system_r:plymouthd_t:s0
> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1555070131.903:1652): avc:  denied  { open } for 
> pid=8634 comm="plymouthd" path="/run/udev/data/+drm:card0-DP-1" dev="tmpfs"
> ino=31856 scontext=system_u:system_r:plymouthd_t:s0
> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1555070131.903:1652): avc:  denied  { read } for 
> pid=8634 comm="plymouthd" name="+drm:card0-DP-1" dev="tmpfs" ino=31856
> scontext=system_u:system_r:plymouthd_t:s0
> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/services/plymouthd.te | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/policy/modules/services/plymouthd.te
> b/policy/modules/services/plymouthd.te
 index 835ee035..6352375d 100644
> --- a/policy/modules/services/plymouthd.te
> +++ b/policy/modules/services/plymouthd.te
> @@ -38,6 +38,7 @@ dontaudit plymouthd_t self:capability dac_override;
>  allow plymouthd_t self:capability2 block_suspend;
>  allow plymouthd_t self:process { signal getsched };
>  allow plymouthd_t self:fifo_file rw_fifo_file_perms;
> +dontaudit plymouthd_t self:netlink_kobject_uevent_socket create;
>  allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
>  
>  manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
> @@ -87,6 +88,10 @@ optional_policy(`
>  	gnome_read_generic_home_content(plymouthd_t)
>  ')
>  
> +optional_policy(`
> +	udev_dontaudit_rw_pid_files(plymouthd_t)
> +')
> +
>  optional_policy(`
>  	sssd_stream_connect(plymouthd_t)
>  ')
> -- 
> 2.20.1
> 


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




  reply index

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-12 19:39 [PATCH 0/3] Resolve issues with plymouth in enforcing Sugar, David
2019-04-12 19:39 ` [PATCH 1/3] Allow xdm (lightdm) execute plymouth Sugar, David
2019-04-17  2:49   ` Sugar, David
2019-04-23 22:31   ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 2/3] Changes to support plymouth working in enforcing Sugar, David
2019-04-13  2:43   ` Russell Coker
2019-04-13  3:23     ` Sugar, David
2019-04-13  4:24       ` Russell Coker
2019-04-13  7:51         ` Dominick Grift
2019-04-17  2:51           ` Sugar, David
2019-04-23 22:31   ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd Sugar, David
2019-04-13  2:33   ` Russell Coker [this message]
2019-04-13  3:26     ` Sugar, David
2019-04-13  4:24       ` Russell Coker
2019-04-13  7:54         ` Dominick Grift
2019-04-17  2:53           ` Sugar, David
2019-04-14 17:49     ` Chris PeBenito

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2319520.MOiGnKPAe5@liv \
    --to=russell@coker.com.au \
    --cc=dsugar@tresys.com \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox