From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001 
From: Zdenek Pytela Date: Fri, 9 Sep 2022 09:33:18 +0200 Subject: [PATCH] Allow login_userdomain watch various directories The inotify_add_watch(2) syscalls are called by plasmashell and some other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings). Addresses the following AVC denials examples: type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc: denied { watch } for pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004 type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username 
fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc: denied { watch } for pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces were added.
Signed-off-by: lujie42
---
policy/modules/contrib/rpc.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.te | 13 +++++++++++++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 0c6410612..b234bca58 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',`
 manage_files_pattern($1, exports_t, exports_t)
 ')
 
+########################################
+##
+## Watch nfs file exports
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpc_watch_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 exports_t:file watch_file_perms;
+')
+
 ########################################
 ##
 ## Execute domain in nfsd domain.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8ffd4988f..f669f866c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
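Review bot: The new `rpc_watch_exports` interface is not evidenced by anything in the commit message: both AVC examples are directory watches on root_t and unlabeled_t, while this hunk grants watch_file_perms on the exports_t file. Please record in the message which of the listed processes issues the watch on the exports file, or add its denial, so the grant can be revisited later. The body is consistent with `rpc_manage_exports` above it in using exports_t, and calling `files_search_etc($1)` before the `allow $1 exports_t:file watch_file_perms;` line is the right pattern.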
@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',`
 allow $1 unlabeled_t:file rw_file_perms;
 ')
 
+########################################
+##
+## Watch unlabeled directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_watch_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir watch_dir_perms;
+')
+
 ########################################
 ##
 ## Do not audit attempts by caller to get the
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5576a97cb..1cf86a09e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',`
 allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
 ')
 
+kernel_watch_unlabeled_dirs(login_userdomain)
+
+auth_watch_passwd(login_userdomain)
+
+corecmd_watch_bin_dirs(login_userdomain)
+
 dev_watch_generic_dirs(login_userdomain)
 
 files_map_var_lib_files(login_userdomain)
 files_read_var_lib_symlinks(login_userdomain)
 files_watch_etc_dirs(login_userdomain)
 files_watch_etc_files(login_userdomain)
+files_watch_root_dirs(login_userdomain)
 files_watch_system_conf_dirs(login_userdomain)
 files_watch_usr_dirs(login_userdomain)
 files_watch_usr_files(login_userdomain)
@@ -441,10 +448,16 @@ optional_policy(`
 pkcs_tmpfs_named_filetrans(login_userdomain)
 ')
 
+optional_policy(`
+ rpc_watch_exports(login_userdomain)
+')
+
+
 optional_policy(`
 systemd_login_watch_pid_dirs(login_userdomain)
 systemd_login_watch_session_dirs(login_userdomain)
 systemd_machined_watch_pid_dirs(login_userdomain)
+ systemd_resolved_watch_pid_dirs(login_userdomain)
 ')
 
 ############################################################
-- 
2.27.0
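Review bot: `kernel_watch_unlabeled_dirs` hands out a permission on unlabeled_t, which is the type of every directory without a valid label (media without labels, as in the dolphin denial, but also objects whose type no longer exists in the loaded policy), and its summary should say so rather than just `Watch unlabeled directories.`; suggested: `## Watch unlabeled directories (directories carrying no valid label, e.g. on media without labeling support).`. If `watch_dir_perms` expands to more than `watch` in this tree (check its definition in the support macros; the other *_dir_perms sets bundle getattr/open/search), the summary should state that too, since a caller reading the interface name will assume only inotify access is granted.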
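Review bot: `kernel_watch_unlabeled_dirs(login_userdomain)` in the first userdomain.te hunk gives every login user domain unconditional access to all unlabeled_t directories, while the motivating denial is one removable-media mount under /run/media whose root carried no label; because unlabeled_t also covers anything whose label became invalid, this widens what user domains may reach beyond what the policy can otherwise reason about. Consider whether the medium should instead get a label (a `context=` mount option, or relabeling it) so the regular removable-media rules apply, and if the grant stays, put a comment above the call naming the case it serves, e.g. `# file managers (dolphin) inotify-watch the root of removable media that carries no label`. Separately, `auth_watch_passwd` sits between the kernel_ and corecmd_ calls; if this block follows the layer ordering the surrounding context shows (kernel-layer dev_/files_ calls grouped together), the auth_ call belongs after the files_ lines.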
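Review bot: In the second userdomain.te hunk the new rpc optional_policy block is followed by two added blank lines (`+')`, `+`, `+`, as far as the collapsed hunk and its +6 count can be read) before the existing systemd block, leaving a double blank line in the file where a single one separates the other optional_policy blocks. Drop one of the two `+` lines.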