packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-login_userdomain-watch-various-directories.patch
lujie42 8f5a7284a7 update upstream patches
2022-11-28 10:41:07 +08:00

134 lines
5.6 KiB
Diff
Raw Blame History

From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Sep 2022 09:33:18 +0200
Subject: [PATCH] Allow login_userdomain watch various directories
The inotify_add_watch(2) syscalls are called by plasmashell and some
other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings).
Addresses the following AVC denials examples:
type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn
type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc: denied { watch } for pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004
type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc: denied { watch } for pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces
were added.
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/rpc.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.te | 13 +++++++++++++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 0c6410612..b234bca58 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',`
manage_files_pattern($1, exports_t, exports_t)
')
+########################################
+## <summary>
+## Watch nfs file exports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_watch_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 exports_t:file watch_file_perms;
+')
+
########################################
## <summary>
## Execute domain in nfsd domain.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8ffd4988f..f669f866c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',`
allow $1 unlabeled_t:file rw_file_perms;
')
+########################################
+## <summary>
+## Watch unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_watch_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir watch_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts by caller to get the
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5576a97cb..1cf86a09e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',`
allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
')
+kernel_watch_unlabeled_dirs(login_userdomain)
+
+auth_watch_passwd(login_userdomain)
+
+corecmd_watch_bin_dirs(login_userdomain)
+
dev_watch_generic_dirs(login_userdomain)
files_map_var_lib_files(login_userdomain)
files_read_var_lib_symlinks(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_etc_files(login_userdomain)
+files_watch_root_dirs(login_userdomain)
files_watch_system_conf_dirs(login_userdomain)
files_watch_usr_dirs(login_userdomain)
files_watch_usr_files(login_userdomain)
@@ -441,10 +448,16 @@ optional_policy(`
pkcs_tmpfs_named_filetrans(login_userdomain)
')
+optional_policy(`
+ rpc_watch_exports(login_userdomain)
+')
+
+
optional_policy(`
systemd_login_watch_pid_dirs(login_userdomain)
systemd_login_watch_session_dirs(login_userdomain)
systemd_machined_watch_pid_dirs(login_userdomain)
+ systemd_resolved_watch_pid_dirs(login_userdomain)
')
############################################################
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink