commit:     fe73a7e41325536c918f4da90cf251b731d37824
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Dec 12 02:15:24 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe73a7e4

Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t 
(user_runtime_content_type)

Set up the type xdm_runtime_t for files and directories that xdm_t creates in
/run/user/%{USERID}/, and use a filetrans to transition from user_runtime_t to this
private type.

type=AVC msg=audit(1511962167.495:64): avc:  denied  { write } for  pid=1137 
comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc:  denied  { add_name } for  pid=1137 
comm="at-spi-bus-laun" name="dconf" 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc:  denied  { create } for  pid=1137 
comm="at-spi-bus-laun" name="dconf" 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc:  denied  { create } for  pid=1137 
comm="at-spi-bus-laun" name="user" 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc:  denied  { read write open } for  
pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" 
ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc:  denied  { read write } for  
pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc:  denied  { open } for  pid=1614 
comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc:  denied  { read write } for  
pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc:  denied  { open } for  pid=1784 
comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc:  denied  { read write } for  
pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc:  denied  { open } for  pid=1877 
comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:user_runtime_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/services/xserver.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index efd965a7..6564c7f4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -186,6 +186,10 @@ files_type(xdm_var_lib_t)
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
+# type for /run/user/%{USERID}/*
+type xdm_runtime_t;
+userdom_user_runtime_content(xdm_runtime_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 typealias xdm_tmp_t alias ice_tmp_t;
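Review bot: The comment `# type for /run/user/%{USERID}/*` over-describes the new type: xdm_runtime_t only labels content that xdm_t itself creates under the user runtime directory (via the filetrans added later in this commit), not the whole tree, which otherwise stays user_runtime_t. Suggest `# type for content xdm_t creates under /run/user/%{USERID}/ (e.g. dconf)`. Since /run/user is tmpfs and no .fc entry is added, the filetrans is the only thing that ever assigns this label, so it is worth stating that here so nobody expects restorecon to fix a mislabel. The name also sits next to the existing xdm_var_run_t for /run content; a short note distinguishing the two would help readers.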
@@ -345,6 +349,10 @@ files_lock_filetrans(xdm_t, xdm_lock_t, file)
 # this is ugly, daemons should not create files under /etc!
 manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
 
+# files in /run/user/%{USERID}/*
+manage_dirs_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
+manage_files_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
+
 manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
@@ -493,6 +501,7 @@ userdom_create_all_users_keys(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir)
 
 # for .dmrc: this was used by the Gnome Display Manager (gdm)
 # and it is now obsolete in Gnome3
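Review bot: The new `userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir)` is not filename-qualified, so every directory xdm_t creates directly in a user's runtime directory becomes xdm_runtime_t, which is broader than the evidence in the AVCs (only `dconf` is created there) and could relabel directories a user session expects to be user_runtime_t. If the interface accepts the optional filename argument like the other *_filetrans interfaces, restrict it: `userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir, "dconf")`. Files created directly in /run/user/%{USERID}/ (not inside dconf) are still not transitioned; that matches the AVCs, which only show the `user` file inside the dconf directory, so a comment stating this is deliberate would avoid a later "fix" adding an unqualified file transition.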
