From 8d05aa803e762d2e982af0c2dc7ce2176b7f2d3b Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 11 Sep 2024 13:29:09 +0200 Subject: [PATCH] Confine gnome-remote-desktop - add new gnome_remote_desktop_t port mapping for tcp 3389-3399 - add file type for /var/lib/gnome-remote-desktop(/.*)? - add new domain and transition for /usr/libexec/gnome-remote-desktop-daemon Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2271661 --- policy/modules.conf | 7 + policy/modules/contrib/dbus.te | 4 + .../modules/contrib/gnome_remote_desktop.fc | 3 + .../modules/contrib/gnome_remote_desktop.if | 178 ++++++++++++++++++ .../modules/contrib/gnome_remote_desktop.te | 73 +++++++ policy/modules/kernel/corenetwork.te.in | 1 + policy/modules/services/xserver.te | 6 + 7 files changed, 272 insertions(+) create mode 100644 policy/modules/contrib/gnome_remote_desktop.fc create mode 100644 policy/modules/contrib/gnome_remote_desktop.if create mode 100644 policy/modules/contrib/gnome_remote_desktop.te diff --git a/policy/modules.conf b/policy/modules.conf index fff932e252..4212881a76 100644 --- a/policy/modules.conf +++ b/policy/modules.conf @@ -1086,6 +1086,13 @@ glusterd = module # gnome = module +# Layer: apps +# Module: gnome_remote_desktop +# +# gnome-remote-desktop +# +gnome_remote_desktop = module + # Layer: apps # Module: gpg # diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index 73a0373aba..2c73880a91 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -410,3 +410,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg; kernel_stream_connect(session_bus_type) systemd_login_read_pid_files(session_bus_type) + +optional_policy(` + gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t) +') diff --git a/policy/modules/contrib/gnome_remote_desktop.fc b/policy/modules/contrib/gnome_remote_desktop.fc new file mode 100644 index 0000000000..fcb60f6808 --- /dev/null +++ b/policy/modules/contrib/gnome_remote_desktop.fc 
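Review bot: The new `gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t)` call gives the system bus daemon read/write on every TCP socket owned by gnome_remote_desktop_t, and neither the hunk nor the commit message says why dbus-daemon needs that. If it is only there so the RDP connection descriptors can be passed over the bus, a comment naming the call that carries the fd would let a later reviewer judge whether the whole rw_socket_perms set is required, e.g. `# gnome-remote-desktop hands its RDP connection sockets over the system bus (fd passing)` above the call, adjusted to the AVC that was actually seen. It is also worth confirming the denial was collected from the daemon's real behaviour and not only from a permissive run, since a permissive domain logs every access it would have been denied, including ones that only happen because an earlier access was not stopped.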
@@ -0,0 +1,3 @@
+/usr/libexec/gnome-remote-desktop-daemon -- gen_context(system_u:object_r:gnome_remote_desktop_exec_t,s0)
+
+/var/lib/gnome-remote-desktop(/.*)? gen_context(system_u:object_r:gnome_remote_desktop_var_lib_t,s0)
diff --git a/policy/modules/contrib/gnome_remote_desktop.if b/policy/modules/contrib/gnome_remote_desktop.if
new file mode 100644
index 0000000000..68f7986ed0
--- /dev/null
+++ b/policy/modules/contrib/gnome_remote_desktop.if
@@ -0,0 +1,178 @@ + +## policy for gnome_remote_desktop + +######################################## +## +## Execute gnome_remote_desktop_exec_t in the gnome_remote_desktop domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gnome_remote_desktop_domtrans',` + gen_require(` + type gnome_remote_desktop_t, gnome_remote_desktop_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gnome_remote_desktop_exec_t, gnome_remote_desktop_t) +') + +###################################### +## +## Execute gnome_remote_desktop in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_exec',` + gen_require(` + type gnome_remote_desktop_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, gnome_remote_desktop_exec_t) +') + +######################################## +## +## Search gnome_remote_desktop lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_search_lib',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + allow $1 gnome_remote_desktop_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read gnome_remote_desktop lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_read_lib_files',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +') + +######################################## +## +## Manage gnome_remote_desktop lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_manage_lib_files',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +') + +######################################## +## +## Manage gnome_remote_desktop lib directories. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_manage_lib_dirs',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +') + + +######################################## +## +## All of the rules required to administrate +## an gnome_remote_desktop environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`gnome_remote_desktop_admin',` + gen_require(` + type gnome_remote_desktop_t; + type gnome_remote_desktop_var_lib_t; + ') + + allow $1 gnome_remote_desktop_t:process { signal_perms }; + ps_process_pattern($1, gnome_remote_desktop_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 gnome_remote_desktop_t:process ptrace; + ') + + files_search_var_lib($1) + admin_pattern($1, gnome_remote_desktop_var_lib_t) + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +## +## Read and write to TCP socket +## +## +##

+## Allow the specified domain to read and write to +## gnome_remote_desktop_port_t TCP socket +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_rw_tcp_sockets', ` + gen_require(` + type gnome_remote_desktop_t; + ') + + allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/contrib/gnome_remote_desktop.te b/policy/modules/contrib/gnome_remote_desktop.te new file mode 100644 index 0000000000..e3d0514bea --- /dev/null +++ b/policy/modules/contrib/gnome_remote_desktop.te 
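Review bot: The description of `gnome_remote_desktop_rw_tcp_sockets` says it allows read/write on a `gnome_remote_desktop_port_t` TCP socket, but the only rule it emits is `allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms;`, so what it actually grants is access to TCP sockets labelled gnome_remote_desktop_t — by default the sockets created by that process — regardless of which port they are bound to, and the port type is never referenced. The summary should read `Allow the specified domain to read and write TCP sockets owned by the gnome_remote_desktop_t domain` so callers are not led to think the grant is scoped to the RDP port. Two style nits in the same hunk: the space in `interface(`gnome_remote_desktop_rw_tcp_sockets', `` and the doubled blank line before the gnome_remote_desktop_admin banner differ from every other interface in this file.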
@@ -0,0 +1,73 @@
+policy_module(gnome_remote_desktop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnome_remote_desktop_t;
+type gnome_remote_desktop_exec_t;
+domain_type(gnome_remote_desktop_t)
+domain_entry_file(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+role system_r types gnome_remote_desktop_t;
+
+permissive gnome_remote_desktop_t;
+
+type gnome_remote_desktop_var_lib_t;
+files_type(gnome_remote_desktop_var_lib_t)
+
+########################################
+#
+# gnome_remote_desktop local policy
+#
+
+kernel_dgram_send(gnome_remote_desktop_t)
+
+manage_dirs_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+manage_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+manage_lnk_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+files_var_lib_filetrans(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, { dir file lnk_file })
+
+#============= gnome_remote_desktop_t ==============
+corenet_tcp_bind_gnome_remote_desktop_port(gnome_remote_desktop_t)
+allow gnome_remote_desktop_t self:tcp_socket create_stream_socket_perms;
+allow gnome_remote_desktop_t self:unix_dgram_socket create_socket_perms;
+
+domain_use_interactive_fds(gnome_remote_desktop_t)
+
+files_read_etc_files(gnome_remote_desktop_t)
+
+corenet_tcp_bind_generic_node(gnome_remote_desktop_t)
+dev_read_sysfs(gnome_remote_desktop_t)
+files_watch_usr_dirs(gnome_remote_desktop_t)
+fs_getattr_cgroup(gnome_remote_desktop_t)
+fs_getattr_xattr_fs(gnome_remote_desktop_t)
+init_read_state(gnome_remote_desktop_t)
+
+optional_policy(`
+ dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+')
+
+optional_policy(`
+ kerberos_read_config(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ logging_write_syslog_pid_socket(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ miscfiles_read_certs(gnome_remote_desktop_t)
+ miscfiles_read_localization(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ systemd_login_list_pid_dirs(gnome_remote_desktop_t)
+ systemd_login_read_pid_files(gnome_remote_desktop_t)
+ systemd_read_logind_sessions_files(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(gnome_remote_desktop_t)
+ xserver_read_xdm_state(gnome_remote_desktop_t)
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c570c29078..c88d967c08 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -186,6 +186,7 @@ network_port(git, tcp,9418,s0, udp,9418,s0)
 network_port(glance, tcp,9292,s0, udp,9292,s0)
 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
 network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
+network_port(gnome_remote_desktop, tcp,3389-3399,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fade794377..d22e0e7128 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1857,3 +1857,9 @@ tunable_policy(`selinuxuser_direct_dri_enabled',`
 ',`
 dev_dontaudit_rw_dri(dridomain)
 ')
+
+#============= xdm_t ==============
+optional_policy(`
+ gnome_remote_desktop_rw_tcp_sockets(xdm_t)
+ dev_rw_dma_dev(xdm_t)
+')
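Review bot: `permissive gnome_remote_desktop_t;` means the new domain is not enforced at all — every access it attempts is allowed and only logged — so despite the subject line the daemon is not actually confined until that line is removed. Shipping a new domain permissive to gather denials is normal practice, but the commit message should say so and the line deserves a marker such as `# TODO: drop once the domain has been exercised in enforcing mode` so it is not forgotten. Separately, the only domain transition visible here is the one `dbus_system_domain` sets up from the system bus; if the daemon is also launched as a systemd system service the exec would presumably remain in init_t without an `init_daemon_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)` call, which is worth checking against the unit files the package ships. The `#============= gnome_remote_desktop_t ==============` separator is audit2allow output rather than refpolicy style and can go.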
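Review bot: `dev_rw_dma_dev(xdm_t)` is an unrelated grant placed inside the optional_policy block that exists for the gnome_remote_desktop module: judging by its name it gives the display-manager domain read/write on DMA device nodes whether or not gnome-remote-desktop is installed, and neither the commit message nor a comment says which denial motivated it. If xdm_t needs it on its own it should move out of the optional_policy block to the existing xdm_t rules with its own justification; if it is only needed when gnome-remote-desktop shares buffers with the display manager, a comment such as `# needed when gnome-remote-desktop exchanges DMA buffers with the display manager` (checked against the actual AVC) should sit above it. The `#============= xdm_t ==============` line is audit2allow output rather than refpolicy convention, and the block lands at the very end of the file far from the other xdm_t rules.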