From f5bd2a768aa0e99b5f5fa4dd98c249fc19a41a54 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 4 Sep 2024 18:30:13 +0200
Subject: [PATCH 1/9] Update bootupd policy when ESP is not mounted
bootupd needs to check if device exists before mounting it, then uses "cp -a" to update the bootloader.
The commit addresses the following AVC denials:
type=AVC msg=audit(1725385838.182:370): avc: denied { getattr } for pid=3034 comm="bootupctl" path="/dev/vda1" dev="devtmpfs" ino=311 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1725385843.983:373): avc: denied { setfscreate } for pid=3046 comm="cp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:bootupd_t:s0 tclass=process permissive=1
Resolves: https://github.com/fedora-selinux/selinux-policy/issues/2341
---
 policy/modules/contrib/bootupd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te
index f4fb56f610..f86ed6efed 100644
--- a/policy/modules/contrib/bootupd.te
+++ b/policy/modules/contrib/bootupd.te
@@ -20,7 +20,7 @@ files_pid_file(bootupd_var_run_t)
 # bootupd local policy
 #
 allow bootupd_t self:capability { setgid setuid };
-allow bootupd_t self:process { fork setpgid };
+allow bootupd_t self:process { fork setfscreate setpgid };
 allow bootupd_t self:fifo_file rw_fifo_file_perms;
 allow bootupd_t self:unix_dgram_socket create_socket_perms;
 allow bootupd_t self:unix_stream_socket create_stream_socket_perms;
@@ -46,6 +46,8 @@ fs_manage_dos_dirs(bootupd_t)
 fs_manage_dos_files(bootupd_t)
 fs_search_efivarfs_dirs(bootupd_t)
+storage_getattr_fixed_disk_dev(bootupd_t)
+
 optional_policy(`
 bootloader_domtrans(bootupd_t)
 ')
From d62b0d353cb8d537e8673b32a943ef2279f0c54a Mon Sep 17 00:00:00 2001
From: krishjainx
Date: Wed, 4 Sep 2024 12:35:10 -0400
Subject: [PATCH 2/9] Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
---
 policy/modules/contrib/sandboxX.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/sandboxX.te b/policy/modules/contrib/sandboxX.te
index a9b560db05..dae6fa9b1c 100644
--- a/policy/modules/contrib/sandboxX.te
+++ b/policy/modules/contrib/sandboxX.te
@@ -65,7 +65,10 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs
 manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
 fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map;
+
 kernel_dontaudit_request_load_module(sandbox_xserver_t)
+kernel_read_device_sysctls(sandbox_xserver_t)
 kernel_read_system_state(sandbox_xserver_t)
 corecmd_exec_bin(sandbox_xserver_t)
@@ -93,6 +96,7 @@ domain_use_interactive_fds(sandbox_xserver_t)
 files_read_config_files(sandbox_xserver_t)
 files_search_home(sandbox_xserver_t)
 fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_getattr_xattr_fs(sandbox_xserver_t)
 fs_search_auto_mountpoints(sandbox_xserver_t)
 miscfiles_read_fonts(sandbox_xserver_t)
From d9cd36064f88d29da549c9525725abdc7b6c2bb4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 2 Sep 2024 18:39:29 +0200
Subject: [PATCH 3/9] Allow virtstoraged get attributes of configfs dirs
The commit addresses the following AVC denial:
type=AVC msg=audit(1724038118.935:800): avc: denied { getattr } for pid=16121 comm="daemon-init" path="/sys/kernel/config" dev="configfs" ino=6163 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1
Resolves: rhbz#2305656
---
 policy/modules/contrib/virt.te | 1 +
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
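Review bot: The rule `allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map;` in the sandboxX.te @@ -65 hunk, and likewise `kernel_read_device_sysctls` there and `fs_getattr_xattr_fs` in the @@ -93 hunk, arrive with no AVC record or explanation in the commit message, unlike the other patches in this series, so a reviewer cannot tell which operation of the sandboxed X server each one serves. Either paste the denials into the commit message or put a why-comment on the raw allow rule, e.g. `# map on the server's own tmpfs files: presumably shared-memory segments — confirm against the denial`. The raw `allow` rather than an interface call is acceptable here because both types belong to this module; keeping it directly under the manage_*_pattern rules it extends would make that relationship visible.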
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 6a7ab05fcb..504ec6eef6 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2339,6 +2339,7 @@ kernel_io_uring_use(virtstoraged_t)
 corecmd_exec_bin(virtstoraged_t)
 fs_getattr_all_fs(virtstoraged_t)
+fs_getattr_configfs_dirs(virtstoraged_t)
 userdom_read_user_home_content_files(virtstoraged_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index ddf32d8c85..5a874c341f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2062,6 +2062,24 @@ interface(`fs_dontaudit_write_configfs_dirs',`
 dontaudit $1 configfs_t:dir write;
 ')
+#######################################
+##
+## Getattr dirs on a configfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_configfs_dirs',`
+ gen_require(`
+ type configfs_t;
+ ')
+
+ allow $1 configfs_t:dir getattr;
+')
+
 #######################################
 ##
 ## Read dirs
From 1849ca30ae63909ecc1aceec269eef1b75e4a4f3 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 2 Sep 2024 18:31:09 +0200
Subject: [PATCH 4/9] Update policy for rpc-virtstorage
In particular, domain transition on udev and parted execution and r/w operations on fixed disk devices were allowed.
Resolves: rhbz#2305564
---
 policy/modules/contrib/virt.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 504ec6eef6..b634ab90ac 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2334,6 +2334,7 @@ manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
 manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)
+kernel_get_sysvipc_info(virtstoraged_t)
 kernel_io_uring_use(virtstoraged_t)
 corecmd_exec_bin(virtstoraged_t)
@@ -2341,16 +2342,27 @@ corecmd_exec_bin(virtstoraged_t)
 fs_getattr_all_fs(virtstoraged_t)
 fs_getattr_configfs_dirs(virtstoraged_t)
+storage_raw_read_fixed_disk(virtstoraged_t)
+storage_raw_write_fixed_disk(virtstoraged_t)
+
 userdom_read_user_home_content_files(virtstoraged_t)
 optional_policy(`
 dnsmasq_filetrans_named_content_fromdir(virtstoraged_t, virtstoraged_var_run_t)
 ')
+optional_policy(`
+ fstools_domtrans(virtstoraged_t)
+')
+
 optional_policy(`
 lvm_domtrans(virtstoraged_t)
 ')
+optional_policy(`
+ udev_domtrans(virtstoraged_t)
+')
+
 #######################################
 #
 # virtvboxd local policy
From b57d1fd1203e81f5bd19ebd21b8e2ccca47534c9 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 4 Sep 2024 15:57:50 +0200
Subject: [PATCH 5/9] Sync users with Fedora targeted users
---
 policy/users | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/policy/users b/policy/users
index e12211daf8..1c16e2bdba 100644
--- a/policy/users
+++ b/policy/users
@@ -24,8 +24,8 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # SELinux user identity for a Linux user. If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
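Review bot: `storage_raw_write_fixed_disk(virtstoraged_t)` in the virt.te @@ -2341 hunk grants raw write access to every fixed_disk_device_t block device on the host, not only the volumes the storage daemon manages, and the commit message only says that r/w operations "were allowed" without a denial showing which operation needed write rather than read. Please cite the AVC that required write (the parted transition added in the same hunk may already cover the partitioning case), or if disk-backed pools genuinely need it, add a why-comment above the pair, e.g. `# raw r/w on host disks for disk-backed storage pools (pool build/wipe), rhbz#2305564`. The `fstools_domtrans` and `udev_domtrans` blocks look fine as far as this hunk shows; naming the intended executables (parted, udevadm) in a comment would make the scope reviewable.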
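Review bot: The new `staff_u` line in the policy/users @@ -24 hunk drops the MLS-conditional secadm_r and auditadm_r roles and adds `system_r unconfined_r`, the `user_u` line drops its MLS range, and the `root` line in the @@ -35 hunk loses the same MLS-conditional roles. If this users file also feeds the mls build, staff and root can no longer enter secadm_r/auditadm_r there, and on targeted a staff_u login now reaches unconfined_r, which widens what that identity can do. The commit message only says "Sync users with Fedora targeted users", so please state whether the MLS build is intentionally affected, e.g. `# synced with Fedora targeted: secadm_r/auditadm_r are deliberately not assigned here` above the gen_user lines, or keep the ifdef for the MLS case.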
@@ -35,4 +35,7 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
From 1d355565fafbf2a4534fb34a9de6a270f9822b96 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 26 Aug 2024 13:17:44 +0200
Subject: [PATCH 6/9] Label /etc/mdevctl.d with mdevctl_conf_t
Allow virtnodedevd create /etc/mdevctl.d with a file transition and manage mdevctl_conf_t files.
Resolves: RHEL-39893
---
 policy/modules/contrib/virt.te | 2 ++
 policy/modules/kernel/files.fc | 1 +
 policy/modules/kernel/files.if | 37 ++++++++++++++++++++++++++++++++++
 policy/modules/kernel/files.te | 3 +++
 4 files changed, 43 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b634ab90ac..1ef50c9dde 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2009,6 +2009,8 @@ dev_write_sysfs_dirs(virtnodedevd_t)
 files_map_var_lib_files(virtnodedevd_t)
 files_watch_etc_dirs(virtnodedevd_t)
+files_etc_filetrans_mdevctl_conf(virtnodedevd_t)
+files_manage_mdevctl_conf_files(virtnodedevd_t)
 miscfiles_read_hwdata(virtnodedevd_t)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 13920e5839..249ee19e6f 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -60,6 +60,7 @@ ifdef(`distro_suse',`
 /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mdevctl\.d(/.*) gen_context(system_u:object_r:mdevctl_conf_t,s0)
 /etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
 /etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
 /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9828bde921..55fc099ee4 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6028,6 +6028,43 @@ interface(`files_read_world_readable_sockets',`
 allow $1 readable_t:sock_file read_sock_file_perms;
 ')
+#######################################
+##
+## Manage mdevctl configuration files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_mdevctl_conf_files',`
+ gen_require(`
+ type mdevctl_conf_t;
+ ')
+
+ files_search_etc(mdevctl_conf_t)
+ manage_files_pattern($1, mdevctl_conf_t, mdevctl_conf_t)
+')
+
+###################################
+##
+## Create /etc/mdevctl.d with the correct type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_etc_filetrans_mdevctl_conf',`
+ gen_require(`
+ type etc_t, mdevctl_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, mdevctl_conf_t, dir, "mdevctl.d")
+')
+
 #######################################
 ##
 ## Read manageable system configuration files in /etc
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 7cd4518545..f86e4572cf 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
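Review bot: The new files.fc entry `/etc/mdevctl\.d(/.*)` has no `?` after the group, unlike `/etc/sysctl\.conf(\.old)?` three lines below and `/var/lib/gnome-remote-desktop(/.*)?` later in this series, so as shown the pattern matches only paths beneath the directory and never `/etc/mdevctl.d` itself, which would keep etc_t on relabel. Unless the `?` was lost in transit, the line should read `/etc/mdevctl\.d(/.*)?	gen_context(system_u:object_r:mdevctl_conf_t,s0)`. With the directory left etc_t, the `files_etc_filetrans_mdevctl_conf` transition only labels it correctly when virtnodedevd creates it, not when a package ships it, and `manage_files_pattern` on mdevctl_conf_t then gives no write access into the etc_t directory.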
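Review bot: `files_search_etc(mdevctl_conf_t)` inside the new `files_manage_mdevctl_conf_files` interface passes the file type where the interface expects the calling domain, so the generated rule has mdevctl_conf_t as its subject and `$1` never receives search on etc_t; it should be `files_search_etc($1)`, as `files_search_var_lib($1)` is used in the gnome_remote_desktop interfaces later in this series. The interface also covers files only, while the fc entry labels everything under /etc/mdevctl.d with mdevctl_conf_t; either note that in the summary, e.g. `## Manage mdevctl configuration files (files only, not subdirectories)`, or add a matching dirs interface. The second separator line (`###################################`) is shorter than the file's usual one, which is cosmetic but worth aligning.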
@@ -80,6 +80,9 @@ files_ro_base_file(system_conf_t)
 # compatibility aliases for removed type:
 typealias system_conf_t alias iptables_conf_t;
+# mdevctl_conf_t is a type for files in /etc/mdevctl.d
+type mdevctl_conf_t, configfile;
+
 # system_db_t is a new type of various
 # db files.
 type system_db_t;
From 9ff60a4a80fbe2df85983dba2014a1381e2ba77a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 11 Sep 2024 09:39:24 +0200
Subject: [PATCH 7/9] Make mdevctl_conf_t member of the file_type attribute
In the 1d355565faf commit ("Label /etc/mdevctl.d with mdevctl_conf_t"), a new file type defined, but it was not made a part of the file_type attribute.
Resolves: rhbz#2311359
---
 policy/modules/kernel/files.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index f86e4572cf..926441521c 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -82,6 +82,7 @@ typealias system_conf_t alias iptables_conf_t;
 # mdevctl_conf_t is a type for files in /etc/mdevctl.d
 type mdevctl_conf_t, configfile;
+files_type(mdevctl_conf_t)
 # system_db_t is a new type of various
 # db files.
From 51776c857cb6e602b72e23f31e0c260c3f296372 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 11 Sep 2024 09:46:30 +0200
Subject: [PATCH 8/9] Allow virtstoraged execute mount programs in the mount domain
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(09/10/2024 09:02:19.765:1406) : proctitle=/usr/bin/mount -o nodev,nosuid,noexec -t auto /dev/vdb1 /var/lib/libvirt/images/vm-mountpoint-1
type=EXECVE msg=audit(09/10/2024 09:02:19.765:1406) : argc=7 a0=/usr/bin/mount a1=-o a2=nodev,nosuid,noexec a3=-t a4=auto a5=/dev/vdb1 a6=/var/lib/libvirt/images/vm-mountpoint-1
type=SYSCALL msg=audit(09/10/2024 09:02:19.765:1406) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fe308002410 a1=0x7fe308001f60 a2=0x7ffe9070c6a8 a3=0x0 items=1 ppid=7130 pid=7232 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mount exe=/usr/bin/mount subj=system_u:system_r:virtstoraged_t:s0 key=(null)
type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { map } for pid=7232 comm=mount path=/usr/bin/mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { execute_no_trans } for pid=7232 comm=rpc-virtstorage path=/usr/bin/mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { execute } for pid=7232 comm=rpc-virtstorage name=mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
Resolves: rhbz#2311178
---
 policy/modules/contrib/virt.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1ef50c9dde..5507fa37d3 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2361,6 +2361,10 @@ optional_policy(`
 lvm_domtrans(virtstoraged_t)
 ')
+optional_policy(`
+ mount_domtrans(virtstoraged_t)
+')
+
 optional_policy(`
 udev_domtrans(virtstoraged_t)
 ')
From ce83836afdaadb358512903a68e1e8866e399d77 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 11 Sep 2024 13:29:09 +0200
Subject: [PATCH 9/9] Confine gnome-remote-desktop
- add new gnome_remote_desktop_t port mapping for tcp 3389-3399
- add file type for /var/lib/gnome-remote-desktop(/.*)?
- add new domain and transition for /usr/libexec/gnome-remote-desktop-daemon
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2271661
---
 policy/modules.conf | 7 +
 policy/modules/contrib/dbus.te | 4 +
 .../modules/contrib/gnome_remote_desktop.fc | 3 +
 .../modules/contrib/gnome_remote_desktop.if | 178 ++++++++++++++++++
 .../modules/contrib/gnome_remote_desktop.te | 73 +++++++
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/services/xserver.te | 6 +
 7 files changed, 272 insertions(+)
 create mode 100644 policy/modules/contrib/gnome_remote_desktop.fc
 create mode 100644 policy/modules/contrib/gnome_remote_desktop.if
 create mode 100644 policy/modules/contrib/gnome_remote_desktop.te
diff --git a/policy/modules.conf b/policy/modules.conf
index fff932e252..4212881a76 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -1086,6 +1086,13 @@ glusterd = module
 #
 gnome = module
+# Layer: apps
+# Module: gnome_remote_desktop
+#
+# gnome-remote-desktop
+#
+gnome_remote_desktop = module
+
 # Layer: apps
 # Module: gpg
 #
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 73a0373aba..2c73880a91 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -410,3 +410,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
 kernel_stream_connect(session_bus_type)
 systemd_login_read_pid_files(session_bus_type)
+
+optional_policy(`
+ gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t)
+')
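Review bot: `gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t)` in the dbus.te @@ -410 hunk lets the system bus daemon read and write TCP sockets owned by the remote-desktop domain, which is an unusual relationship for a bus daemon and is not explained anywhere in the commit; presumably it covers a socket descriptor handed over the bus, but that is a guess. Add a why-comment inside the new optional_policy block, e.g. `# <reason from the AVC denial>: socket fd passed over the bus — confirm`, and the same for the `xdm_t` caller in xserver.te. Note that in refpolicy's permission sets rw_socket_perms is broader than read/write (it also carries bind, connect and setopt, as far as I recall), so if only read/write on an inherited fd is needed a narrower rule would be preferable.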
diff --git a/policy/modules/contrib/gnome_remote_desktop.fc b/policy/modules/contrib/gnome_remote_desktop.fc
new file mode 100644
index 0000000000..fcb60f6808
--- /dev/null
+++ b/policy/modules/contrib/gnome_remote_desktop.fc
@@ -0,0 +1,3 @@
+/usr/libexec/gnome-remote-desktop-daemon -- gen_context(system_u:object_r:gnome_remote_desktop_exec_t,s0)
+
+/var/lib/gnome-remote-desktop(/.*)? gen_context(system_u:object_r:gnome_remote_desktop_var_lib_t,s0)
diff --git a/policy/modules/contrib/gnome_remote_desktop.if b/policy/modules/contrib/gnome_remote_desktop.if
new file mode 100644
index 0000000000..68f7986ed0
--- /dev/null
+++ b/policy/modules/contrib/gnome_remote_desktop.if
@@ -0,0 +1,178 @@
+
+## policy for gnome_remote_desktop
+
+########################################
+##
+## Execute gnome_remote_desktop_exec_t in the gnome_remote_desktop domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gnome_remote_desktop_domtrans',`
+ gen_require(`
+ type gnome_remote_desktop_t, gnome_remote_desktop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gnome_remote_desktop_exec_t, gnome_remote_desktop_t)
+')
+
+######################################
+##
+## Execute gnome_remote_desktop in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_remote_desktop_exec',`
+ gen_require(`
+ type gnome_remote_desktop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gnome_remote_desktop_exec_t)
+')
+
+########################################
+##
+## Search gnome_remote_desktop lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_remote_desktop_search_lib',`
+ gen_require(`
+ type gnome_remote_desktop_var_lib_t;
+ ')
+
+ allow $1 gnome_remote_desktop_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read gnome_remote_desktop lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_remote_desktop_read_lib_files',`
+ gen_require(`
+ type gnome_remote_desktop_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+')
+
+########################################
+##
+## Manage gnome_remote_desktop lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_remote_desktop_manage_lib_files',`
+ gen_require(`
+ type gnome_remote_desktop_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+')
+
+########################################
+##
+## Manage gnome_remote_desktop lib directories.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_remote_desktop_manage_lib_dirs',`
+ gen_require(`
+ type gnome_remote_desktop_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an gnome_remote_desktop environment
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`gnome_remote_desktop_admin',`
+ gen_require(`
+ type gnome_remote_desktop_t;
+ type gnome_remote_desktop_var_lib_t;
+ ')
+
+ allow $1 gnome_remote_desktop_t:process { signal_perms };
+ ps_process_pattern($1, gnome_remote_desktop_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 gnome_remote_desktop_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, gnome_remote_desktop_var_lib_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+##
+## Read and write to TCP socket
+##
+##
+##

+## Allow the specified domain to read and write to
+## gnome_remote_desktop_port_t TCP socket
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_remote_desktop_rw_tcp_sockets', `
+ gen_require(`
+ type gnome_remote_desktop_t;
+ ')
+
+ allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms;
+')
diff --git a/policy/modules/contrib/gnome_remote_desktop.te b/policy/modules/contrib/gnome_remote_desktop.te
new file mode 100644
index 0000000000..e3d0514bea
--- /dev/null
+++ b/policy/modules/contrib/gnome_remote_desktop.te
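Review bot: The description of `gnome_remote_desktop_rw_tcp_sockets` says it allows read/write to the gnome_remote_desktop_port_t TCP socket, but the rule is `allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms;`, i.e. sockets owned by the daemon domain, not the port type, so the summary should read `## Read and write gnome_remote_desktop_t TCP sockets` (port access would be a corenet_* interface instead). That block is also the only interface in the file without the leading `########` separator, and its signature has a stray space between the comma and the opening quote, unlike the seven interfaces above it. Finally, the summary of `gnome_remote_desktop_admin` has a grammar slip, "an gnome_remote_desktop environment", which should be "a gnome_remote_desktop environment".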
@@ -0,0 +1,73 @@
+policy_module(gnome_remote_desktop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnome_remote_desktop_t;
+type gnome_remote_desktop_exec_t;
+domain_type(gnome_remote_desktop_t)
+domain_entry_file(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+role system_r types gnome_remote_desktop_t;
+
+permissive gnome_remote_desktop_t;
+
+type gnome_remote_desktop_var_lib_t;
+files_type(gnome_remote_desktop_var_lib_t)
+
+########################################
+#
+# gnome_remote_desktop local policy
+#
+
+kernel_dgram_send(gnome_remote_desktop_t)
+
+manage_dirs_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+manage_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+manage_lnk_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+files_var_lib_filetrans(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, { dir file lnk_file })
+
+#============= gnome_remote_desktop_t ==============
+corenet_tcp_bind_gnome_remote_desktop_port(gnome_remote_desktop_t)
+allow gnome_remote_desktop_t self:tcp_socket create_stream_socket_perms;
+allow gnome_remote_desktop_t self:unix_dgram_socket create_socket_perms;
+
+domain_use_interactive_fds(gnome_remote_desktop_t)
+
+files_read_etc_files(gnome_remote_desktop_t)
+
+corenet_tcp_bind_generic_node(gnome_remote_desktop_t)
+dev_read_sysfs(gnome_remote_desktop_t)
+files_watch_usr_dirs(gnome_remote_desktop_t)
+fs_getattr_cgroup(gnome_remote_desktop_t)
+fs_getattr_xattr_fs(gnome_remote_desktop_t)
+init_read_state(gnome_remote_desktop_t)
+
+optional_policy(`
+ dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+')
+
+optional_policy(`
+ kerberos_read_config(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ logging_write_syslog_pid_socket(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+
miscfiles_read_certs(gnome_remote_desktop_t)
+ miscfiles_read_localization(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ systemd_login_list_pid_dirs(gnome_remote_desktop_t)
+ systemd_login_read_pid_files(gnome_remote_desktop_t)
+ systemd_read_logind_sessions_files(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(gnome_remote_desktop_t)
+ xserver_read_xdm_state(gnome_remote_desktop_t)
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c570c29078..c88d967c08 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -186,6 +186,7 @@ network_port(git, tcp,9418,s0, udp,9418,s0)
 network_port(glance, tcp,9292,s0, udp,9292,s0)
 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
 network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
+network_port(gnome_remote_desktop, tcp,3389-3399,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fade794377..d22e0e7128 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1857,3 +1857,9 @@ tunable_policy(`selinuxuser_direct_dri_enabled',`
 ',`
 dev_dontaudit_rw_dri(dridomain)
 ')
+
+#============= xdm_t ==============
+optional_policy(`
+ gnome_remote_desktop_rw_tcp_sockets(xdm_t)
+ dev_rw_dma_dev(xdm_t)
+')
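Review bot: `permissive gnome_remote_desktop_t;` in gnome_remote_desktop.te ships the new domain permissive, so none of the rules in this file are enforced and the confinement announced by the commit title is not yet in effect; that may be the intended first iteration, but it needs a comment and a removal trigger, e.g. `# TODO: drop permissive once denials are resolved (bug 2271661 in the Fixes: line)`. The `#============= gnome_remote_desktop_t ==============` line is an audit2allow header that should be removed and the rules beneath it folded into the alphabetised interface calls (corenet_tcp_bind_* together, the two self:*_socket allows up with the declarations' local rules). There is no `init_daemon_domain` here; if the daemon is started from a systemd unit rather than only through D-Bus activation via `dbus_system_domain`, the transition into gnome_remote_desktop_t would not occur, which is worth confirming against how the service is launched.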
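Review bot: `dev_rw_dma_dev(xdm_t)` in the xserver.te @@ -1857 hunk sits inside the `optional_policy` block for gnome_remote_desktop, so it is only applied when that module is loaded even though it is a devices-layer interface with no dependency on it, and the commit message never says why the display manager needs read/write on DMA devices. Move it out of the block and give it its own why-comment with the motivating denial, e.g. `# xdm: rw on DMA devices for <reason — cite the AVC>`; the `#============= xdm_t ==============` audit2allow header should also be dropped, as the file does not use such markers elsewhere in the visible context.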