From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Sep 2022 09:33:18 +0200
Subject: [PATCH] Allow login_userdomain watch various directories
The inotify_add_watch(2) syscalls are called by plasmashell and some
other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings).
Addresses the following AVC denial examples:
type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn
type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc: denied { watch } for pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004
type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc: denied { watch } for pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces
were added.
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/rpc.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.te | 13 +++++++++++++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 0c6410612..b234bca58 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',`
manage_files_pattern($1, exports_t, exports_t)
')
+########################################
+## <summary>
+## Watch nfs file exports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_watch_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 exports_t:file watch_file_perms;
+')
+
########################################
## <summary>
## Execute domain in nfsd domain.
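Review bot: the justification for `rpc_watch_exports` is missing from the patch: the commit message's AVC examples only show denials on `root_t` (plasmashell, `path=/`) and `unlabeled_t` (dolphin, `/run/media/...`), and nothing names `exports_t` or `/etc/exports`. Please add the denial that triggered this interface to the commit message, or drop the interface from this change and submit it separately with its own evidence. The body itself (`files_search_etc($1)` followed by `allow $1 exports_t:file watch_file_perms;`) has the right shape for a file under `/etc` and mirrors the neighbouring `rpc_manage_exports`.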
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8ffd4988f..f669f866c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',`
allow $1 unlabeled_t:file rw_file_perms;
')
+########################################
+## <summary>
+## Watch unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_watch_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir watch_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts by caller to get the
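Review bot: the summary `## Watch unlabeled directories.` should say why a login user domain needs this, because `unlabeled_t` is the kernel-wide catch-all type for any object without a label, not a removable-media type. The AVC in the commit message shows the concrete case: `/run/media/username/342cbc31-...` on `dev="sda2"` carries `tcontext=system_u:object_r:unlabeled_t:s0`, i.e. a mounted filesystem that has no SELinux labels. Documenting that in the interface description makes it clear the rule is intended for unlabeled mounts and discourages widening it later; a reviewer would also want a one-line note that `watch_dir_perms` grants only the watch-related permissions and no read of directory contents beyond what the caller already has.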
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5576a97cb..1cf86a09e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',`
allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
')
+kernel_watch_unlabeled_dirs(login_userdomain)
+
+auth_watch_passwd(login_userdomain)
+
+corecmd_watch_bin_dirs(login_userdomain)
+
dev_watch_generic_dirs(login_userdomain)
files_map_var_lib_files(login_userdomain)
files_read_var_lib_symlinks(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_etc_files(login_userdomain)
+files_watch_root_dirs(login_userdomain)
files_watch_system_conf_dirs(login_userdomain)
files_watch_usr_dirs(login_userdomain)
files_watch_usr_files(login_userdomain)
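Review bot: `auth_watch_passwd(login_userdomain)` and `corecmd_watch_bin_dirs(login_userdomain)` are added here but are mentioned neither in the commit message (which lists only `rpc_watch_exports()` and `kernel_watch_unlabeled_dirs()` as new) nor in the AVC examples, and neither interface is defined in this patch, so they must already exist in the tree; please confirm that and extend the message to cover them, since each one widens what an interactive user can observe. Style-wise, the surrounding block keeps its interface calls in one alphabetically sorted run without blank lines (`dev_`, `files_map_`, `files_read_`, `files_watch_`...), while the three new calls are separated by blank lines and `kernel_watch_unlabeled_dirs` is placed ahead of `auth_` and `corecmd_`; moving them into alphabetical position without the extra blank lines would match the file. `files_watch_root_dirs(login_userdomain)` is correctly slotted and corresponds to the plasmashell denial on `path=/` with `tcontext=system_u:object_r:root_t:s0`.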
@@ -441,10 +448,16 @@ optional_policy(`
pkcs_tmpfs_named_filetrans(login_userdomain)
')
+optional_policy(`
+ rpc_watch_exports(login_userdomain)
+')
+
+
optional_policy(`
systemd_login_watch_pid_dirs(login_userdomain)
systemd_login_watch_session_dirs(login_userdomain)
systemd_machined_watch_pid_dirs(login_userdomain)
+ systemd_resolved_watch_pid_dirs(login_userdomain)
')
############################################################
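Review bot: there are two consecutive blank lines between the new `optional_policy(\` rpc_watch_exports(login_userdomain) ')` block and the following `optional_policy(` block, whereas the rest of this file separates blocks with a single blank line; drop one of them. `systemd_resolved_watch_pid_dirs(login_userdomain)` is also added inside the systemd `optional_policy` block without being named in the commit message or backed by an AVC example, and it is not defined in this patch, so please verify the interface exists in `systemd.if` (an undefined interface fails the policy build) and note the addition in the message.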
--
2.27.0