2019-01-31 02:58:59

by Russell Coker

Subject: [PATCH] more misc stuff

Here's the latest stuff, most of which is to make staff_t usable as a login
domain. Please merge whatever you think is good and skip the rest.

Index: refpolicy-2.20180701/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20180701/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
dontaudit $1_t user_tty_device_t:chr_file ioctl;

kernel_read_kernel_sysctls($1_t)
+ kernel_read_crypto_sysctls($1_t)
+ kernel_read_vm_overcommit_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
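Review bot: The two added sysctl reads carry no rationale, and because they sit in userdom_base_user_template they reach every user domain built from it, not only staff_t as the cover letter suggests. The convention elsewhere in this template is to name the consumer next to a rule that is not self-explanatory (`# kdeinit wants systemd status` further down), so a line such as `# <program> reads the crypto and vm.overcommit sysctls` above `kernel_read_crypto_sysctls($1_t)` would let a later reviewer judge whether the rule belongs in a narrower template. The template continues outside the hunk.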
@@ -110,11 +112,15 @@ template(`userdom_base_user_template',`

libs_exec_ld_so($1_t)

+ logging_send_syslog_msg($1_t)
+
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)

sysnet_read_config($1_t)

+ userdom_write_all_user_runtime_named_sockets($1_t)
+
# kdeinit wants systemd status
init_get_system_status($1_t)

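Review bot: `userdom_write_all_user_runtime_named_sockets($1_t)` in userdom_base_user_template gives every user domain write access to named sockets under every user's runtime directory, because the interface added later in this file is keyed on the shared user_runtime_content_type attribute rather than on anything tied to the calling user; that removes a user-to-user boundary that the rest of the template preserves, and the same widening is applied to pulseaudio_t in the apps/pulseaudio.te hunks. If the real target is a single socket in the user's own session (the pulseaudio hunk's stray comment `# for /run/user/1000/systemd/notify` suggests so), naming that socket's type would be tighter than the attribute; otherwise a comment above the call stating that cross-user socket writes are intended is the minimum. `logging_send_syslog_msg($1_t)` is uncontroversial but likewise has no comment saying why it moved into the base template. The template continues outside the hunk.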
@@ -858,6 +864,10 @@ template(`userdom_common_user_template',
')

optional_policy(`
+ udev_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
usernetctl_run($1_t, $1_r)
')

@@ -1205,6 +1215,12 @@ template(`userdom_unpriv_user_template',

optional_policy(`
systemd_dbus_chat_logind($1_t)
+ systemd_use_logind_fds($1_t)
+ # kwalletd5 inherits a socket from init
+ init_rw_inherited_stream_socket($1_t)
+ init_use_fds($1_t)
+ # for polkit-kde-auth
+ init_read_state($1_t)
')
')

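Review bot: `init_read_state($1_t)` lands in userdom_unpriv_user_template, so every unprivileged user domain gains read access to init's runtime state, which is broader than the `# for polkit-kde-auth` comment above it conveys; if polkit-kde-auth only needs a subset of that state, a narrower interface or a comment accepting the full read is warranted. `init_use_fds($1_t)` sits between two commented lines with no rationale of its own; extending the line above it to `# kwalletd5 inherits a socket and fds from init` would tie it to its consumer. All four new rules are inside the optional_policy that opens with `systemd_dbus_chat_logind($1_t)`, so they silently disappear when the systemd module is absent even though the init_ interfaces do not depend on it — presumably intended, but worth one comment. The template continues outside the hunk.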
@@ -3426,6 +3442,25 @@ interface(`userdom_delete_all_user_runti
')

########################################
+## <summary>
+## write user runtime socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
## <summary>
## Create objects in the pid directory
## with an automatic type transition to
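Review bot: The new `userdom_write_all_user_runtime_named_sockets` interface grants `dir list_dir_perms` and `sock_file write` across the whole user_runtime_content_type attribute, but its summary neither says that this spans every user's runtime content nor that `sock_file write` alone is not enough to talk to a socket — the caller still needs connectto or sendto against the domain that owns the socket, which this interface does not grant. A summary along the lines of `## Write named sockets in all users' runtime directories. The caller additionally needs stream-connect or dgram-send access to the owning domain.` would make both points explicit, and it should be capitalised like the neighbouring summaries (`Create objects in the pid directory ...`).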
Index: refpolicy-2.20180701/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180701/policy/modules/roles/staff.te
@@ -32,6 +32,10 @@ optional_policy(`
')

optional_policy(`
+ modemmanager_dbus_chat(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')

Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te
@@ -21,6 +21,10 @@ optional_policy(`
')

optional_policy(`
+ modemmanager_dbus_chat(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')

Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)

/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)

ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
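Review bot: Labelling `/etc/tor/torsocks.conf` as net_conf_t puts a per-application proxy setting into the type used for system network configuration: every domain with sysnet_read_config (which the base user template calls in this patch) can read it, and any domain allowed to manage net_conf_t could rewrite where torsocks sends traffic. The hunk does not say which domain needed this, and if the tor module already labels /etc/tor with its own configuration type this more specific `--` entry overrides it for this one file, which the commit should call out. If the intent is only readability from user domains, a comment such as `# torsocks.conf is read by user domains via sysnet_read_config` next to the entry would make that explicit.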
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_
files_manage_all_pid_dirs(systemd_tmpfiles_t)
files_delete_usr_files(systemd_tmpfiles_t)
files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
files_manage_var_dirs(systemd_tmpfiles_t)
files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfile
files_manage_etc_symlinks(systemd_tmpfiles_t)

fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)

selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',`

/usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
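Review bot: `/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)` labels every regular file under that directory as bin_t; if the bluetooth module carries a more literal entry for its daemon under the same directory it should still win on specificity, but that is an assumption worth confirming rather than relying on, and a comment naming which helper binaries needed bin_t would explain why a whole-directory pattern was chosen. The `/usr/lib/[^/]+/libexec/kf5/.*` entry in the next hunk has the same unexplained breadth: `[^/]+` matches any single directory name, not only multiarch triplets, which is harmless only as long as nothing else ships a libexec/kf5 subdirectory.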
@@ -197,6 +198,7 @@ ifdef(`distro_gentoo',`
/usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180701/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20180701/policy/modules/apps/pulseaudio.te
@@ -148,7 +148,7 @@ miscfiles_read_localization(pulseaudio_t

seutil_read_config(pulseaudio_t)

-userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_rw_user_tmpfs_files(pulseaudio_t)
userdom_map_user_tmpfs_files(pulseaudio_t)
userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau

userdom_manage_user_tmp_dirs(pulseaudio_t)
userdom_manage_user_tmp_sockets(pulseaudio_t)
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)

tunable_policy(`pulseaudio_execmem',`
allow pulseaudio_t self:process execmem;
@@ -225,6 +226,13 @@ optional_policy(`
')

optional_policy(`
+ systemd_read_logind_sessions_files(pulseaudio_t)
+ # for /run/systemd/users/$PID
+ systemd_read_logind_pids(pulseaudio_t)
+ # for /run/user/1000/systemd/notify
+')
+
+optional_policy(`
udev_read_pid_files(pulseaudio_t)
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
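Review bot: The trailing `# for /run/user/1000/systemd/notify` comment has no rule beneath it — the optional_policy closes on the next line — so it documents nothing; it appears to belong with `userdom_write_all_user_runtime_named_sockets(pulseaudio_t)` in the earlier hunk of this file, and it should not hardcode a uid (`# for /run/user/$UID/systemd/notify`). The `# for /run/systemd/users/$PID` comment sits between the two rules, so it is ambiguous which one it annotates; the convention is to place the comment above the rule it explains, and since logind keys that directory by uid, `$PID` looks like a typo for `$UID`. Separately, the notify socket is owned by the user's systemd instance, so `sock_file write` on its own will not let pulseaudio_t send to it without a corresponding sendto rule toward that domain — I cannot see from the hunk whether one exists.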
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)

auth_use_nsswitch(ssh_t)

+miscfiles_read_generic_certs(ssh_t)
miscfiles_read_localization(ssh_t)

seutil_read_config(ssh_t)
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -90,6 +90,9 @@ interface(`xserver_restricted_role',`
# open office is looking for the following
dev_getattr_agp_dev($2)
dev_dontaudit_rw_dri($2)
+ tunable_policy(`xserver_allow_dri',`
+ dev_rw_dri($2)
+ ')
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)

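Review bot: The new tunable_policy block is placed directly under `# open office is looking for the following` and beside `dev_dontaudit_rw_dri($2)`, so it reads as part of that workaround; a comment of its own, e.g. `# optional full DRI access for restricted roles; denials stay dontaudited while off`, would separate the two. The point about the dontaudit matters operationally: when xserver_allow_dri is off, DRI denials for these roles leave no trace in the audit log, so an administrator debugging a GNOME or KDE session gets no hint that this boolean exists. The interface continues outside the hunk.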
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
## </desc>
gen_tunable(xserver_object_manager, false)

+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
attribute x_domain;

# X Events
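Review bot: The description `Allow DRI access` does not say for whom or what, yet it is the text that surfaces in the generated policy docs and boolean listings; in this patch the tunable is consumed only by xserver_restricted_role, so `Allow users of restricted X roles read/write access to DRI devices (/dev/dri); off by default.` would tell an administrator exactly what turning it on widens. It is also worth noting in the commit that the chromium.te hunk of the same patch adds `dev_rw_dri(chromium_t)` unconditionally, so the two should agree on whether DRI access is meant to be tunable; I cannot see the full chromium hunk from here.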
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
')

optional_policy(`
+ xserver_link_xdm_keys(local_login_t)
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
xserver_rw_xdm_keys(local_login_t)
Index: refpolicy-2.20180701/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20180701/policy/modules/apps/chromium.te
@@ -150,6 +150,7 @@ dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
dev_read_urand(chromium_t)
dev_read_rand(chromium_t)
+dev_rw_dri(chromium_t)
dev_rw_xserver_misc(chromium_t)
dev_map_xserver_misc(chromium_t)