From: Jason Zaman
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Subject: [PATCH 05/10] colord: add watch perms
Date: Mon, 17 Feb 2020 04:03:14 +0800
Message-Id: <20200216200319.39337-5-jason@perfinion.com>
In-Reply-To: <20200216200319.39337-1-jason@perfinion.com>
References: <20200216200319.39337-1-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

avc:  denied  { watch } for  pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0

Signed-off-by: Jason Zaman
---
 policy/modules/services/colord.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index 24eda8a9..44f2b049 100644
--- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, dir) +allow colord_t colord_var_lib_t:dir watch; kernel_read_crypto_sysctls(colord_t) kernel_read_device_sysctls(colord_t) @@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t) files_list_mnt(colord_t) files_read_usr_files(colord_t) files_map_usr_files(colord_t) +files_watch_usr_dirs(colord_t) fs_getattr_noxattr_fs(colord_t) fs_getattr_tmpfs(colord_t) -- 2.24.1
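
Review bot: In the first hunk (@@ -42,6 +42,7 @@), the raw rule "allow colord_t colord_var_lib_t:dir watch;" is placed after files_var_lib_filetrans(), which separates it from the manage_dirs_pattern/manage_files_pattern lines that grant the rest of the access on colord_var_lib_t. Consider moving it directly beside those two lines so everything colord_t may do to its own var_lib type reads as one group. The grant itself is narrow: class dir and permission watch only, which is what the first AVC in the commit message shows (tclass=dir, tcontext colord_var_lib_t).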
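
Review bot: In the second hunk (@@ -82,6 +83,7 @@), files_watch_usr_dirs(colord_t) lets colord_t watch every directory labelled usr_t, while the second AVC in the commit message is for the single path /usr/share/color/icc/colord. Since that path carries the generic usr_t label and colord_t already has files_read_usr_files() and files_map_usr_files() on the adjacent lines, the wider scope looks acceptable, but the commit message should say so explicitly. This patch only touches colord.te, so please also confirm that files_watch_usr_dirs() is already defined in the tree or is added earlier in this 10-patch series; otherwise the module will not build.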