Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3036252pxb;
        Tue, 12 Jan 2021 04:57:57 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyTzoHsy6Wxe+F92Hm/VhRiMh3H1IMphSj/fy/s6/REEdgtnX1Cy4F0/C4T7c+zHh+5g1eD
X-Received: by 2002:a50:d646:: with SMTP id c6mr3261930edj.177.1610456277735;
        Tue, 12 Jan 2021 04:57:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610456277; cv=none;
        d=google.com; s=arc-20160816;
        b=k6Y9ihGPwEitjf8b/6NzywZm6qOxse7qSVE3DofW2JH64hcF83LwnvJeNncOcFJH8S
         oz/nnbH7C88x/fuie7oVIbXvFe8GVsR6+6nBiNVbQ1ody/B1JKTegcjS5ftAIV+m+I1c
         lpZEGR50CDKqnWVseUG006cCTNB6VaHMiwsRxIwD3FAdt7JxRGzOJ6xNeunPx1pImTBS
         S7rPoM7gm3UEtIp7/1zzmTsYKz5zkL5RbwNQEV3FVYtg54H1tJtfk5x+nppIidue1JQh
         LYGEWkOMEDzlT6alE9fqICRRcB8AGcquYO02gfhv8XhnCbmDy1EhvMUCc/k5iSf4O5dA
         v65A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=tWdX7TX3tFc6giaLIen3kXGTEHzfQnS3x684jOrERRM=;
        b=KBSM/MDx8tEhsMAvBHaeJwS/SU2Cg2A65dJxahtg7f5Zmjs7ldrNmzT1vjgJAGqvfC
         Dz/BqMFltFAt4JmtJPLPSYbInB0ZZ5wj2AqwsS7pt4z+9E5SAdA+gjUX/s5/mPOwkTjP
         F1WvsjKS3xBCLbqA4m8ErerwxqBXR/8RKwtGtSpCtj3Q9suuNQTypA/Zx9nUUT5LKpA0
         WIscJnu1zwqk6jfwlt91tlDrDNnPcoGlRcACFjB+34Pwfe6wB7ZVMwC4x3ZF/Kbys8Qg
         z8WB8N7r791UubNcVJyx+2/wIJcUnq/G2uPVqqDkrkUNepO7jjcIwJa3X40hAjl3o8pV
         wN7Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=J7g6hNtS;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i19si1264865edr.468.2021.01.12.04.57.52;
        Tue, 12 Jan 2021 04:57:57 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=J7g6hNtS;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390879AbhALKdn (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 18 others); Tue, 12 Jan 2021 05:33:43 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:44014 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2390497AbhALKdn (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 12 Jan 2021 05:33:43 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id C47CE13AF3
        for <selinux-refpolicy@vger.kernel.org>; Tue, 12 Jan 2021 21:33:00 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1610447581;
        bh=tWdX7TX3tFc6giaLIen3kXGTEHzfQnS3x684jOrERRM=; l=2077;
        h=Date:From:To:Subject:From;
        b=J7g6hNtSNJdWUkSERqn2lEG7jyXk27uwaWZIahBk0Q40KmyDYGPyzS7gMwYo+Vwyf
         RIMOvtnjqjsPKlKJhTiaYWBjJyNOkyjaseKPFQn/4OjqPxNnlTdIbG/90GN6b/QS8Y
         /+pG+zeKFC6OJnqit+xEAmoanGWHb0ttTjq5cjH4=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id A866412ECFE7; Tue, 12 Jan 2021 21:32:56 +1100 (AEDT)
Date:   Tue, 12 Jan 2021 21:32:56 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] yet more strict patches
Message-ID: <X/162MdTzKABQVZ2@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

More little strict patches, much of which are needed for KDE.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20201210/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20201210/policy/modules/system/userdomain.if
@@ -115,12 +115,16 @@ template(`userdom_base_user_template',`
 
 	libs_exec_ld_so($1_t)
 
+	logging_send_syslog_msg($1_t)
+
 	miscfiles_read_localization($1_t)
 	miscfiles_read_generic_certs($1_t)
 	miscfiles_watch_fonts_dirs($1_t)
 
 	sysnet_read_config($1_t)
 
+	userdom_write_all_user_runtime_named_sockets($1_t)
+
 	# kdeinit wants systemd status
 	init_get_system_status($1_t)
 
@@ -880,6 +884,10 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
+		udev_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		usernetctl_run($1_t, $1_r)
 	')
 
@@ -1231,6 +1239,15 @@ template(`userdom_unpriv_user_template',
 
 	optional_policy(`
 		systemd_dbus_chat_logind($1_t)
+		systemd_use_logind_fds($1_t)
+		systemd_dbus_chat_hostnamed($1_t)
+		systemd_write_inherited_logind_inhibit_pipes($1_t)
+
+		# kwalletd5 inherits a socket from init
+		init_rw_inherited_stream_socket($1_t)
+		init_use_fds($1_t)
+		# for polkit-kde-auth
+		init_read_state($1_t)
 	')
 
 	# Allow controlling usbguard
@@ -3617,6 +3634,25 @@ interface(`userdom_delete_all_user_runti
 ')
 
 ########################################
+## <summary>
+##	write user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to