Subject: Re: [PATCH] yet more strict patches
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Wed, 13 Jan 2021 08:54:22 -0500

On 1/12/21 5:32 AM, Russell Coker wrote:
> More little strict patches, much of which are needed for KDE.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20201210/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20201210/policy/modules/system/userdomain.if 
> @@ -115,12 +115,16 @@ template(`userdom_base_user_template',` > > libs_exec_ld_so($1_t) > > + logging_send_syslog_msg($1_t) > + > miscfiles_read_localization($1_t) > miscfiles_read_generic_certs($1_t) > miscfiles_watch_fonts_dirs($1_t) > > sysnet_read_config($1_t) > > + userdom_write_all_user_runtime_named_sockets($1_t) > + > # kdeinit wants systemd status > init_get_system_status($1_t)

This template is supposed to be the bare minimum to have a user. I don't think these rules fit this design.

-- 
Chris PeBenito
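
Review bot: The two added calls, `logging_send_syslog_msg($1_t)` and `userdom_write_all_user_runtime_named_sockets($1_t)`, sit unconditionally in `userdom_base_user_template`, so every domain built from this template receives them, while the description only says much of the change is needed for KDE. The second grant is named for all user runtime named sockets, which is broad for a base template. Consider moving both calls into the policy for the desktop domains that actually need them, or making them optional, and add a comment naming the consumer the way the existing `# kdeinit wants systemd status` line does.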