Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp661378pxb; Thu, 14 Jan 2021 15:40:13 -0800 (PST) X-Google-Smtp-Source: ABdhPJzCvdkuT8if6wZ4aYg+gLYbPYDnBa9h2XEEp/uaVdthZ7Ya+ylDspk2BL8HfyYZjwDqbHNr X-Received: by 2002:aa7:c7d8:: with SMTP id o24mr7692243eds.328.1610667613157; Thu, 14 Jan 2021 15:40:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610667613; cv=none; d=google.com; s=arc-20160816; b=cEaxdB/hrL7ho+/LQcXB7vprTJCvsajxcBu+4a8D2ZYxqv0urIjLb2cQthYXvlWdWk +nZpl7/isQAu7k+uck1FQDL1QcJxOkXgatO+F9SCPg2x29rP7V6TS6iBqz2d02zG78/Y miOPC6HHaBQlic2wl6by+Gv12TOnuWtF9YRDkPtE2kz4LqIpqQ1DFXVpBxQRJ+FuUhlx xVuvnh+x5sUf+bNLyhe621rX10VBA59itF4Rwvoi0RPrL/jagmeRQcqDSFFLSFMAOq9P xt1banJI5fBlipCAdpiZ1MEV2guqWg+X+9Da7BIkp7e7df+o6wnB+JrD9Tk4jnV2gw3R AAfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=VkdI+nbIQiM7dgi2Df5pCKaKShohoJQcc8K+a5Gx4O8=; b=u8Czi3vI3DqsoK1Ddz96RjI/O5GVwkuWSJ3FsEWURCX/zqkSVbleOZLyd0y8FdMbTJ 4PU+iVxrSJYGri4Kq42/l32NWqAlTYAbZvMGdq7qSct/GDSGWUUxGgFRPD3+P8p4oDw4 +MpmN6nQe7AG4CyIUkoUpysPO9AXnlFr9cHqSYlQeoVq8O8WaahVY9qSsjcudrvL99TF ce9x9ddB/eRwuX3F8CX44l1ps2JTr6yU0P0pIEvP0GxZxU/b7D+/DhC/LAcqdcMmOStd OXbiRi7IPqHSLjB4sgvBzBxZbOjlJfozJbl9YA1QGcDtMItHgpRKVN8KKVZHQUiM+92K fb1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=P1AAq9Iw; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n9si3252498edi.179.2021.01.14.15.40.08; Thu, 14 Jan 2021 15:40:13 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=P1AAq9Iw; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731036AbhANXiI (ORCPT + 18 others); Thu, 14 Jan 2021 18:38:08 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:49342 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727838AbhANXiI (ORCPT ); Thu, 14 Jan 2021 18:38:08 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 1D71E160FD for ; Fri, 15 Jan 2021 10:37:26 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1610667446; bh=VkdI+nbIQiM7dgi2Df5pCKaKShohoJQcc8K+a5Gx4O8=; l=1738; h=Date:From:To:Subject:From; b=P1AAq9IwATq8XQefBwcpv1BzyxlafOq1pumvmdusCVCe3HeDaXFo22f1gfGbZKC+D yLc2j+JLF816omOVU6WqhlvFCp6xddV7zQRK+28MEhOgvPnJ7TwjnuxhdFgOR0RjHs yyPZj2b1mkCEUvfUA6q0MDuH5szVjFEE6n/QHmy0= Received: by xev.coker.com.au (Postfix, from userid 1001) id A4DF012F979B; Fri, 15 Jan 2021 10:37:20 +1100 (AEDT) Date: Fri, 15 Jan 2021 10:37:20 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] yet more strict patches fixed Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org More little strict patches, much of which are needed for KDE. With the lines that Chris didn't like removed. Signed-off-by: Russell Coker Index: refpolicy-2.20210115/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20210115/policy/modules/system/userdomain.if @@ -880,6 +880,10 @@ template(`userdom_common_user_template', ') optional_policy(` + udev_read_runtime_files($1_t) + ') + + optional_policy(` usernetctl_run($1_t, $1_r) ') @@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template', optional_policy(` systemd_dbus_chat_logind($1_t) + systemd_use_logind_fds($1_t) + systemd_dbus_chat_hostnamed($1_t) + systemd_write_inherited_logind_inhibit_pipes($1_t) + + # kwalletd5 inherits a socket from init + init_rw_inherited_stream_socket($1_t) + init_use_fds($1_t) + # for polkit-kde-auth + init_read_state($1_t) ') # Allow controlling usbguard @@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti ') ######################################## +## +## write user runtime socket files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_all_user_runtime_named_sockets',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:sock_file write; +') + +######################################## ## ## Create objects in the pid directory ## with an automatic type transition to