Subject: Re: [PATCH] yet more strict patches fixed
To: Russell Coker , selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <08fc8ab3-86fa-55c4-f627-95cc649e86c7@ieee.org>
Date: Tue, 19 Jan 2021 09:28:22 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/14/21 6:37 PM, Russell Coker wrote:
> More little strict patches, much of which are needed for KDE.
>
> With the lines that Chris didn't like removed.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210115/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20210115/policy/modules/system/userdomain.if
> @@ -880,6 +880,10 @@ template(`userdom_common_user_template', > ') > > optional_policy(` > + udev_read_runtime_files($1_t) > + ') > + > + optional_policy(` > usernetctl_run($1_t, $1_r) > ') > > @@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template', > > optional_policy(` > systemd_dbus_chat_logind($1_t) > + systemd_use_logind_fds($1_t) > + systemd_dbus_chat_hostnamed($1_t) > + systemd_write_inherited_logind_inhibit_pipes($1_t) > + > + # kwalletd5 inherits a socket from init > + init_rw_inherited_stream_socket($1_t) > + init_use_fds($1_t) > + # for polkit-kde-auth > + init_read_state($1_t) > ') > > # Allow controlling usbguard > @@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti > ') > > ######################################## > +## > +## write user runtime socket files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_write_all_user_runtime_named_sockets',` > + gen_require(` > + attribute user_runtime_content_type; > + ') > + > + allow $1 user_runtime_content_type:dir list_dir_perms; > + allow $1 user_runtime_content_type:sock_file write; > +') > + > +######################################## > ## > ## Create objects in the pid directory > ## with an automatic type transition to >

I merged this but dropped this last block because I think it is incomplete and it is unused.

-- Chris PeBenito
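Review bot: in the userdom_common_user_template hunk (@@ -880), the new optional_policy block that adds udev_read_runtime_files($1_t) has no comment saying which consumer needs it; the cover text only says "needed for KDE", so a one-line comment naming the program, as the second hunk does for kwalletd5, would keep the grant auditable when someone later asks why every common user domain reads udev runtime files. Keeping it in its own optional_policy block rather than folding it into the usernetctl block is right, since they come from different modules.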
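Review bot: in the userdom_unpriv_user_template hunk (@@ -1231), the init_rw_inherited_stream_socket, init_use_fds and init_read_state calls are added inside the optional_policy block that holds the systemd_dbus_chat_logind and other systemd_* calls; refpolicy convention is one module per optional_policy block, and init interfaces do not normally need optional_policy at all, so these three lines belong outside that block. Separately, init_read_state lets every unprivileged user domain read the process state of PID 1; the "# for polkit-kde-auth" comment says who wants it but not what it reads, and a sentence on why a narrower grant does not suffice would help justify it in a strict policy.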
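Review bot: the third hunk (@@ -3617) adds userdom_write_all_user_runtime_named_sockets with no caller anywhere in the patch, and sock_file write on user_runtime_content_type is only half of what a client needs to use a named socket (the other half, connectto on the listening domain's unix_stream_socket, cannot be granted here without naming the peer domain), so the interface is dead code as written, which supports dropping it. If it is resubmitted it should arrive together with its caller and a note that, as the "all_user_runtime" name implies, the attribute covers every user's runtime content rather than only the caller's own.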