Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2991056pxb;
        Tue, 19 Jan 2021 10:46:20 -0800 (PST)
X-Google-Smtp-Source: ABdhPJw55EKdWFa4975rL8TpXKh8Uyf47ia5tiW7/TWie34n9hUisEntNqmckSLB8L6rqe5IFWe9
X-Received: by 2002:aa7:dac4:: with SMTP id x4mr2289034eds.192.1611081980633;
        Tue, 19 Jan 2021 10:46:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611081980; cv=none;
        d=google.com; s=arc-20160816;
        b=HRnXzpeNg+hKT4/uFJ5PEvoo4Y9sBg6woW+wF0qGiuB/+Y9t0c1THNyG7h8xIyoH/Q
         V4XumKXjkD9Fh7Stf8OG0KV18YvpX2UQuBgRlZ8dWXqWDHsFEtJ+BtkCZ6vZdhlgCl+x
         hWCe65Q9uCbZ5R4LpwOYjASyNGOwrdwJyzgtZcaaw8RHxQSRValrBwhCy/usMKo3X62h
         DvzdGtHSCwntm1a4hlgr+h7zKrRqojxfLYZo2pqFhnKoX/qFzLtEJX3wk0qshfiQlEOX
         2Wq/8dqKCAznjUPYa/bsVhFcFywMEyfpEeu5fH6OQNfItN8lfAwiXUfgyvUI391fuLhg
         5YiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :to:subject:dkim-signature;
        bh=EsUKzCf99Xi7tuv6U3NT9gmDWw8vXzZnBN6u5Yq4kB8=;
        b=KAv/t2vG6l12CjswCPIoHZ8HXttsx3jUarl+jPfUKIV9Ti1iN/NmHqoERBmyT0lms8
         qR5CgQjcpYOAvVcMBFP9a9vOhu3SGoUB1j+ePok56WXS8PUyCtUWcmMWqGY6jt5PN6Kf
         1bw0N+igEUfEqntnjSo+imd/zQQv6mHV7WX73hsfwrnYdUGy+p5sYS7WCZxleMNjPnAO
         oOCooUjAbChwDculEMINrLgdBCVJffhiT36OcPVm7W57ZF92NDqQt9Ox5uRhQFFwR0JK
         RxzlndOF5DUBd8KR3D+ghHRS5pSNZCY70ZgRiMESIirYV+oEwaSPV1Xxekqr5STy23NF
         77ZQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=Re7FxvZ+;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e10si2277220edv.269.2021.01.19.10.46.12;
        Tue, 19 Jan 2021 10:46:20 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=Re7FxvZ+;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728980AbhASRxU (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 18 others); Tue, 19 Jan 2021 12:53:20 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57930 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2392134AbhASO4y (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 19 Jan 2021 09:56:54 -0500
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D7FADC0617A1
        for <selinux-refpolicy@vger.kernel.org>; Tue, 19 Jan 2021 06:54:43 -0800 (PST)
Received: by mail-qv1-xf34.google.com with SMTP id et9so9211196qvb.10
        for <selinux-refpolicy@vger.kernel.org>; Tue, 19 Jan 2021 06:54:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=EsUKzCf99Xi7tuv6U3NT9gmDWw8vXzZnBN6u5Yq4kB8=;
        b=Re7FxvZ+YQKa51dTqaRfJJMiQVvLcGJuqcc3avsj1fVWypKcpHWXPyQaOS2A4xfjUA
         BV6qlOP8KdCOa0vg5lPyvIp7kEVrttC3c+p25043ysLN6AsXpHNuKASzFT/+0Gn3+ieC
         2+7sgoBLJkMGqegvGdMXU1RVEQniQfmf0QThM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=EsUKzCf99Xi7tuv6U3NT9gmDWw8vXzZnBN6u5Yq4kB8=;
        b=lZKo9EgM27Prkq1l1B2kmhJyw9PVq+lTiPDYKSpjjPWn9cDvHLzUTmzg+w4oCE6tJT
         SA4FNo3w940DQLUFJHY3M3D/BORpEa3oMrnrGbmM07XzRzloO9LJMooxXPFSXB61m+Ch
         i+Nh4w9aHsg+If+MxI5b3zmKi7KlXe5i5A42y3BNzwz7up56yH6S3AcutbWQFLkQMo3C
         byhtCg8gWIqPIXmVykmLXVqpmm2D/aXJqAMynYqNKSBqx8klMOTDpPJLbtxyntJ0xmCe
         f/oZTWgVaNNINcBI2J3Zi5VASRmu8P5OybDZ9YGvJCH7naHSwzu4xWF3p/DQM6/cwj+n
         SHGQ==
X-Gm-Message-State: AOAM533TlDySF6Tgjw178YFaGZmxpt3eDjRUoL0l/vt9TsKKbDAIoxrM
        DXfDNld3Dy26IikYLKz2+Be+q/LC8qXtwA==
X-Received: by 2002:a05:6214:1868:: with SMTP id eh8mr4517817qvb.50.1611068082935;
        Tue, 19 Jan 2021 06:54:42 -0800 (PST)
Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17])
        by smtp.gmail.com with ESMTPSA id p8sm2496729qkj.10.2021.01.19.06.54.42
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 19 Jan 2021 06:54:42 -0800 (PST)
Subject: Re: [PATCH] yet more strict patches fixed
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <YADVsMPo/bgc3Xlo@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <08fc8ab3-86fa-55c4-f627-95cc649e86c7@ieee.org>
Date:   Tue, 19 Jan 2021 09:28:22 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <YADVsMPo/bgc3Xlo@xev>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/14/21 6:37 PM, Russell Coker wrote:
> More little strict patches, much of which are needed for KDE.
> 
> With the lines that Chris didn't like removed.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210115/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20210115/policy/modules/system/userdomain.if
> @@ -880,6 +880,10 @@ template(`userdom_common_user_template',
>   	')
>   
>   	optional_policy(`
> +		udev_read_runtime_files($1_t)
> +	')
> +
> +	optional_policy(`
>   		usernetctl_run($1_t, $1_r)
>   	')
>   
> @@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template',
>   
>   	optional_policy(`
>   		systemd_dbus_chat_logind($1_t)
> +		systemd_use_logind_fds($1_t)
> +		systemd_dbus_chat_hostnamed($1_t)
> +		systemd_write_inherited_logind_inhibit_pipes($1_t)
> +
> +		# kwalletd5 inherits a socket from init
> +		init_rw_inherited_stream_socket($1_t)
> +		init_use_fds($1_t)
> +		# for polkit-kde-auth
> +		init_read_state($1_t)
>   	')
>   
>   	# Allow controlling usbguard
> @@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti
>   ')
>   
>   ########################################
> +## <summary>
> +##	write user runtime socket files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_user_runtime_named_sockets',`
> +	gen_require(`
> +		attribute user_runtime_content_type;
> +	')
> +
> +	allow $1 user_runtime_content_type:dir list_dir_perms;
> +	allow $1 user_runtime_content_type:sock_file write;
> +')
> +
> +########################################
>   ## <summary>
>   ##	Create objects in the pid directory
>   ##	with an automatic type transition to
> 

I merged this but dropped this last block because it I think it is incomplete 
and it is unused.


-- 
Chris PeBenito