Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp144863rwb;
        Mon, 26 Sep 2022 16:14:27 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM5ZAhAZCIqbgn353cCZS8hNV6LKRKsWlUEOQNCte3PD76ELw4c+0Pb9OCTEYLR5ubn8ylI+
X-Received: by 2002:a17:903:2290:b0:178:48b6:f57c with SMTP id b16-20020a170903229000b0017848b6f57cmr23864083plh.78.1664234067404;
        Mon, 26 Sep 2022 16:14:27 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1664234067; cv=pass;
        d=google.com; s=arc-20160816;
        b=oZdj8QuiYmUp2rVV3McWuzRBsNzozcX04sKWkg073hW+F+4EN0sStCvrdoAWp8czT0
         Ez9JgN6/Sms+aKgmVQZo0aZI09nHNnh2BkeI2UbGgRIXVHdWF568ehWVlgwURaa88AeX
         XF+YKXYSJgMV3LMwF/Fnoy3KbhFb7xbq8NSl+HTOWL6ixbQDEv9F3U7ikR7cGanzNK8g
         qCb/tpBnOq2KSLJXR+NLrDMLwIo8pwkRSU+Oi7G/XY6jw3FoTybG9zusY/tngqZajbFO
         rT0HUIkHm7rk+40fnHqh5LOT33RmiqrvuAeeORmFdBkIqEj+LyT0xhCYscWEsoXr+sks
         6Nxw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:content-transfer-encoding
         :msip_labels:content-language:accept-language:in-reply-to:references
         :message-id:date:thread-index:thread-topic:subject:cc:to:from
         :dkim-signature;
        bh=+9R1AFAlF+aQyTAyyQ7C8V7TY8U2WuWaopsieLZLwGY=;
        b=ngUdv9zDijlyPVn00jhpcZj+q7FhrSD5mxWHGCYAZ5c7fc3+3lX7ktvQXhRFA9zIGu
         Fk2ci+qK4JmcDAZfbFt8EECk+gBzlErQbnfvwBORCsQZH8LnU8Z6rZiDb1iHGv+MGL+7
         b+tOrnuwKTMWFQPHZe1y+E5+zBMRhjKubJUjgqZz09XfGKDpbMb+ZXEGerRTzf8jRSt1
         ca5SFgMpM3a/Uq54BCwYJmqCJXT/sr+uvDYJFWLDkgYbPSpVol5KXtQ0GRFKQjOnMYlc
         JaURf3HeJ4L/1wT1cMuTql08K+jo09BMYCqKw0PwAtfkmoMR3PK6pssWNKgu2zLFgtZB
         9eKg==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@owlcyberdefense.com header.s=selector1 header.b="M/GQZaKc";
       arc=pass (i=1 spf=pass spfdomain=owlcyberdefense.com dkim=pass dkdomain=owlcyberdefense.com dmarc=pass fromdomain=owlcyberdefense.com);
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=owlcyberdefense.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id pg3-20020a17090b1e0300b002006f9dc2e1si64686pjb.3.2022.09.26.16.14.21;
        Mon, 26 Sep 2022 16:14:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@owlcyberdefense.com header.s=selector1 header.b="M/GQZaKc";
       arc=pass (i=1 spf=pass spfdomain=owlcyberdefense.com dkim=pass dkdomain=owlcyberdefense.com dmarc=pass fromdomain=owlcyberdefense.com);
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=owlcyberdefense.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229706AbiIZWm2 (ORCPT <rfc822;axel6043@gmail.com> + 21 others);
        Mon, 26 Sep 2022 18:42:28 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33446 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229605AbiIZWm1 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 26 Sep 2022 18:42:27 -0400
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2092.outbound.protection.outlook.com [40.107.244.92])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 069DF3BC7F
        for <selinux-refpolicy@vger.kernel.org>; Mon, 26 Sep 2022 15:42:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=irg+viyy5LQg1vVApOpnrqbVgeL3g1WWVVgBmFruZ9JQL4xRHPGXgjL8CPqeANUgwbOVLXSVDNKsWpQz+C35tMX8pMEcOf0LXM9ADKcoOVek4c4/fJ65XEO9pXyR5X1LZOWMseHq1CIkEVT36YMBZrv3K1F9VD6rqTVYqtl8AMtkVTIy2b5K01e1M0o8Qi1DE7GBjpMlGBZqqMLhet+Uw+F+YaCrKOR0tePibSt2w6rkeGxrNLKGHwxcPEiyu7Pj/lEE5aIfQbSgACcSfjpJKv1j+HRHWCMWyrG9s3+FIgpZ0tVQdPBAWV3nEBZ1LxAWtPAXqHQxgtaIzGyGvYhXjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=+9R1AFAlF+aQyTAyyQ7C8V7TY8U2WuWaopsieLZLwGY=;
 b=lcwgl99wikUXXfukUMmQ+E+cFsP9RTBZib5uP1ERvEACfXNSGLaI7CO1bPAGKcikPW+Y8Xd+zQXviRJ7dMxiYcnNQy15YBVMvqWRjA8Dr3+ujh2gHGTl8fwNmCxCxukLEVFSfDK0eKr7pPcAVKwttdLo2zyxPAxtu/IBQLQEgVSD6HGInOwAu9jTBeEUIgmVrMbRDopoaeDobktxbNaWZbrRez2lJ/UvEtVA1ueJcX0X5VyW5XRQplknWrX/aEvjF6MRBrFuLs7R4JFc5Ac6h+cDuoGZ8K2nPoN4G+urwf1819G4zehhqtXqUxmvHYXT7oMl7B92NSYfA6eKgD/P+Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=owlcyberdefense.com; dmarc=pass action=none
 header.from=owlcyberdefense.com; dkim=pass header.d=owlcyberdefense.com;
 arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=owlcyberdefense.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=+9R1AFAlF+aQyTAyyQ7C8V7TY8U2WuWaopsieLZLwGY=;
 b=M/GQZaKcDdPh0dyiDL4BUQJ6JOSgTYBah7CZjv7GgDFc+YWXKz8UqkR8VYhDf+D0aKZ/lWUQMpEUw48K/d+0UFK0rUrE3VZ1JMoGas6F3j2tIYLuRTVF+PoeGCRDYWBWNW/jjzjogPrHENHA006+w/J3wpP2xdc277GMMYSpiUw=
Received: from BLAPR15MB3764.namprd15.prod.outlook.com (2603:10b6:208:27e::13)
 by CH2PR15MB3733.namprd15.prod.outlook.com (2603:10b6:610:d::27) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5654.24; Mon, 26 Sep
 2022 22:42:22 +0000
Received: from BLAPR15MB3764.namprd15.prod.outlook.com
 ([fe80::1d19:a50e:bf36:19e0]) by BLAPR15MB3764.namprd15.prod.outlook.com
 ([fe80::1d19:a50e:bf36:19e0%4]) with mapi id 15.20.5654.026; Mon, 26 Sep 2022
 22:42:22 +0000
From:   "Sugar, David" <dsugar@owlcyberdefense.com>
To:     Russell Coker <russell@coker.com.au>
CC:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] misc strict patches
Thread-Topic: [PATCH] misc strict patches
Thread-Index: AQHY0OeV83Iqzz39AkGaX9b8YuIC+K3yT2LO
Date:   Mon, 26 Sep 2022 22:42:22 +0000
Message-ID: <BLAPR15MB3764EECF039D11EE562EE595C2529@BLAPR15MB3764.namprd15.prod.outlook.com>
References: <YzBeMFKezm6Zg6XE@xev.coker.com.au>
In-Reply-To: <YzBeMFKezm6Zg6XE@xev.coker.com.au>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
authentication-results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=owlcyberdefense.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BLAPR15MB3764:EE_|CH2PR15MB3733:EE_
x-ms-office365-filtering-correlation-id: 025c1dbf-d651-4c07-d4a5-08daa0106067
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: AkLNzXhOcr943kCUgdiuIm9nBBrUhwXPozWt2CyKJIp+ttfBJY+F9eDpbmSXB8FWsKzMIx/MZX0QnYxvGMYKaviPnpH28F8h/Legccb11Z9QIIHTO12BO0kkSYIaBv0hgJG8vb8Ez/iXh5NqzWlm9JfBEIsiYhEkW9Ub+LkvZ02ehW+fgtHoXknW1mXF4MUJSoBoDieo7LsuDX0PEX4v9oOIk7M6lmuoHfXtT7/2K1YQeXXerybV8xeQNdh/52v3UxyAuGzIS1H/USUT/A9N/NduuClVPEuCUDP4TVgpZB02fadghEqOXXFdKXDzLbpfEIdgL4TZHiW1FBFvqynys7zx4ANH5ghgIb8vYW2Vx3wsJZWfevS/yeoP1vKLTMSrAnzg8DroG+Du88386G7LWT5x6fy48+kEzD7hKiSOEQPq4wilnA58i0UNxwkZATK23oHG5wIxDPYc9npEVhImpu1KjAm1CyCF8E4JsCJJ5PV4uZoSm8yVCpj4iw8loEr2GKZFfplmkS9L2A9J/k8jRm+jABgUUr67J3XZq7Gzes2HD5BJNmMRTwlPK6VVQQMM6+CrBxsXjDoQdEB/ZxLYNFtzQ7+QR3vxa7QnCZ3VLR01PSlDAbwlwmoWa3Z0FIobNog5h1SSJyxEDaBEUcWjAi8hj1JBPwLa3pqCH6AXpuu4ZCBY8VYgoGvRChjEa59j1icrmpfjogN4ESf7C+8LeQ==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BLAPR15MB3764.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(4636009)(346002)(136003)(39840400004)(366004)(396003)(376002)(451199015)(38100700002)(2906002)(52536014)(6506007)(66446008)(84970400001)(9686003)(55016003)(26005)(71200400001)(122000001)(6916009)(478600001)(53546011)(38070700005)(8936002)(5660300002)(7696005)(33656002)(41300700001)(186003)(76116006)(66556008)(316002)(66946007)(83380400001)(66476007)(64756008)(86362001)(4326008)(8676002);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?HnAa7KsVdCILuQNYnSY+CL+m2sXt6zcnv1AD/kRadZmhkVEM2v97r8E9qR?=
 =?iso-8859-1?Q?o9/ja/tK4+YzxGuVd9nr+VE0wrqHlJkIIrHUy6zeraAXKxdfGcVtfygvTG?=
 =?iso-8859-1?Q?7w+nSE3Il0ehR2my2TZOv+Nu+Bt8KCCmHRD1eHlpofV6OCu2TX2zvZZlec?=
 =?iso-8859-1?Q?0Vt/P2Hzr8K9hfgyQCgCCdSbA3HEQn+VCr5O+Sb/0usV18rsdQG5ppbb/e?=
 =?iso-8859-1?Q?vyTeq8RDAueBaooj9jaot+fquCBBUb+g5mRu3JjyAnGGpOKBkFrG16Xq+C?=
 =?iso-8859-1?Q?6xp/T5JBEyTgWxyFmHMX6UfPud4kY1D4jBzvizUZ9RSbAdPD1W4/VIEHdi?=
 =?iso-8859-1?Q?PA1mIrxeP7TEtJVXummWlK6J45FexZStuZkEIJ9asRsLPAUEwes2+NFzX6?=
 =?iso-8859-1?Q?IqIyi3j/gOorfsmXBb2xZfBw4MNdy7+hK8massSVO/V8Ahcu7zNOkQlxEP?=
 =?iso-8859-1?Q?iKY2CD/VeqLwkbTwXs+JqMTc/oskfUF08xpL69/qfaAxr30JzoWe2/jW8V?=
 =?iso-8859-1?Q?2JKHOnXdtnuMNTAxrt7sQF4oeCGBAN/4FzaXgrbgtmZ4RkQqBQ66A3aJKR?=
 =?iso-8859-1?Q?8uUV3E2lcwnCkeKmLKvOqeH2jjkJ2ced2nflRXd8aw9UOy4RPEOsbz9cdT?=
 =?iso-8859-1?Q?1krfQoHTHroPbkGvQyn8bX7dUHMLVW124xnD+zxlS3azC5tb1ffvNUw77q?=
 =?iso-8859-1?Q?c6ETReJMMNkqgyRgECJBMx49Ouz/R2SOinHoNG+0L5EE3vdaeexp3JA6GC?=
 =?iso-8859-1?Q?aX4CL939i4sNATqvaU3DwTzWyd3my2g5FuQ+RB///KM2q/VMPPcL8v64GO?=
 =?iso-8859-1?Q?1Ir4hJTDkbTGZf1SSrxPhe6Ph47lg7+ijtTU8tGwcAmZt1lUWLhoZ0lr7v?=
 =?iso-8859-1?Q?a+MsXh21iqnuNzoCB84qm3w2VhEI3n94DMiSA9T6TWxx41kVEQKDPdIH1r?=
 =?iso-8859-1?Q?0TV3JrQe1pcsLOsSqRqzT0B2I4GaHJUS78qHMMNN7A9kW6hhUEKzxjQLRS?=
 =?iso-8859-1?Q?NuGaK7H+Y2i7z6LkIHwsxNhl+7HMM5rFBrTY0dz8TfSaJyC29KeNUyTseG?=
 =?iso-8859-1?Q?77yKBs+2By/errTOMhvWHRZXcGY9/Tp9qnIqdEh+BlfGf2T14pudYzQVkv?=
 =?iso-8859-1?Q?22DBs4GWMcUcuLp4dI53tdgkLw+Kk0e/jSVkJebZHZF6jxkMsW4P5LoUXG?=
 =?iso-8859-1?Q?13qzr+bWTBkLmurclebnCCj0cpfxLtZnVwXgqlT+OE7Sr8bOSUSkax0GK9?=
 =?iso-8859-1?Q?AwhjIq3Uf2HFdU/VBgW6IH9jywY4B8yIiX/1zUsvsd7+MjNwYdrmYjPNrH?=
 =?iso-8859-1?Q?13LD7X98XWff12hFp4oQrcX2cyqiApbvvcKYC3rfOVf9cMSCtnk/Y2rQMG?=
 =?iso-8859-1?Q?ZUTwoI9ji+lgCuDg8IPnymyNN3vRD6Rj+MgqX4dMJLXO82zRZ5QJTlLd1X?=
 =?iso-8859-1?Q?w6TUza3hfrhn1sBiwsSPwlks3Mdmp9KdAGvva0my93KSVss+2diGOZB+3c?=
 =?iso-8859-1?Q?TfmJfA1fw8ziW7ajz4sMftk/LQRvoFbmIQMdvaSdMEyO6qt50yYKn+zvxC?=
 =?iso-8859-1?Q?+3htSY7XW05JSxKF1eLz+3D+zVCCw9kov9osCIqE5XT6NEY2nsYVCJo55X?=
 =?iso-8859-1?Q?HX2SDlMrATyCV5/NIz7Z180R4FbK4qoHx3UOQO4FgO4N8FEOE7ZuwepA?=
 =?iso-8859-1?Q?=3D=3D?=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: owlcyberdefense.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR15MB3764.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 025c1dbf-d651-4c07-d4a5-08daa0106067
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Sep 2022 22:42:22.3528
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4EGiTL4YQAHEGnbsTn+aFoqpvO8EKwRPiVjSeX+VGQsVAPR5mSZbGDtGWyIiXYQHejWaL1eLH5X4jm7xQPCQJ2VQ2FOTKlLOIL+PM07BMgc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR15MB3733
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russel,=0A=
=0A=
kernel_read_crypto_sysctls was added to domain.te a week or so ago (6ff1259=
688e8dad630e815ec2e384be1c2fedbf1), it shouldn't be needed in=A0userdom_bas=
e_user_template at this point.=0A=
=0A=
Dave =0A=
=0A=
=0A=
=0A=
=0A=
From: Russell Coker <russell@coker.com.au>=0A=
Sent: Sunday, September 25, 2022 9:57 AM=0A=
To: selinux-refpolicy@vger.kernel.org <selinux-refpolicy@vger.kernel.org>=
=0A=
Subject: [PATCH] misc strict patches =0A=
=A0=0A=
Some misc patches to make things work in a "strict" configuration.=0A=
=0A=
Allow base user domains to read crypto and vm overcommit status.=0A=
=0A=
Allow pulseaudio to write all user_runtime_content_type named sockets.=0A=
=0A=
Allow sysadm_t to read/write netlink_generic_socket, read=0A=
netlink_tcpdiag_socket, have audit_write capability, get schedulint data,=
=0A=
get systemd unit status, talk to logind via dbus, and have direct USB acces=
s.=0A=
=0A=
Allow the xserver_role domains to accept a unix_stream_socket from xdm_t an=
d=0A=
map xkb_var_lib_t.=0A=
=0A=
Add extra access to the $1_dbusd_t domains.=0A=
=0A=
Allow the ssh agent to write to an inherited xsession log.=0A=
=0A=
Removed the domain systemd_analyze_t, all it's doing is talking to systemd=
=0A=
and formatting the output it gets.=0A=
=0A=
Allow system_cronjob_t to read fs sysctls, and allow ntpd_t to get generic=
=0A=
units status.=0A=
=0A=
I think this is ready to merge.=0A=
=0A=
Signed-off-by: Russell Coker <russell@coker.com.au>=0A=
=0A=
Index: refpolicy-2.20220925/policy/modules/system/userdomain.if=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/system/userdomain.if=0A=
+++ refpolicy-2.20220925/policy/modules/system/userdomain.if=0A=
@@ -69,6 +69,8 @@ template(`userdom_base_user_template',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 dontaudit $1_t user_tty_device_t:chr_file ioctl;=
=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 kernel_read_kernel_sysctls($1_t)=0A=
+=A0=A0=A0=A0=A0=A0 kernel_read_crypto_sysctls($1_t)=0A=
+=A0=A0=A0=A0=A0=A0 kernel_read_vm_overcommit_sysctl($1_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 kernel_dontaudit_list_unlabeled($1_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 kernel_dontaudit_getattr_unlabeled_files($1_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 kernel_dontaudit_getattr_unlabeled_symlinks($1_t)=
=0A=
@@ -3664,6 +3666,25 @@ interface(`userdom_relabelfrom_user_runt=0A=
=A0')=0A=
=A0=0A=
=A0########################################=0A=
+## <summary>=0A=
+##=A0=A0=A0=A0 write user runtime socket files=0A=
+## </summary>=0A=
+## <param name=3D"domain">=0A=
+##=A0=A0=A0=A0 <summary>=0A=
+##=A0=A0=A0=A0 Domain allowed access.=0A=
+##=A0=A0=A0=A0 </summary>=0A=
+## </param>=0A=
+#=0A=
+interface(`userdom_write_all_user_runtime_named_sockets',`=0A=
+=A0=A0=A0=A0=A0=A0 gen_require(`=0A=
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 attribute user_runtime_content_=
type;=0A=
+=A0=A0=A0=A0=A0=A0 ')=0A=
+=0A=
+=A0=A0=A0=A0=A0=A0 allow $1 user_runtime_content_type:dir list_dir_perms;=
=0A=
+=A0=A0=A0=A0=A0=A0 allow $1 user_runtime_content_type:sock_file write;=0A=
+')=0A=
+=0A=
+########################################=0A=
=A0## <summary>=0A=
=A0##=A0=A0=A0=A0=A0 delete user runtime files=0A=
=A0## </summary>=0A=
Index: refpolicy-2.20220925/policy/modules/roles/sysadm.te=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/roles/sysadm.te=0A=
+++ refpolicy-2.20220925/policy/modules/roles/sysadm.te=0A=
@@ -33,11 +33,22 @@ ifndef(`enable_mls',`=0A=
=A0# Local policy=0A=
=A0#=0A=
=A0=0A=
+allow sysadm_t self:netlink_generic_socket { create setopt bind write read=
 };=0A=
+=0A=
+# for ptrace=0A=
+allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read =
};=0A=
+=0A=
+allow sysadm_t self:capability audit_write;=0A=
+allow sysadm_t self:system status;=0A=
+=0A=
=A0corecmd_exec_shell(sysadm_t)=0A=
=A0=0A=
=A0corenet_ib_access_unlabeled_pkeys(sysadm_t)=0A=
=A0corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)=0A=
=A0=0A=
+domain_getsched_all_domains(sysadm_t)=0A=
+=0A=
+dev_read_cpuid(sysadm_t)=0A=
=A0dev_read_kmsg(sysadm_t)=0A=
=A0dev_rw_ipmi_dev(sysadm_t)=0A=
=A0=0A=
@@ -59,6 +70,9 @@ init_admin(sysadm_t)=0A=
=A0userdom_manage_user_home_dirs(sysadm_t)=0A=
=A0userdom_home_filetrans_user_home_dir(sysadm_t)=0A=
=A0=0A=
+# for systemd-analyze=0A=
+files_get_etc_unit_status(sysadm_t)=0A=
+=0A=
=A0ifdef(`direct_sysadm_daemon',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 optional_policy(`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 init_run_daemon(sysadm_t, =
sysadm_r)=0A=
@@ -1049,6 +1063,10 @@ optional_policy(`=0A=
=A0')=0A=
=A0=0A=
=A0optional_policy(`=0A=
+=A0=A0=A0=A0=A0=A0 systemd_dbus_chat_logind(sysadm_t)=0A=
+')=0A=
+=0A=
+optional_policy(`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 tboot_run_txtstat(sysadm_t, sysadm_r)=0A=
=A0')=0A=
=A0=0A=
@@ -1116,6 +1134,7 @@ optional_policy(`=0A=
=A0')=0A=
=A0=0A=
=A0optional_policy(`=0A=
+=A0=A0=A0=A0=A0=A0 dev_rw_generic_usb_dev(sysadm_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 usbmodules_run(sysadm_t, sysadm_r)=0A=
=A0')=0A=
=A0=0A=
Index: refpolicy-2.20220925/policy/modules/services/xserver.if=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/services/xserver.if=0A=
+++ refpolicy-2.20220925/policy/modules/services/xserver.if=0A=
@@ -111,6 +111,7 @@ template(`xserver_restricted_role',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 xserver_xsession_entry_type($2)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 xserver_dontaudit_write_log($2)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 xserver_stream_connect_xdm($2)=0A=
+=A0=A0=A0=A0=A0=A0 xserver_use_user_fonts($2)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 # certain apps want to read xdm.pid file=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 xserver_read_xdm_runtime_files($2)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 # gnome-session creates socket under /tmp/.ICE-uni=
x/=0A=
@@ -169,7 +170,7 @@ template(`xserver_role',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 gen_require(`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type iceauth_home_t, xserv=
er_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type user_fonts_t, user_fo=
nts_cache_t, user_fonts_config_t;=0A=
-=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type mesa_shader_cache_t;=0A=
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type mesa_shader_cache_t, xdm_t=
;=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 ')=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 xserver_restricted_role($1, $2, $3, $4)=0A=
@@ -212,6 +213,8 @@ template(`xserver_role',`=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 xserver_read_xkb_libs($2)=0A=
=A0=0A=
+=A0=A0=A0=A0=A0=A0 allow $2 xdm_t:unix_stream_socket accept;=0A=
+=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 optional_policy(`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 systemd_user_app_status($1=
, xserver_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 ')=0A=
@@ -1256,6 +1259,7 @@ interface(`xserver_read_xkb_libs',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 allow $1 xkb_var_lib_t:dir list_dir_perms;=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_=
t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_=
lib_t)=0A=
+=A0=A0=A0=A0=A0=A0 allow $1 xkb_var_lib_t:file map;=0A=
=A0')=0A=
=A0=0A=
=A0########################################=0A=
Index: refpolicy-2.20220925/policy/modules/services/dbus.if=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/services/dbus.if=0A=
+++ refpolicy-2.20220925/policy/modules/services/dbus.if=0A=
@@ -85,6 +85,7 @@ template(`dbus_role_template',`=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 allow $3 $1_dbusd_t:unix_stream_socket connectto;=
=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };=
=0A=
+=A0=A0=A0=A0=A0=A0 allow $1_dbusd_t $3:dbus send_msg;=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 allow $3 $1_dbusd_t:fd use;=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 dontaudit $1_dbusd_t self:process getcap;=0A=
@@ -105,9 +106,13 @@ template(`dbus_role_template',`=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 allow $1_dbusd_t $3:process sigkill;=0A=
=A0=0A=
+=A0=A0=A0=A0=A0=A0 allow $1_dbusd_t self:process getcap;=0A=
+=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 corecmd_bin_domtrans($1_dbusd_t, $3)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 corecmd_shell_domtrans($1_dbusd_t, $3)=0A=
=A0=0A=
+=A0=A0=A0=A0=A0=A0 dev_read_sysfs($1_dbusd_t)=0A=
+=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 auth_use_nsswitch($1_dbusd_t)=0A=
=A0=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 optional_policy(`=0A=
@@ -115,6 +120,15 @@ template(`dbus_role_template',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 systemd_user_daemon_domain=
($1, dbusd_exec_t, $1_dbusd_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 systemd_user_unix_stream_a=
ctivated_socket($1_dbusd_t, session_dbusd_runtime_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 ')=0A=
+=0A=
+=A0=A0=A0=A0=A0=A0 optional_policy(`=0A=
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 init_dbus_chat($1_dbusd_t)=0A=
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 dbus_system_bus_client($1_dbusd=
_t)=0A=
+=A0=A0=A0=A0=A0=A0 ')=0A=
+=0A=
+=A0=A0=A0=A0=A0=A0 optional_policy(`=0A=
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xdg_read_data_files($1_dbusd_t)=
=0A=
+=A0=A0=A0=A0=A0=A0 ')=0A=
=A0')=0A=
=A0=0A=
=A0#######################################=0A=
Index: refpolicy-2.20220925/policy/modules/services/ssh.if=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/services/ssh.if=0A=
+++ refpolicy-2.20220925/policy/modules/services/ssh.if=0A=
@@ -470,6 +470,7 @@ template(`ssh_role_template',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_use_xdm_fds($1_ssh=
_agent_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_rw_xdm_pipes($1_ss=
h_agent_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_sigchld_xdm($1_ssh=
_agent_t)=0A=
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_write_inherited_xsessio=
n_log($1_ssh_agent_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 ')=0A=
=A0')=0A=
=A0=0A=
Index: refpolicy-2.20220925/policy/modules/kernel/corecommands.te=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/kernel/corecommands.te=0A=
+++ refpolicy-2.20220925/policy/modules/kernel/corecommands.te=0A=
@@ -13,7 +13,7 @@ attribute exec_type;=0A=
=A0#=0A=
=A0# bin_t is the type of files in the system bin/sbin directories.=0A=
=A0#=0A=
-type bin_t alias { ls_exec_t sbin_t };=0A=
+type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };=0A=
=A0typealias bin_t alias { systemd_detect_virt_t systemd_run_exec_t };=0A=
=A0corecmd_executable_file(bin_t)=0A=
=A0dev_associate(bin_t)=A0=A0=A0 #For /dev/MAKEDEV=0A=
Index: refpolicy-2.20220925/policy/modules/system/systemd.te=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/system/systemd.te=0A=
+++ refpolicy-2.20220925/policy/modules/system/systemd.te=0A=
@@ -64,10 +64,6 @@ type systemd_activate_t;=0A=
=A0type systemd_activate_exec_t;=0A=
=A0init_system_domain(systemd_activate_t, systemd_activate_exec_t)=0A=
=A0=0A=
-type systemd_analyze_t;=0A=
-type systemd_analyze_exec_t;=0A=
-init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)=0A=
-=0A=
=A0type systemd_backlight_t;=0A=
=A0type systemd_backlight_exec_t;=0A=
=A0init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)=0A=
@@ -1695,6 +1691,7 @@ tunable_policy(`systemd_tmpfiles_manage_=0A=
=A0')=0A=
=A0=0A=
=A0optional_policy(`=0A=
+=A0=A0=A0=A0=A0=A0 dbus_manage_lib_files(systemd_tmpfiles_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 dbus_read_lib_files(systemd_tmpfiles_t)=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 dbus_relabel_lib_dirs(systemd_tmpfiles_t)=0A=
=A0')=0A=
Index: refpolicy-2.20220925/policy/modules/services/cron.te=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/services/cron.te=0A=
+++ refpolicy-2.20220925/policy/modules/services/cron.te=0A=
@@ -483,6 +483,7 @@ allow system_cronjob_t crond_tmp_t:file=0A=
=A0kernel_getattr_core_if(system_cronjob_t)=0A=
=A0kernel_getattr_message_if(system_cronjob_t)=0A=
=A0=0A=
+kernel_read_fs_sysctls(system_cronjob_t)=0A=
=A0kernel_read_irq_sysctls(system_cronjob_t)=0A=
=A0kernel_read_kernel_sysctls(system_cronjob_t)=0A=
=A0kernel_read_network_state(system_cronjob_t)=0A=
Index: refpolicy-2.20220925/policy/modules/apps/pulseaudio.te=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/apps/pulseaudio.te=0A=
+++ refpolicy-2.20220925/policy/modules/apps/pulseaudio.te=0A=
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau=0A=
=A0userdom_manage_user_tmp_dirs(pulseaudio_t)=0A=
=A0userdom_manage_user_tmp_files(pulseaudio_t)=0A=
=A0userdom_manage_user_tmp_sockets(pulseaudio_t)=0A=
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)=0A=
=A0=0A=
=A0tunable_policy(`pulseaudio_execmem',`=0A=
=A0=A0=A0=A0=A0=A0=A0=A0 allow pulseaudio_t self:process execmem;=0A=
Index: refpolicy-2.20220925/policy/modules/services/ntp.te=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- refpolicy-2.20220925.orig/policy/modules/services/ntp.te=0A=
+++ refpolicy-2.20220925/policy/modules/services/ntp.te=0A=
@@ -131,6 +131,7 @@ term_use_ptmx(ntpd_t)=0A=
=A0auth_use_nsswitch(ntpd_t)=0A=
=A0=0A=
=A0init_exec_script_files(ntpd_t)=0A=
+init_get_generic_units_status(ntpd_t)=0A=
=A0=0A=
=A0logging_send_syslog_msg(ntpd_t)=0A=
=A0=