More little strict patches, much of which are needed for KDE.
With the lines that Chris didn't like removed.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20210115/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210115/policy/modules/system/userdomain.if
@@ -880,6 +880,10 @@ template(`userdom_common_user_template',
')
optional_policy(`
+ udev_read_runtime_files($1_t)
+ ')
+
+ optional_policy(`
usernetctl_run($1_t, $1_r)
')
@@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template',
optional_policy(`
systemd_dbus_chat_logind($1_t)
+ systemd_use_logind_fds($1_t)
+ systemd_dbus_chat_hostnamed($1_t)
+ systemd_write_inherited_logind_inhibit_pipes($1_t)
+
+ # kwalletd5 inherits a socket from init
+ init_rw_inherited_stream_socket($1_t)
+ init_use_fds($1_t)
+ # for polkit-kde-auth
+ init_read_state($1_t)
')
# Allow controlling usbguard
@@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti
')
########################################
+## <summary>
+## write user runtime socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
## <summary>
## Create objects in the pid directory
## with an automatic type transition to
On 1/14/21 6:37 PM, Russell Coker wrote:
> More little strict patches, much of which are needed for KDE.
>
> With the lines that Chris didn't like removed.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210115/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20210115/policy/modules/system/userdomain.if
> @@ -880,6 +880,10 @@ template(`userdom_common_user_template',
> ')
>
> optional_policy(`
> + udev_read_runtime_files($1_t)
> + ')
> +
> + optional_policy(`
> usernetctl_run($1_t, $1_r)
> ')
>
> @@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template',
>
> optional_policy(`
> systemd_dbus_chat_logind($1_t)
> + systemd_use_logind_fds($1_t)
> + systemd_dbus_chat_hostnamed($1_t)
> + systemd_write_inherited_logind_inhibit_pipes($1_t)
> +
> + # kwalletd5 inherits a socket from init
> + init_rw_inherited_stream_socket($1_t)
> + init_use_fds($1_t)
> + # for polkit-kde-auth
> + init_read_state($1_t)
> ')
>
> # Allow controlling usbguard
> @@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti
> ')
>
> ########################################
> +## <summary>
> +## write user runtime socket files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_write_all_user_runtime_named_sockets',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:sock_file write;
> +')
> +
> +########################################
> ## <summary>
> ## Create objects in the pid directory
> ## with an automatic type transition to
>
I merged this but dropped this last block because it I think it is incomplete
and it is unused.
--
Chris PeBenito