2022-04-06 16:26:45

by Russell Coker

[permalink] [raw]
Subject: [PATCH] wm domains and sddm fixes

These patches make a sddm login with the $1_wm_t domain work. Most of this
is for X11 but there is a bit for Wayland too.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20220322/policy/modules/apps/wm.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/wm.if
+++ refpolicy-2.20220322/policy/modules/apps/wm.if
@@ -61,6 +61,8 @@ template(`wm_role_template',`
allow $3 $1_wm_t:process { ptrace signal_perms };
ps_process_pattern($3, $1_wm_t)

+ kernel_read_kernel_sysctls($1_wm_t)
+
allow $1_wm_t $3:process { signull sigkill };

domtrans_pattern($3, wm_exec_t, $1_wm_t)
@@ -81,6 +83,10 @@ template(`wm_role_template',`

wm_write_pipes($1, $3)

+ tunable_policy(`wm_write_xdg_data', `
+ xdg_manage_data($1_wm_t)
+ ')
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
@@ -115,6 +121,17 @@ template(`wm_role_template',`
optional_policy(`
xdg_watch_config_files($1_wm_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1_wm_t)
+ ')
+
+ optional_policy(`
+ xdg_read_data_files($1_wm_t)
+ xdg_manage_cache($1_wm_t)
+ xdg_manage_config($1_wm_t)
+ xdg_watch_data_files($1_wm_t)
+ ')
')

########################################
Index: refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
@@ -256,6 +256,7 @@ ifdef(`distro_gentoo',`
/usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/x86_64-linux-gnu/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)

ifdef(`distro_debian',`
/usr/lib/[^/]+/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20220322/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20220322/policy/modules/system/unconfined.if
@@ -40,6 +40,7 @@ interface(`unconfined_domain_noaudit',`
allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:system status;

# Manage most namespace capabilities
allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
Index: refpolicy-2.20220322/policy/modules/apps/gnome.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/gnome.if
+++ refpolicy-2.20220322/policy/modules/apps/gnome.if
@@ -112,6 +112,10 @@ template(`gnome_role_template',`
')

optional_policy(`
+ systemd_dbus_chat_logind($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
wm_dbus_chat($1, $1_gkeyringd_t)
')
')
@@ -814,3 +818,21 @@ interface(`gnome_mmap_gstreamer_orcexec'

allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')
+
+########################################
+## <summary>
+## watch gnome_xdg_config_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_watch_xdg_config_dirs',`
+ gen_require(`
+ type gnome_xdg_config_t;
+ ')
+
+ allow $1 gnome_xdg_config_t:dir watch;
+')
Index: refpolicy-2.20220322/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20220322/policy/modules/services/xserver.if
@@ -213,7 +213,7 @@ template(`xserver_role',`

xserver_read_xkb_libs($2)

- allow $2 xdm_t:unix_stream_socket accept;
+ allow $2 xdm_t:unix_stream_socket { getattr accept };

optional_policy(`
systemd_user_app_status($1, xserver_t)
Index: refpolicy-2.20220322/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20220322/policy/modules/system/miscfiles.if
@@ -634,6 +634,7 @@ interface(`miscfiles_watch_localization'
type locale_t;
')

+ allow $1 locale_t:dir watch;
allow $1 locale_t:file watch;
')

Index: refpolicy-2.20220322/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20220322/policy/modules/system/userdomain.if
@@ -121,6 +121,8 @@ template(`userdom_base_user_template',`
miscfiles_read_generic_certs($1_t)
miscfiles_watch_fonts_dirs($1_t)

+ userdom_write_user_runtime_sockets($1_t)
+
sysnet_read_config($1_t)

# kdeinit wants systemd status
@@ -960,6 +962,7 @@ template(`userdom_login_user_template',
userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)

+ userdom_execmod_user_tmpfs_files($1_t)
userdom_map_user_tmpfs_files($1_t)

userdom_change_password_template($1)
@@ -1214,8 +1217,10 @@ template(`userdom_unpriv_user_template',
corenet_tcp_bind_xserver_port($1_t)

files_exec_usr_files($1_t)
+ files_watch_etc_symlinks($1_t)

miscfiles_manage_public_files($1_t)
+ miscfiles_watch_localization($1_t)
miscfiles_watch_public_dirs($1_t)

tunable_policy(`user_dmesg',`
@@ -1234,6 +1239,7 @@ template(`userdom_unpriv_user_template',
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_node($1_t)
corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
')

# Allow users to run UDP servers (bind to ports and accept connection from
@@ -1241,6 +1247,7 @@ template(`userdom_unpriv_user_template',
tunable_policy(`user_udp_server',`
corenet_udp_bind_generic_node($1_t)
corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_all_unreserved_ports($1_t)
')

optional_policy(`
@@ -1582,6 +1589,8 @@ template(`userdom_xdg_user_template',`
xdg_manage_all_data($1_t)
xdg_relabel_all_data($1_t)
xdg_watch_all_data_dirs($1_t)
+ xdg_watch_all_data_files($1_t)
+ xdg_exec_data($1_t)

xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
@@ -3686,6 +3695,24 @@ interface(`userdom_delete_user_runtime_f

########################################
## <summary>
+## write user runtime sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_user_runtime_sockets',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:sock_file write;
+')
+
+########################################
+## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
@@ -4094,6 +4121,24 @@ interface(`userdom_manage_user_tmpfs_fil
')

########################################
+## <summary>
+## execute and execmod user tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_execmod_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file { execute execmod };
+')
+
+########################################
## <summary>
## Get the attributes of a user domain tty.
## </summary>
Index: refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
@@ -222,6 +222,7 @@ optional_policy(`
systemd_read_logind_sessions_files(pulseaudio_t)
# for /run/systemd/users/$PID
systemd_read_logind_runtime_files(pulseaudio_t)
+ systemd_watch_logind_sessions_dirs(pulseaudio_t)
')

optional_policy(`
Index: refpolicy-2.20220322/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20220322/policy/modules/system/xdg.if
@@ -691,6 +691,24 @@ interface(`xdg_watch_data_dirs',`

########################################
## <summary>
+## Watch the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_data_files',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:file watch;
+')
+
+########################################
+## <summary>
## Watch all the xdg data home directories
## </summary>
## <param name="domain">
@@ -709,6 +727,24 @@ interface(`xdg_watch_all_data_dirs',`

########################################
## <summary>
+## Watch all the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_data_files',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ allow $1 xdg_data_type:file watch;
+')
+
+########################################
+## <summary>
## Read the xdg data home files
## </summary>
## <param name="domain">
@@ -914,6 +950,24 @@ interface(`xdg_relabel_data',`
')

########################################
+## <summary>
+## Allow domain to execute xdg_data_t, for some application config in kde
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ can_exec($1, xdg_data_t)
+')
+
+########################################
## <summary>
## Allow relabeling the xdg data home files, regardless of their type
## </summary>
Index: refpolicy-2.20220322/policy/modules/apps/wm.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/wm.te
+++ refpolicy-2.20220322/policy/modules/apps/wm.te
@@ -7,6 +7,14 @@ policy_module(wm)

attribute wm_domain;

+
+## <desc>
+## <p>
+## Grant the window manager domains write access to xdg data
+## </p>
+## </desc>
+gen_tunable(`wm_write_xdg_data', false)
+
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

Index: refpolicy-2.20220322/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20220322/policy/modules/apps/chromium.te
@@ -275,6 +275,7 @@ optional_policy(`

optional_policy(`
gnome_dbus_chat_all_gkeyringd(chromium_t)
+ gnome_watch_xdg_config_dirs(chromium_t)
')

optional_policy(`
Index: refpolicy-2.20220322/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20220322/policy/modules/services/xserver.fc
@@ -37,6 +37,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)

/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/wayland-session -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)

/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)


2022-04-25 16:01:28

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] wm domains and sddm fixes

On 4/6/22 08:36, Russell Coker wrote:
> These patches make a sddm login with the $1_wm_t domain work. Most of this
> is for X11 but there is a bit for Wayland too.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20220322/policy/modules/apps/wm.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/apps/wm.if
> +++ refpolicy-2.20220322/policy/modules/apps/wm.if
> @@ -61,6 +61,8 @@ template(`wm_role_template',`
> allow $3 $1_wm_t:process { ptrace signal_perms };
> ps_process_pattern($3, $1_wm_t)
>
> + kernel_read_kernel_sysctls($1_wm_t)
> +
> allow $1_wm_t $3:process { signull sigkill };
>
> domtrans_pattern($3, wm_exec_t, $1_wm_t)
> @@ -81,6 +83,10 @@ template(`wm_role_template',`
>
> wm_write_pipes($1, $3)
>
> + tunable_policy(`wm_write_xdg_data', `
> + xdg_manage_data($1_wm_t)
> + ')
> +
> optional_policy(`
> dbus_connect_spec_session_bus($1, $1_wm_t)
> dbus_spec_session_bus_client($1, $1_wm_t)
> @@ -115,6 +121,17 @@ template(`wm_role_template',`
> optional_policy(`
> xdg_watch_config_files($1_wm_t)
> ')
> +
> + optional_policy(`
> + systemd_dbus_chat_logind($1_wm_t)
> + ')
> +
> + optional_policy(`
> + xdg_read_data_files($1_wm_t)
> + xdg_manage_cache($1_wm_t)
> + xdg_manage_config($1_wm_t)
> + xdg_watch_data_files($1_wm_t)
> + ')
> ')


Please merge all the xdg calls into a single optional block. The added tunable
should be in this optional too.

> ########################################
> Index: refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
> @@ -256,6 +256,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/x86_64-linux-gnu/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
>
> ifdef(`distro_debian',`
> /usr/lib/[^/]+/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20220322/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20220322/policy/modules/system/unconfined.if
> @@ -40,6 +40,7 @@ interface(`unconfined_domain_noaudit',`
> allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
> allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
> allow $1 self:fifo_file manage_fifo_file_perms;
> + allow $1 self:system status;
>
> # Manage most namespace capabilities
> allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
> Index: refpolicy-2.20220322/policy/modules/apps/gnome.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/apps/gnome.if
> +++ refpolicy-2.20220322/policy/modules/apps/gnome.if
> @@ -112,6 +112,10 @@ template(`gnome_role_template',`
> ')
>
> optional_policy(`
> + systemd_dbus_chat_logind($1_gkeyringd_t)
> + ')
> +
> + optional_policy(`
> wm_dbus_chat($1, $1_gkeyringd_t)
> ')
> ')
> @@ -814,3 +818,21 @@ interface(`gnome_mmap_gstreamer_orcexec'
>
> allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## watch gnome_xdg_config_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_watch_xdg_config_dirs',`
> + gen_require(`
> + type gnome_xdg_config_t;
> + ')
> +
> + allow $1 gnome_xdg_config_t:dir watch;
> +')
> Index: refpolicy-2.20220322/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20220322/policy/modules/services/xserver.if
> @@ -213,7 +213,7 @@ template(`xserver_role',`
>
> xserver_read_xkb_libs($2)
>
> - allow $2 xdm_t:unix_stream_socket accept;
> + allow $2 xdm_t:unix_stream_socket { getattr accept };
>
> optional_policy(`
> systemd_user_app_status($1, xserver_t)
> Index: refpolicy-2.20220322/policy/modules/system/miscfiles.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/system/miscfiles.if
> +++ refpolicy-2.20220322/policy/modules/system/miscfiles.if
> @@ -634,6 +634,7 @@ interface(`miscfiles_watch_localization'
> type locale_t;
> ')
>
> + allow $1 locale_t:dir watch;
> allow $1 locale_t:file watch;
> ')
>
> Index: refpolicy-2.20220322/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20220322/policy/modules/system/userdomain.if
> @@ -121,6 +121,8 @@ template(`userdom_base_user_template',`
> miscfiles_read_generic_certs($1_t)
> miscfiles_watch_fonts_dirs($1_t)
>
> + userdom_write_user_runtime_sockets($1_t)
> +
> sysnet_read_config($1_t)
>
> # kdeinit wants systemd status
> @@ -960,6 +962,7 @@ template(`userdom_login_user_template',
> userdom_exec_user_tmp_files($1_t)
> userdom_exec_user_home_content_files($1_t)
>
> + userdom_execmod_user_tmpfs_files($1_t)
> userdom_map_user_tmpfs_files($1_t)
>
> userdom_change_password_template($1)
> @@ -1214,8 +1217,10 @@ template(`userdom_unpriv_user_template',
> corenet_tcp_bind_xserver_port($1_t)
>
> files_exec_usr_files($1_t)
> + files_watch_etc_symlinks($1_t)
>
> miscfiles_manage_public_files($1_t)
> + miscfiles_watch_localization($1_t)
> miscfiles_watch_public_dirs($1_t)
>
> tunable_policy(`user_dmesg',`
> @@ -1234,6 +1239,7 @@ template(`userdom_unpriv_user_template',
> tunable_policy(`user_tcp_server',`
> corenet_tcp_bind_generic_node($1_t)
> corenet_tcp_bind_generic_port($1_t)
> + corenet_tcp_bind_all_unreserved_ports($1_t)
> ')
>
> # Allow users to run UDP servers (bind to ports and accept connection from
> @@ -1241,6 +1247,7 @@ template(`userdom_unpriv_user_template',
> tunable_policy(`user_udp_server',`
> corenet_udp_bind_generic_node($1_t)
> corenet_udp_bind_generic_port($1_t)
> + corenet_udp_bind_all_unreserved_ports($1_t)
> ')
>
> optional_policy(`
> @@ -1582,6 +1589,8 @@ template(`userdom_xdg_user_template',`
> xdg_manage_all_data($1_t)
> xdg_relabel_all_data($1_t)
> xdg_watch_all_data_dirs($1_t)
> + xdg_watch_all_data_files($1_t)
> + xdg_exec_data($1_t)
>
> xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
> xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
> @@ -3686,6 +3695,24 @@ interface(`userdom_delete_user_runtime_f
>
> ########################################
> ## <summary>
> +## write user runtime sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_write_user_runtime_sockets',`
> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + allow $1 user_runtime_t:sock_file write;

No associated unix socket access?


> +')
> +
> +########################################
> +## <summary>
> ## Search users runtime directories.
> ## </summary>
> ## <param name="domain">
> @@ -4094,6 +4121,24 @@ interface(`userdom_manage_user_tmpfs_fil
> ')
>
> ########################################
> +## <summary>
> +## execute and execmod user tmpfs files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_execmod_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + allow $1 user_tmpfs_t:file { execute execmod };
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of a user domain tty.
> ## </summary>
> Index: refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/apps/pulseaudio.te
> +++ refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
> @@ -222,6 +222,7 @@ optional_policy(`
> systemd_read_logind_sessions_files(pulseaudio_t)
> # for /run/systemd/users/$PID
> systemd_read_logind_runtime_files(pulseaudio_t)
> + systemd_watch_logind_sessions_dirs(pulseaudio_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20220322/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20220322/policy/modules/system/xdg.if
> @@ -691,6 +691,24 @@ interface(`xdg_watch_data_dirs',`
>
> ########################################
> ## <summary>
> +## Watch the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_data_files',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + allow $1 xdg_data_t:file watch;
> +')
> +
> +########################################
> +## <summary>
> ## Watch all the xdg data home directories
> ## </summary>
> ## <param name="domain">
> @@ -709,6 +727,24 @@ interface(`xdg_watch_all_data_dirs',`
>
> ########################################
> ## <summary>
> +## Watch all the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_data_files',`
> + gen_require(`
> + attribute xdg_data_type;
> + ')
> +
> + allow $1 xdg_data_type:file watch;
> +')
> +
> +########################################
> +## <summary>
> ## Read the xdg data home files
> ## </summary>
> ## <param name="domain">
> @@ -914,6 +950,24 @@ interface(`xdg_relabel_data',`
> ')
>
> ########################################
> +## <summary>
> +## Allow domain to execute xdg_data_t, for some application config in kde
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_exec_data',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + can_exec($1, xdg_data_t)
> +')
> +
> +########################################
> ## <summary>
> ## Allow relabeling the xdg data home files, regardless of their type
> ## </summary>
> Index: refpolicy-2.20220322/policy/modules/apps/wm.te
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/apps/wm.te
> +++ refpolicy-2.20220322/policy/modules/apps/wm.te
> @@ -7,6 +7,14 @@ policy_module(wm)
>
> attribute wm_domain;
>
> +
> +## <desc>
> +## <p>
> +## Grant the window manager domains write access to xdg data
> +## </p>
> +## </desc>
> +gen_tunable(`wm_write_xdg_data', false)
> +
> type wm_exec_t;
> corecmd_executable_file(wm_exec_t)
>
> Index: refpolicy-2.20220322/policy/modules/apps/chromium.te
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/apps/chromium.te
> +++ refpolicy-2.20220322/policy/modules/apps/chromium.te
> @@ -275,6 +275,7 @@ optional_policy(`
>
> optional_policy(`
> gnome_dbus_chat_all_gkeyringd(chromium_t)
> + gnome_watch_xdg_config_dirs(chromium_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20220322/policy/modules/services/xserver.fc
> ===================================================================
> --- refpolicy-2.20220322.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20220322/policy/modules/services/xserver.fc
> @@ -37,6 +37,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/etc/sddm/wayland-session -- gen_context(system_u:object_r:xsession_exec_t,s0)
> /etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
>
> /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)


--
Chris PeBenito