From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 14 Apr 2017 01:25:59 +0200
Subject: [refpolicy] [PATCH 9/10] userdomain: do not audit netlink socket creation attempts
Message-ID: <1492125959.14193.47.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the userdomain base module so that an unneeded permission is not audited.

Signed-off-by: Guido Trentalancia
---
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)

--- refpolicy-2.20170204-orig/policy/modules/system/userdomain.if 2016-12-17 14:15:16.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/system/userdomain.if 2017-04-13 21:23:08.297212706 +0200
@@ -507,6 +510,9 @@ template(`userdom_common_user_template',
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+	# gnome-settings-daemon tries to create a netlink socket
+	dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+
 	allow $1_t unpriv_userdomain:fd use;
 	kernel_read_system_state($1_t)
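Review bot: The added dontaudit is wider than both the comment and the commit message describe: `create_socket_perms` silences the whole socket permission set (the same list spelled out on the two netlink lines above), while only the create attempt by gnome-settings-daemon is said to be noisy. Nothing visible in the hunk grants create on this class, so the remaining permissions cannot be exercised from this domain and silencing them only hides denials if some other module later grants create; `dontaudit $1_t self:netlink_kobject_uevent_socket create;` would match the stated intent and keep those later denials auditable. The comment should also record that the daemon works without the access, so a later reader does not turn the rule into an allow, e.g. `# gnome-settings-daemon tries to create a uevent netlink socket; it works without one, so do not audit the attempt`. userdom_common_user_template continues outside the hunk.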