From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 21 Jun 2017 17:28:35 +0200
Subject: [refpolicy] [PATCH] userdomain: allow netlink_kobject_uvent_socket
	creation
Message-ID: <1498058915.4583.2.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Not auditing this turns out to be the wrong choice for
several reasons.

For normal application functioning the user domain
should be able to create netlink_kobject_uvent_socket
sockets.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/userdomain.if |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/policy/modules/system/userdomain.if	2017-04-26 17:47:14.081423048 +0200
+++ b/policy/modules/system/userdomain.if	2017-06-21 17:12:39.854541009 +0200
@@ -530,8 +530,8 @@ template(`userdom_common_user_template',
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
-	# gnome-settings-daemon tries to create a netlink socket
-	dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+	# gnome-settings-daemon and some applications create a netlink socket
+	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 	allow $1_t unpriv_userdomain:fd use;