From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 21 Jun 2017 17:28:35 +0200 Subject: [refpolicy] [PATCH] userdomain: allow netlink_kobject_uvent_socket creation Message-ID: <1498058915.4583.2.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Not auditing this turns out to be the wrong choice for several reasons. For normal application functioning the user domain should be able to create netlink_kobject_uvent_socket sockets. Signed-off-by: Guido Trentalancia --- policy/modules/system/userdomain.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/policy/modules/system/userdomain.if 2017-04-26 17:47:14.081423048 +0200 +++ b/policy/modules/system/userdomain.if 2017-06-21 17:12:39.854541009 +0200 @@ -530,8 +530,8 @@ template(`userdom_common_user_template', dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - # gnome-settings-daemon tries to create a netlink socket - dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms; + # gnome-settings-daemon and some applications create a netlink socket + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; allow $1_t unpriv_userdomain:fd use;
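Review bot: the commit message says dontaudit "turns out to be the wrong choice for several reasons" but names none of them, and the hunk turns a dontaudit into an allow for every domain built from userdom_common_user_template, so the justification should list the concrete reasons (which applications break and how) before this is merged. Two further points on the hunk itself: first, create_socket_perms is the full socket permission set (create, read, write, bind, connect, getopt, setopt and the rest), so the rule grants considerably more than the "create a netlink socket" the comment describes; if the applications only need to open the socket and receive kernel uevents, a narrower set such as `{ create bind read getattr setopt }` would fit, and an unprivileged user domain should not need write on a kobject uevent socket at all. Second, the two lines of unchanged context just above still dontaudit netlink_socket and netlink_route_socket, so the commit message should say why the uevent socket is treated differently from the other netlink classes in the same template. Minor: "gnome-settings-daemon and some applications" is vague for a comment; name the applications that were observed, and the subject line misspells the class as netlink_kobject_uvent_socket (the hunk correctly uses netlink_kobject_uevent_socket).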