From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 6 Aug 2017 11:15:15 -0400
Subject: [refpolicy] [PATCH] userdomain: allow netlink_kobject_uevent_socket creation
In-Reply-To: <1498058915.4583.2.camel@trentalancia.com>
References: <1498058915.4583.2.camel@trentalancia.com>
Message-ID: <58a90e29-c848-86a2-3d1b-3554ccda8a8c@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/21/2017 11:28 AM, Guido Trentalancia via refpolicy wrote:
> Not auditing this turns out to be the wrong choice for
> several reasons.
>
> For normal application functioning the user domain
> should be able to create netlink_kobject_uevent_socket
> sockets.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/system/userdomain.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/system/userdomain.if 2017-04-26 17:47:14.081423048 +0200
> +++ b/policy/modules/system/userdomain.if 2017-06-21 17:12:39.854541009 +0200
> @@ -530,8 +530,8 @@ template(`userdom_common_user_template',
> dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
> dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
>
> - # gnome-settings-daemon tries to create a netlink socket
> - dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
> + # gnome-settings-daemon and some applications create a netlink socket
> + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
>
> allow $1_t unpriv_userdomain:fd use;

Merged.

-- 
Chris PeBenito
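Review bot: the justification for this hunk is missing: the commit message says dontaudit "turns out to be the wrong choice for several reasons" but lists none, and the replacement comment's "some applications" names no application, so a later reader cannot tell which programs were denied or whether the full create_socket_perms set is what they need. Turning the dontaudit into an allow grants every user domain instantiated from userdom_common_user_template the whole set (create, bind, read, write, setopt and the rest) on its own netlink_kobject_uevent_socket, i.e. the ability to subscribe to kernel device uevents; a receive-only consumer does not need write or append, so the message should quote the observed AVC denials and the permission set should be trimmed to what they show. It would also help to state why this netlink class becomes allow while the netlink_socket and netlink_route_socket rules immediately above it in the same template remain dontaudit. Suggested comment: `# gnome-settings-daemon and other desktop applications subscribe to kernel uevents`, with the named applications added to the commit message.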