From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 6 Aug 2017 11:15:15 -0400
Subject: [refpolicy] [PATCH] userdomain: allow
 netlink_kobject_uvent_socket creation
In-Reply-To: <1498058915.4583.2.camel@trentalancia.com>
References: <1498058915.4583.2.camel@trentalancia.com>
Message-ID: <58a90e29-c848-86a2-3d1b-3554ccda8a8c@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/21/2017 11:28 AM, Guido Trentalancia via refpolicy wrote:
> Not auditing this turns out to be the wrong choice for
> several reasons.
>
> For normal application functioning the user domain
> should be able to create netlink_kobject_uvent_socket
> sockets.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>  policy/modules/system/userdomain.if |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/system/userdomain.if	2017-04-26 17:47:14.081423048 +0200
> +++ b/policy/modules/system/userdomain.if	2017-06-21 17:12:39.854541009 +0200
> @@ -530,8 +530,8 @@ template(`userdom_common_user_template',
>  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
>  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
>
> -	# gnome-settings-daemon tries to create a netlink socket
> -	dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
> +	# gnome-settings-daemon and some applications create a netlink socket
> +	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
>
>  	allow $1_t unpriv_userdomain:fd use;

Merged.


-- 
Chris PeBenito