[PATCH] yet more strict patches fixed

[PATCH] yet more strict patches fixed

[Russell Coker]

More little strict patches, much of which are needed for KDE.

With the lines that Chris didn't like removed.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210115/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210115/policy/modules/system/userdomain.if
@@ -880,6 +880,10 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
+		udev_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		usernetctl_run($1_t, $1_r)
 	')
 
@@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template',
 
 	optional_policy(`
 		systemd_dbus_chat_logind($1_t)
+		systemd_use_logind_fds($1_t)
+		systemd_dbus_chat_hostnamed($1_t)
+		systemd_write_inherited_logind_inhibit_pipes($1_t)
+
+		# kwalletd5 inherits a socket from init
+		init_rw_inherited_stream_socket($1_t)
+		init_use_fds($1_t)
+		# for polkit-kde-auth
+		init_read_state($1_t)
 	')
 
 	# Allow controlling usbguard
@@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti
 ')
 
 ########################################
+## <summary>
+##	write user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to

Re: [PATCH] yet more strict patches fixed

[Chris PeBenito]

On 1/14/21 6:37 PM, Russell Coker wrote:
> More little strict patches, much of which are needed for KDE.
> 
> With the lines that Chris didn't like removed.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210115/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20210115/policy/modules/system/userdomain.if
> @@ -880,6 +880,10 @@ template(`userdom_common_user_template',
>   	')
>   
>   	optional_policy(`
> +		udev_read_runtime_files($1_t)
> +	')
> +
> +	optional_policy(`
>   		usernetctl_run($1_t, $1_r)
>   	')
>   
> @@ -1231,6 +1235,15 @@ template(`userdom_unpriv_user_template',
>   
>   	optional_policy(`
>   		systemd_dbus_chat_logind($1_t)
> +		systemd_use_logind_fds($1_t)
> +		systemd_dbus_chat_hostnamed($1_t)
> +		systemd_write_inherited_logind_inhibit_pipes($1_t)
> +
> +		# kwalletd5 inherits a socket from init
> +		init_rw_inherited_stream_socket($1_t)
> +		init_use_fds($1_t)
> +		# for polkit-kde-auth
> +		init_read_state($1_t)
>   	')
>   
>   	# Allow controlling usbguard
> @@ -3617,6 +3630,25 @@ interface(`userdom_delete_all_user_runti
>   ')
>   
>   ########################################
> +## <summary>
> +##	write user runtime socket files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_user_runtime_named_sockets',`
> +	gen_require(`
> +		attribute user_runtime_content_type;
> +	')
> +
> +	allow $1 user_runtime_content_type:dir list_dir_perms;
> +	allow $1 user_runtime_content_type:sock_file write;
> +')
> +
> +########################################
>   ## <summary>
>   ##	Create objects in the pid directory
>   ##	with an automatic type transition to
> 

I merged this but dropped this last block because it I think it is incomplete 
and it is unused.


-- 
Chris PeBenito