* [PATCH 1/8] userdomain: Add watch on home dirs
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/xserver.if  |  11 +-
 policy/modules/system/miscfiles.if  |  18 +++
 policy/modules/system/userdomain.if |  15 ++-
 policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
 4 files changed, 240 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index baa39ef87..d5d6c7914 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
 	dev_rw_usbfs($2)
 
 	miscfiles_read_fonts($2)
+	miscfiles_watch_fonts_dirs($2)
 
 	xserver_common_x_domain_template(user, $2)  #selint-disable:S-004
 	xserver_domtrans($2)
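Review bot: `miscfiles_watch_fonts_dirs($2)` is called here but not defined anywhere in this series — the miscfiles.if hunk only adds `miscfiles_watch_public_dirs` — so the build relies on that interface already existing upstream, which is worth confirming before merge since an undefined interface fails at policy build time. Note that the /etc/fonts denial in the commit message is on fonts_t, so this call, not the `files_watch_etc_dirs` added in userdomain.if, is what resolves it. xserver_restricted_role's body continues outside the hunk.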
@@ -186,10 +187,13 @@ interface(`xserver_role',`
 	optional_policy(`
 		xdg_manage_all_cache($2)
 		xdg_relabel_all_cache($2)
+		xdg_watch_all_cache_dirs($2)
 		xdg_manage_all_config($2)
 		xdg_relabel_all_config($2)
+		xdg_watch_all_config_dirs($2)
 		xdg_manage_all_data($2)
 		xdg_relabel_all_data($2)
+		xdg_watch_all_data_dirs($2)
 
 		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`
 
 		xdg_manage_documents($2)
 		xdg_relabel_documents($2)
+		xdg_watch_documents_dirs($2)
 		xdg_manage_downloads($2)
 		xdg_relabel_downloads($2)
+		xdg_watch_downloads_dirs($2)
 		xdg_manage_music($2)
 		xdg_relabel_music($2)
+		xdg_watch_music_dirs($2)
 		xdg_manage_pictures($2)
 		xdg_relabel_pictures($2)
+		xdg_watch_pictures_dirs($2)
 		xdg_manage_videos($2)
 		xdg_relabel_videos($2)
+		xdg_watch_videos_dirs($2)
 
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
 	')
 
 	# Read per user fonts
-	allow $1 user_fonts_t:dir list_dir_perms;
+	allow $1 user_fonts_t:dir { list_dir_perms watch };
 	allow $1 user_fonts_t:file { map read_file_perms };
 
 	# Manipulate the global font cache
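Review bot: The comment immediately above the changed rule still reads `# Read per user fonts`, but the rule now also grants `watch`; update it to `# Read and watch per user fonts` so the comment describes the rule. Plain `watch` is the correct scope for an inotify-style monitor of the font directory. xserver_use_user_fonts starts before this hunk.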
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index e633217fe..354fe6fb3 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -824,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
 	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
 ')
 
+########################################
+## <summary>
+##	Watch public files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_watch_public_dirs',`
+	gen_require(`
+		type public_content_rw_t;
+	')
+
+	allow $1 public_content_rw_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read TeX data
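Review bot: The summary `Watch public files` does not match the rule, which grants `watch` on directories only and only for public_content_rw_t; change it to `##	Watch public content directories`. The sibling `miscfiles_manage_public_files` above is likewise rw-only, so the scope is consistent, but a domain that only reads public content (presumably the read-only public content type covered by the read interfaces) will still hit a `watch` denial — a one-line description saying that is intentional would save the next denial hunt.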
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 02ead5b2a..482af588b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -289,6 +289,12 @@ interface(`userdom_ro_home_role',`
 	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
 	files_list_home($2)
 
+	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_list_nfs($2)
 		fs_read_nfs_files($2)
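Review bot: The added rules grant far more than the `watch` on user_home_t directories that the Desktop denial shows: `watch_with_perm` permits fanotify permission-event marks that let the watcher gate other processes' access to the object, and `watch_sb`/`watch_mount` give superblock- and mount-wide event visibility that reaches well beyond user_home_t, which contradicts the read-only intent of this role; the sock_file, fifo_file and lnk_file rules are also not backed by any listed denial. Unless further denials call for them, narrow this to `allow $2 { user_home_t user_home_dir_t }:dir watch;` and `allow $2 user_home_t:file watch;`, adding `watch_reads` only if an open/access-event denial appears. The userdom_ro_home_role interface starts before this hunk.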
@@ -368,7 +374,11 @@ interface(`userdom_manage_home_role',`
 	# cjp: this should probably be removed:
 	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
-	allow $2 user_home_dir_t:dir watch;
+	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
 
 	userdom_manage_user_certs($2)
 	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
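Review bot: The same five-line watch block now appears verbatim here and in userdom_ro_home_role, and it replaces a line that deliberately limited this role to `user_home_dir_t:dir watch`; if the full permission set is kept, define it once as a perm set (policy/support/obj_perm_sets.spt is where refpolicy keeps such sets) so the two roles cannot drift, and state in the commit message which denials required `watch_with_perm`, `watch_sb` and `watch_mount` — none of the listed ones do. Since this role already has manage rights the extra risk is smaller than in the ro role, but the justification should still be traceable. The userdom_manage_home_role interface starts before this hunk.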
@@ -623,6 +633,8 @@ template(`userdom_common_user_template',`
 	files_read_var_lib_files($1_t)
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
+	files_watch_etc_dirs($1_t)
+	files_watch_usr_dirs($1_t)
 
 	fs_rw_cgroup_files($1_t)
 
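Review bot: `files_watch_etc_dirs($1_t)` is not backed by any denial in the commit message — the /etc/fonts denial is on fonts_t, not etc_t — so the reason for giving every domain built from this template (presumably including unprivileged users) watch on etc_t should be stated, even if it is just the usual desktop monitors on /etc. `files_watch_usr_dirs` does match the usr_t denial on /usr/share/backgrounds. Watch on directories a domain can already read adds little exposure, but the change log should still trace it. userdom_common_user_template continues outside the hunk.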
@@ -1171,6 +1183,7 @@ template(`userdom_unpriv_user_template', `
 	files_exec_usr_files($1_t)
 
 	miscfiles_manage_public_files($1_t)
+	miscfiles_watch_public_dirs($1_t)
 
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 11fc43069..823042414 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_cache_dirs',`
+	gen_require(`
+		type xdg_cache_t;
+	')
+
+	allow $1 xdg_cache_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_cache_dirs',`
+	gen_require(`
+		attribute xdg_cache_type;
+	')
+
+	allow $1 xdg_cache_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg cache home files
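Review bot: The new `xdg_watch_cache_dirs` and `xdg_watch_all_cache_dirs` stop at the `watch` allow, whereas the sibling `xdg_search_cache_dirs` just above ends with `userdom_search_user_home_dirs($1)`; a domain given only the watch interface is unlikely to be able to reach ~/.cache to place the watch, so either append `userdom_search_user_home_dirs($1)` after the allow as the sibling does, or say in the summary that callers must already have search access to the home directory. The same applies to every other `xdg_watch_*` interface added in this patch.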
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg config home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_config_dirs',`
+	gen_require(`
+		type xdg_config_t;
+	')
+
+	allow $1 xdg_config_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg config home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_config_dirs',`
+	gen_require(`
+		attribute xdg_config_type;
+	')
+
+	allow $1 xdg_config_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg config home files
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_data_dirs',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	allow $1 xdg_data_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_data_dirs',`
+	gen_require(`
+		attribute xdg_data_type;
+	')
+
+	allow $1 xdg_data_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg data home files
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg documents home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_documents_dirs',`
+	gen_require(`
+		type xdg_documents_t;
+	')
+
+	allow $1 xdg_documents_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Create objects in the user home dir with an automatic type transition to
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg downloads home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_downloads_dirs',`
+	gen_require(`
+		type xdg_downloads_t;
+	')
+
+	allow $1 xdg_downloads_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read downloaded content
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg pictures home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_pictures_dirs',`
+	gen_require(`
+		type xdg_pictures_t;
+	')
+
+	allow $1 xdg_pictures_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user pictures content
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg music home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_music_dirs',`
+	gen_require(`
+		type xdg_music_t;
+	')
+
+	allow $1 xdg_music_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user music content
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg video content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_videos_dirs',`
+	gen_require(`
+		type xdg_videos_t;
+	')
+
+	allow $1 xdg_videos_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user video content
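Review bot: The summary `Watch the xdg video content` breaks the wording every other new interface in this patch uses (`Watch the xdg <kind> home directories`) and says "content" although the rule grants `watch` on xdg_videos_t directories only; change it to `##	Watch the xdg videos home directories`.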
-- 
2.26.2



* [PATCH 2/8] getty: allow watching file /run/agetty.reload
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/getty.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index ce9e4dedb..f9514c771 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -47,6 +47,7 @@ allow getty_t getty_log_t:file { append_file_perms create_file_perms setattr_fil
 logging_log_filetrans(getty_t, getty_log_t, file)
 
 allow getty_t getty_runtime_t:dir watch;
+allow getty_t getty_runtime_t:file watch;
 manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t)
 files_runtime_filetrans(getty_t, getty_runtime_t, file)
 
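Review bot: The new file watch duplicates the dir watch on the line above with only the object class changed; collapsing them into `allow getty_t getty_runtime_t:{ dir file } watch;` keeps the block to one rule, and a short comment such as `# agetty --reload notifies running agettys via /run/agetty.reload` would explain why a getty watches its own runtime file (the denial path suggests this, but the hunk does not show it). Plain `watch` is the right scope here — the denial shows only `watch`, so none of the wider watch permissions are needed.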
-- 
2.26.2



* [PATCH 3/8] portage: Added /var/cache/distfiles path.
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jonathan Davies, Jason Zaman, Jason Zaman

From: Jonathan Davies <jpds@protonmail.com>

Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/admin/portage.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 3b6b9bf89..0567dfdc5 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -27,6 +27,7 @@
 /var/db/pkg(/.*)?	gen_context(system_u:object_r:portage_db_t,s0)
 /var/db/repos(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/cache/binpkgs(/.*)?  gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/cache/distfiles(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/cache/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/git[0-9]-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
-- 
2.26.2



* [PATCH 4/8] init: Added fcontext for openrc-init.
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jonathan Davies, Jason Zaman, Jason Zaman

From: Jonathan Davies <jpds@protonmail.com>

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fee6ff3b6..df0d5a920 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
 ')
 
 ifdef(`distro_redhat',`
-- 
2.26.2



* [PATCH 5/8] init: Added fcontext for openrc-shutdown.
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jonathan Davies, Jason Zaman, Jason Zaman

From: Jonathan Davies <jpds@protonmail.com>

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index df0d5a920..f1e6a61d0 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 /usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/openrc-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
 ')
 
 ifdef(`distro_redhat',`
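Review bot: Labeling `/usr/sbin/openrc-shutdown` as init_exec_t means any domain allowed to transition through init_exec_t will run it in init_t, which is right for an init binary but surprising for a tool an administrator invokes; if openrc-shutdown is a client that asks the running openrc-init to shut down rather than an init entrypoint (the hunk does not show which), a dedicated exec type and domain would keep admin invocations out of init_t. The commit message gives no rationale, so one sentence explaining why it shares init_exec_t with openrc-init would settle this.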
-- 
2.26.2



* [PATCH 6/8] Add transition on gentoo init_t to openrc
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

Commit "init: replace call to init_domtrans_script"
(be231899f5c7f0882843942624dd268f99bab141 in upstream repo)
removed the call to init_domtrans_script which removed the openrc
domtrans. This adds it back directly in the distro_gentoo block.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b2a9069b3..b284fc26b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -120,6 +120,7 @@ init_unit_file(systemd_unit_t)
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
+	domtrans_pattern(init_t, rc_exec_t, initrc_t)
 ')
 
 ifdef(`enable_mls',`
-- 
2.26.2



* [PATCH 7/8] init: upstream fcontexts from gentoo policy
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/init.fc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index f1e6a61d0..63cf195e6 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -44,8 +44,11 @@ ifdef(`distro_gentoo',`
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
+/usr/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/usr/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/rc			--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 /usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/openrc-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
 ')
@@ -79,6 +82,9 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/var/lib/ip6?tables(/.*)?	gen_context(system_u:object_r:initrc_tmp_t,s0)
+
+/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /run/svscan\.pid	--	gen_context(system_u:object_r:initrc_runtime_t,s0)
 ')
 
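Review bot: `/var/lib/ip6?tables(/.*)?` is given initrc_tmp_t, a temporary-file type, yet /var/lib is persistent state; if that directory holds the saved firewall rules the OpenRC iptables scripts restore at boot (the hunk does not show this), its contents are security policy and should not share a type with init-script scratch files. initrc_state_t, used two lines below for /run/openrc and above for /var/lib/init.d, or a type owned by the iptables module, is the better fit. The commit message is only its subject line; it should say where these contexts come from and why /var/lib/iptables is treated as tmp.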
-- 
2.26.2



* [PATCH 8/8] systemd: make remaining dbus_* optional
From: Jason Zaman @ 2020-11-17  3:46 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

Almost all calls to dbus_ interfaces were already optional, this makes
the remaining one optional_policy so that the modules can be installed /
upgraded easier.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 74f3fc55d..a08b83d51 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1450,4 +1450,6 @@ userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
 
-dbus_system_bus_client(systemd_user_runtime_dir_t)
+optional_policy(`
+    dbus_system_bus_client(systemd_user_runtime_dir_t)
+')
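Review bot: The body of the new `optional_policy` block is indented with four spaces, whereas the surrounding file and every other hunk in this series indent with a single tab; change the indent of `dbus_system_bus_client(systemd_user_runtime_dir_t)` to one tab so the policy style checker and future diffs stay clean. The change itself is correct and matches how the other dbus_ calls are wrapped.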
-- 
2.26.2



* Re: [PATCH 1/8] userdomain: Add watch on home dirs
From: Chris PeBenito @ 2020-11-22 19:03 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
> 
> avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/xserver.if  |  11 +-
>   policy/modules/system/miscfiles.if  |  18 +++
>   policy/modules/system/userdomain.if |  15 ++-
>   policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
>   4 files changed, 240 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index baa39ef87..d5d6c7914 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
>   	dev_rw_usbfs($2)
>   
>   	miscfiles_read_fonts($2)
> +	miscfiles_watch_fonts_dirs($2)
>   
>   	xserver_common_x_domain_template(user, $2)  #selint-disable:S-004
>   	xserver_domtrans($2)
> @@ -186,10 +187,13 @@ interface(`xserver_role',`
>   	optional_policy(`
>   		xdg_manage_all_cache($2)
>   		xdg_relabel_all_cache($2)
> +		xdg_watch_all_cache_dirs($2)
>   		xdg_manage_all_config($2)
>   		xdg_relabel_all_config($2)
> +		xdg_watch_all_config_dirs($2)
>   		xdg_manage_all_data($2)
>   		xdg_relabel_all_data($2)
> +		xdg_watch_all_data_dirs($2)
>   
>   		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
>   		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
> @@ -203,14 +207,19 @@ interface(`xserver_role',`
>   
>   		xdg_manage_documents($2)
>   		xdg_relabel_documents($2)
> +		xdg_watch_documents_dirs($2)
>   		xdg_manage_downloads($2)
>   		xdg_relabel_downloads($2)
> +		xdg_watch_downloads_dirs($2)
>   		xdg_manage_music($2)
>   		xdg_relabel_music($2)
> +		xdg_watch_music_dirs($2)
>   		xdg_manage_pictures($2)
>   		xdg_relabel_pictures($2)
> +		xdg_watch_pictures_dirs($2)
>   		xdg_manage_videos($2)
>   		xdg_relabel_videos($2)
> +		xdg_watch_videos_dirs($2)
>   
>   		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
>   	')
> @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
>   	')
>   
>   	# Read per user fonts
> -	allow $1 user_fonts_t:dir list_dir_perms;
> +	allow $1 user_fonts_t:dir { list_dir_perms watch };
>   	allow $1 user_fonts_t:file { map read_file_perms };
>   
>   	# Manipulate the global font cache
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index e633217fe..354fe6fb3 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -824,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
>   	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch public files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`miscfiles_watch_public_dirs',`
> +	gen_require(`
> +		type public_content_rw_t;
> +	')
> +
> +	allow $1 public_content_rw_t:dir watch;
> +')
> +
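Review bot: The summary of the new interface reads `Watch public files`, but the body grants only `public_content_rw_t:dir watch` and the interface is named miscfiles_watch_public_dirs; the two should agree, e.g. `##	Watch public content directories`. The rule covers public_content_rw_t only, matching miscfiles_manage_public_files just above it, so a domain that only watches the read-only public_content_t tree would still be denied; if that is intended, a one-line comment saying so would spare the next reader a second look.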
>   ########################################
>   ## <summary>
>   ##	Read TeX data
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 02ead5b2a..482af588b 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -289,6 +289,12 @@ interface(`userdom_ro_home_role',`
>   	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
>   	files_list_home($2)
>   
> +	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +
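Review bot: The AVC denials in the commit message show only `watch` on directories, yet this hunk grants the full watch set (`watch watch_mount watch_sb watch_with_perm watch_reads`) on user_home_t and user_home_dir_t across dir, file, lnk_file, sock_file and fifo_file, and does so in userdom_ro_home_role, whose name suggests read-only home access. `watch_with_perm` covers fanotify permission events, which let the watcher block other processes' access rather than merely observe it, and `watch_sb` covers whole-superblock marks; neither is implied by an inotify directory watch. Unless a wider need is known, `allow $2 { user_home_t user_home_dir_t }:dir { watch watch_reads };` plus the matching file rule would cover the reported denials, with the broader set confined to userdom_manage_home_role if it is wanted there. The hunk at `@@ -368,7 +374,11 @@` in the same file grants the identical set and raises the same question; both interface bodies continue outside their hunks.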
>   	tunable_policy(`use_nfs_home_dirs',`
>   		fs_list_nfs($2)
>   		fs_read_nfs_files($2)
> @@ -368,7 +374,11 @@ interface(`userdom_manage_home_role',`
>   	# cjp: this should probably be removed:
>   	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
>   
> -	allow $2 user_home_dir_t:dir watch;
> +	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
>   
>   	userdom_manage_user_certs($2)
>   	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
> @@ -623,6 +633,8 @@ template(`userdom_common_user_template',`
>   	files_read_var_lib_files($1_t)
>   	# Stat lost+found.
>   	files_getattr_lost_found_dirs($1_t)
> +	files_watch_etc_dirs($1_t)
> +	files_watch_usr_dirs($1_t)
>   
>   	fs_rw_cgroup_files($1_t)
>   
> @@ -1171,6 +1183,7 @@ template(`userdom_unpriv_user_template', `
>   	files_exec_usr_files($1_t)
>   
>   	miscfiles_manage_public_files($1_t)
> +	miscfiles_watch_public_dirs($1_t)
>   
>   	tunable_policy(`user_dmesg',`
>   		kernel_read_ring_buffer($1_t)
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 11fc43069..823042414 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_cache_dirs',`
> +	gen_require(`
> +		type xdg_cache_t;
> +	')
> +
> +	allow $1 xdg_cache_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch all the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_cache_dirs',`
> +	gen_require(`
> +		attribute xdg_cache_type;
> +	')
> +
> +	allow $1 xdg_cache_type:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read the xdg cache home files
> @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_config_dirs',`
> +	gen_require(`
> +		type xdg_config_t;
> +	')
> +
> +	allow $1 xdg_config_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch all the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_config_dirs',`
> +	gen_require(`
> +		attribute xdg_config_type;
> +	')
> +
> +	allow $1 xdg_config_type:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read the xdg config home files
> @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_data_dirs',`
> +	gen_require(`
> +		type xdg_data_t;
> +	')
> +
> +	allow $1 xdg_data_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch all the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_data_dirs',`
> +	gen_require(`
> +		attribute xdg_data_type;
> +	')
> +
> +	allow $1 xdg_data_type:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read the xdg data home files
> @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg documents home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_documents_dirs',`
> +	gen_require(`
> +		type xdg_documents_t;
> +	')
> +
> +	allow $1 xdg_documents_t:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Create objects in the user home dir with an automatic type transition to
> @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg downloads home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_downloads_dirs',`
> +	gen_require(`
> +		type xdg_downloads_t;
> +	')
> +
> +	allow $1 xdg_downloads_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read downloaded content
> @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg pictures home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_pictures_dirs',`
> +	gen_require(`
> +		type xdg_pictures_t;
> +	')
> +
> +	allow $1 xdg_pictures_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read user pictures content
> @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg music home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_music_dirs',`
> +	gen_require(`
> +		type xdg_music_t;
> +	')
> +
> +	allow $1 xdg_music_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read user music content
> @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg video content
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_videos_dirs',`
> +	gen_require(`
> +		type xdg_videos_t;
> +	')
> +
> +	allow $1 xdg_videos_t:dir watch;
> +')
> +
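Review bot: The summary for xdg_watch_videos_dirs says `Watch the xdg video content`, unlike the other seven watch interfaces added in this file, which all read `Watch the xdg <name> home directories`; `##	Watch the xdg videos home directories` would keep the generated documentation consistent and make clear that only the dir class is granted. Like the other new xdg_watch_* interfaces, it also omits the `userdom_search_user_home_dirs($1)` call that the neighbouring xdg_relabel_* interfaces end with (visible at the top of each hunk); presumably callers such as xserver_role already hold that access, but a caller using a watch interface on its own would still need search on the home directory to place the watch, so either adding the call or noting the expectation in the summary would help.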
>   #########################################
>   ## <summary>
>   ##	Read user video content

Merged.

-- 
Chris PeBenito


* Re: [PATCH 2/8] getty: allow watching file /run/agetty.reload
  2020-11-17  3:46 ` [PATCH 2/8] getty: allow watching file /run/agetty.reload Jason Zaman
@ 2020-11-22 19:03   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:03 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
> 
> avc:  denied  { watch } for  pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0
> 
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/getty.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index ce9e4dedb..f9514c771 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -47,6 +47,7 @@ allow getty_t getty_log_t:file { append_file_perms create_file_perms setattr_fil
>   logging_log_filetrans(getty_t, getty_log_t, file)
>   
>   allow getty_t getty_runtime_t:dir watch;
> +allow getty_t getty_runtime_t:file watch;
>   manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t)
>   files_runtime_filetrans(getty_t, getty_runtime_t, file)

Merged.

-- 
Chris PeBenito


* Re: [PATCH 3/8] portage: Added /var/cache/distfiles path.
  2020-11-17  3:46 ` [PATCH 3/8] portage: Added /var/cache/distfiles path Jason Zaman
@ 2020-11-22 19:03   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:03 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jonathan Davies, Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jonathan Davies <jpds@protonmail.com>
> 
> Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/admin/portage.fc | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index 3b6b9bf89..0567dfdc5 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -27,6 +27,7 @@
>   /var/db/pkg(/.*)?	gen_context(system_u:object_r:portage_db_t,s0)
>   /var/db/repos(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
>   /var/cache/binpkgs(/.*)?  gen_context(system_u:object_r:portage_ebuild_t,s0)
> +/var/cache/distfiles(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
>   /var/cache/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
>   /var/cache/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
>   /var/cache/distfiles/git[0-9]-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)

Merged.

-- 
Chris PeBenito


* Re: [PATCH 4/8] init: Added fcontext for openrc-init.
  2020-11-17  3:46 ` [PATCH 4/8] init: Added fcontext for openrc-init Jason Zaman
@ 2020-11-22 19:04   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:04 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jonathan Davies, Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jonathan Davies <jpds@protonmail.com>
> 
> Signed-off-by: Jonathan Davies <jpds@protonmail.com>
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/init.fc | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index fee6ff3b6..df0d5a920 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
>   ifdef(`distro_gentoo', `
>   /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
>   /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
> +/usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
>   ')
>   
>   ifdef(`distro_redhat',`

Merged.

-- 
Chris PeBenito


* Re: [PATCH 5/8] init: Added fcontext for openrc-shutdown.
  2020-11-17  3:46 ` [PATCH 5/8] init: Added fcontext for openrc-shutdown Jason Zaman
@ 2020-11-22 19:04   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:04 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jonathan Davies, Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jonathan Davies <jpds@protonmail.com>
> 
> Signed-off-by: Jonathan Davies <jpds@protonmail.com>
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/init.fc | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index df0d5a920..f1e6a61d0 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
>   /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
>   /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
>   /usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/sbin/openrc-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
>   ')
>   
>   ifdef(`distro_redhat',`

Merged.

-- 
Chris PeBenito


* Re: [PATCH 6/8] Add transition on gentoo init_t to openrc
  2020-11-17  3:46 ` [PATCH 6/8] Add transition on gentoo init_t to openrc Jason Zaman
@ 2020-11-22 19:04   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:04 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
> 
> Commit "init: replace call to init_domtrans_script"
> (be231899f5c7f0882843942624dd268f99bab141 in upstream repo)
> removed the call to init_domtrans_script which removed the openrc
> domtrans. This adds it back directly in the distro_gentoo block.
> 
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/init.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b2a9069b3..b284fc26b 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -120,6 +120,7 @@ init_unit_file(systemd_unit_t)
>   ifdef(`distro_gentoo',`
>   	type rc_exec_t;
>   	domain_entry_file(initrc_t, rc_exec_t)
> +	domtrans_pattern(init_t, rc_exec_t, initrc_t)
>   ')
>   
>   ifdef(`enable_mls',`

Merged.

-- 
Chris PeBenito


* Re: [PATCH 7/8] init: upstream fcontexts from gentoo policy
  2020-11-17  3:46 ` [PATCH 7/8] init: upstream fcontexts from gentoo policy Jason Zaman
@ 2020-11-22 19:04   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:04 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 11/16/20 10:46 PM, Jason Zaman wrote:
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/init.fc | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index f1e6a61d0..63cf195e6 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -44,8 +44,11 @@ ifdef(`distro_gentoo',`
>   /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
>   
>   ifdef(`distro_gentoo', `
> +/usr/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
> +/usr/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
>   /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
> -/usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
> +/usr/sbin/rc			--	gen_context(system_u:object_r:rc_exec_t,s0)
> +/usr/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
>   /usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
>   /usr/sbin/openrc-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
>   ')
> @@ -79,6 +82,9 @@ ifdef(`distro_debian',`
>   
>   ifdef(`distro_gentoo', `
>   /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
> +/var/lib/ip6?tables(/.*)?	gen_context(system_u:object_r:initrc_tmp_t,s0)
> +
> +/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
>   /run/svscan\.pid	--	gen_context(system_u:object_r:initrc_runtime_t,s0)
>   ')
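Review bot: `/var/lib/ip6?tables(/.*)?` is labelled initrc_tmp_t, a temporary-file type, while the neighbouring `/var/lib/init\.d(/.*)?` entry and the new `/run/openrc(/.*)?` entry use initrc_state_t; saved firewall rules under /var/lib are persistent state that is restored at boot, so any domain permitted to write initrc_tmp_t files can also change what gets restored. Presumably this mirrors the Gentoo policy, where the init script writes the save file into that directory, but a state type (initrc_state_t, or a dedicated one) would keep the persisted rules apart from scratch files; at minimum a comment such as `# iptables/ip6tables rules-save files written by the init script` explaining the choice would help the next reader. The first hunk of this file only adds rc/openrc executable and state paths and raises nothing.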

Merged.

-- 
Chris PeBenito


* Re: [PATCH 8/8] systemd: make remaining dbus_* optional
  2020-11-17  3:46 ` [PATCH 8/8] systemd: make remaining dbus_* optional Jason Zaman
@ 2020-11-22 19:04   ` Chris PeBenito
  0 siblings, 0 replies; 16+ messages in thread
From: Chris PeBenito @ 2020-11-22 19:04 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 11/16/20 10:46 PM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
> 
> Almost all calls to dbus_ interfaces were already optional, this makes
> the remaining one optional_policy so that the modules can be installed /
> upgraded easier.
> 
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/systemd.te | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 74f3fc55d..a08b83d51 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -1450,4 +1450,6 @@ userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
>   userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
>   userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
>   
> -dbus_system_bus_client(systemd_user_runtime_dir_t)
> +optional_policy(`
> +    dbus_system_bus_client(systemd_user_runtime_dir_t)
> +')

Merged.

-- 
Chris PeBenito

