SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] yet more strict patches
@ 2021-01-12 10:32 Russell Coker
  2021-01-13 13:54 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2021-01-12 10:32 UTC (permalink / raw)
  To: selinux-refpolicy

More little strict patches, much of which are needed for KDE.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20201210/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20201210/policy/modules/system/userdomain.if
@@ -115,12 +115,16 @@ template(`userdom_base_user_template',`
 
 	libs_exec_ld_so($1_t)
 
+	logging_send_syslog_msg($1_t)
+
 	miscfiles_read_localization($1_t)
 	miscfiles_read_generic_certs($1_t)
 	miscfiles_watch_fonts_dirs($1_t)
 
 	sysnet_read_config($1_t)
 
+	userdom_write_all_user_runtime_named_sockets($1_t)
+
 	# kdeinit wants systemd status
 	init_get_system_status($1_t)
 
@@ -880,6 +884,10 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
+		udev_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		usernetctl_run($1_t, $1_r)
 	')
 
@@ -1231,6 +1239,15 @@ template(`userdom_unpriv_user_template',
 
 	optional_policy(`
 		systemd_dbus_chat_logind($1_t)
+		systemd_use_logind_fds($1_t)
+		systemd_dbus_chat_hostnamed($1_t)
+		systemd_write_inherited_logind_inhibit_pipes($1_t)
+
+		# kwalletd5 inherits a socket from init
+		init_rw_inherited_stream_socket($1_t)
+		init_use_fds($1_t)
+		# for polkit-kde-auth
+		init_read_state($1_t)
 	')
 
 	# Allow controlling usbguard
@@ -3617,6 +3634,25 @@ interface(`userdom_delete_all_user_runti
 ')
 
 ########################################
+## <summary>
+##	write user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] yet more strict patches
  2021-01-12 10:32 [PATCH] yet more strict patches Russell Coker
@ 2021-01-13 13:54 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2021-01-13 13:54 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/12/21 5:32 AM, Russell Coker wrote:
> More little strict patches, much of which are needed for KDE.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20201210/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20201210/policy/modules/system/userdomain.if
> @@ -115,12 +115,16 @@ template(`userdom_base_user_template',`
>   
>   	libs_exec_ld_so($1_t)
>   
> +	logging_send_syslog_msg($1_t)
> +
>   	miscfiles_read_localization($1_t)
>   	miscfiles_read_generic_certs($1_t)
>   	miscfiles_watch_fonts_dirs($1_t)
>   
>   	sysnet_read_config($1_t)
>   
> +	userdom_write_all_user_runtime_named_sockets($1_t)
> +
>   	# kdeinit wants systemd status
>   	init_get_system_status($1_t)

This template is supposed to be the bare minimum to have a user.  I don't think 
these rules fit this design.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-12 10:32 [PATCH] yet more strict patches Russell Coker
2021-01-13 13:54 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git