More little strict patches, much of which are needed for KDE. Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> Index: refpolicy-2.20201210/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20201210.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20201210/policy/modules/system/userdomain.if @@ -115,12 +115,16 @@ template(`userdom_base_user_template',` libs_exec_ld_so($1_t) + logging_send_syslog_msg($1_t) + miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) miscfiles_watch_fonts_dirs($1_t) sysnet_read_config($1_t) + userdom_write_all_user_runtime_named_sockets($1_t) + # kdeinit wants systemd status init_get_system_status($1_t) @@ -880,6 +884,10 @@ template(`userdom_common_user_template', ') optional_policy(` + udev_read_runtime_files($1_t) + ') + + optional_policy(` usernetctl_run($1_t, $1_r) ') @@ -1231,6 +1239,15 @@ template(`userdom_unpriv_user_template', optional_policy(` systemd_dbus_chat_logind($1_t) + systemd_use_logind_fds($1_t) + systemd_dbus_chat_hostnamed($1_t) + systemd_write_inherited_logind_inhibit_pipes($1_t) + + # kwalletd5 inherits a socket from init + init_rw_inherited_stream_socket($1_t) + init_use_fds($1_t) + # for polkit-kde-auth + init_read_state($1_t) ') # Allow controlling usbguard @@ -3617,6 +3634,25 @@ interface(`userdom_delete_all_user_runti ') ######################################## +## <summary> +## write user runtime socket files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_write_all_user_runtime_named_sockets',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:sock_file write; +') + +######################################## ## <summary> ## Create objects in the pid directory ## with an automatic type transition to