These patches make a sddm login with the $1_wm_t domain work. Most of this
is for X11 but there is a bit for Wayland too.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20220322/policy/modules/apps/wm.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/wm.if
+++ refpolicy-2.20220322/policy/modules/apps/wm.if
@@ -61,6 +61,8 @@ template(`wm_role_template',`
allow $3 $1_wm_t:process { ptrace signal_perms };
ps_process_pattern($3, $1_wm_t)
+ kernel_read_kernel_sysctls($1_wm_t)
+
allow $1_wm_t $3:process { signull sigkill };
domtrans_pattern($3, wm_exec_t, $1_wm_t)
@@ -81,6 +83,10 @@ template(`wm_role_template',`
wm_write_pipes($1, $3)
+ tunable_policy(`wm_write_xdg_data', `
+ xdg_manage_data($1_wm_t)
+ ')
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
@@ -115,6 +121,17 @@ template(`wm_role_template',`
optional_policy(`
xdg_watch_config_files($1_wm_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1_wm_t)
+ ')
+
+ optional_policy(`
+ xdg_read_data_files($1_wm_t)
+ xdg_manage_cache($1_wm_t)
+ xdg_manage_config($1_wm_t)
+ xdg_watch_data_files($1_wm_t)
+ ')
')
########################################
Index: refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20220322/policy/modules/kernel/corecommands.fc
@@ -256,6 +256,7 @@ ifdef(`distro_gentoo',`
/usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/x86_64-linux-gnu/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
/usr/lib/[^/]+/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20220322/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20220322/policy/modules/system/unconfined.if
@@ -40,6 +40,7 @@ interface(`unconfined_domain_noaudit',`
allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:system status;
# Manage most namespace capabilities
allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
Index: refpolicy-2.20220322/policy/modules/apps/gnome.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/gnome.if
+++ refpolicy-2.20220322/policy/modules/apps/gnome.if
@@ -112,6 +112,10 @@ template(`gnome_role_template',`
')
optional_policy(`
+ systemd_dbus_chat_logind($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
wm_dbus_chat($1, $1_gkeyringd_t)
')
')
@@ -814,3 +818,21 @@ interface(`gnome_mmap_gstreamer_orcexec'
allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')
+
+########################################
+## <summary>
+## watch gnome_xdg_config_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_watch_xdg_config_dirs',`
+ gen_require(`
+ type gnome_xdg_config_t;
+ ')
+
+ allow $1 gnome_xdg_config_t:dir watch;
+')
Index: refpolicy-2.20220322/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20220322/policy/modules/services/xserver.if
@@ -213,7 +213,7 @@ template(`xserver_role',`
xserver_read_xkb_libs($2)
- allow $2 xdm_t:unix_stream_socket accept;
+ allow $2 xdm_t:unix_stream_socket { getattr accept };
optional_policy(`
systemd_user_app_status($1, xserver_t)
Index: refpolicy-2.20220322/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20220322/policy/modules/system/miscfiles.if
@@ -634,6 +634,7 @@ interface(`miscfiles_watch_localization'
type locale_t;
')
+ allow $1 locale_t:dir watch;
allow $1 locale_t:file watch;
')
Index: refpolicy-2.20220322/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20220322/policy/modules/system/userdomain.if
@@ -121,6 +121,8 @@ template(`userdom_base_user_template',`
miscfiles_read_generic_certs($1_t)
miscfiles_watch_fonts_dirs($1_t)
+ userdom_write_user_runtime_sockets($1_t)
+
sysnet_read_config($1_t)
# kdeinit wants systemd status
@@ -960,6 +962,7 @@ template(`userdom_login_user_template',
userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)
+ userdom_execmod_user_tmpfs_files($1_t)
userdom_map_user_tmpfs_files($1_t)
userdom_change_password_template($1)
@@ -1214,8 +1217,10 @@ template(`userdom_unpriv_user_template',
corenet_tcp_bind_xserver_port($1_t)
files_exec_usr_files($1_t)
+ files_watch_etc_symlinks($1_t)
miscfiles_manage_public_files($1_t)
+ miscfiles_watch_localization($1_t)
miscfiles_watch_public_dirs($1_t)
tunable_policy(`user_dmesg',`
@@ -1234,6 +1239,7 @@ template(`userdom_unpriv_user_template',
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_node($1_t)
corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
')
# Allow users to run UDP servers (bind to ports and accept connection from
@@ -1241,6 +1247,7 @@ template(`userdom_unpriv_user_template',
tunable_policy(`user_udp_server',`
corenet_udp_bind_generic_node($1_t)
corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_all_unreserved_ports($1_t)
')
optional_policy(`
@@ -1582,6 +1589,8 @@ template(`userdom_xdg_user_template',`
xdg_manage_all_data($1_t)
xdg_relabel_all_data($1_t)
xdg_watch_all_data_dirs($1_t)
+ xdg_watch_all_data_files($1_t)
+ xdg_exec_data($1_t)
xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
@@ -3686,6 +3695,24 @@ interface(`userdom_delete_user_runtime_f
########################################
## <summary>
+## write user runtime sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_user_runtime_sockets',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:sock_file write;
+')
+
+########################################
+## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
@@ -4094,6 +4121,24 @@ interface(`userdom_manage_user_tmpfs_fil
')
########################################
+## <summary>
+## execute and execmod user tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_execmod_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file { execute execmod };
+')
+
+########################################
## <summary>
## Get the attributes of a user domain tty.
## </summary>
Index: refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20220322/policy/modules/apps/pulseaudio.te
@@ -222,6 +222,7 @@ optional_policy(`
systemd_read_logind_sessions_files(pulseaudio_t)
# for /run/systemd/users/$PID
systemd_read_logind_runtime_files(pulseaudio_t)
+ systemd_watch_logind_sessions_dirs(pulseaudio_t)
')
optional_policy(`
Index: refpolicy-2.20220322/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20220322/policy/modules/system/xdg.if
@@ -691,6 +691,24 @@ interface(`xdg_watch_data_dirs',`
########################################
## <summary>
+## Watch the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_data_files',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:file watch;
+')
+
+########################################
+## <summary>
## Watch all the xdg data home directories
## </summary>
## <param name="domain">
@@ -709,6 +727,24 @@ interface(`xdg_watch_all_data_dirs',`
########################################
## <summary>
+## Watch all the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_data_files',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ allow $1 xdg_data_type:file watch;
+')
+
+########################################
+## <summary>
## Read the xdg data home files
## </summary>
## <param name="domain">
@@ -914,6 +950,24 @@ interface(`xdg_relabel_data',`
')
########################################
+## <summary>
+## Allow domain to execute xdg_data_t, for some application config in kde
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ can_exec($1, xdg_data_t)
+')
+
+########################################
## <summary>
## Allow relabeling the xdg data home files, regardless of their type
## </summary>
Index: refpolicy-2.20220322/policy/modules/apps/wm.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/wm.te
+++ refpolicy-2.20220322/policy/modules/apps/wm.te
@@ -7,6 +7,14 @@ policy_module(wm)
attribute wm_domain;
+
+## <desc>
+## <p>
+## Grant the window manager domains write access to xdg data
+## </p>
+## </desc>
+gen_tunable(`wm_write_xdg_data', false)
+
type wm_exec_t;
corecmd_executable_file(wm_exec_t)
Index: refpolicy-2.20220322/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20220322/policy/modules/apps/chromium.te
@@ -275,6 +275,7 @@ optional_policy(`
optional_policy(`
gnome_dbus_chat_all_gkeyringd(chromium_t)
+ gnome_watch_xdg_config_dirs(chromium_t)
')
optional_policy(`
Index: refpolicy-2.20220322/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20220322.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20220322/policy/modules/services/xserver.fc
@@ -37,6 +37,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/wayland-session -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
