Add noatsecure for $1_systemd_t executing $1_dbusd_t because systemd sets important environment variables and dbus-broker aborts with "no media" error otherwise. Tiny patch because this was a pain to track down and is necessary to make Mobian usable. Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index ee497809b..741115a51 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -113,6 +113,8 @@ template(`dbus_role_template',` optional_policy(` systemd_read_logind_runtime_files($1_dbusd_t) systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t) + # dbus-broker-launch fails with no media on sd_bus_open_user() without this + systemd_user_daemon_domain_noatsecure($1, $1_dbusd_t) systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t) ') ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 77a59c662..0046f1722 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -229,6 +229,30 @@ template(`systemd_user_daemon_domain',` systemd_user_app_status($1, $3) ') +###################################### +## <summary> +## Allow the specified domain to not have th atsecure setting when started +## as a daemon by the specified systemd user instance +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the user domain. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain that is entered with noatsecure +## </summary> +## </param> +# +template(`systemd_user_daemon_domain_noatsecure',` + gen_require(` + type $1_systemd_t; + ') + + allow $1_systemd_t $2:process noatsecure; +') + ###################################### ## <summary> ## Associate the specified file type to be a type whose sock files
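Review bot: The in-code comment in the dbus.if hunk, "# dbus-broker-launch fails with no media on sd_bus_open_user() without this", records the symptom but not the cause, which the commit message does give (systemd sets environment variables that the daemon needs, and AT_SECURE makes the process ignore them); a future reader of dbus.if will not see the commit message, so suggest folding the mechanism into the comment, e.g. "# AT_SECURE makes dbus-broker-launch ignore the environment systemd sets, so sd_bus_open_user() fails with 'no media'". Also note that the call is placed inside the existing optional_policy(` ... ') block next to systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t), which is the right spot since the new template lives in systemd.if, but the permission is granted to every $1_dbusd_t regardless of whether dbus-broker or dbus-daemon is the implementation; if only dbus-broker needs it, say so in the comment so the grant is not silently widened later.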
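Review bot: Typo in the new interface documentation in the systemd.if hunk: "to not have th atsecure setting" should read "to not have the atsecure setting", and the summary would be clearer as "Do not set AT_SECURE when the specified systemd user instance executes the specified domain", since the rule being added is "allow $1_systemd_t $2:process noatsecure;" and the noatsecure permission applies to the process transition, not to a setting the domain "has". The template name systemd_user_daemon_domain_noatsecure suggests a tie to systemd_user_daemon_domain, but nothing in the body restricts $2 to a domain created by that template; either document that the caller is expected to have invoked systemd_user_daemon_domain for $2 first, or drop "daemon" from the name so it reads as the general "user systemd instance executes $2 without AT_SECURE" interface it actually is. The gen_require(` type $1_systemd_t; ') is correct for the derived type; $2 is caller-supplied, so no require is needed for it.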