From 722bd1fc180b12193c2d551c82eda101f26c098f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 8 Aug 2022 17:35:10 +0200
Subject: [PATCH] Do not allow login_userdomain use sd_notify()

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/722bd1fc180b12193c2d551c82eda101f26c098f
Conflict: NA

This commit partially reverts the ea76c5e8b586 ("Allow some domains use
sd_notify()") commit. While any systemd service should be allowed to
use sd_notify, which includes unconfined_service_t, login userdomains
should only talk to user service manager which runs in the respective
userdomain.

Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/system/userdomain.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0980247..3ac8c12 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -400,8 +400,6 @@ files_watch_generic_tmp_dirs(login_userdomain)
 fs_create_cgroup_files(login_userdomain)
 fs_watch_cgroup_files(login_userdomain)
 
-init_use_notify(login_userdomain)
-
 libs_watch_lib_dirs(login_userdomain)
 
 miscfiles_watch_fonts_dirs(login_userdomain)
-- 
1.8.3.1