From 04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 13 Jan 2022 22:53:08 +0100
Subject: [PATCH] Allow login_userdomain watch localization directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a
Conflict: NA
The miscfiles_watch_localization_dirs() interface was added.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(3.1.2022 08:51:36.215:442) : proctitle=/opt/google/chrome/chrome --enable-crashpad
type=PATH msg=audit(3.1.2022 08:51:36.215:442) : item=0 name=/etc/../usr/share/zoneinfo inode=67574433 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(3.1.2022 08:51:36.215:442) : cwd=/home/username
type=SYSCALL msg=audit(3.1.2022 08:51:36.215:442) : arch=x86_64 syscall=inotify_add_watch success=yes exit=10 a0=0x18 a1=0xd0a02b08b20 a2=0x10003cc a3=0x0 items=1 ppid=1944 pid=4906 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=ThreadPoolSingl exe=/opt/google/chrome/chrome subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 08:51:36.215:442) : avc: denied { watch } for pid=4906 comm=ThreadPoolSingl path=/usr/share/zoneinfo dev="dm-0" ino=67574433 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54
---
 policy/modules/system/miscfiles.if | 24 ++++++++++++++++++++++++
 policy/modules/system/userdomain.te | 1 +
 2 files changed, 25 insertions(+)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index b63a391..e7f73d8 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -557,6 +557,30 @@ interface(`miscfiles_read_localization',`
 ########################################
 ##
+## Allow process to watch localization directories.
+##
+##
+##

+## Allow the specified domain to watch localization directories
+## (e.g. /usr/share/zoneinfo/) for changes.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_watch_localization_dirs',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ watch_dirs_pattern($1, locale_t, locale_t)
+')
+
+########################################
+##
 ## Allow process to watch localization files.
 ##
 ##
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 824af18..86617c3 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -397,6 +397,7 @@ files_watch_generic_tmp_dirs(login_userdomain)
 fs_create_cgroup_files(login_userdomain)
 fs_watch_cgroup_files(login_userdomain)
+miscfiles_watch_localization_dirs(login_userdomain)
 miscfiles_watch_localization_symlinks(login_userdomain)
 mount_watch_pid_dirs(login_userdomain)
-- 
1.8.3.1
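Review bot: The description of the new interface in the miscfiles.if hunk names only /usr/share/zoneinfo/, while `watch_dirs_pattern($1, locale_t, locale_t)` is keyed on the type and so grants `watch` on every directory labeled locale_t (assuming watch_dirs_pattern, defined outside this patch, follows the other *_pattern macros); the doc should say so, e.g. `##	Allow the specified domain to watch any directory labeled locale_t` / `##	(for example /usr/share/zoneinfo/) for changes.`. The caller in the userdomain.te hunk applies this to the whole login_userdomain attribute, wider than the single staff_t/zoneinfo case in the AVC, but that matches the granularity of the existing miscfiles_watch_localization_symlinks call on the next line, and since the directory is world-readable (mode 755 in the PATH record) the added exposure is limited to change notifications. Plain `watch` rather than `watch_reads` looks sufficient for this caller: the inotify mask in the SYSCALL record (a2=0x10003cc) carries no IN_ACCESS/IN_OPEN/IN_CLOSE_NOWRITE bits, which are the ones that need the read-watch permission. The XML tags of the doc block (`<summary>`, `<desc>`, `<param name="domain">`) do not survive on this page, so their presence in the actual patch cannot be confirmed from here.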