From bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Wed, 9 Feb 2022 21:52:01 +0100 Subject: [PATCH] Allow login_userdomain watch system configuration dirs Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Conflict: NA The files_watch_system_conf_dirs() interface was added. Addresses the following AVC denial: type=PROCTITLE msg=audit(02/09/22 21:28:19.577:2173) : proctitle=/usr/bin/gnome-software --gapplication-service type=PATH msg=audit(02/09/22 21:28:19.577:2173) : item=0 name=/etc/yum.repos.d inode=432 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/09/22 21:28:19.577:2173) : cwd=/home/staff type=SYSCALL msg=audit(02/09/22 21:28:19.577:2173) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414ea860 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/09/22 21:28:19.577:2173) : avc: denied { watch } for pid=2148 comm=gmain path=/etc/yum.repos.d dev="vda2" ino=432 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=0 Signed-off-by: lujie54 --- policy/modules/kernel/files.if | 19 +++++++++++++++++++ policy/modules/system/userdomain.te | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 53e463c..b375a7e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -5720,6 +5720,25 @@ interface(`files_read_system_conf_files',` read_lnk_files_pattern($1, etc_t, system_conf_t) ') +####################################### +## +## Watch manageable system configuration dirs in /etc +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_system_conf_dirs',` + gen_require(` + type etc_t, system_conf_t; + ') + + files_search_etc($1) + watch_dirs_pattern($1, system_conf_t, system_conf_t) +') + ###################################### ## ## Manage manageable system configuration files in /etc. diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index f1f68f7..a833ada 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -388,6 +388,7 @@ dev_watch_generic_dirs(login_userdomain) files_watch_etc_dirs(login_userdomain) files_watch_etc_files(login_userdomain) +files_watch_system_conf_dirs(login_userdomain) files_watch_usr_dirs(login_userdomain) files_watch_usr_files(login_userdomain) files_watch_var_lib_dirs(login_userdomain) -- 1.8.3.1