From 5adbc14b634b60c5bd779fb22c5bf4a674a83020 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Fri, 9 Sep 2022 17:21:10 +0200 Subject: [PATCH] Allow staff_u and user_u users write to bolt pipe Addresses the following AVC denial: - type=PROCTITLE msg=audit(6.9.2022 07:26:55.355:15479) : proctitle=boltctl power type=SYSCALL msg=audit(6.9.2022 07:26:55.355:15479) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f341adfd940 a2=MSG_CMSG_CLOEXEC a3=0x7fff30353080 items=0 ppid=1832290 pid=1905598 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts18 ses=3 comm=gdbus exe=/usr/bin/boltctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(6.9.2022 07:26:55.355:15479) : avc: denied { write } for pid=1905598 comm=gdbus path=/run/boltd/power/1.guard.fifo dev="tmpfs" ino=95970 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=1 Signed-off-by: lujie42 --- policy/modules/roles/staff.te | 4 ++++ policy/modules/roles/unprivuser.te | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index a573eba03..907710baf 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -103,6 +103,10 @@ optional_policy(` blueman_dbus_chat(staff_t) ') +optional_policy(` + boltd_write_var_run_pipes(staff_t) +') + optional_policy(` kdumpgui_dbus_chat(staff_t) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 56a8be217..a4781914e 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -66,6 +66,10 @@ optional_policy(` bluetooth_role(user_r, user_t) ') +optional_policy(` + boltd_write_var_run_pipes(user_t) +') + optional_policy(` colord_dbus_chat(user_t) ') -- 2.27.0