packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-login_userdomain-check-status-of-mount-units.patch
lujie54 bed9e54ba5 backport upstream patches
2022-09-15 10:25:08 +08:00

40 lines
1.5 KiB
Diff
Raw Blame History

From 68f9e4a144df544adc7fa733a64ac505f8189373 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 10 Aug 2022 17:08:03 +0200
Subject: [PATCH] Allow login_userdomain check status of mount units
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/68f9e4a144df544adc7fa733a64ac505f8189373
Conflict: NA
Allow systemd user manager running in the context of the logged user
check status of mount units:
systemctl --user status/show run-user-ID.mount
Addresses the following AVC denial:
Jul 28 11:26:24 hostname systemd[1483]: selinux: avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0
Resolves: rhbz#2111834
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..5576a97 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -372,6 +372,8 @@ optional_policy(`
############################################################
# login_userdomain local policy
+allow login_userdomain self:service status;
+
corenet_tcp_bind_xmsg_port(login_userdomain)
create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink