From 04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Thu, 13 Jan 2022 22:53:08 +0100
|
|
Subject: [PATCH] Allow login_userdomain watch localization directories
|
|
|
|
Reference: https://github.com/fedora-selinux/selinux-policy/commit/04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a
|
|
Conflict: NA
|
|
|
|
The miscfiles_watch_localization_dirs() interface was added.
|
|
|
|
Addresses the following AVC denial:
|
|
|
|
type=PROCTITLE msg=audit(3.1.2022 08:51:36.215:442) : proctitle=/opt/google/chrome/chrome --enable-crashpad
|
|
type=PATH msg=audit(3.1.2022 08:51:36.215:442) : item=0 name=/etc/../usr/share/zoneinfo inode=67574433 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
|
type=CWD msg=audit(3.1.2022 08:51:36.215:442) : cwd=/home/username
|
|
type=SYSCALL msg=audit(3.1.2022 08:51:36.215:442) : arch=x86_64 syscall=inotify_add_watch success=yes exit=10 a0=0x18 a1=0xd0a02b08b20 a2=0x10003cc a3=0x0 items=1 ppid=1944 pid=4906 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=ThreadPoolSingl exe=/opt/google/chrome/chrome subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
|
|
type=AVC msg=audit(3.1.2022 08:51:36.215:442) : avc: denied { watch } for pid=4906 comm=ThreadPoolSingl path=/usr/share/zoneinfo dev="dm-0" ino=67574433 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
|
|
|
|
Signed-off-by: lujie54 <lujie54@huawei.com>
|
|
---
|
|
policy/modules/system/miscfiles.if | 24 ++++++++++++++++++++++++
|
|
policy/modules/system/userdomain.te | 1 +
|
|
2 files changed, 25 insertions(+)
|
|
|
|
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
|
|
index b63a391..e7f73d8 100644
|
|
--- a/policy/modules/system/miscfiles.if
|
|
+++ b/policy/modules/system/miscfiles.if
|
|
@@ -557,6 +557,30 @@ interface(`miscfiles_read_localization',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Allow process to watch localization directories.
|
|
+## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow the specified domain to watch localization directories
|
|
+## (e.g. /usr/share/zoneinfo/) for changes.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`miscfiles_watch_localization_dirs',`
|
|
+ gen_require(`
|
|
+ type locale_t;
|
|
+ ')
|
|
+
|
|
+ watch_dirs_pattern($1, locale_t, locale_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Allow process to watch localization files.
|
|
## </summary>
|
|
## <desc>
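Review bot: The new `miscfiles_watch_localization_dirs` description should say which permission it grants, because the interface name alone does not distinguish `watch` from the related `watch_reads` permission, and the two behave differently for inotify callers. The pattern used, `watch_dirs_pattern($1, locale_t, locale_t)`, presumably yields only `dir watch` (its definition is outside this hunk); the quoted audit record's mask `a2=0x10003cc` appears to contain IN_ONLYDIR plus attrib/close_write/move/create/delete bits and no IN_ACCESS/IN_OPEN, so `watch` alone is sufficient for that caller, but a domain that subscribes to read events would still be denied. A sentence in the `<desc>` block such as `## Grants only the watch permission (not watch_reads); callers that subscribe to read/open events need a separate rule.` would let future users of the interface pick the right one. The interface is complete within the hunk; the following `miscfiles_watch_localization_files` interface continues outside it.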
|
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
|
index 824af18..86617c3 100644
|
|
--- a/policy/modules/system/userdomain.te
|
|
+++ b/policy/modules/system/userdomain.te
|
|
@@ -397,6 +397,7 @@ files_watch_generic_tmp_dirs(login_userdomain)
|
|
fs_create_cgroup_files(login_userdomain)
|
|
fs_watch_cgroup_files(login_userdomain)
|
|
|
|
+miscfiles_watch_localization_dirs(login_userdomain)
|
|
miscfiles_watch_localization_symlinks(login_userdomain)
|
|
|
|
mount_watch_pid_dirs(login_userdomain)
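Review bot: The added `miscfiles_watch_localization_dirs(login_userdomain)` is broader than the single denial it cites: it lets every login user domain register directory watches on any `locale_t`-labelled directory, not just `/usr/share/zoneinfo`, and it is unconditional rather than behind a boolean. That is likely acceptable, since these directories are root-owned 755 per the PATH record and inotify on a directory only reveals name/attribute events on content the domain can presumably already read via the existing localization read interface (declared outside this hunk), but the commit message should state that the grant is policy-wide for `locale_t` dirs rather than scoped to Chrome's zoneinfo watcher. The call is placed alphabetically before `miscfiles_watch_localization_symlinks`, consistent with the surrounding block.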
|
|
--
|
|
1.8.3.1
|
|
|