selinux-policy/backport-Allow-login_userdomain-watch-system-configuration-di.patch

From bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 9 Feb 2022 21:52:01 +0100
Subject: [PATCH] Allow login_userdomain watch system configuration dirs

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf059ebda558a7735cfdcfb874ecc8bfc2622cb1
Conflict: NA

The files_watch_system_conf_dirs() interface was added.

Addresses the following AVC denial:

type=PROCTITLE msg=audit(02/09/22 21:28:19.577:2173) : proctitle=/usr/bin/gnome-software --gapplication-service
type=PATH msg=audit(02/09/22 21:28:19.577:2173) : item=0 name=/etc/yum.repos.d inode=432 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/09/22 21:28:19.577:2173) : cwd=/home/staff
type=SYSCALL msg=audit(02/09/22 21:28:19.577:2173) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414ea860 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/09/22 21:28:19.577:2173) : avc:  denied  { watch } for  pid=2148 comm=gmain path=/etc/yum.repos.d dev="vda2" ino=432 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=0

Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/kernel/files.if      | 19 +++++++++++++++++++
 policy/modules/system/userdomain.te |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 53e463c..b375a7e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5720,6 +5720,25 @@ interface(`files_read_system_conf_files',`
     read_lnk_files_pattern($1, etc_t, system_conf_t)
 ')
 
+#######################################
+## <summary>
+##	Watch manageable system configuration dirs in /etc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_system_conf_dirs',`
+	gen_require(`
+		type etc_t, system_conf_t;
+	')
+
+	files_search_etc($1)
+	watch_dirs_pattern($1, system_conf_t, system_conf_t)
+')
+
 ######################################
 ## <summary>
 ##  Manage manageable system configuration files in /etc.
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f1f68f7..a833ada 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -388,6 +388,7 @@ dev_watch_generic_dirs(login_userdomain)
 
 files_watch_etc_dirs(login_userdomain)
 files_watch_etc_files(login_userdomain)
+files_watch_system_conf_dirs(login_userdomain)
 files_watch_usr_dirs(login_userdomain)
 files_watch_usr_files(login_userdomain)
 files_watch_var_lib_dirs(login_userdomain)
-- 
1.8.3.1