selinux-policy/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch

From 0675ab63c83c96dd65d9793c5ff2835253329bba Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 22:43:33 +0100
Subject: [PATCH] Allow login_userdomain watch various files and dirs

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0675ab63c83c96dd65d9793c5ff2835253329bba
Conflict: NA

Addresses the following AVC denials:

type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:986) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
type=PATH msg=audit(3.1.2022 14:44:22.064:986) : item=0 name=/etc/fstab inode=100663543 dev=fd:00 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 14:44:22.064:986) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x18 a1=0x56518e638958 a2=0xcc6 a3=0x56518e6392d0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 14:44:22.064:986) : avc:  denied  { watch } for  pid=45075 comm=kscreenlocker_g path=/etc/fstab dev="dm-0" ino=100663543 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:987) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
type=PATH msg=audit(3.1.2022 14:44:22.064:987) : item=0 name=/var/run inode=1 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 14:44:22.064:987) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x1a a1=0x7f74ecdfae35 a2=0x100 a3=0x0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 14:44:22.064:987) : avc:  denied  { watch } for  pid=45075 comm=kscreenlocker_g path=/run dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

type=PROCTITLE msg=audit(3.1.2022 14:44:22.213:989) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
type=PATH msg=audit(3.1.2022 14:44:22.213:989) : item=0 name=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop inode=1684078 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 14:44:22.213:989) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0xf a1=0x7f74d8001438 a2=0x2000fc6 a3=0x7f74f2f73329 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 14:44:22.213:989) : avc:  denied  { watch } for  pid=45075 comm=kscreenlocker_g path=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop dev="dm-0" ino=1684078 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/system/userdomain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cc2d309..824af18 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -387,8 +387,11 @@ tunable_policy(`deny_bluetooth',`',`
 dev_watch_generic_dirs(login_userdomain)
 
 files_watch_etc_dirs(login_userdomain)
+files_watch_etc_files(login_userdomain)
 files_watch_usr_dirs(login_userdomain)
+files_watch_usr_files(login_userdomain)
 files_watch_var_lib_dirs(login_userdomain)
+files_watch_var_run_dirs(login_userdomain)
 files_watch_generic_tmp_dirs(login_userdomain)
 
 fs_create_cgroup_files(login_userdomain)
-- 
1.8.3.1