36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
From 722bd1fc180b12193c2d551c82eda101f26c098f Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Mon, 8 Aug 2022 17:35:10 +0200
|
|
Subject: [PATCH] Do not allow login_userdomain use sd_notify()
|
|
|
|
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/722bd1fc180b12193c2d551c82eda101f26c098f
|
|
Conflict: NA
|
|
|
|
This commit partially reverts the ea76c5e8b586 ("Allow some domains use
|
|
sd_notify()") commit. While any systemd service should be allowed to
|
|
use sd_notify, which includes unconfined_service_t, login userdomains
|
|
should only talk to user service manager which runs in the respective
|
|
userdomain.
|
|
|
|
Signed-off-by: lujie54 <lujie54@huawei.com>
|
|
---
|
|
policy/modules/system/userdomain.te | 2 --
|
|
1 file changed, 2 deletions(-)
|
|
|
|
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
|
index 0980247..3ac8c12 100644
|
|
--- a/policy/modules/system/userdomain.te
|
|
+++ b/policy/modules/system/userdomain.te
|
|
@@ -400,8 +400,6 @@ files_watch_generic_tmp_dirs(login_userdomain)
|
|
fs_create_cgroup_files(login_userdomain)
|
|
fs_watch_cgroup_files(login_userdomain)
|
|
|
|
-init_use_notify(login_userdomain)
|
|
-
|
|
libs_watch_lib_dirs(login_userdomain)
|
|
|
|
miscfiles_watch_fonts_dirs(login_userdomain)
|
|
--
|
|
1.8.3.1
|
|
|