• Bug#1109927: marked as done (unblock: refpolicy/2:2.20250213-10) (2/2)

    From Debian Bug Tracking System@21:1/5 to All on Sat Jul 26 14:50:05 2025
    [continued from previous message]

    ++userdom_rw_user_tmp_files(evolution_alarm_t)
    ++userdom_map_user_tmp_files(evolution_alarm_t)
    ++userdom_watch_user_home_dirs(evolution_alarm_t)
    ++
    ++wm_rw_tmpfs_files(evolution_alarm_t)
    ++
    ++xdg_search_config_dirs(evolution_alarm_t)
    ++xdg_search_data_dirs(evolution_alarm_t)
    ++xdg_read_config_files(evolution_alarm_t)
    ++xdg_read_data_files(evolution_alarm_t)
    +
    + xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
    ++xserver_read_xkb_libs(evolution_alarm_t)
    +
    + tunable_policy(`use_nfs_home_dirs',`
    + fs_manage_nfs_dirs(evolution_alarm_t)
    +@@ -335,6 +357,7 @@ tunable_policy(`use_samba_home_dirs',`
    + optional_policy(`
    + dbus_all_session_bus_client(evolution_alarm_t)
    + dbus_connect_all_session_bus(evolution_alarm_t)
    ++ dbus_write_session_runtime_socket(evolution_alarm_t)
    +
    + optional_policy(`
    + evolution_dbus_chat(evolution_alarm_t)
    +@@ -345,6 +368,10 @@ optional_policy(`
    + gnome_stream_connect_gconf(evolution_alarm_t)
    + ')
    +
    ++optional_policy(`
    ++ wm_send_fd(evolution_alarm_t)
    ++')
    ++
    + ########################################
    + #
    + # Exchange local policy
    +Index: refpolicy-2.20250213/policy/modules/services/dbus.te
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/services/dbus.te
    ++++ refpolicy-2.20250213/policy/modules/services/dbus.te
    +@@ -314,6 +314,14 @@ optional_policy(`
    + ')
    +
    + optional_policy(`
    ++ wm_receive_fd(system_dbusd_t)
    ++')
    ++
    ++optional_policy(`
    ++ xdg_read_data_files(system_dbusd_t)
    ++')
    ++
    ++optional_policy(`
    + xserver_read_xdm_lib_files(system_dbusd_t)
    + xserver_use_xdm_fds(system_dbusd_t)
    + ')
    +Index: refpolicy-2.20250213/policy/modules/system/userdomain.if
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/system/userdomain.if
    ++++ refpolicy-2.20250213/policy/modules/system/userdomain.if
    +@@ -130,8 +130,10 @@ template(`userdom_base_user_template',`
    + init_get_system_status($1_t)
    +
    + optional_policy(`
    ++ apt_dbus_chat($1_t)
    + apt_read_cache($1_t)
    + apt_read_db($1_t)
    ++ apt_watch_db($1_t)
    + ')
    +
    + tunable_policy(`allow_execmem',`
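Review bot: `apt_dbus_chat($1_t)` is added inside `userdom_base_user_template`, so every user domain instantiated from the template, unprivileged ones included, gets bidirectional `dbus send_msg` with `apt_t`, and nothing in the hunk gates it on a tunable or on one of the privileged templates. If only a desktop update front-end needs to talk to apt, consider placing the call in the template or domain that actually does so, or wrapping it in a tunable, and record the reason in a comment such as `# user session front-ends query apt over the system bus`. The same question applies to the `geoclue_dbus_chat`/`ntp_dbus_chat` additions in the next hunk (`@@ -159,8 +161,16 @@`). The enclosing template starts outside the hunk.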
    +@@ -159,8 +161,16 @@ template(`userdom_base_user_template',`
    + ')
    +
    + optional_policy(`
    ++ geoclue_dbus_chat($1_t)
    ++ ')
    ++
    ++ optional_policy(`
    + kerneloops_dbus_chat($1_t)
    + ')
    ++
    ++ optional_policy(`
    ++ ntp_dbus_chat($1_t)
    ++ ')
    + ')
    +
    + #######################################
    +@@ -2048,10 +2058,10 @@ interface(`userdom_home_filetrans_user_h
    + #
    + interface(`userdom_user_home_domtrans',`
    + gen_require(`
    +- type user_home_dir_t, user_home_t;
    ++ type user_home_dir_t, user_home_t, user_bin_t;
    + ')
    +
    +- domain_auto_transition_pattern($1, user_home_t, $2)
    ++ domain_auto_transition_pattern($1, { user_home_t user_bin_t }, $2)
    + allow $1 user_home_dir_t:dir search_dir_perms;
    + files_search_home($1)
    + ')
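Review bot: `domain_auto_transition_pattern($1, { user_home_t user_bin_t }, $2)` makes `user_bin_t` a second entrypoint for `$2`, but the interface's summary and parameter documentation sit above the hunk and, as far as the hunk shows, still describe only the `user_home_t` transition; they should name both types. Because the pattern grants `$1` execute on and `$2` entrypoint via any `user_bin_t` file, the doc should also say that executing user-controlled `user_bin_t` content now enters the target domain (hedged: where `user_bin_t` lives and who may write it is not visible here). The interface's documentation block starts outside the hunk.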
    +Index: refpolicy-2.20250213/policy/modules/admin/apt.if
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/admin/apt.if
    ++++ refpolicy-2.20250213/policy/modules/admin/apt.if
    +@@ -238,6 +238,25 @@ interface(`apt_manage_db',`
    +
    + ########################################
    + ## <summary>
    ++## watch apt db dirs
    ++## </summary>
    ++## <param name="domain">
    ++## <summary>
    ++## Domain allowed access.
    ++## </summary>
    ++## </param>
    ++#
    ++interface(`apt_watch_db',`
    ++ gen_require(`
    ++ type apt_var_lib_t;
    ++ ')
    ++
    ++ files_search_var_lib($1)
    ++ allow $1 apt_var_lib_t:dir watch;
    ++')
    ++
    ++########################################
    ++## <summary>
    + ## Do not audit attempts to create,
    + ## read, write, and delete apt
    + ## package database content.
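Review bot: The new summary `## watch apt db dirs` is lower case and has no terminal period, unlike the neighbouring `## Do not audit attempts to create, ...` summary and the rest of the file; `## Watch apt package database directories.` would match the file's style. The `apt_dbus_chat` summary in the next hunk (`@@ -257,3 +276,23 @@`) likewise drops the period.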
    +@@ -257,3 +276,23 @@ interface(`apt_dontaudit_manage_db',`
    + dontaudit $1 apt_var_lib_t:file manage_file_perms;
    + dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
    + ')
    ++
    ++########################################
    ++## <summary>
    ++## Send and receive messages from apt over dbus
    ++## </summary>
    ++## <param name="domain">
    ++## <summary>
    ++## Domain allowed access.
    ++## </summary>
    ++## </param>
    ++#
    ++interface(`apt_dbus_chat',`
    ++ gen_require(`
    ++ type apt_t;
    ++ class dbus send_msg;
    ++ ')
    ++
    ++ allow $1 apt_t:dbus send_msg;
    ++ allow apt_t $1:dbus send_msg;
    ++')
    +Index: refpolicy-2.20250213/policy/modules/services/dbus.if
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/services/dbus.if
    ++++ refpolicy-2.20250213/policy/modules/services/dbus.if
    +@@ -156,8 +156,17 @@ template(`dbus_role_template',`
    + ')
    +
    + optional_policy(`
    ++ wm_receive_fd($1_dbusd_t)
    ++ wm_sock_rw($1_dbusd_t)
    ++ ')
    ++
    ++ optional_policy(`
    + xdg_read_data_files($1_dbusd_t)
    + ')
    ++
    ++ optional_policy(`
    ++ xserver_read_xdm_lib_files($1_dbusd_t)
    ++ ')
    + ')
    +
    + #######################################
    +Index: refpolicy-2.20250213/policy/modules/services/xserver.if
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/services/xserver.if
    ++++ refpolicy-2.20250213/policy/modules/services/xserver.if
    +@@ -56,6 +56,9 @@ template(`xserver_restricted_role',`
    + stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
    + files_search_tmp($2)
    +
    ++ # for /run/gdm3/dbus/
    ++ allow $2 xdm_var_run_t:sock_file write_sock_file_perms;
    ++
    + # Communicate via System V shared memory.
    + allow $2 xserver_t:fd use;
    + allow $2 xserver_t:shm r_shm_perms;
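Review bot: The comment `# for /run/gdm3/dbus/` names a path but not what the rule is for, so a reader cannot tell whether the user domain is meant to reach a session bus socket placed there or some other display-manager socket; `# Let the user domain write to the session dbus socket gdm3 places under /run/gdm3/dbus/` would record the intent (hedged: the socket's owner is not visible here). Also confirm that `xdm_var_run_t` is already in the template's `gen_require` block, which sits outside the hunk; if this refpolicy version has renamed the type to a `_runtime_t` name, the old name only resolves while the alias is still declared. The template starts outside the hunk.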
    +@@ -224,7 +227,7 @@ template(`xserver_role',`
    +
    + xserver_read_xkb_libs($2)
    +
    +- allow $2 xdm_t:unix_stream_socket { getattr accept };
    ++ allow $2 xdm_t:unix_stream_socket { accept rw_socket_perms };
    +
    + optional_policy(`
    + systemd_user_app_status($1, xserver_t)
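Review bot: Replacing `{ getattr accept }` with `{ accept rw_socket_perms }` grants the user domain far more than read/write on xdm_t's unix stream sockets, since `rw_socket_perms` also carries bind, connect, setattr, setopt, getopt, shutdown and append. If the goal is reading and writing an inherited display-manager socket, `allow $2 xdm_t:unix_stream_socket { accept getattr read write };` limits the addition to what a session needs; if the wider set is really required by the observed denials, a comment above the line should say so. The enclosing template starts outside the hunk.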
    +@@ -1102,12 +1105,13 @@ interface(`xserver_read_xdm_lib_files',`
    + type xdm_var_lib_t;
    + ')
    +
    ++ allow $1 xdm_var_lib_t:dir list_dir_perms;
    + allow $1 xdm_var_lib_t:file read_file_perms;
    + ')
    +
    + ########################################
    + ## <summary>
    +-## map XDM var lib files.
    ++## read and map XDM var lib files.
    + ## </summary>
    + ## <param name="domain">
    + ## <summary>
    +@@ -1115,12 +1119,31 @@ interface(`xserver_read_xdm_lib_files',`
    + ## </summary>
    + ## </param>
    + #
    +-interface(`xserver_map_xdm_lib_files',`
    ++interface(`xserver_mmap_read_xdm_lib_files',`
    ++ gen_require(`
    ++ type xdm_var_lib_t;
    ++ ')
    ++
    ++ allow $1 xdm_var_lib_t:dir list_dir_perms;
    ++ allow $1 xdm_var_lib_t:file mmap_read_file_perms;
    ++')
    ++
    ++########################################
    ++## <summary>
    ++## watch XDM var lib dirs.
    ++## </summary>
    ++## <param name="domain">
    ++## <summary>
    ++## Domain allowed access.
    ++## </summary>
    ++## </param>
    ++#
    ++interface(`xserver_watch_xdm_lib_dirs',`
    + gen_require(`
    + type xdm_var_lib_t;
    + ')
    +
    +- allow $1 xdm_var_lib_t:file map;
    ++ allow $1 xdm_var_lib_t:dir watch;
    + ')
    +
    + ########################################
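Review bot: `xserver_map_xdm_lib_files` is renamed to `xserver_mmap_read_xdm_lib_files` and the old name disappears, so any module outside this patch set that still calls the old interface fails to build; the diff only updates colord.te. refpolicy's convention for a rename is to keep the old name as a deprecated wrapper that emits `refpolicywarn` and forwards to the new interface; unless such a wrapper already exists outside the hunk, add one after the new interface. Note also that the new interface grants `dir list_dir_perms` and `file mmap_read_file_perms` where the old one granted only `file map`, which the updated summary covers but the wrapper's callers should be aware of.
```m4
interface(`xserver_map_xdm_lib_files',`
	refpolicywarn(`$0($*) has been deprecated, please use xserver_mmap_read_xdm_lib_files() instead.')
	xserver_mmap_read_xdm_lib_files($1)
')
# … unchanged: xserver_mmap_read_xdm_lib_files and xserver_watch_xdm_lib_dirs …
```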
    +Index: refpolicy-2.20250213/policy/modules/services/colord.te
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/services/colord.te
    ++++ refpolicy-2.20250213/policy/modules/services/colord.te
    +@@ -164,8 +164,11 @@ optional_policy(`
    + ')
    +
    + optional_policy(`
    +- xserver_read_xdm_lib_files(colord_t)
    +- xserver_map_xdm_lib_files(colord_t)
    ++ wm_receive_fd(colord_t)
    ++')
    ++
    ++optional_policy(`
    ++ xserver_mmap_read_xdm_lib_files(colord_t)
    + xserver_read_xdm_state(colord_t)
    + xserver_use_xdm_fds(colord_t)
    + ')
    +Index: refpolicy-2.20250213/policy/modules/apps/gnome.te
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/apps/gnome.te
    ++++ refpolicy-2.20250213/policy/modules/apps/gnome.te
    +@@ -35,6 +35,7 @@ userdom_user_home_content(gnome_keyring_
    + type gnome_keyring_tmp_t;
    + userdom_user_tmp_file(gnome_keyring_tmp_t)
    + userdom_user_runtime_content(gnome_keyring_tmp_t)
    ++systemd_user_activated_sock_file(gnome_keyring_tmp_t)
    +
    + type gnome_xdg_cache_t;
    + xdg_cache_content(gnome_xdg_cache_t)
    +Index: refpolicy-2.20250213/policy/modules/services/dnsmasq.fc
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/services/dnsmasq.fc
    ++++ refpolicy-2.20250213/policy/modules/services/dnsmasq.fc
    +@@ -13,7 +13,7 @@
    +
    + /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
    +
    +-/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
    ++/var/lib/misc/dnsmasq\.([a-z0-9]+\.)?leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
    + /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
    +
    + /var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
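Review bot: `dnsmasq\.([a-z0-9]+\.)?leases` only matches an instance name made of lower-case letters and digits, so a lease file for an instance named with a hyphen, underscore or upper-case character keeps the parent directory's label and dnsmasq is denied writes to it; whether Debian's per-instance naming can produce such names is not visible here. `/var/lib/misc/dnsmasq\.([^/.]+\.)?leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)` covers any single dotted component without matching outside that directory.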
    +Index: refpolicy-2.20250213/policy/modules/services/container.fc
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/services/container.fc
    ++++ refpolicy-2.20250213/policy/modules/services/container.fc
    +@@ -78,6 +78,7 @@ HOME_DIR/\.docker(/.*)? gen_context(sys
    + /var/lib/containers/storage/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
    +
    + /var/lib/crio(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
    ++/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
    +
    + /var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
    + /var/lib/docker/.*/config\.env -- gen_context(system_u:object_r:container_ro_file_t,s0)
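Review bot: `/var/lib/lxc(/.*)?` labels the whole tree `container_var_lib_t`, including any guest root filesystems kept beneath it, whereas the docker entries below carve out more specific labels for selected sub-paths (`config\.env` as `container_ro_file_t`). If lxc stores guest rootfs content under per-container directories here (not visible in the hunk), consider a more specific entry for that content so guest-writable files do not carry the host-side container state type. A short comment such as `# lxc per-container configuration` above the line would also record which part of the tree the entry was written for.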
    +Index: refpolicy-2.20250213/policy/modules/apps/bubblewrap.if
    +===================================================================
    +--- refpolicy-2.20250213.orig/policy/modules/apps/bubblewrap.if
    ++++ refpolicy-2.20250213/policy/modules/apps/bubblewrap.if
    +@@ -99,6 +99,7 @@ template(`bubblewrap_role',`
    + userdom_manage_user_home_content_files($1_bubblewrap_t)
    + userdom_use_user_ptys($1_bubblewrap_t)
    + userdom_use_user_ttys($1_bubblewrap_t)
    ++ userdom_user_home_domtrans($1_bubblewrap_t, $2)
    +
    + ifndef(`enable_mls',`
    + fs_search_removable($1_bubblewrap_t)
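Review bot: `userdom_user_home_domtrans($1_bubblewrap_t, $2)` makes executing `user_home_t` (and, with the userdomain.if change in this diff, `user_bin_t`) content inside the sandbox transition to `$2`, so from the policy's point of view the process leaves `$1_bubblewrap_t` and runs with whatever `$2` is allowed. If that is intended, state it in the template's description so the wider domain is a documented choice rather than a surprise; if the sandbox domain should be retained, no transition is needed here. Which parameter `$2` is in `bubblewrap_role` cannot be seen from the hunk; the template starts outside it.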

    To: [email protected]
    Subject: unblock refpolicy
    MIME-Version: 1.0
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    From: Ivo De Decker <[email protected]>
    Date: Sat, 26 Jul 2025 12:38:19 +0000

    Unblocked refpolicy.
