Bug#1109927: unblock: refpolicy/2:2.20250213-10 (2/2)
From
Russell Coker@21:1/5 to
All on Sat Jul 26 14:00:01 2025
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+ ')
+Index: refpolicy-2.20250213/policy/modules/admin/apt.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/admin/apt.if
++++ refpolicy-2.20250213/policy/modules/admin/apt.if
+@@ -238,6 +238,25 @@ interface(`apt_manage_db',`
+
+ ########################################
+ ## <summary>
++## watch apt db dirs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apt_watch_db',`
++ gen_require(`
++ type apt_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 apt_var_lib_t:dir watch;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to create,
+ ## read, write, and delete apt
+ ## package database content.
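Review bot: The new interface name `apt_watch_db` does not follow the `<module>_watch_<what>_dirs` form used elsewhere for a plain `dir watch` grant — this same patch adds `xserver_watch_xdm_lib_dirs` for exactly that — and its summary `## watch apt db dirs` is lowercase with no period, unlike the neighbouring `## Do not audit attempts to create,` text. Suggest `interface(`apt_watch_db_dirs',`` with the summary `## Watch apt package database directories.`, before callers outside this patch start depending on the name.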
+@@ -257,3 +276,23 @@ interface(`apt_dontaudit_manage_db',`
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+ ')
++
++########################################
++## <summary>
++## Send and receive messages from apt over dbus
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apt_dbus_chat',`
++ gen_require(`
++ type apt_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 apt_t:dbus send_msg;
++ allow apt_t $1:dbus send_msg;
++')
+Index: refpolicy-2.20250213/policy/modules/services/dbus.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dbus.if
++++ refpolicy-2.20250213/policy/modules/services/dbus.if
+@@ -156,8 +156,17 @@ template(`dbus_role_template',`
+ ')
+
+ optional_policy(`
++ wm_receive_fd($1_dbusd_t)
++ wm_sock_rw($1_dbusd_t)
++ ')
++
++ optional_policy(`
+ xdg_read_data_files($1_dbusd_t)
+ ')
++
++ optional_policy(`
++ xserver_read_xdm_lib_files($1_dbusd_t)
++ ')
+ ')
+
+ #######################################
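Review bot: The new `wm_receive_fd`, `wm_sock_rw` and `xserver_read_xdm_lib_files` calls on `$1_dbusd_t` carry no comment saying which session-bus scenario they serve, unlike the `# for /run/gdm3/dbus/` note in the xserver.if hunk of this patch, and they apply to the session bus of every role that uses the template. A one-line comment above each new optional_policy block, e.g. `# session bus started under the display manager` (adjusted to the actual trigger), would tie the access to its cause. Note also that the same patch extends `xserver_read_xdm_lib_files` with `dir list_dir_perms`, so this call now grants directory listing on xdm_var_lib_t as well as file reads. The dbus_role_template continues outside the hunk.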
+Index: refpolicy-2.20250213/policy/modules/services/xserver.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/xserver.if
++++ refpolicy-2.20250213/policy/modules/services/xserver.if
+@@ -56,6 +56,9 @@ template(`xserver_restricted_role',`
+ stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ files_search_tmp($2)
+
++ # for /run/gdm3/dbus/
++ allow $2 xdm_var_run_t:sock_file write_sock_file_perms;
++
+ # Communicate via System V shared memory.
+ allow $2 xserver_t:fd use;
+ allow $2 xserver_t:shm r_shm_perms;
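Review bot: `write_sock_file_perms` on `xdm_var_run_t:sock_file` (the line under `# for /run/gdm3/dbus/`) lets the role's domain open any socket file carrying that label, not only the gdm3 dbus socket, and by itself does not grant the `unix_stream_socket connectto` on the listening daemon that a connect also needs. If the peer is the display manager's bus daemon, the usual refpolicy form is `stream_connect_pattern($2, xdm_var_run_t, xdm_var_run_t, <listening domain>)`, which pairs the sock_file write with connectto on the named domain; otherwise the comment should name the daemon listening there so the matching connectto grant can be located. The xserver_restricted_role template continues outside the hunk.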
+@@ -224,7 +227,7 @@ template(`xserver_role',`
+
+ xserver_read_xkb_libs($2)
+
+- allow $2 xdm_t:unix_stream_socket { getattr accept };
++ allow $2 xdm_t:unix_stream_socket { accept rw_socket_perms };
+
+ optional_policy(`
+ systemd_user_app_status($1, xserver_t)
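Review bot: Replacing `{ getattr accept }` with `{ accept rw_socket_perms }` on `xdm_t:unix_stream_socket` grants more than read and write: as defined in refpolicy's obj_perm_sets, `rw_socket_perms` also covers bind, connect, setopt and shutdown on the display manager's sockets. If the need is only to use a socket inherited from xdm_t, `allow $2 xdm_t:unix_stream_socket { accept getattr read write };` (plus `ioctl` if it is actually exercised) keeps the grant to what is used. A short comment naming the client that hit the denial would make the widening reviewable, in the style of the `# for /run/gdm3/dbus/` comment earlier in this file. The xserver_role template continues outside the hunk.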
+@@ -1102,12 +1105,13 @@ interface(`xserver_read_xdm_lib_files',`
+ type xdm_var_lib_t;
+ ')
+
++ allow $1 xdm_var_lib_t:dir list_dir_perms;
+ allow $1 xdm_var_lib_t:file read_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## map XDM var lib files.
++## read and map XDM var lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
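Review bot: The `allow $1 xdm_var_lib_t:dir list_dir_perms;` line added to `xserver_read_xdm_lib_files` widens the interface from reading files to listing directories, but the interface's own `<summary>` (above this hunk) still describes only reading files; it should say something like `## Read XDM var lib files and list their directories.`, in the spirit of the `## read and map XDM var lib files.` wording this hunk updates for the next interface. The interface's doc header is outside the hunk.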
+@@ -1115,12 +1119,31 @@ interface(`xserver_read_xdm_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`xserver_map_xdm_lib_files',`
++interface(`xserver_mmap_read_xdm_lib_files',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:dir list_dir_perms;
++ allow $1 xdm_var_lib_t:file mmap_read_file_perms;
++')
++
++########################################
++## <summary>
++## watch XDM var lib dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_watch_xdm_lib_dirs',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+- allow $1 xdm_var_lib_t:file map;
++ allow $1 xdm_var_lib_t:dir watch;
+ ')
+
+ ########################################
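Review bot: `xserver_map_xdm_lib_files` is removed outright when it is renamed to `xserver_mmap_read_xdm_lib_files`, so any module still calling the old name fails to build; this patch updates colord.te, but callers outside the patch may exist. Refpolicy's convention for a rename is to keep the old interface as a deprecated wrapper that warns and forwards to the new one, which is a few lines and can sit right after the new interface. The xserver.if file continues outside the hunk.
```m4
interface(`xserver_map_xdm_lib_files',`
	refpolicywarn(`$0($*) has been deprecated, please use xserver_mmap_read_xdm_lib_files() instead.')
	xserver_mmap_read_xdm_lib_files($1)
')
```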
+Index: refpolicy-2.20250213/policy/modules/services/colord.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/colord.te
++++ refpolicy-2.20250213/policy/modules/services/colord.te
+@@ -164,8 +164,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_read_xdm_lib_files(colord_t)
+- xserver_map_xdm_lib_files(colord_t)
++ wm_receive_fd(colord_t)
++')
++
++optional_policy(`
++ xserver_mmap_read_xdm_lib_files(colord_t)
+ xserver_read_xdm_state(colord_t)
+ xserver_use_xdm_fds(colord_t)
+ ')
+Index: refpolicy-2.20250213/policy/modules/apps/gnome.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/gnome.te
++++ refpolicy-2.20250213/policy/modules/apps/gnome.te
+@@ -35,6 +35,7 @@ userdom_user_home_content(gnome_keyring_
+ type gnome_keyring_tmp_t;
+ userdom_user_tmp_file(gnome_keyring_tmp_t)
+ userdom_user_runtime_content(gnome_keyring_tmp_t)
++systemd_user_activated_sock_file(gnome_keyring_tmp_t)
+
+ type gnome_xdg_cache_t;
+ xdg_cache_content(gnome_xdg_cache_t)
+Index: refpolicy-2.20250213/policy/modules/services/dnsmasq.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dnsmasq.fc
++++ refpolicy-2.20250213/policy/modules/services/dnsmasq.fc
+@@ -13,7 +13,7 @@
+
+ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+-/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
++/var/lib/misc/dnsmasq\.([a-z0-9]+\.)?leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+ /var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
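Review bot: The new pattern `dnsmasq\.([a-z0-9]+\.)?leases` only matches an instance component made of lowercase letters and digits; a lease file whose instance name contains `-`, `_` or an uppercase letter would presumably keep the directory's default label instead of `dnsmasq_lease_t` and the daemon would then be denied on it. If instance names come from user-chosen configuration or interface names, a broader class such as `/var/lib/misc/dnsmasq\.([a-zA-Z0-9_-]+\.)?leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)` is safer; if they are known to be restricted to `[a-z0-9]`, a comment saying where that restriction comes from would settle the question for the next reviewer.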
+Index: refpolicy-2.20250213/policy/modules/services/container.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/container.fc
++++ refpolicy-2.20250213/policy/modules/services/container.fc
+@@ -78,6 +78,7 @@ HOME_DIR/\.docker(/.*)? gen_context(sys
+ /var/lib/containers/storage/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
+
+ /var/lib/crio(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
++/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+
+ /var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+ /var/lib/docker/.*/config\.env -- gen_context(system_u:object_r:container_ro_file_t,s0)
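Review bot: `/var/lib/lxc(/.*)?` labels every container's root filesystem under /var/lib/lxc with `container_var_lib_t`, the type the surrounding docker entries use for the runtime's own state, while they keep per-container writable data (`volumes/[^/]+/.*`) as `container_file_t` and read-only config as `container_ro_file_t`. If lxc containers are meant to run in a confined container domain, their rootfs trees presumably need a `container_file_t` entry too, e.g. `/var/lib/lxc/[^/]+/rootfs(/.*)? gen_context(system_u:object_r:container_file_t,s0)` placed after the new line; if lxc is only expected to run unconfined here, a comment stating that would explain the single-type choice.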
+Index: refpolicy-2.20250213/policy/modules/apps/bubblewrap.if
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/apps/bubblewrap.if
++++ refpolicy-2.20250213/policy/modules/apps/bubblewrap.if
+@@ -99,6 +99,7 @@ template(`bubblewrap_role',`
+ userdom_manage_user_home_content_files($1_bubblewrap_t)
+ userdom_use_user_ptys($1_bubblewrap_t)
+ userdom_use_user_ttys($1_bubblewrap_t)
++ userdom_user_home_domtrans($1_bubblewrap_t, $2)
+
+ ifndef(`enable_mls',`
+ fs_search_removable($1_bubblewrap_t)
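Review bot: `userdom_user_home_domtrans($1_bubblewrap_t, $2)` lets the sandbox domain execute files from the user's home directory and, as the interface name indicates, transition into `$2`, the role's user domain, so a program bwrap launches from the home directory runs with the user's full policy rather than staying in `$1_bubblewrap_t`. That may well be intended — the template already grants the sandbox domain manage access on user home content files earlier in this hunk — but it changes what the sandbox domain confines, and a comment stating the case it serves, e.g. `# programs launched from the home directory run in the user domain, not the sandbox domain`, would keep that decision visible to the next reader. The bubblewrap_role template continues outside the hunk.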