Allow accountsd read gnome-initial-setup tmp files

The commit addresses the following AVC denial: type=PROCTITLE msg=audit(09/18/2024 16:19:39.559:209) : proctitle=/usr/libexec/accounts-daemon type=SYSCALL msg=audit(09/18/2024 16:19:39.559:209) : arch=x86_64 syscall=statx success=yes exit=0 a0=0xffffff9c a1=0x55ee21e7b980 a2=0x900 a3=0xfff items=0 ppid=1 pid=828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) type=AVC msg=audit(09/18/2024 16:19:39.559:209) : avc: denied { getattr } for pid=828 comm=accounts-daemon path=/tmp/usericonSQPZT2 dev="tmpfs" ino=49 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:gnome_initial_setup_var_run_t:s0 tclass=file permissive=1 Resolves: rhbz#2278845
fedora-selinux · Sep 19, 2024 · 1b8e7de · 1b8e7de
1 parent 0067b65
commit 1b8e7de
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
@@ -86,6 +86,7 @@ optional_policy(`
 
 optional_policy(`
 	gnome_initial_setup_read_state(accountsd_t)
+	gnome_initial_setup_read_tmp_files(accountsd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
@@ -2226,6 +2226,25 @@ interface(`gnome_initial_setup_write_fifo_files',`
 	allow $1 gnome_initial_setup_t:fifo_file write_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read gnome-initial-setup tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_initial_setup_read_tmp_files',`
+	gen_require(`
+		type gnome_initial_setup_t;
+	')
+
+
+	allow $1 gnome_initial_setup_tmp_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Transition to gnome-initial-setup named content

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
@@ -83,6 +83,9 @@ files_type(gnome_initial_setup_var_lib_t);
 type gnome_initial_setup_var_run_t;
 files_pid_file(gnome_initial_setup_var_run_t);
 
+type gnome_initial_setup_tmp_t;
+files_tmp_file(gnome_initial_setup_tmp_t);
+
 type gnomesystemmm_t;
 type gnomesystemmm_exec_t;
 init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
@@ -364,6 +367,9 @@ manage_sock_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t,
 files_pid_filetrans(gnome_initial_setup_t, gnome_initial_setup_var_run_t, dir)
 allow gnome_initial_setup_t gnome_initial_setup_var_run_t:file map;
 
+manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_tmp_t, gnome_initial_setup_tmp_t)
+files_tmp_filetrans(gnome_initial_setup_t, gnome_initial_setup_tmp_t, file)
+
 rw_files_pattern(gnome_initial_setup_t, config_home_t, config_home_t)
 allow gnome_initial_setup_t config_home_t:file map;