From a95ec6ae31dc99bb6d0655e73a8bca69f90b91c4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 19 Sep 2024 08:57:14 +0200
Subject: [PATCH] Allow accountsd read gnome-initial-setup tmp files

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(09/18/2024 16:19:39.559:209) : proctitle=/usr/libexec/accounts-daemon
type=SYSCALL msg=audit(09/18/2024 16:19:39.559:209) : arch=x86_64 syscall=statx success=yes exit=0 a0=0xffffff9c a1=0x55ee21e7b980 a2=0x900 a3=0xfff items=0 ppid=1 pid=828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(09/18/2024 16:19:39.559:209) : avc: denied { getattr } for pid=828 comm=accounts-daemon path=/tmp/usericonSQPZT2 dev="tmpfs" ino=49 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:gnome_initial_setup_var_run_t:s0 tclass=file permissive=1
Resolves: rhbz#2278845
---
 policy/modules/contrib/accountsd.te | 1 +
 policy/modules/contrib/gnome.if | 19 +++++++++++++++++++
 policy/modules/contrib/gnome.te | 6 ++++++
 3 files changed, 26 insertions(+)

diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 5c2ddce255..c3cfd87c81 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -86,6 +86,7 @@ optional_policy(`
 optional_policy(`
 gnome_initial_setup_read_state(accountsd_t)
+ gnome_initial_setup_read_tmp_files(accountsd_t)
 ')
 optional_policy(`
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index d4b74dc31d..3ebf8231d2 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
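Review bot: The added call grants read on gnome_initial_setup_tmp_t, but the AVC quoted in the description shows /tmp/usericonSQPZT2 carrying gnome_initial_setup_var_run_t, so this line only resolves the denial once the files_tmp_filetrans added in the gnome.te hunks takes effect for newly created files; a file that already exists with the old label, as on the reporting system, presumably stays unreadable until it is recreated. That dependency is not visible from this file, so a short comment above the call would save the next reader from hunting for a var_run grant: `# user icon that gnome-initial-setup creates in /tmp (rhbz#2278845)`. The same point applies to both gnome.te hunks, which introduce the type and the transition that this grant relies on.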
@@ -2226,6 +2226,25 @@ interface(`gnome_initial_setup_write_fifo_files',`
 allow $1 gnome_initial_setup_t:fifo_file write_fifo_file_perms;
 ')
+########################################
+##
+## Read gnome-initial-setup tmp files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_initial_setup_read_tmp_files',`
+ gen_require(`
+ type gnome_initial_setup_tmp_t;
+ ')
+
+ allow $1 gnome_initial_setup_tmp_t:file read_file_perms;
+')
+
 ########################################
 ##
 ## Transition to gnome-initial-setup named content
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 0902bfe7d3..7f7977f6b0 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -83,6 +83,9 @@ files_type(gnome_initial_setup_var_lib_t);
 type gnome_initial_setup_var_run_t;
 files_pid_file(gnome_initial_setup_var_run_t);
+type gnome_initial_setup_tmp_t;
+files_tmp_file(gnome_initial_setup_tmp_t);
+
 type gnomesystemmm_t;
 type gnomesystemmm_exec_t;
 init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
@@ -364,6 +367,9 @@ manage_sock_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t,
 files_pid_filetrans(gnome_initial_setup_t, gnome_initial_setup_var_run_t, dir)
 allow gnome_initial_setup_t gnome_initial_setup_var_run_t:file map;
+manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_tmp_t, gnome_initial_setup_tmp_t)
+files_tmp_filetrans(gnome_initial_setup_t, gnome_initial_setup_tmp_t, file)
+
 rw_files_pattern(gnome_initial_setup_t, config_home_t, config_home_t)
 allow gnome_initial_setup_t config_home_t:file map;
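Review bot: The new gnome_initial_setup_read_tmp_files interface grants only `file read_file_perms` on gnome_initial_setup_tmp_t and nothing on the /tmp directory itself, so a caller that does not already hold search on tmp_t would still be denied at path lookup before the file permission is ever checked; many `*_read_tmp_files` interfaces in this policy style pair the file grant with `files_search_tmp($1)` for that reason. Either add `files_search_tmp($1)` on the line before the allow, or state in the interface summary that the caller is expected to already search /tmp. The summary could also name what the files are, since the type is new: `## Read gnome-initial-setup tmp files (e.g. the user icon it creates in /tmp)`.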
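Review bot: `files_tmp_file(gnome_initial_setup_tmp_t)` declares the type, but the only transition into it, the `files_tmp_filetrans(gnome_initial_setup_t, gnome_initial_setup_tmp_t, file)` line in the following hunk, is limited to the `file` class, so anything gnome-initial-setup creates in /tmp as a directory or socket would not receive this type and would sit outside the read grant given to accountsd. If the regular icon file is the only object expected, that is the right minimal scope, and a comment next to the declaration saying so would stop the transition from being widened later without thought: `# only regular files in /tmp; no dir or sock transition is intended`. The closing lines of the second gnome.te hunk may run past the end of what is shown here.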