From 8c1bd3cb5dd403078858113dcc015f5d6f9e9cd9 Mon Sep 17 00:00:00 2001
From: Patrik Koncity
Date: Thu, 15 Oct 2020 12:52:55 +0200
Subject: [PATCH] Allow for confined users login into graphic session

Allow for dbus role as (user_dbusd_t, staff_dbusd_t and etc.) start systemd services, modify the systemd configuration of any file and reload the services.
Allow the gkeyringd role as (user_gkeyringd_t, staff_gkeyringd_t and etc.) set the schedule on self process.
allow $1_gkeyringd_t self:process setsched;
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1767874
---
 dbus.if  | 6 +++++-
 gnome.if | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/dbus.if b/dbus.if
index cfff5bb4dc..4254595d16 100644
--- a/dbus.if
+++ b/dbus.if
@@ -97,7 +97,7 @@ template(`dbus_role_template',`
 	allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh };
 	allow $1_dbusd_t $3:dbus send_msg;
 	allow $3 $1_dbusd_t:dbus send_msg;
-	allow $1_dbusd_t $3:system start;
+	allow $1_dbusd_t $3:system { start reload };
 	allow $1_dbusd_t session_dbusd_tmp_t:service { start stop };
 	allow $3 session_dbusd_tmp_t:dir manage_dir_perms;
 	allow $3 session_dbusd_tmp_t:file manage_file_perms;
@@ -122,8 +122,12 @@ template(`dbus_role_template',`
 	auth_use_nsswitch($1_dbusd_t)
+	files_config_all_files($1_dbusd_t)
+
 	logging_send_syslog_msg($1_dbusd_t)
+	systemd_start_systemd_services($1_dbusd_t)
+
 	dontaudit $1_dbusd_t self:capability net_admin;
 	optional_policy(`
diff --git a/gnome.if b/gnome.if
index 75b1f38434..bd628e2852 100644
--- a/gnome.if
+++ b/gnome.if
@@ -110,6 +110,8 @@ template(`gnome_role_template',`
 	allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };
+	allow $1_gkeyringd_t self:process setsched;
+
 	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
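Review bot: `files_config_all_files($1_dbusd_t)` in the second dbus.if hunk is far broader than a login fix needs: the template is instantiated for every confined role, so the least-privileged `user_dbusd_t` session bus gets it too, and if the interface expands to manage-level access over the whole `configfile` attribute (the commit message's "modify the systemd configuration of any file" suggests write access was the intent), the per-user bus daemon is allowed by policy to create, modify and delete every configuration file type on the system rather than only read what the user's systemd instance needs. Unless the recorded AVC was a write, this should be narrowed to a read-only interface scoped to the type that was actually denied, with the denial quoted in a comment above the line, e.g. `# BZ#1767874: session bus needs to read the user unit configuration at login`. The same applies, less severely, to `systemd_start_systemd_services($1_dbusd_t)`, which presumably grants `start` over every unit-file type rather than only user units; DAC still limits what the unprivileged session bus can really do, but the MAC policy should not depend on that. The enclosing `dbus_role_template` body begins before and ends after this hunk.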