fedora-selinux · zpytela · Jan 15, 2025 · Jan 14, 2025 · Jan 14, 2025 · Jan 15, 2025
diff --git a/policy/modules.conf b/policy/modules.conf
@@ -3127,3 +3127,10 @@ bootupd = module
 # Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
 #
 iiosensorproxy = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module
diff --git a/policy/modules/contrib/nbdkit.if b/policy/modules/contrib/nbdkit.if
@@ -0,0 +1,144 @@
+## <summary>nbdkit: accessing block devices over the network</summary>
+
+########################################
+## <summary>
+##    Execute nbdkit_exec_t in the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##    Domain allowed to transition.
+## </summary>
+## </param>
+#
+ifndef(`nbdkit_domtrans',`
+	interface(`nbdkit_domtrans',`
+		gen_require(`
+			type nbdkit_t, nbdkit_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+	')
+')
+
+######################################
+## <summary>
+##    Execute nbdkit in the caller domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed access.
+##    </summary>
+## </param>
+#
+ifndef(`nbdkit_exec',`
+	interface(`nbdkit_exec',`
+		gen_require(`
+			type nbdkit_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		can_exec($1, nbdkit_exec_t)
+	')
+')
+
+########################################
+## <summary>
+##    Execute nbdkit in the nbdkit domain, and
+##    allow the specified role the nbdkit domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed to transition
+##    </summary>
+## </param>
+## <param name="role">
+##    <summary>
+##    The role to be allowed the nbdkit domain.
+##    </summary>
+## </param>
+#
+ifndef(`nbdkit_run',`
+	interface(`nbdkit_run',`
+		gen_require(`
+			type nbdkit_t;
+			attribute_role nbdkit_roles;
+		')
+
+		nbdkit_domtrans($1)
+		roleattribute $2 nbdkit_roles;
+	')
+')
+
+########################################
+## <summary>
+##    Role access for nbdkit
+## </summary>
+## <param name="role">
+##    <summary>
+##    Role allowed access
+##    </summary>
+## </param>
+## <param name="domain">
+##    <summary>
+##    User domain for the role
+##    </summary>
+## </param>
+#
+ifndef(`nbdkit_role',`
+	interface(`nbdkit_role',`
+		gen_require(`
+			type nbdkit_t;
+			attribute_role nbdkit_roles;
+		')
+
+		roleattribute $1 nbdkit_roles;
+
+		nbdkit_domtrans($2)
+
+		ps_process_pattern($2, nbdkit_t)
+		allow $2 nbdkit_t:process { signull signal sigkill };
+	')
+')
+
+########################################
+## <summary>
+##	Allow attempts to connect to nbdkit
+##	with a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+ifndef(`nbdkit_stream_connect',`
+	interface(`nbdkit_stream_connect',`
+		gen_require(`
+			type nbdkit_t;
+		')
+
+		allow $1 nbdkit_t:unix_stream_socket connectto;
+	')
+')
+
+########################################
+## <summary>
+##      Allow nbdkit_exec_t to be an entrypoint
+##      of the specified domain
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+ifndef(`nbdkit_entrypoint',`
+	interface(`nbdkit_entrypoint',`
+	        gen_require(`
+	                type nbdkit_exec_t;
+	        ')
+	        allow $1 nbdkit_exec_t:file entrypoint;
+	')
+')
diff --git a/policy/modules/contrib/powerprofiles.fc b/policy/modules/contrib/powerprofiles.fc
@@ -0,0 +1,3 @@
+/usr/libexec/power-profiles-daemon	--	gen_context(system_u:object_r:powerprofiles_exec_t,s0)
+
+/var/lib/power-profiles-daemon(/.*)?		gen_context(system_u:object_r:powerprofiles_var_lib_t,s0)
diff --git a/policy/modules/contrib/powerprofiles.if b/policy/modules/contrib/powerprofiles.if
@@ -0,0 +1 @@
+## <summary>Power profiles handling over D-Bus</summary>
diff --git a/policy/modules/contrib/powerprofiles.te b/policy/modules/contrib/powerprofiles.te
@@ -0,0 +1,41 @@
+policy_module(powerprofiles, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type powerprofiles_t;
+type powerprofiles_exec_t;
+init_daemon_domain(powerprofiles_t, powerprofiles_exec_t)
+init_nnp_daemon_domain(powerprofiles_t)
+
+type powerprofiles_var_lib_t;
+files_type(powerprofiles_var_lib_t);
+
+permissive powerprofiles_t;
+
+allow powerprofiles_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_files_pattern(powerprofiles_t, powerprofiles_var_lib_t, powerprofiles_var_lib_t)
+
+kernel_read_proc_files(powerprofiles_t)
+
+dev_read_sysfs(powerprofiles_t)
+
+optional_policy(`
+	dbus_connect_system_bus(powerprofiles_t)
+	dbus_system_bus_client(powerprofiles_t)
+
+	optional_policy(`
+		policykit_dbus_chat(powerprofiles_t)
+	')
+
+	optional_policy(`
+		xserver_dbus_chat_xdm(powerprofiles_t)
+	')
+')
+
+optional_policy(`
+	udev_read_pid_files(powerprofiles_t)
+')
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
@@ -341,6 +341,7 @@ optional_policy(`
 optional_policy(`
 	cups_read_config(samba_bgqd_t)
 	cups_read_pid_files(samba_bgqd_t)
+	cups_stream_connect(samba_bgqd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/switcheroo.fc b/policy/modules/contrib/switcheroo.fc
@@ -0,0 +1 @@
+/usr/libexec/switcheroo-control	--	gen_context(system_u:object_r:switcheroo_control_exec_t,s0)
diff --git a/policy/modules/contrib/switcheroo.if b/policy/modules/contrib/switcheroo.if
@@ -0,0 +1 @@
+## <summary>switcheroo: D-Bus service to check dual GPU availability</summary>
diff --git a/policy/modules/contrib/switcheroo.te b/policy/modules/contrib/switcheroo.te
@@ -0,0 +1,14 @@
+policy_module(switcheroo, 1.0)
+
+#################################
+#   
+# Declarations
+#    
+
+type switcheroo_control_t;
+type switcheroo_control_exec_t;
+init_daemon_domain(switcheroo_control_t, switcheroo_control_exec_t)
+permissive switcheroo_control_t;
+
+#type samba_bgqd_var_run_t;
+#files_pid_file(samba_bgqd_var_run_t)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -391,6 +391,7 @@ corenet_udp_bind_all_ports(svirt_t)
 corenet_tcp_bind_all_ports(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 
+dev_read_sysfs(svirt_t)
 dev_rw_dma_dev(svirt_t)
 
 init_dontaudit_read_state(svirt_t)
@@ -753,6 +754,10 @@ optional_policy(`
 	mount_signal(virtd_t)
 ')
 
+optional_policy(`
+	nbdkit_domtrans(virtd_t)
+')
+
 optional_policy(`
     numad_domtrans(virtd_t)
     numad_dbus_chat(virtd_t)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
@@ -775,6 +775,7 @@ optional_policy(`
 optional_policy(`
 	systemd_rw_bootchart_tmpfs_files(syslogd_t)
 	systemd_map_bootchart_tmpfs_files(syslogd_t)
+	systemd_read_logind_sessions_files(syslogd_t)
 ')
 
 optional_policy(`
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		/usr/libexec/power-profiles-daemon -- gen_context(system_u:object_r:powerprofiles_exec_t,s0)

		/var/lib/power-profiles-daemon(/.*)? gen_context(system_u:object_r:powerprofiles_var_lib_t,s0)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		## <summary>Power profiles handling over D-Bus</summary>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		/usr/libexec/switcheroo-control -- gen_context(system_u:object_r:switcheroo_control_exec_t,s0)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		## <summary>switcheroo: D-Bus service to check dual GPU availability</summary>