commit: 82dbbae293b2fe9a7a5f85590ea17dc1916ee529 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Thu Jan 28 22:13:57 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 1 01:21:42 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82dbbae2 |
|
Work with xdg module disabled |
|
These two cases I see when building on a system without graphical interface. |
Move userdom_xdg_user_template into optional block |
gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/apps/gpg.te | 6 ++++-- |
policy/modules/system/userdomain.if | 8 +++++--- |
2 files changed, 9 insertions(+), 5 deletions(-) |
|
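--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -359,8 +359,6 @@ miscfiles_read_localization(gpg_pinentry_t)
 
 userdom_use_user_terminals(gpg_pinentry_t)
 
-xdg_read_data_files(gpg_pinentry_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(gpg_pinentry_t)
 ')
@@ -382,6 +380,10 @@ optional_policy(`
 	pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
 ')
 
+optional_policy(`
+	xdg_read_data_files(gpg_pinentry_t)
+')
+
 optional_policy(`
 	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
 ')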
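Review bot: The new optional_policy block around xdg_read_data_files in the second hunk carries no comment saying why the call became optional, whereas the counterpart block in userdomain.if keeps its explanatory comment; the reason (the xdg module is absent on headless builds) lives only in the commit message. A one-line comment such as `# xdg may be absent on headless builds; pinentry only needs its data files` above the block would keep that rationale in the policy itself. The first hunk, which drops the unconditional call, is the other half of the same move and needs nothing further. Behaviourally the wrapper keeps the existing read access whenever xdg is loaded and simply omits the rule otherwise, and the block lands ahead of the xserver block, consistent with the alphabetical ordering the neighbouring optional_policy blocks appear to follow.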
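--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1194,9 +1194,6 @@ template(`userdom_unpriv_user_template', `
 		fs_exec_noxattr($1_t)
 	')
 
-	# Allow users to manage xdg content in their home directories
-	userdom_xdg_user_template($1)
-
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
@@ -1239,6 +1236,11 @@ template(`userdom_unpriv_user_template', `
 		systemd_write_inherited_logind_inhibit_pipes($1_t)
 	')
 
+	# Allow users to manage xdg content in their home directories
+	optional_policy(`
+		userdom_xdg_user_template($1)
+	')
+
 	# Allow controlling usbguard
 	optional_policy(`
 		tunable_policy(`usbguard_user_modify_rule_files',`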
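Review bot: The relocated optional_policy block in the second hunk wraps userdom_xdg_user_template, an interface of this same module rather than of xdg, so a reader cannot tell from the new lines which module's absence makes the block optional; presumably the template expands xdg_* interfaces internally and that is what fails on headless builds. I would extend the moved comment to name the dependency, e.g. `# Allow users to manage xdg content in their home directories (needs the xdg module)`. The block now sits between the systemd and usbguard blocks; if the surrounding optional_policy blocks are kept in alphabetical order of the module they depend on, an xdg-dependent block would belong after the usbguard one. On builds where xdg is absent, unprivileged user domains now silently lose the xdg home-directory rules, which is the intended effect here but is worth a line in the template's interface documentation. The enclosing userdom_unpriv_user_template starts before the first hunk and continues past the last.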