| 1 |
commit: 82dbbae293b2fe9a7a5f85590ea17dc1916ee529 |
| 2 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
| 3 |
AuthorDate: Thu Jan 28 22:13:57 2021 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Feb 1 01:21:42 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82dbbae2 |
| 7 |
|
| 8 |
Work with xdg module disabled |
| 9 |
|
| 10 |
These two cases I see when building on a system without graphical interface. |
| 11 |
Move userdom_xdg_user_template into optional block |
| 12 |
gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block |
| 13 |
|
| 14 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
| 15 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 16 |
|
| 17 |
policy/modules/apps/gpg.te | 6 ++++-- |
| 18 |
policy/modules/system/userdomain.if | 8 +++++--- |
| 19 |
2 files changed, 9 insertions(+), 5 deletions(-) |
| 20 |
|
| 21 |
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te |
| 22 |
index cfdb685a..376e1a9f 100644 |
| 23 |
--- a/policy/modules/apps/gpg.te |
| 24 |
+++ b/policy/modules/apps/gpg.te |
| 25 |
@@ -359,8 +359,6 @@ miscfiles_read_localization(gpg_pinentry_t) |
| 26 |
|
| 27 |
userdom_use_user_terminals(gpg_pinentry_t) |
| 28 |
|
| 29 |
-xdg_read_data_files(gpg_pinentry_t) |
| 30 |
- |
| 31 |
tunable_policy(`use_nfs_home_dirs',` |
| 32 |
fs_read_nfs_files(gpg_pinentry_t) |
| 33 |
') |
| 34 |
@@ -382,6 +380,10 @@ optional_policy(` |
| 35 |
pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) |
| 36 |
') |
| 37 |
|
| 38 |
+optional_policy(` |
| 39 |
+ xdg_read_data_files(gpg_pinentry_t) |
| 40 |
+') |
| 41 |
+ |
| 42 |
optional_policy(` |
| 43 |
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) |
| 44 |
') |
| 45 |
|
| 46 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
| 47 |
index 01135696..e14bdc01 100644 |
| 48 |
--- a/policy/modules/system/userdomain.if |
| 49 |
+++ b/policy/modules/system/userdomain.if |
| 50 |
@@ -1194,9 +1194,6 @@ template(`userdom_unpriv_user_template', ` |
| 51 |
fs_exec_noxattr($1_t) |
| 52 |
') |
| 53 |
|
| 54 |
- # Allow users to manage xdg content in their home directories |
| 55 |
- userdom_xdg_user_template($1) |
| 56 |
- |
| 57 |
# Allow users to run TCP servers (bind to ports and accept connection from |
| 58 |
# the same domain and outside users) disabling this forces FTP passive mode |
| 59 |
# and may change other protocols |
| 60 |
@@ -1239,6 +1236,11 @@ template(`userdom_unpriv_user_template', ` |
| 61 |
systemd_write_inherited_logind_inhibit_pipes($1_t) |
| 62 |
') |
| 63 |
|
| 64 |
+ # Allow users to manage xdg content in their home directories |
| 65 |
+ optional_policy(` |
| 66 |
+ userdom_xdg_user_template($1) |
| 67 |
+ ') |
| 68 |
+ |
| 69 |
# Allow controlling usbguard |
| 70 |
optional_policy(` |
| 71 |
tunable_policy(`usbguard_user_modify_rule_files',` |
Archives