From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1734221959.6c435b57b87b1fbae154d1a76963d6802415fe9b.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.if policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 6c435b57b87b1fbae154d1a76963d6802415fe9b
X-VCS-Branch: master
Date: Sun, 15 Dec 2024 00:30:15 +0000 (UTC)

commit:     6c435b57b87b1fbae154d1a76963d6802415fe9b
Author:     Dave Sugar gmail com>
AuthorDate: Mon Nov 18 16:29:28 2024 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c435b57

Communicate with locale via dbus

node=localhost type=USER_AVC msg=audit(1731946583.709:17143): pid=962 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=system_u:system_r:script_t:s0 tcontext=system_u:system_r:systemd_locale_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'␝UID="dbus" AUID="unset" SAUID="dbus"

Clean up some denials seen for systemd_locale_t

node=localhost type=AVC msg=audit(1731946409.877:15089): avc: denied { read } for pid=6038 comm="systemd-localed" name="language-fallback-map" dev="dm-0" ino=287302 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15089): avc: denied { open } for pid=6038 comm="systemd-localed" path="/usr/share/systemd/language-fallback-map" dev="dm-0" ino=287302 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15090): avc: denied { getattr } for pid=6038 comm="systemd-localed" path="/usr/share/systemd/language-fallback-map" dev="dm-0" ino=287302 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.885:15092): avc: denied { ioctl } for pid=6038 comm="systemd-localed" path="/usr/share/systemd/language-fallback-map" dev="dm-0" ino=287302 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15086): avc: denied { search } for pid=6038 comm="systemd-localed" name="locale" dev="dm-0" ino=264167 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15086): avc: denied { read } for pid=6038 comm="systemd-localed" name="locale-archive.real" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15086): avc: denied { open } for pid=6038 comm="systemd-localed" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15087): avc: denied { getattr } for pid=6038 comm="systemd-localed" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15088): avc: denied { map } for pid=6038 comm="systemd-localed" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar gmail.com>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 38984fb65..0d97cf0cd 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -1521,6 +1521,27 @@ interface(`systemd_signull_logind',` allow $1 systemd_logind_t:process signull; ') +######################################## +## +## Send and receive messages from +## systemd locale over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_dbus_chat_locale',` + gen_require(` + type systemd_locale_t; + class dbus send_msg; + ') + + allow $1 systemd_locale_t:dbus send_msg; + allow systemd_locale_t $1:dbus send_msg; +') + ######################################## ## ## List the contents of systemd userdb runtime directories.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index fb8260715..309f99ae4 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -888,12 +888,15 @@ miscfiles_read_localization(systemd_journal_init_t) kernel_read_kernel_sysctls(systemd_locale_t) files_read_etc_files(systemd_locale_t) +files_read_usr_files(systemd_locale_t) fs_getattr_all_fs(systemd_locale_t) fs_search_cgroup_dirs(systemd_locale_t) init_stream_connect(systemd_locale_t) +miscfiles_read_localization(systemd_locale_t) + selinux_use_status_page(systemd_locale_t) seutil_read_file_contexts(systemd_locale_t)
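Review bot: The new `systemd_dbus_chat_locale` interface in the systemd.if hunk has no caller anywhere in this commit, so the `script_t` -> `systemd_locale_t` `send_msg` denial quoted at the top of the commit message is not actually closed by this patch; either add the call (for example `systemd_dbus_chat_locale(script_t)` inside an `optional_policy` block in the module that owns `script_t`) or state in the commit message that the caller lands in a follow-up. The body itself is fine: it requires the type and `class dbus send_msg` and grants the symmetric pair of `send_msg` allows that a D-Bus method call plus reply needs, which is the usual refpolicy dbus chat shape.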
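Review bot: `miscfiles_read_localization(systemd_locale_t)` in the systemd.te hunk has to cover the `map` permission on `/usr/lib/locale/locale-archive` that the last AVC in the commit message reports; please confirm that the interface grants `locale_t:file map` in this tree, because a read-only interface does not always include `map`, and without it systemd-localed will still be denied when glibc mmaps the archive once the domain is enforcing. The `files_read_usr_files(systemd_locale_t)` line does cover the read/open/getattr/ioctl denials on `/usr/share/systemd/language-fallback-map` (`ioctlcmd=0x5401` is TCGETS, which is inside refpolicy's read file permission set), so that half of the hunk looks complete.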