
Bug#1109173: unblock: refpolicy/2:2.20250213-8



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Reason ]
The main reason is to add new access required by updates to packages in
Trixie.

The secondary reason is to fix some syntax issues and make the Debian policy
more compatible with upstream.

[ Impact ]
Without this, things will break for people using dovecot, some configurations of mon and fwupd,
and systemd-logind could potentially suffer critical breakage.

Also this will avoid some potential problems for users who write their own
custom policy.

[ Tests ]
I have tested this extensively.

[ Risks ]
This just adds extra access so there is minimal risk.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock refpolicy/2:2.20250213-8


diff -Nru refpolicy-2.20250213/debian/changelog refpolicy-2.20250213/debian/changelog
--- refpolicy-2.20250213/debian/changelog	2025-06-03 20:58:37.000000000 +1000
+++ refpolicy-2.20250213/debian/changelog	2025-07-06 19:29:50.000000000 +1000
@@ -1,3 +1,19 @@
+refpolicy (2:2.20250213-8) unstable; urgency=medium
+
+  * Fix syntax errors
+  * Allow dovecot_auth_t to mape dovecot_runtime_t files
+  * Allow mon_net_test_t to run netutils
+  * removed unused interfaces fs_mounton_memory_pressure and
+    userdom_watch_user_ttys
+  * Remove systemd_logind_use_fds and use systemd_use_logind_fds instead
+  * Allow dhcpc_t to list resolved runtime dir and stat generic units files
+  * Allow systemd-logind and systemd-user-runtime-dir stat /proc as logind
+    failing to do so can cause difficult to diagnose dbus issues with
+    pam_login
+  * Allow fwupd to signal itself
+
+ -- Russell Coker <russell@coker.com.au>  Sun, 06 Jul 2025 19:29:50 +1000
+
 refpolicy (2:2.20250213-7) unstable; urgency=medium
 
   * Allow user systemd domains to list user tmp, watch root, read usr files,
diff -Nru refpolicy-2.20250213/debian/patches/0004-fwupd refpolicy-2.20250213/debian/patches/0004-fwupd
--- refpolicy-2.20250213/debian/patches/0004-fwupd	2025-04-10 17:34:01.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0004-fwupd	2025-06-14 14:51:49.000000000 +1000
@@ -53,9 +53,13 @@
 ===================================================================
 --- /dev/null
 +++ refpolicy-2.20250213/policy/modules/system/fwupd.te
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,261 @@
 +policy_module(fwupd)
 +
++gen_require(`
++	class dbus all_dbus_perms;
++')
++
 +########################################
 +#
 +# Policy for firmwate update daemon and utility
@@ -101,7 +105,7 @@
 +# sys_admin is for "FuPluginUefiCapsule  skipping device that failed coldplug: failed to read fw_class"
 +# linux_immutable is for setting /sys/firmware/efi/efivars/* as mutable
 +allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_admin };
-+allow fwupd_t self:fifo_file rw_file_perms;
++allow fwupd_t self:fifo_file rw_fifo_file_perms;
 +allow fwupd_t self:process getsched;
 +allow fwupd_t self:udp_socket { create connect getattr };
 +allow fwupd_t self:tcp_socket { create connect };
@@ -113,10 +117,10 @@
 +allow fwupd_t fwupd_conf_t:file { map read_file_perms };
 +
 +allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms };
-+allow fwupd_t fwupd_var_lib_t:file { manage_file_perms map };
++allow fwupd_t fwupd_var_lib_t:file mmap_manage_file_perms;
 +
 +allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms };
-+allow fwupd_t fwupd_cache_t:file { map manage_file_perms };
++allow fwupd_t fwupd_cache_t:file mmap_manage_file_perms;
 +
 +auth_use_pam_motd_dynamic(fwupd_t)
 +
@@ -245,7 +249,7 @@
 +#
 +
 +allow fwupdmgr_t self:process signal;
-+allow fwupdmgr_t self:fifo_file rw_file_perms;
++allow fwupdmgr_t self:fifo_file rw_fifo_file_perms;
 +
 +fs_tmpfs_filetrans(fwupdmgr_t, fwupdmgr_tmpfs_t, { file })
 +allow fwupdmgr_t fwupdmgr_tmpfs_t:file manage_file_perms;
@@ -465,7 +469,7 @@
 +	')
 +
 +	allow system_dbusd_t $1:fd use;
-+	allow system_dbusd_t $2:file { read write };
++	allow system_dbusd_t $2:file rw_inherited_file_perms;
 +')
 +
 +########################################
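Review bot: `rw_inherited_file_perms` is a wider set than the `{ read write }` it replaces (in refpolicy it also carries getattr, append, lock and ioctl, if I recall the permission-set definition correctly), so this is a grant change rather than the pure syntax fix the changelog files it under; the same holds for the `rw_dir_perms` swap in the last hunk of this file, which adds directory add_name/remove_name for `$1` on user_runtime_t. Both look intended, since the neighbouring lines already grant `manage_file_perms` on the files, but a one-line comment such as `# inherited dbus fd: getattr/lock are needed as well as read/write` above the rule, or a changelog wording that says "widen" instead of "fix syntax", would make the broadening visible to the next reviewer. The interfaces these rules belong to begin outside the hunks, so their names and parameter roles cannot be checked here.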
@@ -494,7 +498,7 @@
 +		type user_runtime_t;
 +	')
 +
-+	allow $1 user_runtime_t:dir rw_file_perms;
++	allow $1 user_runtime_t:dir rw_dir_perms;
 +	allow $1 user_runtime_t:file manage_file_perms;
 +	userdom_search_user_runtime_root($1)
 +')
diff -Nru refpolicy-2.20250213/debian/patches/0005-needrestart refpolicy-2.20250213/debian/patches/0005-needrestart
--- refpolicy-2.20250213/debian/patches/0005-needrestart	2025-05-25 15:33:29.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0005-needrestart	2025-06-13 20:01:15.000000000 +1000
@@ -108,7 +108,7 @@
 +allow needrestart_t self:capability { dac_read_search kill sys_ptrace sys_resource };
 +allow needrestart_t self:capability2 checkpoint_restore;
 +allow needrestart_t self:process { getcap signal setrlimit };
-+allow needrestart_t self:fifo_file rw_file_perms;
++allow needrestart_t self:fifo_file rw_fifo_file_perms;
 +
 +# for /proc/*/cwd etc
 +allow needrestart_t self:cap_userns sys_ptrace;
diff -Nru refpolicy-2.20250213/debian/patches/0005-opensnitch refpolicy-2.20250213/debian/patches/0005-opensnitch
--- refpolicy-2.20250213/debian/patches/0005-opensnitch	2025-05-24 16:39:23.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0005-opensnitch	2025-06-17 00:13:55.000000000 +1000
@@ -4,7 +4,7 @@
 +++ refpolicy-2.20250213/policy/modules/system/opensnitch.fc
 @@ -0,0 +1,3 @@
 +/usr/bin/opensnitchd		--	gen_context(system_u:object_r:opensnitchd_exec_t,s0)
-+/var/log/opensnitchd.log	--	gen_context(system_u:object_r:opensnitchd_log_t,s0)
++/var/log/opensnitchd\.log	--	gen_context(system_u:object_r:opensnitchd_log_t,s0)
 +/etc/opensnitchd(/.*)?			gen_context(system_u:object_r:opensnitchd_conf_t,s0)
 Index: refpolicy-2.20250213/policy/modules/system/opensnitch.if
 ===================================================================
diff -Nru refpolicy-2.20250213/debian/patches/0009-misc-kernel-system refpolicy-2.20250213/debian/patches/0009-misc-kernel-system
--- refpolicy-2.20250213/debian/patches/0009-misc-kernel-system	2025-04-09 23:22:58.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0009-misc-kernel-system	2025-06-22 13:59:21.000000000 +1000
@@ -479,7 +479,7 @@
 ===================================================================
 --- refpolicy-2.20250213.orig/policy/modules/system/sysnetwork.te
 +++ refpolicy-2.20250213/policy/modules/system/sysnetwork.te
-@@ -135,6 +135,7 @@ corenet_sendrecv_icmp_packets(dhcpc_t)
+@@ -136,6 +136,7 @@ corenet_sendrecv_icmp_packets(dhcpc_t)
  
  dev_read_sysfs(dhcpc_t)
  # for SSP:
@@ -487,7 +487,7 @@
  dev_read_urand(dhcpc_t)
  
  domain_use_interactive_fds(dhcpc_t)
-@@ -160,6 +161,7 @@ term_dontaudit_use_unallocated_ttys(dhcp
+@@ -161,6 +162,7 @@ term_dontaudit_use_unallocated_ttys(dhcp
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
  init_rw_utmp(dhcpc_t)
@@ -495,9 +495,9 @@
  
  logging_send_syslog_msg(dhcpc_t)
  
-@@ -188,6 +190,7 @@ ifdef(`init_systemd',`
- 	init_stream_connect(dhcpc_t)
+@@ -190,6 +192,7 @@ ifdef(`init_systemd',`
  	init_get_all_units_status(dhcpc_t)
+ 	init_getattr_generic_units_files(dhcpc_t)
  	init_search_units(dhcpc_t)
 +	systemd_read_networkd_runtime(dhcpc_t)
  
@@ -532,7 +532,7 @@
 ===================================================================
 --- refpolicy-2.20250213.orig/policy/modules/kernel/filesystem.if
 +++ refpolicy-2.20250213/policy/modules/kernel/filesystem.if
-@@ -2245,6 +2245,25 @@ interface(`fs_cifs_domtrans',`
+@@ -2227,6 +2227,25 @@ interface(`fs_cifs_domtrans',`
  ##	</summary>
  ## </param>
  #
diff -Nru refpolicy-2.20250213/debian/patches/0025-systemd refpolicy-2.20250213/debian/patches/0025-systemd
--- refpolicy-2.20250213/debian/patches/0025-systemd	2025-06-01 16:08:15.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0025-systemd	2025-06-22 13:46:13.000000000 +1000
@@ -877,7 +877,7 @@
  allow systemd_nspawn_t self:udp_socket create_socket_perms;
 -
 +allow systemd_nspawn_t self:tcp_socket create_stream_socket_perms;
-+allow systemd_nspawn_t self:fifo_file rw_file_perms;
++allow systemd_nspawn_t self:fifo_file rw_fifo_file_perms;
  allow systemd_nspawn_t systemd_journal_t:dir search;
  
  allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
@@ -1550,7 +1550,7 @@
  ')
  
 +optional_policy(`
-+	systemd_logind_use_fds(system_dbusd_t)
++	systemd_use_logind_fds(system_dbusd_t)
 +')
 +
  ########################################
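Review bot: Replacing `systemd_logind_use_fds(system_dbusd_t)` with `systemd_use_logind_fds(system_dbusd_t)` reverses the direction of the fd grant, so it is not a pure rename: the interface being removed (deleted in the newsystemd patch of this debdiff) granted `allow systemd_logind_t $1:fd use`, i.e. logind using the caller's descriptors, whereas the refpolicy naming of `systemd_use_logind_fds` implies the caller using logind's descriptors, the same shape as the `systemd_use_passwd_agent_fds` call in the next hunk. The upstream body is not visible here, so confirm it; if logind genuinely needed `use` on fds inherited from system_dbusd_t, unconfined_t, local_login_t or the `$1` of the newsystemd template, this change silently drops that access. The same swap appears in the next hunk of this file (unconfined_t), in 0028-misc (local_login_t) and in the first newsystemd hunk; the changelog line "Remove systemd_logind_use_fds and use systemd_use_logind_fds instead" would be clearer if it stated which direction of fd use was actually observed in the AVC denials.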
@@ -1717,7 +1717,7 @@
  	init_pgm_spec_user_daemon_domain(unconfined_t)
  	allow unconfined_t self:system { reload start status stop };
  
-+	systemd_logind_use_fds(unconfined_t)
++	systemd_use_logind_fds(unconfined_t)
 +	systemd_use_passwd_agent_fds(unconfined_t)
 +
  	optional_policy(`
diff -Nru refpolicy-2.20250213/debian/patches/0027-services refpolicy-2.20250213/debian/patches/0027-services
--- refpolicy-2.20250213/debian/patches/0027-services	2025-06-01 16:08:23.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0027-services	2025-06-22 13:39:42.000000000 +1000
@@ -480,6 +480,15 @@
 ===================================================================
 --- refpolicy-2.20250213.orig/policy/modules/services/dovecot.te
 +++ refpolicy-2.20250213/policy/modules/services/dovecot.te
+@@ -262,7 +262,7 @@ manage_files_pattern(dovecot_auth_t, dov
+ files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+ 
+ allow dovecot_auth_t dovecot_runtime_t:dir list_dir_perms;
+-allow dovecot_auth_t dovecot_runtime_t:file manage_file_perms;
++allow dovecot_auth_t dovecot_runtime_t:file mmap_manage_file_perms;
+ allow dovecot_auth_t dovecot_runtime_t:fifo_file write_fifo_file_perms;
+ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
+ 
 @@ -272,6 +272,8 @@ kernel_dontaudit_getattr_proc(dovecot_au
  
  kernel_getattr_proc(dovecot_auth_t)
@@ -584,7 +593,15 @@
  ########################################
  #
  # Local policy
-@@ -159,6 +165,10 @@ optional_policy(`
+@@ -143,6 +149,7 @@ auth_use_nsswitch(mon_net_test_t)
+ miscfiles_read_generic_certs(mon_net_test_t)
+ miscfiles_read_localization(mon_net_test_t)
+ 
++netutils_domtrans(mon_net_test_t)
+ netutils_domtrans_ping(mon_net_test_t)
+ 
+ sysnet_read_config(mon_net_test_t)
+@@ -159,6 +166,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(mon_net_test_t)
  ')
  
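Review bot: `netutils_domtrans(mon_net_test_t)` transitions the mon network tests into the general netutils_t domain, which in refpolicy hosts raw-socket tools such as tcpdump and nmap and carries the matching capabilities (from the netutils module, not visible here), so it is a much larger grant than the existing `netutils_domtrans_ping` on the line below it. If the test that needs this is traceroute-based, `netutils_domtrans_traceroute(mon_net_test_t)` would be the narrower choice; if it really executes a netutils_exec_t binary, a comment naming the test, e.g. `# for mon's <TEST NAME> test`, would let a later reviewer judge the scope. The changelog entry "Allow mon_net_test_t to run netutils" does not say which test triggered it.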
@@ -595,7 +612,7 @@
  ########################################
  #
  # Local policy
-@@ -169,7 +179,7 @@ optional_policy(`
+@@ -169,7 +180,7 @@ optional_policy(`
  #
  
  # sys_ptrace is for reading /proc/1/maps etc
@@ -604,7 +621,7 @@
  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
  allow mon_local_test_t self:process { getsched sigkill signal sigstop };
  allow mon_local_test_t self:cap_userns sys_ptrace;
-@@ -203,6 +213,7 @@ files_search_spool(mon_local_test_t)
+@@ -203,6 +214,7 @@ files_search_spool(mon_local_test_t)
  files_list_boot(mon_local_test_t)
  
  fs_search_auto_mountpoints(mon_local_test_t)
@@ -612,7 +629,7 @@
  fs_getattr_nfs(mon_local_test_t)
  fs_getattr_xattr_fs(mon_local_test_t)
  fs_list_cgroup_dirs(mon_local_test_t)
-@@ -242,6 +253,11 @@ sysnet_read_config(mon_local_test_t)
+@@ -242,6 +254,11 @@ sysnet_read_config(mon_local_test_t)
  userdom_dontaudit_read_user_tmpfs_files(mon_local_test_t)
  
  optional_policy(`
@@ -1906,7 +1923,7 @@
  allow eg25manager_t self:tcp_socket { connect create getattr getopt read setopt write };
  allow eg25manager_t self:udp_socket { connect create getattr read setopt write };
  allow eg25manager_t self:unix_dgram_socket { create write };
-+allow eg25manager_t self:fifo_file rw_file_perms;
++allow eg25manager_t self:fifo_file rw_fifo_file_perms;
  
  files_tmp_filetrans(eg25manager_t, eg25manager_tmp_t, { file })
  allow eg25manager_t eg25manager_tmp_t:file manage_file_perms;
diff -Nru refpolicy-2.20250213/debian/patches/0028-misc refpolicy-2.20250213/debian/patches/0028-misc
--- refpolicy-2.20250213/debian/patches/0028-misc	2025-06-01 16:08:28.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0028-misc	2025-06-22 13:46:15.000000000 +1000
@@ -1473,7 +1473,7 @@
  
  optional_policy(`
  	systemd_dbus_chat_logind(local_login_t)
-+	systemd_logind_use_fds(local_login_t)
++	systemd_use_logind_fds(local_login_t)
  	systemd_write_inherited_logind_sessions_pipes(local_login_t)
  ')
  
diff -Nru refpolicy-2.20250213/debian/patches/kea refpolicy-2.20250213/debian/patches/kea
--- refpolicy-2.20250213/debian/patches/kea	2025-05-25 15:36:58.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/kea	2025-06-22 13:58:40.000000000 +1000
@@ -94,3 +94,16 @@
  
  allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
  read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -187,10 +188,12 @@ ifdef(`init_systemd',`
+ 	init_read_state(dhcpc_t)
+ 	init_stream_connect(dhcpc_t)
+ 	init_get_all_units_status(dhcpc_t)
++	init_getattr_generic_units_files(dhcpc_t)
+ 	init_search_units(dhcpc_t)
+ 
+ 	optional_policy(`
+ 		systemd_dbus_chat_resolved(dhcpc_t)
++		systemd_list_resolved_runtime_dir(dhcpc_t)
+ 	')
+ ')
+ 
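Review bot: The `init_getattr_generic_units_files(dhcpc_t)` line this hunk adds is what the refreshed context in 0009-misc-kernel-system's sysnetwork.te hunk now expects to find, so the two patches only apply cleanly if `kea` precedes `0009-misc-kernel-system` in debian/patches/series; the series hunk in this debdiff shows only the tail of the file, so that ordering cannot be confirmed from here. Neither `init_getattr_generic_units_files` nor `systemd_list_resolved_runtime_dir` is defined in any hunk of this debdiff, so both presumably come from upstream refpolicy or an earlier Debian patch; worth a quick check that the module build (not just a quilt apply) was part of the testing mentioned in the request. A short comment such as `# resolved runtime dir: dhclient hook reads resolv.conf state there` would document why the listing access is needed, since the changelog only says it is allowed.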
diff -Nru refpolicy-2.20250213/debian/patches/newsystemd refpolicy-2.20250213/debian/patches/newsystemd
--- refpolicy-2.20250213/debian/patches/newsystemd	2025-01-22 11:28:45.000000000 +1100
+++ refpolicy-2.20250213/debian/patches/newsystemd	2025-06-22 13:45:11.000000000 +1000
@@ -6,7 +6,7 @@
  	systemd_connect_machined($1)
  	systemd_dbus_chat_logind($1)
  	systemd_read_logind_state($1)
-+	systemd_logind_use_fds($1)
++	systemd_use_logind_fds($1)
  
  	# to read /etc/machine-id
  	files_read_etc_runtime_files($1)
@@ -23,64 +23,6 @@
  		systemd_read_logind_runtime_files(xdm_t)
  	')
  ')
-Index: refpolicy-2.20250122/policy/modules/system/systemd.if
-===================================================================
---- refpolicy-2.20250122.orig/policy/modules/system/systemd.if
-+++ refpolicy-2.20250122/policy/modules/system/systemd.if
-@@ -1405,6 +1405,24 @@ interface(`systemd_use_logind_fds',`
- 
- ######################################
- ## <summary>
-+##   Allow systemd-logind to use fds received from dbus
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`systemd_logind_use_fds',`
-+	gen_require(`
-+		type systemd_logind_t;
-+	')
-+
-+	allow systemd_logind_t $1:fd use;
-+')
-+
-+######################################
-+## <summary>
- ##      Watch logind sessions dirs.
- ## </summary>
- ## <param name="domain">
-Index: refpolicy-2.20250122/policy/modules/kernel/filesystem.if
-===================================================================
---- refpolicy-2.20250122.orig/policy/modules/kernel/filesystem.if
-+++ refpolicy-2.20250122/policy/modules/kernel/filesystem.if
-@@ -1364,6 +1364,24 @@ interface(`fs_watch_memory_pressure',`
- 
- ########################################
- ## <summary>
-+##      Allow mounting a file ovr a memory.pressure file
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Source domain
-+##      </summary>
-+## </param>
-+#
-+interface(`fs_mounton_memory_pressure',`
-+	gen_require(`
-+		type memory_pressure_t;
-+	')
-+
-+	allow $1 memory_pressure_t:file mounton;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to read
- ##	dirs on a CIFS or SMB filesystem.
- ## </summary>
 Index: refpolicy-2.20250122/policy/modules/system/locallogin.te
 ===================================================================
 --- refpolicy-2.20250122.orig/policy/modules/system/locallogin.te
@@ -104,35 +46,6 @@
  
  	systemd_connect_machined(local_login_t)
  	systemd_dbus_chat_logind(local_login_t)
-Index: refpolicy-2.20250122/policy/modules/system/userdomain.if
-===================================================================
---- refpolicy-2.20250122.orig/policy/modules/system/userdomain.if
-+++ refpolicy-2.20250122/policy/modules/system/userdomain.if
-@@ -4276,6 +4276,24 @@ interface(`userdom_dontaudit_setattr_use
- 
- ########################################
- ## <summary>
-+##	watch a user domain tty.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_watch_user_ttys',`
-+	gen_require(`
-+		type user_tty_device_t;
-+	')
-+
-+	allow $1 user_tty_device_t:chr_file watch;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write a user domain tty.
- ## </summary>
- ## <param name="domain">
 Index: refpolicy-2.20250122/policy/modules/system/systemd.te
 ===================================================================
 --- refpolicy-2.20250122.orig/policy/modules/system/systemd.te
diff -Nru refpolicy-2.20250213/debian/patches/series refpolicy-2.20250213/debian/patches/series
--- refpolicy-2.20250213/debian/patches/series	2025-05-17 17:50:19.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/series	2025-06-30 22:33:20.000000000 +1000
@@ -21,3 +21,4 @@
 3000-bookworm
 4000-bubblewrap
 5000-buildfail
+trixie
diff -Nru refpolicy-2.20250213/debian/patches/trixie refpolicy-2.20250213/debian/patches/trixie
--- refpolicy-2.20250213/debian/patches/trixie	1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/trixie	2025-07-06 19:29:50.000000000 +1000
@@ -0,0 +1,80 @@
+Index: refpolicy-2.20250213/policy/modules/services/dovecot.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dovecot.te
++++ refpolicy-2.20250213/policy/modules/services/dovecot.te
+@@ -113,7 +113,7 @@ allow dovecot_t dovecot_cert_t:lnk_file
+ allow dovecot_t dovecot_keytab_t:file read_file_perms;
+ 
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+-manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
++mmap_manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+ 
+ manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+@@ -130,7 +130,7 @@ mmap_manage_files_pattern(dovecot_t, dov
+ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ 
+ manage_dirs_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+-manage_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
++mmap_manage_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+ manage_sock_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+ manage_fifo_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+Index: refpolicy-2.20250213/policy/modules/services/mailman.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/mailman.te
++++ refpolicy-2.20250213/policy/modules/services/mailman.te
+@@ -297,7 +297,7 @@ allow mailman_queue_t mailman_queue_tmpf
+ 
+ kernel_read_network_state(mailman_queue_t)
+ kernel_read_system_state(mailman_queue_t)
+-kernel_search_vm_sysctl(mailman_queue_t)
++kernel_read_vm_overcommit_sysctl(mailman_queue_t)
+ 
+ auth_domtrans_chk_passwd(mailman_queue_t)
+ 
+Index: refpolicy-2.20250213/policy/modules/services/jabber.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/jabber.fc
++++ refpolicy-2.20250213/policy/modules/services/jabber.fc
+@@ -29,4 +29,4 @@
+ 
+ /run/ejabber\.pid	--	gen_context(system_u:object_r:jabberd_runtime_t,s0)
+ /run/jabber\.pid	--	gen_context(system_u:object_r:jabberd_runtime_t,s0)
+-/run/prosody(/.*)?	--	gen_context(system_u:object_r:jabberd_runtime_t,s0)
++/run/prosody(/.*)?		gen_context(system_u:object_r:jabberd_runtime_t,s0)
+Index: refpolicy-2.20250213/policy/modules/system/fwupd.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/fwupd.te
++++ refpolicy-2.20250213/policy/modules/system/fwupd.te
+@@ -50,7 +50,7 @@ dontaudit fwupd_t self:capability net_ad
+ # linux_immutable is for setting /sys/firmware/efi/efivars/* as mutable
+ allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_admin };
+ allow fwupd_t self:fifo_file rw_fifo_file_perms;
+-allow fwupd_t self:process getsched;
++allow fwupd_t self:process { getsched signal };
+ allow fwupd_t self:udp_socket { create connect getattr };
+ allow fwupd_t self:tcp_socket { create connect };
+ allow fwupd_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
+Index: refpolicy-2.20250213/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20250213/policy/modules/system/systemd.te
+@@ -1106,7 +1106,7 @@ allow systemd_logind_t systemd_sessions_
+ 
+ stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
+ 
+-kernel_dontaudit_getattr_proc(systemd_logind_t)
++kernel_getattr_proc(systemd_logind_t)
+ kernel_read_kernel_sysctls(systemd_logind_t)
+ 
+ dev_getattr_dma_dev(systemd_logind_t)
+@@ -2494,7 +2494,7 @@ fs_getattr_xattr_fs(systemd_user_runtime
+ fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
+ 
+ kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+-kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
++kernel_getattr_proc(systemd_user_runtime_dir_t)
+ 
+ selinux_use_status_page(systemd_user_runtime_dir_t)
+ 
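Review bot: The new `trixie` patch is a catch-all that touches dovecot, mailman, jabber, fwupd and systemd in one file, while the same debdiff still maintains per-topic patches (0004-fwupd, 0025-systemd, 0027-services) for those modules; folding each hunk into its topic patch would keep the series readable, and it matters for fwupd in particular because the fwupd.te hunk here edits a file that 0004-fwupd creates, so `trixie` must stay after it in series (it is appended last, which is correct today). The jabber.fc change is a real fix, not just syntax: with the `--` type field `/run/prosody(/.*)?` could only ever label regular files, so the directory itself and any sockets in it were left unlabelled. The two `kernel_dontaudit_getattr_proc` → `kernel_getattr_proc` swaps for logind and user-runtime-dir are justified in the changelog but not in the policy; a comment like `# needed or pam_login dbus calls fail with hard-to-diagnose errors` next to each rule would preserve that reasoning in the file.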

