Bug#1109173: unblock: refpolicy/2:2.20250213-8
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package refpolicy
(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)
[ Reason ]
The main reason is to add new access required by updates to packages in
Trixie.
The secondary reason is to fix some syntax issues and make the Debian policy
more compatible with upstream.
[ Impact ]
Not having this will break things for people using dovecot, some configurations
of mon, fwupd, and potentially cause some critical breakage in systemd-logind.
Also this will avoid some potential problems for users who write their own
custom policy.
[ Tests ]
I have tested this extensively.
[ Risks ]
This just adds extra access so there is minimal risk.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock refpolicy/2:2.20250213-8
diff -Nru refpolicy-2.20250213/debian/changelog refpolicy-2.20250213/debian/changelog
--- refpolicy-2.20250213/debian/changelog 2025-06-03 20:58:37.000000000 +1000
+++ refpolicy-2.20250213/debian/changelog 2025-07-06 19:29:50.000000000 +1000
@@ -1,3 +1,19 @@
+refpolicy (2:2.20250213-8) unstable; urgency=medium
+
+ * Fix syntax errors
+ * Allow dovecot_auth_t to mape dovecot_runtime_t files
+ * Allow mon_net_test_t to run netutils
+ * removed unused interfaces fs_mounton_memory_pressure and
+ userdom_watch_user_ttys
+ * Remove systemd_logind_use_fds and use systemd_use_logind_fds instead
+ * Allow dhcpc_t to list resolved runtime dir and stat generic units files
+ * Allow systemd-logind and systemd-user-runtime-dir stat /proc as logind
+ failing to do so can cause difficult to diagnose dbus issues with
+ pam_login
+ * Allow fwupd to signal itself
+
+ -- Russell Coker <russell@coker.com.au> Sun, 06 Jul 2025 19:29:50 +1000
+
refpolicy (2:2.20250213-7) unstable; urgency=medium
* Allow user systemd domains to list user tmp, watch root, read usr files,
diff -Nru refpolicy-2.20250213/debian/patches/0004-fwupd refpolicy-2.20250213/debian/patches/0004-fwupd
--- refpolicy-2.20250213/debian/patches/0004-fwupd 2025-04-10 17:34:01.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0004-fwupd 2025-06-14 14:51:49.000000000 +1000
@@ -53,9 +53,13 @@
===================================================================
--- /dev/null
+++ refpolicy-2.20250213/policy/modules/system/fwupd.te
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,261 @@
+policy_module(fwupd)
+
++gen_require(`
++ class dbus all_dbus_perms;
++')
++
+########################################
+#
+# Policy for firmwate update daemon and utility
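Review bot: The new module-scope `gen_require(` class dbus all_dbus_perms; ')` at the top of fwupd.te carries no comment saying which rule needs it; in refpolicy the class requirement is normally supplied by the `dbus_*` interface that grants the access, so a bare require at module scope presumably means fwupd.te has direct `:dbus` allow rules, and a one-line comment such as `# class dbus is used directly by rules in this module, not only via dbus_* interfaces` would make that explicit. If only `send_msg` is used, requiring `send_msg` rather than `all_dbus_perms` would document the real dependency. The rest of the module header and the rules that use the class are outside this hunk.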
@@ -101,7 +105,7 @@
+# sys_admin is for "FuPluginUefiCapsule skipping device that failed coldplug: failed to read fw_class"
+# linux_immutable is for setting /sys/firmware/efi/efivars/* as mutable
+allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_admin };
-+allow fwupd_t self:fifo_file rw_file_perms;
++allow fwupd_t self:fifo_file rw_fifo_file_perms;
+allow fwupd_t self:process getsched;
+allow fwupd_t self:udp_socket { create connect getattr };
+allow fwupd_t self:tcp_socket { create connect };
@@ -113,10 +117,10 @@
+allow fwupd_t fwupd_conf_t:file { map read_file_perms };
+
+allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms };
-+allow fwupd_t fwupd_var_lib_t:file { manage_file_perms map };
++allow fwupd_t fwupd_var_lib_t:file mmap_manage_file_perms;
+
+allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms };
-+allow fwupd_t fwupd_cache_t:file { map manage_file_perms };
++allow fwupd_t fwupd_cache_t:file mmap_manage_file_perms;
+
+auth_use_pam_motd_dynamic(fwupd_t)
+
@@ -245,7 +249,7 @@
+#
+
+allow fwupdmgr_t self:process signal;
-+allow fwupdmgr_t self:fifo_file rw_file_perms;
++allow fwupdmgr_t self:fifo_file rw_fifo_file_perms;
+
+fs_tmpfs_filetrans(fwupdmgr_t, fwupdmgr_tmpfs_t, { file })
+allow fwupdmgr_t fwupdmgr_tmpfs_t:file manage_file_perms;
@@ -465,7 +469,7 @@
+ ')
+
+ allow system_dbusd_t $1:fd use;
-+ allow system_dbusd_t $2:file { read write };
++ allow system_dbusd_t $2:file rw_inherited_file_perms;
+')
+
+########################################
@@ -494,7 +498,7 @@
+ type user_runtime_t;
+ ')
+
-+ allow $1 user_runtime_t:dir rw_file_perms;
++ allow $1 user_runtime_t:dir rw_dir_perms;
+ allow $1 user_runtime_t:file manage_file_perms;
+ userdom_search_user_runtime_root($1)
+')
diff -Nru refpolicy-2.20250213/debian/patches/0005-needrestart refpolicy-2.20250213/debian/patches/0005-needrestart
--- refpolicy-2.20250213/debian/patches/0005-needrestart 2025-05-25 15:33:29.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0005-needrestart 2025-06-13 20:01:15.000000000 +1000
@@ -108,7 +108,7 @@
+allow needrestart_t self:capability { dac_read_search kill sys_ptrace sys_resource };
+allow needrestart_t self:capability2 checkpoint_restore;
+allow needrestart_t self:process { getcap signal setrlimit };
-+allow needrestart_t self:fifo_file rw_file_perms;
++allow needrestart_t self:fifo_file rw_fifo_file_perms;
+
+# for /proc/*/cwd etc
+allow needrestart_t self:cap_userns sys_ptrace;
diff -Nru refpolicy-2.20250213/debian/patches/0005-opensnitch refpolicy-2.20250213/debian/patches/0005-opensnitch
--- refpolicy-2.20250213/debian/patches/0005-opensnitch 2025-05-24 16:39:23.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0005-opensnitch 2025-06-17 00:13:55.000000000 +1000
@@ -4,7 +4,7 @@
+++ refpolicy-2.20250213/policy/modules/system/opensnitch.fc
@@ -0,0 +1,3 @@
+/usr/bin/opensnitchd -- gen_context(system_u:object_r:opensnitchd_exec_t,s0)
-+/var/log/opensnitchd.log -- gen_context(system_u:object_r:opensnitchd_log_t,s0)
++/var/log/opensnitchd\.log -- gen_context(system_u:object_r:opensnitchd_log_t,s0)
+/etc/opensnitchd(/.*)? gen_context(system_u:object_r:opensnitchd_conf_t,s0)
Index: refpolicy-2.20250213/policy/modules/system/opensnitch.if
===================================================================
diff -Nru refpolicy-2.20250213/debian/patches/0009-misc-kernel-system refpolicy-2.20250213/debian/patches/0009-misc-kernel-system
--- refpolicy-2.20250213/debian/patches/0009-misc-kernel-system 2025-04-09 23:22:58.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0009-misc-kernel-system 2025-06-22 13:59:21.000000000 +1000
@@ -479,7 +479,7 @@
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20250213/policy/modules/system/sysnetwork.te
-@@ -135,6 +135,7 @@ corenet_sendrecv_icmp_packets(dhcpc_t)
+@@ -136,6 +136,7 @@ corenet_sendrecv_icmp_packets(dhcpc_t)
dev_read_sysfs(dhcpc_t)
# for SSP:
@@ -487,7 +487,7 @@
dev_read_urand(dhcpc_t)
domain_use_interactive_fds(dhcpc_t)
-@@ -160,6 +161,7 @@ term_dontaudit_use_unallocated_ttys(dhcp
+@@ -161,6 +162,7 @@ term_dontaudit_use_unallocated_ttys(dhcp
term_dontaudit_use_generic_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
@@ -495,9 +495,9 @@
logging_send_syslog_msg(dhcpc_t)
-@@ -188,6 +190,7 @@ ifdef(`init_systemd',`
- init_stream_connect(dhcpc_t)
+@@ -190,6 +192,7 @@ ifdef(`init_systemd',`
init_get_all_units_status(dhcpc_t)
+ init_getattr_generic_units_files(dhcpc_t)
init_search_units(dhcpc_t)
+ systemd_read_networkd_runtime(dhcpc_t)
@@ -532,7 +532,7 @@
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20250213/policy/modules/kernel/filesystem.if
-@@ -2245,6 +2245,25 @@ interface(`fs_cifs_domtrans',`
+@@ -2227,6 +2227,25 @@ interface(`fs_cifs_domtrans',`
## </summary>
## </param>
#
diff -Nru refpolicy-2.20250213/debian/patches/0025-systemd refpolicy-2.20250213/debian/patches/0025-systemd
--- refpolicy-2.20250213/debian/patches/0025-systemd 2025-06-01 16:08:15.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0025-systemd 2025-06-22 13:46:13.000000000 +1000
@@ -877,7 +877,7 @@
allow systemd_nspawn_t self:udp_socket create_socket_perms;
-
+allow systemd_nspawn_t self:tcp_socket create_stream_socket_perms;
-+allow systemd_nspawn_t self:fifo_file rw_file_perms;
++allow systemd_nspawn_t self:fifo_file rw_fifo_file_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
@@ -1550,7 +1550,7 @@
')
+optional_policy(`
-+ systemd_logind_use_fds(system_dbusd_t)
++ systemd_use_logind_fds(system_dbusd_t)
+')
+
########################################
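Review bot: `systemd_use_logind_fds(system_dbusd_t)` is not a direction-preserving replacement for `systemd_logind_use_fds(system_dbusd_t)`: the interface this upload deletes (in the newsystemd patch later in this debdiff) granted `allow systemd_logind_t $1:fd use;`, i.e. logind using the caller's descriptors, whereas the upstream interface, judging by its name and by refpolicy's `*_use_*_fds` convention, grants the reverse `allow $1 systemd_logind_t:fd use;`. The same substitution is made for unconfined_t in the next hunk of this patch, for local_login_t in 0028-misc and for `$1` in newsystemd, so this note covers those hunks too. If the logind-to-caller direction was genuinely unused the change is fine, but it is a removal of access rather than the syntax/compatibility fix the changelog describes, so it is worth confirming on a logind-heavy login path that no `denied { use }` entries with scontext systemd_logind_t appear for these domains, and saying in the changelog that the old direction was dropped deliberately.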
@@ -1717,7 +1717,7 @@
init_pgm_spec_user_daemon_domain(unconfined_t)
allow unconfined_t self:system { reload start status stop };
-+ systemd_logind_use_fds(unconfined_t)
++ systemd_use_logind_fds(unconfined_t)
+ systemd_use_passwd_agent_fds(unconfined_t)
+
optional_policy(`
diff -Nru refpolicy-2.20250213/debian/patches/0027-services refpolicy-2.20250213/debian/patches/0027-services
--- refpolicy-2.20250213/debian/patches/0027-services 2025-06-01 16:08:23.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0027-services 2025-06-22 13:39:42.000000000 +1000
@@ -480,6 +480,15 @@
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20250213/policy/modules/services/dovecot.te
+@@ -262,7 +262,7 @@ manage_files_pattern(dovecot_auth_t, dov
+ files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+ allow dovecot_auth_t dovecot_runtime_t:dir list_dir_perms;
+-allow dovecot_auth_t dovecot_runtime_t:file manage_file_perms;
++allow dovecot_auth_t dovecot_runtime_t:file mmap_manage_file_perms;
+ allow dovecot_auth_t dovecot_runtime_t:fifo_file write_fifo_file_perms;
+ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
+
@@ -272,6 +272,8 @@ kernel_dontaudit_getattr_proc(dovecot_au
kernel_getattr_proc(dovecot_auth_t)
@@ -584,7 +593,15 @@
########################################
#
# Local policy
-@@ -159,6 +165,10 @@ optional_policy(`
+@@ -143,6 +149,7 @@ auth_use_nsswitch(mon_net_test_t)
+ miscfiles_read_generic_certs(mon_net_test_t)
+ miscfiles_read_localization(mon_net_test_t)
+
++netutils_domtrans(mon_net_test_t)
+ netutils_domtrans_ping(mon_net_test_t)
+
+ sysnet_read_config(mon_net_test_t)
+@@ -159,6 +166,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(mon_net_test_t)
')
@@ -595,7 +612,7 @@
########################################
#
# Local policy
-@@ -169,7 +179,7 @@ optional_policy(`
+@@ -169,7 +180,7 @@ optional_policy(`
#
# sys_ptrace is for reading /proc/1/maps etc
@@ -604,7 +621,7 @@
allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
allow mon_local_test_t self:process { getsched sigkill signal sigstop };
allow mon_local_test_t self:cap_userns sys_ptrace;
-@@ -203,6 +213,7 @@ files_search_spool(mon_local_test_t)
+@@ -203,6 +214,7 @@ files_search_spool(mon_local_test_t)
files_list_boot(mon_local_test_t)
fs_search_auto_mountpoints(mon_local_test_t)
@@ -612,7 +629,7 @@
fs_getattr_nfs(mon_local_test_t)
fs_getattr_xattr_fs(mon_local_test_t)
fs_list_cgroup_dirs(mon_local_test_t)
-@@ -242,6 +253,11 @@ sysnet_read_config(mon_local_test_t)
+@@ -242,6 +254,11 @@ sysnet_read_config(mon_local_test_t)
userdom_dontaudit_read_user_tmpfs_files(mon_local_test_t)
optional_policy(`
@@ -1906,7 +1923,7 @@
allow eg25manager_t self:tcp_socket { connect create getattr getopt read setopt write };
allow eg25manager_t self:udp_socket { connect create getattr read setopt write };
allow eg25manager_t self:unix_dgram_socket { create write };
-+allow eg25manager_t self:fifo_file rw_file_perms;
++allow eg25manager_t self:fifo_file rw_fifo_file_perms;
files_tmp_filetrans(eg25manager_t, eg25manager_tmp_t, { file })
allow eg25manager_t eg25manager_tmp_t:file manage_file_perms;
diff -Nru refpolicy-2.20250213/debian/patches/0028-misc refpolicy-2.20250213/debian/patches/0028-misc
--- refpolicy-2.20250213/debian/patches/0028-misc 2025-06-01 16:08:28.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/0028-misc 2025-06-22 13:46:15.000000000 +1000
@@ -1473,7 +1473,7 @@
optional_policy(`
systemd_dbus_chat_logind(local_login_t)
-+ systemd_logind_use_fds(local_login_t)
++ systemd_use_logind_fds(local_login_t)
systemd_write_inherited_logind_sessions_pipes(local_login_t)
')
diff -Nru refpolicy-2.20250213/debian/patches/kea refpolicy-2.20250213/debian/patches/kea
--- refpolicy-2.20250213/debian/patches/kea 2025-05-25 15:36:58.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/kea 2025-06-22 13:58:40.000000000 +1000
@@ -94,3 +94,16 @@
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -187,10 +188,12 @@ ifdef(`init_systemd',`
+ init_read_state(dhcpc_t)
+ init_stream_connect(dhcpc_t)
+ init_get_all_units_status(dhcpc_t)
++ init_getattr_generic_units_files(dhcpc_t)
+ init_search_units(dhcpc_t)
+
+ optional_policy(`
+ systemd_dbus_chat_resolved(dhcpc_t)
++ systemd_list_resolved_runtime_dir(dhcpc_t)
+ ')
+ ')
+
diff -Nru refpolicy-2.20250213/debian/patches/newsystemd refpolicy-2.20250213/debian/patches/newsystemd
--- refpolicy-2.20250213/debian/patches/newsystemd 2025-01-22 11:28:45.000000000 +1100
+++ refpolicy-2.20250213/debian/patches/newsystemd 2025-06-22 13:45:11.000000000 +1000
@@ -6,7 +6,7 @@
systemd_connect_machined($1)
systemd_dbus_chat_logind($1)
systemd_read_logind_state($1)
-+ systemd_logind_use_fds($1)
++ systemd_use_logind_fds($1)
# to read /etc/machine-id
files_read_etc_runtime_files($1)
@@ -23,64 +23,6 @@
systemd_read_logind_runtime_files(xdm_t)
')
')
-Index: refpolicy-2.20250122/policy/modules/system/systemd.if
-===================================================================
---- refpolicy-2.20250122.orig/policy/modules/system/systemd.if
-+++ refpolicy-2.20250122/policy/modules/system/systemd.if
-@@ -1405,6 +1405,24 @@ interface(`systemd_use_logind_fds',`
-
- ######################################
- ## <summary>
-+## Allow systemd-logind to use fds received from dbus
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_logind_use_fds',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow systemd_logind_t $1:fd use;
-+')
-+
-+######################################
-+## <summary>
- ## Watch logind sessions dirs.
- ## </summary>
- ## <param name="domain">
-Index: refpolicy-2.20250122/policy/modules/kernel/filesystem.if
-===================================================================
---- refpolicy-2.20250122.orig/policy/modules/kernel/filesystem.if
-+++ refpolicy-2.20250122/policy/modules/kernel/filesystem.if
-@@ -1364,6 +1364,24 @@ interface(`fs_watch_memory_pressure',`
-
- ########################################
- ## <summary>
-+## Allow mounting a file ovr a memory.pressure file
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Source domain
-+## </summary>
-+## </param>
-+#
-+interface(`fs_mounton_memory_pressure',`
-+ gen_require(`
-+ type memory_pressure_t;
-+ ')
-+
-+ allow $1 memory_pressure_t:file mounton;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to read
- ## dirs on a CIFS or SMB filesystem.
- ## </summary>
Index: refpolicy-2.20250122/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20250122.orig/policy/modules/system/locallogin.te
@@ -104,35 +46,6 @@
systemd_connect_machined(local_login_t)
systemd_dbus_chat_logind(local_login_t)
-Index: refpolicy-2.20250122/policy/modules/system/userdomain.if
-===================================================================
---- refpolicy-2.20250122.orig/policy/modules/system/userdomain.if
-+++ refpolicy-2.20250122/policy/modules/system/userdomain.if
-@@ -4276,6 +4276,24 @@ interface(`userdom_dontaudit_setattr_use
-
- ########################################
- ## <summary>
-+## watch a user domain tty.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_watch_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file watch;
-+')
-+
-+########################################
-+## <summary>
- ## Read and write a user domain tty.
- ## </summary>
- ## <param name="domain">
Index: refpolicy-2.20250122/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20250122.orig/policy/modules/system/systemd.te
diff -Nru refpolicy-2.20250213/debian/patches/series refpolicy-2.20250213/debian/patches/series
--- refpolicy-2.20250213/debian/patches/series 2025-05-17 17:50:19.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/series 2025-06-30 22:33:20.000000000 +1000
@@ -21,3 +21,4 @@
3000-bookworm
4000-bubblewrap
5000-buildfail
+trixie
diff -Nru refpolicy-2.20250213/debian/patches/trixie refpolicy-2.20250213/debian/patches/trixie
--- refpolicy-2.20250213/debian/patches/trixie 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20250213/debian/patches/trixie 2025-07-06 19:29:50.000000000 +1000
@@ -0,0 +1,80 @@
+Index: refpolicy-2.20250213/policy/modules/services/dovecot.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/dovecot.te
++++ refpolicy-2.20250213/policy/modules/services/dovecot.te
+@@ -113,7 +113,7 @@ allow dovecot_t dovecot_cert_t:lnk_file
+ allow dovecot_t dovecot_keytab_t:file read_file_perms;
+
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+-manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
++mmap_manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+
+ manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+@@ -130,7 +130,7 @@ mmap_manage_files_pattern(dovecot_t, dov
+ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
+ manage_dirs_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+-manage_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
++mmap_manage_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+ manage_sock_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+ manage_fifo_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+Index: refpolicy-2.20250213/policy/modules/services/mailman.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/mailman.te
++++ refpolicy-2.20250213/policy/modules/services/mailman.te
+@@ -297,7 +297,7 @@ allow mailman_queue_t mailman_queue_tmpf
+
+ kernel_read_network_state(mailman_queue_t)
+ kernel_read_system_state(mailman_queue_t)
+-kernel_search_vm_sysctl(mailman_queue_t)
++kernel_read_vm_overcommit_sysctl(mailman_queue_t)
+
+ auth_domtrans_chk_passwd(mailman_queue_t)
+
+Index: refpolicy-2.20250213/policy/modules/services/jabber.fc
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/services/jabber.fc
++++ refpolicy-2.20250213/policy/modules/services/jabber.fc
+@@ -29,4 +29,4 @@
+
+ /run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_runtime_t,s0)
+ /run/jabber\.pid -- gen_context(system_u:object_r:jabberd_runtime_t,s0)
+-/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_runtime_t,s0)
++/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_runtime_t,s0)
+Index: refpolicy-2.20250213/policy/modules/system/fwupd.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/fwupd.te
++++ refpolicy-2.20250213/policy/modules/system/fwupd.te
+@@ -50,7 +50,7 @@ dontaudit fwupd_t self:capability net_ad
+ # linux_immutable is for setting /sys/firmware/efi/efivars/* as mutable
+ allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_admin };
+ allow fwupd_t self:fifo_file rw_fifo_file_perms;
+-allow fwupd_t self:process getsched;
++allow fwupd_t self:process { getsched signal };
+ allow fwupd_t self:udp_socket { create connect getattr };
+ allow fwupd_t self:tcp_socket { create connect };
+ allow fwupd_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
+Index: refpolicy-2.20250213/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20250213.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20250213/policy/modules/system/systemd.te
+@@ -1106,7 +1106,7 @@ allow systemd_logind_t systemd_sessions_
+
+ stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
+
+-kernel_dontaudit_getattr_proc(systemd_logind_t)
++kernel_getattr_proc(systemd_logind_t)
+ kernel_read_kernel_sysctls(systemd_logind_t)
+
+ dev_getattr_dma_dev(systemd_logind_t)
+@@ -2494,7 +2494,7 @@ fs_getattr_xattr_fs(systemd_user_runtime
+ fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
+
+ kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+-kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
++kernel_getattr_proc(systemd_user_runtime_dir_t)
+
+ selinux_use_status_page(systemd_user_runtime_dir_t)
+
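Review bot: The -8 changelog entry does not cover everything this new patch does: besides the listed dovecot_auth_t, fwupd signal and logind /proc changes it also gives dovecot_t `map` on its tmp and runtime files (`mmap_manage_files_pattern`), replaces `kernel_search_vm_sysctl(mailman_queue_t)` with `kernel_read_vm_overcommit_sysctl(mailman_queue_t)`, and drops the `--` file-type qualifier from `/run/prosody(/.*)?` in jabber.fc so the pattern can also label the directory itself. The jabber.fc and mailman changes are behaviour changes worth a changelog line each, since the former changes what `restorecon` relabels and the latter turns directory search into read access on the overcommit sysctl. The fwupd.te hunk here edits a file that only exists once 0004-fwupd (also touched by this upload) has applied; folding the `{ getsched signal }` line into 0004-fwupd would avoid a patch whose validity depends on series order.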