[DSE-Dev] new policy package soon

Russell Coker russell at coker.com.au
Sat Dec 31 16:57:56 UTC 2016

I've attached the temporary policy file I'm working with in addition to what's 
in git.  This allows full desktop operation with xdm and kdm but on my main 
test system gdm3 and sddm don't work for unknown reasons (which may not be due 
to SE Linux).

Hopefully I'll have it all sorted out in 24 hours or so.

My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

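# Temporary local policy carried alongside the git tree while desktop login
# under systemd is being sorted out (logind, polkit, D-Bus, the systemd
# password agent, sshd, ntpd).  Every allow rule below is an explicit
# privilege grant, so each one carries its reason; the rules still marked
# "why do we need this?" have no justification yet and should be explained
# or dropped before this goes into the package.
#
# Note: list_dir_perms / read_file_perms are refpolicy permission-set macros,
# so this file expects to be run through the refpolicy m4 build.  The object
# classes used below (filesystem, chr_file, dir, file, sock_file, fd) are not
# listed in the require block; that is fine when the module is built inside
# the refpolicy tree, which declares them globally, but a standalone
# checkmodule build would need them required as well.

require {
	type systemd_tmpfiles_t;
	type null_device_t;
	type systemd_unit_t;
	type ntpd_t;
	type initrc_lock_t;
	class service { reload status };
	type system_dbusd_var_lib_t;
	type unconfined_t, systemd_passwd_agent_t, sshd_t;
	type tty_device_t;
	type policykit_t, systemd_machined_var_run_t, initrc_t;
	type system_dbusd_t, systemd_logind_t, user_runtime_t;
	type systemd_machined_t, user_runtime_root_t, systemd_sessions_var_run_t;
	class dbus send_msg;
	# systemd_passwd_agent_t was previously listed a second time here;
	# one require is enough.
	type local_login_t, xserver_t, dri_device_t, event_device_t, wireless_device_t;
	type console_device_t, devpts_t;
	# NOTE(review): null_device_t, systemd_unit_t, systemd_machined_t,
	# systemd_sessions_var_run_t and class service are required but no rule
	# in this file uses them - harmless, but left-overs from earlier drafts.
}
# The require block above was not closed before the first allow rule in the
# working copy; checkmodule rejects a module with an unterminated require.

# Let console_device_t inodes be associated with the devpts_t filesystem.
# The auditallow produces an audit record every time the permission is
# exercised, so whether it is really needed can be confirmed from the log.
allow console_device_t devpts_t:filesystem associate;
auditallow console_device_t devpts_t:filesystem associate;

# logind reads and changes attributes on wireless device nodes - presumably
# ownership handover at session switch; TODO confirm from the denials.
allow systemd_logind_t wireless_device_t:chr_file { setattr getattr };

# why do we need this access to /dev/dri/card0?
# NOTE(review): full open/read/write/ioctl on the GPU device is a lot for a
# message bus daemon.  Worth checking which process is actually running as
# system_dbusd_t when the denial appears - a child that failed to transition
# to its own domain would show up under this type.
allow systemd_logind_t dri_device_t:chr_file { ioctl open read write };
allow system_dbusd_t dri_device_t:chr_file { ioctl open read write };

# why do we need this?
# NOTE(review): read/write on input event devices from the D-Bus daemon is
# unexplained; same check as for dri_device_t applies.
allow system_dbusd_t event_device_t:chr_file { ioctl open read write };

# Directory traversal only (search, not read/list) through the user runtime
# tree - presumably /run/user and /run/user/<uid>; verify against the labels.
allow local_login_t user_runtime_root_t:dir search;
allow local_login_t user_runtime_t:dir search;

# polkit lists machined's runtime directory (list_dir_perms = refpolicy macro).
allow policykit_t systemd_machined_var_run_t:dir list_dir_perms;

# for ntpdate to access /run/lock/ntpdate
allow ntpd_t initrc_lock_t:file { read write };

# tmpfiles traverses the D-Bus /var/lib directory.
allow systemd_tmpfiles_t system_dbusd_var_lib_t:dir search;

# The password agent keeps using file descriptors inherited from sshd_t
# (agent started from an ssh session).  fd:use only covers the inherited
# descriptor itself; access to whatever it refers to is still checked
# against the agent's own rules.
allow systemd_passwd_agent_t sshd_t:fd use;

# for auth_login_pgm_domain
allow sshd_t user_runtime_root_t:dir search;
allow sshd_t user_runtime_t:dir search;

# maybe allow switching vt
allow systemd_passwd_agent_t tty_device_t:chr_file { read write };

# logind changes attributes (ownership/mode) of ttys.
allow systemd_logind_t tty_device_t:chr_file setattr;

# logind manages the per-user runtime directory: it may give objects the
# user_runtime_t label (relabelto only - relabelfrom is not granted here, so
# taking that label off again is not covered by this file) and remove files
# and sockets in it.
allow systemd_logind_t user_runtime_t:dir relabelto;
allow systemd_logind_t user_runtime_t:file unlink;
allow systemd_logind_t user_runtime_t:sock_file unlink;

# for cgroup file
# NOTE(review): unconfined_t as a target type here is the process domain, i.e.
# in refpolicy the /proc/<pid> entries of unconfined processes.  read_file_perms
# grants read on everything carrying that label, which is broader than the
# single cgroup file the comment mentions; confirm whether a narrower grant
# (or the refpolicy interface for reading domain state) is the better fit.
allow systemd_logind_t unconfined_t:dir search;
allow systemd_logind_t unconfined_t:file read_file_perms;

# D-Bus message flow.  send_msg is one direction per rule: logind <-> polkit
# is granted both ways (request and reply), while unconfined_t, xserver_t and
# initrc_t are only allowed as recipients here, so any reply path back to the
# sender has to come from rules elsewhere in the policy (presumably the git
# tree) - verify that those exist or the calls will fail on the reply.
allow policykit_t unconfined_t:dbus send_msg;
allow systemd_logind_t policykit_t:dbus send_msg;
allow policykit_t systemd_logind_t:dbus send_msg;
allow systemd_logind_t xserver_t:dbus send_msg;
allow systemd_logind_t initrc_t:dbus send_msg;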
