* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
@ 2015-05-22 19:32 Jason Zaman
From: Jason Zaman @ 2015-05-22 19:32 UTC
To: gentoo-commits
commit: 10c63ed8138317cf7a362ca1102290d37ad6def7
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri May 22 12:38:53 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10c63ed8
Module version bump for updated netlink sockets from Stephen Smalley
policy/modules/admin/netutils.te | 2 +-
policy/modules/system/iptables.te | 2 +-
policy/modules/system/netlabel.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/udev.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 1c64781..b8169a8 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.14.0)
+policy_module(netutils, 1.14.1)
########################################
#
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 1ad1046..fc97f63 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.15.0)
+policy_module(iptables, 1.15.1)
########################################
#
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index f6d14b1..b396893 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -1,4 +1,4 @@
-policy_module(netlabel, 1.3.0)
+policy_module(netlabel, 1.3.1)
########################################
#
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b922597..7a7b479 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.17.1)
+policy_module(sysnetwork, 1.17.2)
########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e7c7f9f..a9a2296 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.18.0)
+policy_module(udev, 1.18.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
@ 2017-02-27 10:50 Jason Zaman
From: Jason Zaman @ 2017-02-27 10:50 UTC
To: gentoo-commits
commit: 0895cfaab9cc3c372810ab7d3b47c12066c74e74
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 11:10:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0895cfaa
su: some adjustments
* systemd fixes
* remove unused attribute su_domain_type
* remove hide_broken_symptoms sections
* dontaudit init_t proc files access
* dontaudit net_admin capability due to setsockopt
policy/modules/admin/su.if | 20 +++++---------------
policy/modules/admin/su.te | 2 --
policy/modules/system/init.if | 20 ++++++++++++++++++++
3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4a434b84..cd137d59 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -1,4 +1,4 @@
-## <summary>Run shells with substitute user and group</summary>
+## <summary>Run shells with substitute user and group.</summary>
#######################################
## <summary>
@@ -100,11 +100,6 @@ template(`su_restricted_domain_template', `
')
')
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $2:socket_class_set { read write };
- ')
-
optional_policy(`
cron_read_pipes($1_su_t)
')
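Review bot: dropping the hide_broken_symptoms dontaudit on `$1_su_t $2:socket_class_set { read write }` means socket descriptors leaked into su from the parent domain will now show up as AVC denials instead of being silently suppressed; that matches the stated intent, but the commit message should say that the expected fix for those denials is the parent domain closing its descriptors before exec, not re-adding a dontaudit here.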
@@ -148,12 +143,10 @@ template(`su_restricted_domain_template', `
#
template(`su_role_template',`
gen_require(`
- attribute su_domain_type;
type su_exec_t;
- bool secure_mode;
')
- type $1_su_t, su_domain_type;
+ type $1_su_t;
userdom_user_application_domain($1_su_t, su_exec_t)
domain_interactive_fd($1_su_t)
role $2 types $1_su_t;
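Review bot: the gen_require drops `bool secure_mode` but nothing in this hunk removes a use of it; if any tunable_policy(`secure_mode', ...) block remains in su_role_template, the declaration check fails at build time, so confirm there are no remaining references (the hunk context is too short to show them). The `su_domain_type` removal is consistent with the su.te hunk in the same patch.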
@@ -161,7 +154,7 @@ template(`su_role_template',`
allow $3 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
- dontaudit $1_su_t self:capability sys_tty_config;
+ dontaudit $1_su_t self:capability { net_admin sys_tty_config };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
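Review bot: the added `dontaudit $1_su_t self:capability { net_admin sys_tty_config }` silences a capability denial with no comment explaining it; the commit message says it comes from setsockopt, so put that reason into the policy above the rule, for example `# net_admin: checked by setsockopt(), su works without it`, so a later reader does not mistake the suppressed denial for a missing allow rule.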
@@ -197,6 +190,7 @@ template(`su_role_template',`
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+ auth_use_pam_systemd($1_su_t)
corecmd_search_bin($1_su_t)
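Review bot: `auth_use_pam_systemd($1_su_t)` is added as a bare call rather than inside an optional_policy block, which is only safe while the interface wraps its dbus and systemd calls in optional_policy itself; the follow-up commit in this thread moves that optional_policy out of the interface to the callers, so this call site has to be wrapped then. Adding the optional_policy here now would make the call site self-describing and avoid the churn.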
@@ -208,6 +202,7 @@ template(`su_role_template',`
files_dontaudit_getattr_tmp_dirs($1_su_t)
init_dontaudit_use_fds($1_su_t)
+ init_dontaudit_read_state($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
@@ -232,11 +227,6 @@ template(`su_role_template',`
')
')
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $3:socket_class_set { read write };
- ')
-
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index e5537697..1264d7a6 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -5,7 +5,5 @@ policy_module(su, 1.14.1)
# Declarations
#
-attribute su_domain_type;
-
type su_exec_t;
corecmd_executable_file(su_exec_t)
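Review bot: removing `attribute su_domain_type` from su.te is a public-symbol change; any module whose gen_require names su_domain_type stops building, so grep the whole policy tree, contrib modules included, for the attribute before merging. Removing a genuinely unused attribute is otherwise a good cleanup.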
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6de0a2d7..6a067ab2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1695,6 +1695,26 @@ interface(`init_read_state',`
########################################
## <summary>
+## Dontaudit read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_state',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:dir search_dir_perms;
+ dontaudit $1 init_t:file read_file_perms;
+ dontaudit $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Ptrace init
## </summary>
## <param name="domain">
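Review bot: the summary of the new `init_dontaudit_read_state` interface reads "Dontaudit read the process state (/proc/pid) of init.", whereas the refpolicy wording for dontaudit interfaces is "Do not audit attempts to read ..."; match the phrasing used by the other init_dontaudit_* interfaces in this file. The rules themselves (dir search, file read, lnk_file read on init_t) mirror what the `init_read_state` interface directly above grants, which is the right shape for suppressing the /proc/1 probing noise from su.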
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
In reply to: 2017-02-27 11:40 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/admin/ Jason Zaman
@ 2017-02-27 10:50 Jason Zaman
From: Jason Zaman @ 2017-02-27 10:50 UTC
To: gentoo-commits
commit: f45e0db0dcd22534c2ab32160e56e10795010ebf
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 26 17:08:02 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f45e0db0
auth: Move optional out of auth_use_pam_systemd() to callers.
policy/modules/admin/su.if | 5 ++++-
policy/modules/system/authlogin.if | 6 ++----
policy/modules/system/selinuxutil.te | 5 ++++-
3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index cd137d59..8e21b217 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -190,7 +190,6 @@ template(`su_role_template',`
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
- auth_use_pam_systemd($1_su_t)
corecmd_search_bin($1_su_t)
@@ -227,6 +226,10 @@ template(`su_role_template',`
')
')
+ optional_policy(`
+ auth_use_pam_systemd($1_su_t)
+ ')
+
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index fb92132d..2b70d124 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -100,10 +100,8 @@ interface(`auth_use_pam',`
## </param>
#
interface(`auth_use_pam_systemd',`
- optional_policy(`
- dbus_system_bus_client($1)
- systemd_dbus_chat_logind($1)
- ')
+ dbus_system_bus_client($1)
+ systemd_dbus_chat_logind($1)
')
########################################
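Review bot: with the optional_policy removed from `auth_use_pam_systemd`, the interface now calls `dbus_system_bus_client($1)` and `systemd_dbus_chat_logind($1)` unconditionally, so every caller must wrap the call in optional_policy or the build fails when the dbus or systemd module is absent; the interface documentation above this hunk should state that requirement. Also confirm that every caller is updated in this commit; the diffstat lists only su.if and selinuxutil.te.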
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 5f624126..931d8591 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -283,7 +283,6 @@ auth_use_nsswitch(newrole_t)
auth_run_chk_passwd(newrole_t, newrole_roles)
auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t)
-auth_use_pam_systemd(newrole_t)
# Write to utmp.
init_rw_utmp(newrole_t)
@@ -313,6 +312,10 @@ ifdef(`init_systemd',`
')
optional_policy(`
+ auth_use_pam_systemd(newrole_t)
+')
+
+optional_policy(`
dbus_system_bus_client(newrole_t)
optional_policy(`
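Review bot: the new optional_policy block calling `auth_use_pam_systemd(newrole_t)` sits directly above an existing block that already calls `dbus_system_bus_client(newrole_t)`, and auth_use_pam_systemd itself calls dbus_system_bus_client (see the authlogin.if hunk), so the dbus client rules are now granted to newrole_t twice. Harmless, but merging the two into one optional_policy block would keep the dbus dependency in one place.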
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
To: gentoo-commits
commit: 4266a333c75861d4030687bafa5e26606230abbf
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 12 00:57:05 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4266a333
systemd, udev, usermanage: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/admin/usermanage.te | 2 +-
policy/modules/system/systemd.te | 2 +-
policy/modules/system/udev.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d8ba89e6..f9a224a1 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.22.0)
+policy_module(usermanage, 1.22.1)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 25e9550d..07529a5d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.7.3)
+policy_module(systemd, 1.7.4)
#########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f6a9d652..8149ea9a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.25.0)
+policy_module(udev, 1.25.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
@ 2021-03-22 0:21 Jason Zaman
From: Jason Zaman @ 2021-03-22 0:21 UTC
To: gentoo-commits
commit: 9c2a5171c53779f30d0cd3a89668809045277af1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 15 08:31:09 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 22:07:35 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c2a5171
systemd: Add elogind support
Elogind is based off systemd-logind extracted to stand alone.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/sudo.if | 2 ++
policy/modules/system/authlogin.if | 5 +++++
policy/modules/system/systemd.fc | 5 +++++
policy/modules/system/systemd.te | 29 ++++++++++++++++++++++++++++-
4 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 51bc9343..eada7c28 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,8 @@ template(`sudo_role_template',`
optional_policy(`
dbus_system_bus_client($1_sudo_t)
+ systemd_dbus_chat_logind($1_sudo_t)
+ systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
ifdef(`init_systemd',`
init_dbus_chat($1_sudo_t)
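Review bot: `systemd_dbus_chat_logind($1_sudo_t)` and `systemd_write_inherited_logind_sessions_pipes($1_sudo_t)` are added to the optional_policy block that begins with `dbus_system_bus_client($1_sudo_t)`, so on a build without the systemd module the whole block, including the dbus client access, is dropped. Put the two systemd_* calls in their own optional_policy block, as the authlogin.if hunk in this same commit does, so the dbus rules survive independently.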
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 753a7735..e807f91f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -67,6 +67,11 @@ interface(`auth_use_pam',`
optional_policy(`
fprintd_dbus_chat($1)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1)
+ systemd_write_inherited_logind_sessions_pipes($1)
+ ')
')
optional_policy(`
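Review bot: adding `systemd_dbus_chat_logind($1)` and `systemd_write_inherited_logind_sessions_pipes($1)` to `auth_use_pam` grants logind D-Bus chat and the session-pipe write to every PAM-using domain, not only to those that call auth_use_pam_systemd; that is what elogind on a non-systemd init needs, but it widens the reach of the logind bus interface and should be stated in the commit message. It also overlaps with auth_use_pam_systemd for domains that call both, which is worth a follow-up cleanup.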
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 7de7e677..67e81209 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,10 @@
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/usr/lib/elogind/elogind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-cgroups-agent -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-uaccess-command -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+
# Systemd generators
/usr/lib/systemd/system-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
/usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
@@ -71,6 +75,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/elogind\.pid -- gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/user/%{USERID}/systemd -d gen_context(system_u:object_r:systemd_user_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5b5b07a..8a294661 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -144,6 +144,9 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
type systemd_logind_t;
type systemd_logind_exec_t;
+optional_policy(`
+ dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
+')
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
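Review bot: `dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)` is added beside the existing `init_daemon_domain` call for the same type pair without a comment; two domain-creating interfaces on one type look like a copy-paste error to a reader who does not know about elogind. If the reason is that elogind can be started by D-Bus activation when there is no systemd to socket-activate it (presumably the case, the commit message does not say), put that reason in a comment above the optional_policy block.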
@@ -154,6 +157,7 @@ init_mountpoint(systemd_logind_inhibit_runtime_t)
type systemd_logind_runtime_t alias systemd_logind_var_run_t;
files_runtime_file(systemd_logind_runtime_t)
init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_daemon_runtime_file(systemd_logind_runtime_t, file, "elogind.pid")
init_mountpoint(systemd_logind_runtime_t)
type systemd_logind_var_lib_t;
@@ -585,7 +589,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
# Logind local policy
#
-allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
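Review bot: `fsetid` and `sys_resource` are added to the systemd_logind_t capability set without a comment on which elogind operation requires them; since systemd-logind runs in the same domain, this widens the privilege of both daemons. Add a comment naming the call or the AVC denial that motivated each, or use a dontaudit instead if the call succeeds without the capability.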
@@ -597,6 +601,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
+files_runtime_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
+
+create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
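Review bot: `files_runtime_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)` has no filename argument, so any file logind creates directly under /run gets systemd_logind_runtime_t; the earlier hunk already declares the name "elogind.pid" via init_daemon_runtime_file, so passing that name here as well keeps the transition name-based and avoids mislabelling other files logind may drop in /run. The `create_dirs_pattern` into systemd_machined_runtime_t also deserves a comment on why logind creates machined directories.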
@@ -612,6 +619,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
kernel_read_kernel_sysctls(systemd_logind_t)
+auth_write_login_records(systemd_logind_t)
+
dev_getattr_dri_dev(systemd_logind_t)
dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
@@ -631,9 +640,12 @@ dev_setattr_video_dev(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
+files_purge_tmp(systemd_logind_t)
files_search_runtime(systemd_logind_t)
fs_getattr_cgroup(systemd_logind_t)
+fs_manage_cgroup_dirs(systemd_logind_t)
+fs_manage_cgroup_files(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_getattr_tmpfs_dirs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
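Review bot: `files_purge_tmp` and `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` are broad grants (deleting anything in tmp, full management of the cgroup filesystem) added without a comment; if they serve elogind's own cgroup tracking when no systemd manages cgroups, say so in the policy, because the same rules also apply to systemd-logind in this domain, which is more than it needs.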
@@ -643,6 +655,8 @@ fs_read_efivarfs_files(systemd_logind_t)
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)
+logging_send_audit_msgs(systemd_logind_t)
+
selinux_use_status_page(systemd_logind_t)
storage_getattr_removable_dev(systemd_logind_t)
@@ -656,6 +670,7 @@ term_use_unallocated_ttys(systemd_logind_t)
auth_manage_faillog(systemd_logind_t)
auth_use_nsswitch(systemd_logind_t)
+init_create_runtime_dirs(systemd_logind_t)
init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
init_get_system_status(systemd_logind_t)
@@ -702,6 +717,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(systemd_logind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(systemd_logind_t)
+')
+
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -742,6 +765,10 @@ optional_policy(`
policykit_dbus_chat(systemd_logind_t)
')
+optional_policy(`
+ shutdown_domtrans(systemd_logind_t)
+')
+
optional_policy(`
xserver_read_state(systemd_logind_t)
xserver_dbus_chat(systemd_logind_t)
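Review bot: `shutdown_domtrans(systemd_logind_t)` lets logind execute the shutdown tool in shutdown_t; a comment stating that this is the elogind path for poweroff and reboot on a non-systemd init would explain why the transition is needed when systemd-logind instead requests shutdown from systemd over D-Bus.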
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
@ 2024-12-15 0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15 0:30 UTC
To: gentoo-commits
commit: 90a1d9d4ed373333ffbd6519e5dab72505cfd504
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Tue Nov 19 22:41:17 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90a1d9d4
mozilla adds .mozilla directory to /etc/skel which useradd tries to copy
When the copy fails it stops copying any other files.
node=asdf type=AVC msg=audit(1731544222.421:251876): avc: denied { create } for pid=14952 comm="useradd" name=".mozilla" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=0
node=asdf type=AVC msg=audit(1731545219.731:272250): avc: denied { create } for pid=19939 comm="useradd" name=".mozilla" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.731:272251): avc: denied { setattr } for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { search } for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { write } for pid=19939 comm="useradd" name=".mozilla" dev="dm-7" ino=1703938 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272255): avc: denied { add_name } for pid=19939 comm="useradd" name="extensions" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272262): avc: denied { create } for pid=19939 comm="useradd" name="plugins" scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1
node=asdf type=AVC msg=audit(1731545219.732:272263): avc: denied { setattr } for pid=19939 comm="useradd" name="plugins" dev="dm-7" ino=1703940 scontext=system_u:system_r:useradd_t:s0 tcontext=user_u:object_r:mozilla_plugin_home_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/usermanage.te | 3 ++
policy/modules/system/userdomain.if | 62 +++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 6be3f2aaa..606ef8acf 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -551,10 +551,13 @@ seutil_run_setfiles(useradd_t, useradd_roles)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
+userdom_create_all_user_home_dirs(useradd_t)
+userdom_create_all_user_home_files(useradd_t)
userdom_manage_user_home_dirs(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
userdom_manage_user_home_content_dirs(useradd_t)
userdom_manage_user_home_content_files(useradd_t)
+userdom_write_all_user_home_files(useradd_t)
userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
optional_policy(`
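Review bot: `userdom_create_all_user_home_dirs`, `userdom_create_all_user_home_files` and `userdom_write_all_user_home_files` give useradd_t create, setattr and write over every user_home_content_type, which is what copying /etc/skel content such as .mozilla into a new home requires, but it is broader than the existing user_home_t-only rules just above them. A comment next to the three calls that references the skel copy (the AVC lines in the commit message) would record why the wide grant is needed.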
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bb293dc61..aaa7718e6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2144,6 +2144,68 @@ interface(`userdom_manage_user_home_content_dirs',`
files_search_home($1)
')
+########################################
+## <summary>
+## Create all user home content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_all_user_home_dirs',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_dir_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ create_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+ setattr_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
+## Create all user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_all_user_home_files',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_dir_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ create_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+ setattr_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
+## Write all user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_user_home_files',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_dir_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ write_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
########################################
## <summary>
## Delete all user home content directories.
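Review bot: the summaries of `userdom_create_all_user_home_dirs` and `userdom_create_all_user_home_files` say "Create ..." but each interface also grants setattr via setattr_dirs_pattern/setattr_files_pattern; document that, since callers choosing between the create and manage interfaces rely on the summary. Also, the neighbouring `userdom_manage_user_home_content_dirs` (visible at the top of the hunk) ends with `files_search_home($1)` while the three new interfaces rely on `userdom_search_user_home_dirs($1)` alone; verify that the latter already covers the search on the home root so useradd does not hit a search denial before it reaches the user home directory.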