Subject: [PATCH 2/2 v1]: Allow speech-dispatcherd.service

systemctl start speech-dispatcherd.service, the following AVC denial occurs: 240:type=AVC msg=audit(1714149641.308:1054): avc: denied { execute } for pid=6921 comm=speech-dispatch name=bash dev=dm-0 ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 241:type=AVC msg=audit(1714149641.308:1055): avc: denied { name_connect } for pid=6909 comm=speech-dispatch dest=59125 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0 244:type=AVC msg=audit(1714149641.313:1058): avc: denied { execute_no_trans } for pid=6924 comm=speech-dispatch path=/usr/lib64/speech-dispatcher-modules/sd_cicero dev=dm-0 ino=34460340 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0 Related discussion: fedora-selinux#2100 Signed-off-by: gordonwwang <[email protected]>
gordonwwang · Apr 28, 2024 · 0fc3c53 · 0fc3c53
1 parent ae3088d
commit 0fc3c53
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/policy/modules/contrib/speech-dispatcher.fc b/policy/modules/contrib/speech-dispatcher.fc
@@ -3,5 +3,6 @@ HOME_DIR/\.cache/speech-dispatcher(/.*)?	gen_context(system_u:object_r:speech_di
 /usr/bin/speech-dispatcher		--	gen_context(system_u:object_r:speech_dispatcher_exec_t,s0)
 
 /usr/lib/systemd/system/speech-dispatcherd.service		--	gen_context(system_u:object_r:speech_dispatcher_unit_file_t,s0)
+/usr/lib/speech-dispatcher-modules(/.*)?    gen_context(system_u:object_r:speech_dispatcher_modules_t,s0)
 
 /var/log/speech-dispatcher(/.*)?		gen_context(system_u:object_r:speech_dispatcher_log_t,s0)
diff --git a/policy/modules/contrib/speech-dispatcher.te b/policy/modules/contrib/speech-dispatcher.te
@@ -2,6 +2,7 @@ policy_module(speech-dispatcher, 1.0.0)
 
 gen_require(`
     type cache_home_t;
+    type ephemeral_port_t;
 ')
 
 ########################################
@@ -36,6 +37,9 @@ type speech_dispatcher_tmpfs_t;
 typealias speech_dispatcher_tmpfs_t alias speech-dispatcher_tmpfs_t;
 files_tmpfs_file(speech_dispatcher_tmpfs_t)
 
+type speech_dispatcher_modules_t;
+files_type(speech_dispatcher_modules_t)
+
 ########################################
 #
 # speech-dispatcher local policy
@@ -48,6 +52,8 @@ allow speech_dispatcher_t self:unix_stream_socket create_stream_socket_perms;
 allow speech_dispatcher_t self:tcp_socket create_socket_perms;
 allow speech_dispatcher_t speech_dispatcher_home_t:file create_file_perms;
 allow speech_dispatcher_t speech_dispatcher_home_t:dir create_dir_perms;
+allow speech_dispatcher_t ephemeral_port_t:tcp_socket name_connect;
+corecmd_exec_shell(speech_dispatcher_t)
 
 manage_dirs_pattern(speech_dispatcher_t, speech_dispatcher_log_t, speech_dispatcher_log_t)
 manage_files_pattern(speech_dispatcher_t, speech_dispatcher_log_t, speech_dispatcher_log_t)
@@ -66,6 +72,12 @@ userdom_filetrans_home_content(speech_dispatcher_t,speech_dispatcher_home_t, dir
 userdom_filetrans_home_content(speech_dispatcher_t,speech_dispatcher_home_t, dir, ".config/speech-dispatcher")
 filetrans_pattern(speech_dispatcher_t, cache_home_t, speech_dispatcher_home_t, dir, "speech-dispatcher")
 
+exec_files_pattern(speech_dispatcher_t, speech_dispatcher_modules_t, speech_dispatcher_modules_t)
+read_lnk_files_pattern(speech_dispatcher_t, speech_dispatcher_modules_t, speech_dispatcher_modules_t)
+manage_dirs_pattern(speech_dispatcher_t, speech_dispatcher_modules_t, speech_dispatcher_modules_t)
+
+manage_sock_files_pattern(speech_dispatcher_t, speech_dispatcher_home_t, speech_dispatcher_home_t)
+
 kernel_read_system_state(speech_dispatcher_t)
 
 auth_read_passwd(speech_dispatcher_t)