From fcfffd4a2cbfca7fd4f5c1cf61dce01ef134dea1 Mon Sep 17 00:00:00 2001
From: Dave Sugar <dsugar100@gmail.com>
Date: Sun, 10 Dec 2023 21:00:32 -0500
Subject: [PATCH] Allow key manipulation

node=localhost type=AVC msg=audit(1701897597.942:245462): avc:  denied { create } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { write } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { search } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { link } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
---
 policy/modules/services/cockpit.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/cockpit.te b/policy/modules/services/cockpit.te
index ca3f12695..eb2cd3812 100644
--- a/policy/modules/services/cockpit.te
+++ b/policy/modules/services/cockpit.te
@@ -204,6 +204,8 @@ userdom_spec_domtrans_all_users(cockpit_session_t)
 
 optional_policy(`
 	systemd_dbus_chat_logind(cockpit_session_t)
+	systemd_search_all_user_keys(cockpit_session_t)
+	systemd_write_all_user_keys(cockpit_session_t)
 ')
 
 optional_policy(`
@@ -211,7 +213,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	userdom_create_all_users_keys(cockpit_session_t)
 	userdom_signal_all_users(cockpit_session_t)
+	userdom_write_all_users_keys(cockpit_session_t)
 ')
 
 optional_policy(`