From 3348d6005968b034da969e923553aae598ddbb64 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 8 Nov 2023 13:45:10 +0100
Subject: [PATCH] Allow graphical applications work in Wayland

Resolves: rhbz#2248488
---
 policy/modules/contrib/sandboxX.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/sandboxX.te b/policy/modules/contrib/sandboxX.te
index 78affa318e..db110bae31 100644
--- a/policy/modules/contrib/sandboxX.te
+++ b/policy/modules/contrib/sandboxX.te
@@ -357,7 +357,8 @@ optional_policy(`
 #
 typeattribute sandbox_web_client_t sandbox_web_type;
 
-allow sandbox_web_client_t sandbox_web_client_t:cap_userns sys_chroot;
+allow sandbox_web_client_t self:user_namespace create;
+allow sandbox_web_client_t self:cap_userns sys_chroot;
 allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition;
 
 selinux_get_fs_mount(sandbox_web_client_t)
@@ -474,6 +475,10 @@ optional_policy(`
 chrome_domtrans_sandbox(sandbox_web_type)
 ')
 
+optional_policy(`
+ dbus_watch_config(sandbox_web_type)
+')
+
 optional_policy(`
 mozilla_plugin_rw_sem(sandbox_web_type)
 ')
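Review bot: In the first hunk (@@ -357,7 +357,8), the added `allow sandbox_web_client_t self:user_namespace create;` widens what a sandboxed domain may do, yet the policy text carries no rationale; the only explanation is the commit subject. A comment above the two rules would keep the reason visible to later audits, for example `# user namespace creation and chroot inside it: needed by graphical applications under Wayland (rhbz#2248488)`. The capability grant remains limited to `sys_chroot` in `cap_userns`, and it is worth keeping it that narrow if further denials appear rather than widening the class. The policy section these rules belong to starts above the hunk, so any existing header comment there is not visible.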
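Review bot: In the second hunk (@@ -474,6 +475,10), `dbus_watch_config(sandbox_web_type)` is granted to the whole `sandbox_web_type` attribute, while the user-namespace rules in the first hunk are scoped to `sandbox_web_client_t` only. If the denials behind rhbz#2248488 came from the client domain alone, `dbus_watch_config(sandbox_web_client_t)` would be the narrower grant. The interface body is not visible here; presumably it only adds watch access on the D-Bus configuration, which is worth confirming against the recorded AVC denials. The neighbouring blocks also use the attribute, so keeping it is consistent in style, but a one-line comment naming the reason for the grant would help either way.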