2013-11-09 09:39:58

by dominick.grift

Subject: [refpolicy] [RFC] Changes with regard to XDG base dir spec:

http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

usr_t is now a xdg_data_dirs type:

If $XDG_DATA_DIRS is either not set or empty, a value equal to
/usr/local/share/:/usr/share/ should be used.

user_tmp_t is now a xdg_runtime_dirs type:

If $XDG_RUNTIME_DIR is not set applications should fall back to a
replacement directory with similar capabilities and print a warning
message. Applications should use this directory for communication and
synchronization purposes and should not place larger files in it, since
it might reside in runtime memory and cannot necessarily be swapped out
to disk.

We need to find a way to deal with /run/user/UID

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/files.te | 4 ++++
policy/modules/system/userdomain.te | 4 ++++
2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..a84739e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -156,6 +156,10 @@ files_poly_parent(tmp_t)
type usr_t;
files_mountpoint(usr_t)

+optional_policy(`
+ xdg_data_file(usr_t)
+')
+
#
# var_t is the type of /var
#
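Review bot: the added `xdg_data_file(usr_t)` applies to usr_t as a whole, the type declared just above with `files_mountpoint(usr_t)`, while the commit message quotes only /usr/local/share/:/usr/share/ as the XDG_DATA_DIRS default. If xdg_data_file associates the type with an attribute that other rules grant access on, that access would reach everything labeled usr_t and not just the share directories; consider a narrower type for those directories, or add a comment above the optional_policy block stating that the wider scope is intended. The block also carries no comment naming the module that provides xdg_data_file, which would help a reader of files.te, a file under policy/modules/kernel.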
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index d657ea7..0a9721e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -89,6 +89,10 @@ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_cont
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)

+optional_policy(`
+ xdg_runtime_file(user_tmp_t)
+')
+
type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
userdom_user_home_content(user_tmpfs_t)
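Review bot: `xdg_runtime_file(user_tmp_t)` is added to a type already declared with `files_tmp_file(user_tmp_t)` and `userdom_user_home_content(user_tmp_t)`, so the runtime classification lands on general user temporary content and not only on the XDG_RUNTIME_DIR described in the commit message. The commit message itself leaves /run/user/UID unresolved; it would be better to settle that before this goes in, or to add a comment above the optional_policy block saying that user_tmp_t is a stand-in until the labeling of /run/user/UID is decided.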
--
1.8.3.1