2017-05-24 12:39:02

by Guido Trentalancia

Subject: [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.te | 2 ++
1 file changed, 2 insertions(+)

--- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te 2017-05-24 14:15:08.786740326 +0200
@@ -255,6 +255,8 @@ seutil_read_default_contexts(session_bus

term_use_all_terms(session_bus_type)

+userdom_manage_user_runtime_dirs(session_bus_type)
+
optional_policy(`
xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
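Review bot: userdom_manage_user_runtime_dirs(session_bus_type) at the added line grants the session bus manage access to every directory carrying the generic user runtime type, not only the one it creates under $XDG_RUNTIME_DIR. Declaring a private type for that directory and transitioning to it on creation (its name is predictable, so a name-based transition works) keeps the daemon's write access confined to its own objects and keeps the rest of the user's runtime data out of its reach.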


2017-05-24 12:44:54

by Dac Override

Subject: [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs

On Wed, May 24, 2017 at 02:39:02PM +0200, Guido Trentalancia via refpolicy wrote:
> Let the session dbus process manage user runtime directories.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/dbus.te 2017-05-24 14:15:08.786740326 +0200
> @@ -255,6 +255,8 @@ seutil_read_default_contexts(session_bus
>
> term_use_all_terms(session_bus_type)
>
> +userdom_manage_user_runtime_dirs(session_bus_type)
> +

Is that for "$XDG_RUNTIME_DIR/dbus-1"? I would probably use a private type here (predictable name so name-based type transition is an option), although I do not know what that dir is used for.

> optional_policy(`
> xserver_rw_xsession_log(session_bus_type)
> xserver_use_xdm_fds(session_bus_type)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-24 13:25:02

by Guido Trentalancia

Subject: [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs

On Wed, 24/05/2017 at 14.44 +0200, Dominick Grift via
refpolicy wrote:
> On Wed, May 24, 2017 at 02:39:02PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > Let the session dbus process manage user runtime directories.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/dbus.te |????2 ++
> > ?1 file changed, 2 insertions(+)
> >
> > --- a/policy/modules/contrib/dbus.te 2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/dbus.te 2017-05-24
> > 14:15:08.786740326 +0200
> > @@ -255,6 +255,8 @@ seutil_read_default_contexts(session_bus
> > ?
> > ?term_use_all_terms(session_bus_type)
> > ?
> > +userdom_manage_user_runtime_dirs(session_bus_type)
> > +
>
> is that for "$XDG_RUNTIME_DIR/dbus-1" ? I would probably use a
> private type here (predictable name so name-based type transition is
> an option) although i do not know what that dir is used for

Yes, this is a very good idea, I'll post a revised version of this
patch!

> > ?optional_policy(`
> > ? xserver_rw_xsession_log(session_bus_type)
> > ? xserver_use_xdm_fds(session_bus_type)

Regards,

Guido

2017-05-24 13:25:52

by Guido Trentalancia

Subject: [refpolicy] [PATCH v2] dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories (with
its own file type).

This is the second version (v2) of the patch, thanks to Dominick
Grift for revising the first version and suggesting improvements.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.fc | 1 +
policy/modules/contrib/dbus.te | 7 +++++++
2 files changed, 8 insertions(+)

--- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
+++ b/policy/modules/contrib/dbus.fc 2017-05-24 15:12:46.704726190 +0200
@@ -4,6 +4,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys

/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)

/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
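Review bot: the only new file context is the dbus-1 directory tree, while the .te hunk below also transitions `file` objects created directly in the user runtime directory to session_dbusd_runtime_t; no entry here labels such a file, so a relabel with setfiles would disagree with what the running daemon creates. Add an entry for each object the daemon actually creates at that level (a `bus` socket, which needs a `-s` entry, is the one named in this thread) and keep the .fc and the filetrans class set in step.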

--- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te 2017-05-24 15:06:23.125727758 +0200
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")

+type session_dbusd_runtime_t;
+files_pid_file(session_dbusd_runtime_t)
+
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')
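Review bot: files_pid_file(session_dbusd_runtime_t) declares a pid-file type for objects that live under the per-user /run/user/%{USERID}, not under a daemon's /run location; whichever attribute the maintainers settle on (files_pid_file() and userdom_user_tmp_file() are both proposed in this thread), a short comment at the declaration saying that this is the session bus's per-user runtime data would spare the next reader the same question.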
@@ -204,6 +207,10 @@ manage_dirs_pattern(session_bus_type, se
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })

+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file })
+
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
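Review bot: the class set `{ dir file }` on userdom_user_runtime_filetrans() omits sock_file and there is no manage_sock_files_pattern(), so the socket the session bus creates in the runtime directory would keep the default user runtime label and the daemon could not manage it under the new type; add sock_file to both. If the interface accepts a filename argument, passing the known names (`dbus-1`, `bus`) would restrict the transition to exactly those objects.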


2017-05-24 13:59:34

by Dac Override

Subject: [refpolicy] [PATCH v2] dbus: let session bus daemon manage user runtime dirs

On Wed, May 24, 2017 at 03:25:52PM +0200, Guido Trentalancia via refpolicy wrote:
> Let the session dbus process manage user runtime directories (with
> its own file type).
>
> This is the second version (v2) of the patch, thanks to Dominick
> Grift for revising the first version and suggesting improvements.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.fc | 1 +
> policy/modules/contrib/dbus.te | 7 +++++++
> 2 files changed, 8 insertions(+)
>
> --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
> +++ b/policy/modules/contrib/dbus.fc 2017-05-24 15:12:46.704726190 +0200
> @@ -4,6 +4,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys
>
> /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
>
> /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/dbus.te 2017-05-24 15:06:23.125727758 +0200
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> files_pid_file(system_dbusd_var_run_t)
> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>
> +type session_dbusd_runtime_t;
> +files_pid_file(session_dbusd_runtime_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
> ')
> @@ -204,6 +207,10 @@ manage_dirs_pattern(session_bus_type, se
> manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
> files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
>
> +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file })

There's no file in /run/user/USERID; if there was, then you forgot to add the corresponding file context specification.
There is however a sock file there: "bus"

/run/user/%{USERID}/bus -s system_u:object_r:session_dbusd_user_runtime_t:s0
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_user_runtime_t, sock_file)

> +
> kernel_read_system_state(session_bus_type)
> kernel_read_kernel_sysctls(session_bus_type)
>

--
Dominick Grift

2017-05-24 16:48:00

by Guido Trentalancia

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories (with
its own file type).

This is the third version (v3) of the patch, thanks to Dominick
Grift for revising the previous two versions and suggesting
improvements.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.fc | 2 ++
policy/modules/contrib/dbus.te | 8 ++++++++
2 files changed, 10 insertions(+)

--- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
+++ b/policy/modules/contrib/dbus.fc 2017-05-24 18:41:36.105674966 +0200
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys

/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)

/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
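Review bot: the `-s` entry for `/run/user/%{USERID}/dbus-1/bus` is already matched by the preceding `dbus-1(/.*)?` pattern, so it adds nothing, and the `ls -alZ $XDG_RUNTIME_DIR` output later in this thread shows the socket at `/run/user/%{USERID}/bus`, directly in the runtime dir, which no entry here matches. Replace the second added line with `/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)`.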

--- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te 2017-05-24 18:43:56.536674392 +0200
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")

+type session_dbusd_runtime_t;
+files_pid_file(session_dbusd_runtime_t)
+
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })

+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
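Review bot: `file` in `{ dir file sock_file }` transitions any regular file the session bus creates directly in the user runtime directory, but the .fc above labels no such file, so a file created there would be labelled session_dbusd_runtime_t by the kernel and something else by `setfiles -r`. Restrict the unnamed transition to `{ dir sock_file }` (manage_files_pattern() for files inside dbus-1 can stay), or use name-based transitions for `dbus-1` and `bus`.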


2017-05-24 16:56:02

by Dac Override

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via refpolicy wrote:
> Let the session dbus process manage user runtime directories (with
> its own file type).
>
> This is the third version (v3) of the patch, thanks to Dominick
> Grift for revising the previous two versions and suggesting
> improvements.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.fc | 2 ++
> policy/modules/contrib/dbus.te | 8 ++++++++
> 2 files changed, 10 insertions(+)
>
> --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
> +++ b/policy/modules/contrib/dbus.fc 2017-05-24 18:41:36.105674966 +0200
> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys
>
> /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
> +/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)

The bus socket is not in the dbus-1 dir:

$ ls -alZ $XDG_RUNTIME_DIR | grep bus
srw-rw-rw-. 1 kcinimod kcinimod wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24 17:05 bus
drwx------. 3 kcinimod kcinimod wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24 17:19 dbus-1

>
> /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/dbus.te 2017-05-24 18:43:56.536674392 +0200
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> files_pid_file(system_dbusd_var_run_t)
> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>
> +type session_dbusd_runtime_t;
> +files_pid_file(session_dbusd_runtime_t)

It is not a pid file, it's a userdom_user_runtime_file() or userdom_user_tmp_file()

> +
> ifdef(`enable_mcs',`
> init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
> ')
> @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
> manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
> files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
>
> +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)

There are no files here

> +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
> +
> kernel_read_system_state(session_bus_type)
> kernel_read_kernel_sysctls(session_bus_type)
>

--
Dominick Grift

2017-05-24 17:14:42

by Guido Trentalancia

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
refpolicy wrote:
> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > Let the session dbus process manage user runtime directories (with
> > its own file type).
> >
> > This is the third version (v3) of the patch, thanks to Dominick
> > Grift for revising the previous two versions and suggesting
> > improvements.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/dbus.fc |????2 ++
> > ?policy/modules/contrib/dbus.te |????8 ++++++++
> > ?2 files changed, 10 insertions(+)
> >
> > --- a/policy/modules/contrib/dbus.fc 2017-03-29
> > 17:58:00.272386397 +0200
> > +++ b/policy/modules/contrib/dbus.fc 2017-05-24
> > 18:41:36.105674966 +0200
> > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?
> > gen_context(sys
> > ?
> > ?/run/dbus(/.*)? gen_context
> > (system_u:object_r:system_dbusd_var_run_t,s0)
> > ?/run/messagebus\.pid -- gen_context(
> > system_u:object_r:system_dbusd_var_run_t,s0)
> > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system
> > _u:object_r:session_dbusd_runtime_t,s0)
> > +/run/user/%{USERID}/dbus-1/bus -s gen_contex
> > t(system_u:object_r:session_dbusd_runtime_t,s0)
>
> The bus socket is not in the dbus-1 dir:
>
> $ ls -alZ $XDG_RUNTIME_DIR | grep bus
> srw-rw-rw-. 1 kcinimod kcinimod
> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24
> 17:05 bus
> drwx------. 3 kcinimod kcinimod
> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24
> 17:19 dbus-1

I have fixed the above in the next version (v4)... Thanks for telling
me.

> > ?
> > ?/usr/bin/dbus-daemon(-1)? -- gen_context(sys
> > tem_u:object_r:dbusd_exec_t,s0)
> > ?
> > --- a/policy/modules/contrib/dbus.te 2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/dbus.te 2017-05-24
> > 18:43:56.536674392 +0200
> > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> > ?files_pid_file(system_dbusd_var_run_t)
> > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
> > ?
> > +type session_dbusd_runtime_t;
> > +files_pid_file(session_dbusd_runtime_t)
>
> It is not a pid file its a userdom_user_runtime_file() or
> userdom_user_tmp_file()

userdom_user_runtime_file() does not exist, however I can change it to
userdom_user_tmp_file().

> > +
> > ?ifdef(`enable_mcs',`
> > ? init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0
> > - mcs_systemhigh)
> > ?')
> > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
> > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t,
> > session_dbusd_tmp_t)
> > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir
> > file })
> > ?
> > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t,
> > session_dbusd_runtime_t)
> > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t,
> > session_dbusd_runtime_t)
>
> There are no files here

Well, if there is a directory, then it is used for storing files...

I am fine with keeping the files pattern.

> > +manage_sock_files_pattern(session_bus_type,
> > session_dbusd_runtime_t, session_dbusd_runtime_t)
> > +userdom_user_runtime_filetrans(session_bus_type,
> > session_dbusd_runtime_t, { dir file sock_file })
> > +
> > ?kernel_read_system_state(session_bus_type)
> > ?kernel_read_kernel_sysctls(session_bus_type)

Regards,

Guido

2017-05-24 17:19:51

by Dac Override

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

On Wed, May 24, 2017 at 07:14:42PM +0200, Guido Trentalancia via refpolicy wrote:
> On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
> refpolicy wrote:
> > On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
> > refpolicy wrote:
> > > Let the session dbus process manage user runtime directories (with
> > > its own file type).
> > >
> > > This is the third version (v3) of the patch, thanks to Dominick
> > > Grift for revising the previous two versions and suggesting
> > > improvements.
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > ?policy/modules/contrib/dbus.fc |????2 ++
> > > ?policy/modules/contrib/dbus.te |????8 ++++++++
> > > ?2 files changed, 10 insertions(+)
> > >
> > > --- a/policy/modules/contrib/dbus.fc 2017-03-29
> > > 17:58:00.272386397 +0200
> > > +++ b/policy/modules/contrib/dbus.fc 2017-05-24
> > > 18:41:36.105674966 +0200
> > > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?
> > > gen_context(sys
> > > ?
> > > ?/run/dbus(/.*)? gen_context
> > > (system_u:object_r:system_dbusd_var_run_t,s0)
> > > ?/run/messagebus\.pid -- gen_context(
> > > system_u:object_r:system_dbusd_var_run_t,s0)
> > > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system
> > > _u:object_r:session_dbusd_runtime_t,s0)
> > > +/run/user/%{USERID}/dbus-1/bus -s gen_contex
> > > t(system_u:object_r:session_dbusd_runtime_t,s0)
> >
> > The bus socket is not in the dbus-1 dir:
> >
> > $ ls -alZ $XDG_RUNTIME_DIR | grep bus
> > srw-rw-rw-. 1 kcinimod kcinimod
> > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24
> > 17:05 bus
> > drwx------. 3 kcinimod kcinimod
> > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24
> > 17:19 dbus-1
>
> I have fixed the above in the next version (v4)... Thanks for telling
> me.
>
> > > ?
> > > ?/usr/bin/dbus-daemon(-1)? -- gen_context(sys
> > > tem_u:object_r:dbusd_exec_t,s0)
> > > ?
> > > --- a/policy/modules/contrib/dbus.te 2017-04-26
> > > 17:47:20.555423022 +0200
> > > +++ b/policy/modules/contrib/dbus.te 2017-05-24
> > > 18:43:56.536674392 +0200
> > > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> > > ?files_pid_file(system_dbusd_var_run_t)
> > > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
> > > ?
> > > +type session_dbusd_runtime_t;
> > > +files_pid_file(session_dbusd_runtime_t)
> >
> > It is not a pid file its a userdom_user_runtime_file() or
> > userdom_user_tmp_file()
>
> userdom_user_runtime_file() does not exist, however I can change it to
> userdom_user_tmp_file().
>
> > > +
> > > ?ifdef(`enable_mcs',`
> > > ? init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0
> > > - mcs_systemhigh)
> > > ?')
> > > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
> > > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t,
> > > session_dbusd_tmp_t)
> > > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir
> > > file })
> > > ?
> > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t,
> > > session_dbusd_runtime_t)
> > > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t,
> > > session_dbusd_runtime_t)
> >
> > There are no files here
>
> Well, if there is a directory, then it is used for storing files...
>
> I am fine with keeping the files pattern.

Okay, but the filetrans below for files does not make sense

>
> > > +manage_sock_files_pattern(session_bus_type,
> > > session_dbusd_runtime_t, session_dbusd_runtime_t)
> > > +userdom_user_runtime_filetrans(session_bus_type,
> > > session_dbusd_runtime_t, { dir file sock_file })
> > > +
> > > ?kernel_read_system_state(session_bus_type)
> > > ?kernel_read_kernel_sysctls(session_bus_type)
>
> Regards,
>
> Guido

--
Dominick Grift

2017-05-24 17:32:00

by Guido Trentalancia

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

On Wed, 24/05/2017 at 19.19 +0200, Dominick Grift via
refpolicy wrote:
> On Wed, May 24, 2017 at 07:14:42PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
> > refpolicy wrote:
> > > On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
> > > refpolicy wrote:
> > > > Let the session dbus process manage user runtime directories
> > > > (with
> > > > its own file type).
> > > >
> > > > This is the third version (v3) of the patch, thanks to Dominick
> > > > Grift for revising the previous two versions and suggesting
> > > > improvements.
> > > >
> > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > ---
> > > > ?policy/modules/contrib/dbus.fc |????2 ++
> > > > ?policy/modules/contrib/dbus.te |????8 ++++++++
> > > > ?2 files changed, 10 insertions(+)
> > > >
> > > > --- a/policy/modules/contrib/dbus.fc 2017-03-29
> > > > 17:58:00.272386397 +0200
> > > > +++ b/policy/modules/contrib/dbus.fc 2017-05-24
> > > > 18:41:36.105674966 +0200
> > > > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?
> > > > gen_context(sys
> > > > ?
> > > > ?/run/dbus(/.*)? gen_con
> > > > text
> > > > (system_u:object_r:system_dbusd_var_run_t,s0)
> > > > ?/run/messagebus\.pid -- gen_cont
> > > > ext(
> > > > system_u:object_r:system_dbusd_var_run_t,s0)
> > > > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(sy
> > > > stem
> > > > _u:object_r:session_dbusd_runtime_t,s0)
> > > > +/run/user/%{USERID}/dbus-1/bus -s gen_co
> > > > ntex
> > > > t(system_u:object_r:session_dbusd_runtime_t,s0)
> > >
> > > The bus socket is not in the dbus-1 dir:
> > >
> > > $ ls -alZ $XDG_RUNTIME_DIR | grep bus
> > > srw-rw-rw-. 1 kcinimod kcinimod
> > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May
> > > 24
> > > 17:05 bus
> > > drwx------. 3 kcinimod kcinimod
> > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May
> > > 24
> > > 17:19 dbus-1
> >
> > I have fixed the above in the next version (v4)... Thanks for
> > telling
> > me.
> >
> > > > ?
> > > > ?/usr/bin/dbus-daemon(-1)? -- gen_context
> > > > (sys
> > > > tem_u:object_r:dbusd_exec_t,s0)
> > > > ?
> > > > --- a/policy/modules/contrib/dbus.te 2017-04-26
> > > > 17:47:20.555423022 +0200
> > > > +++ b/policy/modules/contrib/dbus.te 2017-05-24
> > > > 18:43:56.536674392 +0200
> > > > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> > > > ?files_pid_file(system_dbusd_var_run_t)
> > > > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
> > > > ?
> > > > +type session_dbusd_runtime_t;
> > > > +files_pid_file(session_dbusd_runtime_t)
> > >
> > > It is not a pid file its a userdom_user_runtime_file() or
> > > userdom_user_tmp_file()
> >
> > userdom_user_runtime_file() does not exist, however I can change it
> > to
> > userdom_user_tmp_file().
> >
> > > > +
> > > > ?ifdef(`enable_mcs',`
> > > > ? init_ranged_system_domain(system_dbusd_t,
> > > > dbusd_exec_t, s0
> > > > - mcs_systemhigh)
> > > > ?')
> > > > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
> > > > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t,
> > > > session_dbusd_tmp_t)
> > > > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, {
> > > > dir
> > > > file })
> > > > ?
> > > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t,
> > > > session_dbusd_runtime_t)
> > > > +manage_files_pattern(session_bus_type,
> > > > session_dbusd_runtime_t,
> > > > session_dbusd_runtime_t)
> > >
> > > There are no files here
> >
> > Well, if there is a directory, then it is used for storing files...
> >
> > I am fine with keeping the files pattern.
>
> Okay but the filetrans below for files does not make sense

It does not harm and it might be useful in the future.

> > > > +manage_sock_files_pattern(session_bus_type,
> > > > session_dbusd_runtime_t, session_dbusd_runtime_t)
> > > > +userdom_user_runtime_filetrans(session_bus_type,
> > > > session_dbusd_runtime_t, { dir file sock_file })
> > > > +
> > > > ?kernel_read_system_state(session_bus_type)
> > > > ?kernel_read_kernel_sysctls(session_bus_type)

Regards,

Guido

2017-05-24 17:44:42

by Guido Trentalancia

Subject: [refpolicy] [PATCH v4] dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories (with
its own file type).

This is the fourth version (v4) of the patch, thanks to Dominick
Grift for revising the previous versions and suggesting improvements.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.fc | 2 ++
policy/modules/contrib/dbus.te | 8 ++++++++
2 files changed, 10 insertions(+)

--- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
+++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys

/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)

/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
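Review bot: the .fc now agrees with the `ls -alZ $XDG_RUNTIME_DIR` listing earlier in this thread (socket `bus` and directory `dbus-1` directly under the user runtime dir). Since both objects share one type, any interface later written to let client domains reach the socket should grant sock_file permissions only, so callers do not inherit the manage rights the .te gives the daemon over the dbus-1 tree.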

--- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te 2017-05-24 19:18:29.074667171 +0200
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")

+type session_dbusd_runtime_t;
+userdom_user_tmp_file(session_dbusd_runtime_t)
+
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')
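Review bot: the declaration moved from files_pid_file() to userdom_user_tmp_file(), but the maintainer's reply in this thread says files_pid_file() is currently the right designation (pid files are becoming a subset of runtime files), so this change may need reverting in a v5. Whichever is kept, a user tmp attribute on a type whose only paths are under /run/user/... is confusing next to the name session_dbusd_runtime_t; a one-line comment at the declaration would help.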
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })

+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
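Review bot: `file` remains in the userdom_user_runtime_filetrans() class set although the .fc labels no regular file directly in the user runtime directory (raised on v3 and kept as harmless). It does not widen access, but it makes the policy assert a transition that setfiles cannot reproduce from the .fc; either drop `file` from the unnamed transition or add the matching .fc entry when such a file actually appears.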

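The difference between the v3 and v4 file contexts that Dominick's `ls -alZ` listing exposed, as an added example that is not part of the thread or of refpolicy: a small Python matcher that applies .fc entries to the two objects in the listing the way setfiles does (simplified). It assumes %{USERID} expands to a numeric-UID pattern and uses UID 1000 as a constructed sample.

```python
"""Mimic how SELinux file_contexts entries are matched against objects in a
user's runtime directory, to compare the v3 and v4 .fc lines from this thread.

Simplifications (assumptions): the path regex is anchored to the whole path,
an optional type flag restricts the object class, later matching entries
override earlier ones, and %{USERID} expands to a numeric-UID pattern.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# .fc type flags and the object class each one restricts an entry to.
FLAG_TO_CLASS = {
    "--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
    "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file",
}

# Assumption: the refpolicy build replaces %{USERID} with a pattern for a UID.
USERID_PATTERN = r"[0-9]+"

# <path regex> [<type flag>] gen_context(<user>:<role>:<type>,<range>)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dslpcb])\s+)?gen_context\(([^)]*)\)\s*$")

# Sample input, taken from the v3 patch in this thread (the socket entry sits
# under dbus-1, which is not where the daemon creates it).
FC_V3 = r"""
/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
"""

# Sample input, taken from the v4 patch (socket entry moved to the runtime dir).
FC_V4 = r"""
/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
"""

# Constructed objects, modelled on the `ls -alZ $XDG_RUNTIME_DIR` output in the
# thread: a socket `bus` and a directory `dbus-1`, here for UID 1000.
RUNTIME_OBJECTS: List[Tuple[str, str]] = [
    ("/run/user/1000/bus", "sock_file"),
    ("/run/user/1000/dbus-1", "dir"),
]


@dataclass
class FcEntry:
    regex: re.Pattern
    obj_class: Optional[str]  # None: the entry applies to every object class
    context: str


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc lines into anchored regexes with their class restriction."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable .fc line: {line!r}")
        path_re, flag, ctx = m.groups()
        path_re = path_re.replace("%{USERID}", USERID_PATTERN)
        entries.append(FcEntry(re.compile(rf"^{path_re}$"), FLAG_TO_CLASS.get(flag), ctx))
    return entries


def label_for(entries: List[FcEntry], path: str, obj_class: str) -> Optional[str]:
    """Return the SELinux type the entries assign to path/obj_class, or None."""
    winner = None
    for entry in entries:
        if entry.obj_class not in (None, obj_class):
            continue  # the type flag excludes this object class
        if entry.regex.match(path):
            winner = entry  # a later matching entry overrides an earlier one
    if winner is None:
        return None
    return winner.context.split(",")[0].split(":")[2]


def unlabelled(entries: List[FcEntry], objects: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """List the (path, class) pairs no entry covers: after a relabel these keep
    the generic user runtime label instead of the daemon's private type."""
    return [(p, c) for p, c in objects if label_for(entries, p, c) is None]


if __name__ == "__main__":
    for name, fc in (("v3", FC_V3), ("v4", FC_V4)):
        missing = unlabelled(parse_fc(fc), RUNTIME_OBJECTS)
        print(f"{name}: unlabelled objects -> {missing or 'none'}")
```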

2017-05-24 23:19:15

by Chris PeBenito

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

On 05/24/2017 01:14 PM, Guido Trentalancia via refpolicy wrote:
> On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
> refpolicy wrote:
>> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
>> refpolicy wrote:
>>> Let the session dbus process manage user runtime directories (with
>>> its own file type).
>>>
>>> This is the third version (v3) of the patch, thanks to Dominick
>>> Grift for revising the previous two versions and suggesting
>>> improvements.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/dbus.fc | 2 ++
>>> policy/modules/contrib/dbus.te | 8 ++++++++
>>> 2 files changed, 10 insertions(+)
>>>
>>> --- a/policy/modules/contrib/dbus.fc 2017-03-29
>>> 17:58:00.272386397 +0200
>>> +++ b/policy/modules/contrib/dbus.fc 2017-05-24
>>> 18:41:36.105674966 +0200
>>> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?
>>> gen_context(sys
>>>
>>> /run/dbus(/.*)? gen_context
>>> (system_u:object_r:system_dbusd_var_run_t,s0)
>>> /run/messagebus\.pid -- gen_context(
>>> system_u:object_r:system_dbusd_var_run_t,s0)
>>> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system
>>> _u:object_r:session_dbusd_runtime_t,s0)
>>> +/run/user/%{USERID}/dbus-1/bus -s gen_contex
>>> t(system_u:object_r:session_dbusd_runtime_t,s0)
>>
>> The bus socket is not in the dbus-1 dir:
>>
>> $ ls -alZ $XDG_RUNTIME_DIR | grep bus
>> srw-rw-rw-. 1 kcinimod kcinimod
>> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24
>> 17:05 bus
>> drwx------. 3 kcinimod kcinimod
>> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24
>> 17:19 dbus-1
>
> I have fixed the above in the next version (v4)... Thanks for telling
> me.
>
>>>
>>> /usr/bin/dbus-daemon(-1)? -- gen_context(sys
>>> tem_u:object_r:dbusd_exec_t,s0)
>>>
>>> --- a/policy/modules/contrib/dbus.te 2017-04-26
>>> 17:47:20.555423022 +0200
>>> +++ b/policy/modules/contrib/dbus.te 2017-05-24
>>> 18:43:56.536674392 +0200
>>> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
>>> files_pid_file(system_dbusd_var_run_t)
>>> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>>>
>>> +type session_dbusd_runtime_t;
>>> +files_pid_file(session_dbusd_runtime_t)
>>
>> It is not a pid file its a userdom_user_runtime_file() or
>> userdom_user_tmp_file()
>
> userdom_user_runtime_file() does not exist, however I can change it to
> userdom_user_tmp_file().

Pid is actually right, for now, as pids (in the refpolicy sense) are
slowly turning into being a subset of runtime files. Eventually the
refpolicy pid file concept might go away.

--
Chris PeBenito

2017-05-25 05:57:22

by Dac Override

Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

On Wed, May 24, 2017 at 07:19:15PM -0400, Chris PeBenito via refpolicy wrote:
> On 05/24/2017 01:14 PM, Guido Trentalancia via refpolicy wrote:
> > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
> > refpolicy wrote:
> >> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
> >> refpolicy wrote:
> >>> Let the session dbus process manage user runtime directories (with
> >>> its own file type).
> >>>
> >>> This is the third version (v3) of the patch, thanks to Dominick
> >>> Grift for revising the previous two versions and suggesting
> >>> improvements.
> >>>
> >>> Signed-off-by: Guido Trentalancia <[email protected]>
> >>> ---
> >>> policy/modules/contrib/dbus.fc | 2 ++
> >>> policy/modules/contrib/dbus.te | 8 ++++++++
> >>> 2 files changed, 10 insertions(+)
> >>>
> >>> --- a/policy/modules/contrib/dbus.fc 2017-03-29
> >>> 17:58:00.272386397 +0200
> >>> +++ b/policy/modules/contrib/dbus.fc 2017-05-24
> >>> 18:41:36.105674966 +0200
> >>> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?
> >>> gen_context(sys
> >>>
> >>> /run/dbus(/.*)? gen_context
> >>> (system_u:object_r:system_dbusd_var_run_t,s0)
> >>> /run/messagebus\.pid -- gen_context(
> >>> system_u:object_r:system_dbusd_var_run_t,s0)
> >>> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system
> >>> _u:object_r:session_dbusd_runtime_t,s0)
> >>> +/run/user/%{USERID}/dbus-1/bus -s gen_contex
> >>> t(system_u:object_r:session_dbusd_runtime_t,s0)
> >>
> >> The bus socket is not in the dbus-1 dir:
> >>
> >> $ ls -alZ $XDG_RUNTIME_DIR | grep bus
> >> srw-rw-rw-. 1 kcinimod kcinimod
> >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24
> >> 17:05 bus
> >> drwx------. 3 kcinimod kcinimod
> >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24
> >> 17:19 dbus-1
> >
> > I have fixed the above in the next version (v4)... Thanks for telling
> > me.
> >
> >>>
> >>> /usr/bin/dbus-daemon(-1)? -- gen_context(sys
> >>> tem_u:object_r:dbusd_exec_t,s0)
> >>>
> >>> --- a/policy/modules/contrib/dbus.te 2017-04-26
> >>> 17:47:20.555423022 +0200
> >>> +++ b/policy/modules/contrib/dbus.te 2017-05-24
> >>> 18:43:56.536674392 +0200
> >>> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> >>> files_pid_file(system_dbusd_var_run_t)
> >>> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
> >>>
> >>> +type session_dbusd_runtime_t;
> >>> +files_pid_file(session_dbusd_runtime_t)
> >>
> >> It is not a pid file, it's a userdom_user_runtime_file() or
> >> userdom_user_tmp_file()
> >
> > userdom_user_runtime_file() does not exist, however I can change it to
> > userdom_user_tmp_file().
>
> Pid is actually right, for now, as pids (in the refpolicy sense) are
> slowly turning into being a subset of runtime files. Eventually the
> refpolicy pid file concept might go away.

logind needs to be able to purge XDG_RUNTIME_DIR and allowing logind to unlink all pid files would be too coarse IMHO

>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-25 11:23:26

by Guido Trentalancia

[permalink] [raw]
Subject: [refpolicy] [PATCH v5] dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories (with
its own file type).

This is the fifth version (v5) of the patch, thanks to Dominick
Grift for revising the previous versions and suggesting improvements,
although unfortunately this new version needs to revert one of the
suggested amendments because it was misleading.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.fc | 2 ++
policy/modules/contrib/dbus.te | 8 ++++++++
2 files changed, 10 insertions(+)

--- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
+++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys

/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)

/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
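Review bot: the two new entries now place the `bus` socket (`-s`) directly under `/run/user/%{USERID}` and `dbus-1(/.*)?` beside it, which matches the `ls -alZ $XDG_RUNTIME_DIR` listing from the v3 review, but file contexts only take effect on a relabel (setfiles/restorecon); at runtime these objects get their label from the `userdom_user_runtime_filetrans` rule in the dbus.te part of this patch, so the object classes here (`-s` for the socket, dir plus contents for `dbus-1`) and the `{ dir file sock_file }` list there need to stay in sync. A short comment in dbus.fc noting that `bus` is the session bus socket and is not inside `dbus-1` would stop the v3 mistake from being reintroduced.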

--- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te 2017-05-25 13:17:23.354402519 +0200
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")

+type session_dbusd_runtime_t;
+files_pid_file(session_dbusd_runtime_t)
+
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')
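Review bot: declaring `session_dbusd_runtime_t` with only `files_pid_file()` leaves the objection raised earlier in this thread unanswered: logind has to purge `$XDG_RUNTIME_DIR` at session end, and a type that is a pid file but not a user tmp/runtime file can only be removed by domains allowed to delete every pid file, which was called too coarse. Suggest either also calling `userdom_user_tmp_file(session_dbusd_runtime_t)`, as discussed for v3, or adding a dedicated interface in dbus.if so the login manager can delete these objects without a blanket pid-file rule. A comment above the `type` line saying which objects it labels (the `bus` socket and the `dbus-1` dir) would help, and the commit message should name the suggested amendment that v5 reverts and why it was misleading.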
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })

+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
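Review bot: `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` is an unnamed transition, so every dir, file or socket that any `session_bus_type` domain creates directly in the user runtime dir becomes `session_dbusd_runtime_t`, not just `bus` and `dbus-1`. Both names are fixed (they are the two dbus.fc entries in this patch), so two named transitions, one for the `bus` socket and one for the `dbus-1` dir, would be tighter if the interface accepts the optional name argument; otherwise a comment should state that the broad transition is intentional. Nothing in this hunk grants user domains write access to the `session_dbusd_runtime_t` socket either, so it is worth stating in the commit message whether an existing dbus client interface is expected to cover connecting to the session bus.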


2017-05-26 00:56:56

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v5] dbus: let session bus daemon manage user runtime dirs

On 05/25/2017 07:23 AM, Guido Trentalancia via refpolicy wrote:
> Let the session dbus process manage user runtime directories (with
> its own file type).
>
> This is the fifth version (v5) of the patch, thanks to Dominick
> Grift for revising the previous versions and suggesting improvements,
> although unfortunately this new version needs to revert one of the
> suggested amendments because it was misleading.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.fc | 2 ++
> policy/modules/contrib/dbus.te | 8 ++++++++
> 2 files changed, 10 insertions(+)
>
> --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
> +++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200
> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys
>
> /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
>
> /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/dbus.te 2017-05-25 13:17:23.354402519 +0200
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> files_pid_file(system_dbusd_var_run_t)
> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>
> +type session_dbusd_runtime_t;
> +files_pid_file(session_dbusd_runtime_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
> ')
> @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
> manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
> files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
>
> +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
> +
> kernel_read_system_state(session_bus_type)
> kernel_read_kernel_sysctls(session_bus_type)

Merged.

--
Chris PeBenito