This patch labels HOME_DIR/\.config as gnome_home_t and then
allows policykit to read such kind of files.
diff -pruN refpolicy-git-02022011-test-apply/policy/modules/apps/gnome.fc refpolicy-git-02022011-test-apply2/policy/modules/apps/gnome.fc
--- refpolicy-git-02022011-test-apply/policy/modules/apps/gnome.fc 2011-01-08 19:07:21.179731404 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/apps/gnome.fc 2011-02-07 00:54:30.568909514 +0100
@@ -1,4 +1,4 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
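Review bot: the widened pattern `HOME_DIR/\.config(/.*)?` labels the whole per-user XDG_CONFIG_HOME tree as gnome_home_t, although that directory is shared by every XDG-aware application and not GNOME-specific, so non-GNOME programs would have to be given gnome_* interfaces to reach their own configuration; a desktop-neutral type with its own interfaces is the cleaner fit, and if gnome_home_t is kept the commit message should say why. It should also mention that this is a relabel of existing content (previously only `.config/gtk-*` matched), so deployed home directories need a restorecon before the new access in the policykit hunk does anything.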
diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te
--- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-01-08 19:07:21.281747514 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 00:55:34.133380018 +0100
@@ -69,6 +69,10 @@ miscfiles_read_localization(policykit_t)
userdom_read_all_users_state(policykit_t)
+optional_policy(`
+ gnome_read_config(policykit_t)
+')
+
########################################
#
# polkit_auth local policy
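Review bot: `gnome_read_config(policykit_t)` gives policykit_t read access to everything labeled gnome_home_t in every user's home, which after the gnome.fc change is the entire ~/.config tree, while the stated need is only the `.config/user-dirs.*` files; if a narrower type or file-context entry for those files is feasible, it would keep the policykit domain closer to least privilege. Wrapping the call in optional_policy() is right, since the gnome module may not be present, but the commit message should state what policykit actually reads there so the reviewer can judge the scope.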
On Wed, Feb 16, 2011 at 07:00:59AM +0100, Guido Trentalancia wrote:
> This patch labels HOME_DIR/\.config as gnome_home_t and then
> allows policykit to read such kind of files.
Afaik, this location is used by much more than gnome applications. I don't
have GNOME installed but it is still there for things like XFCE4, epdfview,
zathura etc.
The .config location seems to be part of the XDG Base Directory
Specification (I believe dgrift once referred me to this), independent of
GNOME.
Perhaps it is more wise to call it user_config_t or user_xdg_config_t (and
xdg_config_t for /etc/xdg etc.)? That way, the necessary privileges can be
offered in an XDG-specific set of interfaces for all applications adhering
to this specification (rather than using gnome_* interfaces even though they
are not GNOME related).
Wkr,
Sven Vermeulen
On 02/16/2011 03:51 PM, Sven Vermeulen wrote:
> On Wed, Feb 16, 2011 at 07:00:59AM +0100, Guido Trentalancia wrote:
>> This patch labels HOME_DIR/\.config as gnome_home_t and then
>> allows policykit to read such kind of files.
>
> Afaik, this location is used by much more than gnome applications. I don't
> have GNOME installed but it is still there for things like XFCE4, epdfview,
> zathura etc.
>
> The .config location seems to be part of the XDG Base Directory
> Specification (I believe dgrift once referred me to this), independent of
> GNOME.
>
> Perhaps it is more wise to call it user_config_t or user_xdg_config_t (and
> xdg_config_t for /etc/xdg etc.)? That way, the necessary privileges can be
> offered in an XDG-specific set of interfaces for all applications adhering
> to this specification (rather than using gnome_* interfaces even though they
> are not GNOME related).
>
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
In Fedora it is labeled config_home_t.
Hello Sven,
thanks for your comments.
Yes, in practice, anything other than generic user_home_t is fine.
So, for example, user_xdg_config_t could be used and perhaps the naming
is more appropriate (as formally it's XDG shared with Gnome), but there
is a lack of interfaces for that (i.e. the equivalent of
gnome_read_config()).
Feel free to provide an alternative patch in place of [5/34] that I
proposed.
The important thing is that .config is not labeled generically and that
policykit can read its content (I believe it only needs to
read .config/user-dirs.*)!
Regards,
Guido
On Wed, 16/02/2011 at 21.51 +0100, Sven Vermeulen wrote:
> On Wed, Feb 16, 2011 at 07:00:59AM +0100, Guido Trentalancia wrote:
> > This patch labels HOME_DIR/\.config as gnome_home_t and then
> > allows policykit to read such kind of files.
>
> Afaik, this location is used by much more than gnome applications. I don't
> have GNOME installed but it is still there for things like XFCE4, epdfview,
> zathura etc.
>
> The .config location seems to be part of the XDG Base Directory
> Specification (I believe dgrift once referred me to this), independent of
> GNOME.
>
> Perhaps it is more wise to call it user_config_t or user_xdg_config_t (and
> xdg_config_t for /etc/xdg etc.)? That way, the necessary privileges can be
> offered in an XDG-specific set of interfaces for all applications adhering
> to this specification (rather than using gnome_* interfaces even though they
> are not GNOME related).
>
> Wkr,
> Sven Vermeulen
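As an added illustration of the alternative discussed above (a desktop-neutral type for ~/.config with its own read interface, the "equivalent of gnome_read_config()" that Guido says is missing), here is a sketch of a minimal refpolicy module. This is not code from the thread or from refpolicy as it stood; the module name xdg, the type names user_xdg_config_t and xdg_config_t and the interface name xdg_read_config_home are assumptions chosen for illustration, and the pieces would live in separate xdg.fc, xdg.te and xdg.if files plus the policykit.te hunk.

```selinux
# xdg.fc (assumed file) -- label XDG_CONFIG_HOME and the system-wide
# /etc/xdg tree with desktop-neutral types instead of gnome_home_t.
HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:user_xdg_config_t,s0)
/etc/xdg(/.*)?		gen_context(system_u:object_r:xdg_config_t,s0)

# xdg.te (assumed file) -- declare the two types.
policy_module(xdg, 1.0.0)

# per-user configuration under $HOME/.config
type user_xdg_config_t;
userdom_user_home_content(user_xdg_config_t)

# system-wide defaults under /etc/xdg
type xdg_config_t;
files_config_file(xdg_config_t)

# xdg.if (assumed file) -- the interface an application domain calls to
# read its user's XDG configuration; counterpart of gnome_read_config().
interface(`xdg_read_config_home',`
	gen_require(`
		type user_xdg_config_t;
	')

	# traverse the user's home directory to reach .config
	userdom_search_user_home_dirs($1)
	# list .config and read regular files and symlinks below it
	allow $1 user_xdg_config_t:dir list_dir_perms;
	read_files_pattern($1, user_xdg_config_t, user_xdg_config_t)
	read_lnk_files_pattern($1, user_xdg_config_t, user_xdg_config_t)
')

# policykit.te -- what the second hunk of the patch would call instead
# of gnome_read_config(policykit_t) with this module in place.
optional_policy(`
	xdg_read_config_home(policykit_t)
')
```

Because this changes the file context of content that already exists in home directories, the labels only take effect after a restorecon over ~/.config (or a full relabel); until then policykit_t would still see the old type and the new interface grants nothing. The read interface deliberately covers all of user_xdg_config_t, as gnome_read_config() does; a domain that only needs the user-dirs.* files, as Guido suggests policykit does, would still be over-privileged unless those files are given a type of their own.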