2014-06-23 18:46:53

by Jason Zaman

Subject: [refpolicy] [PATCH] File contexts for zram

zram is a compressed block device in RAM

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/kernel/storage.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 4dd865b..73599f3 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -59,6 +59,7 @@ ifdef(`distro_redhat', `
/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zram[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
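Review bot: the hunk header places this insertion in the region following `ifdef(`distro_redhat', `` in storage.fc and the matching `')` is not in the visible context; zram is an upstream kernel device rather than a Red Hat specific one, so confirm the new `/dev/zram[0-9]+` line lands outside that conditional. The label itself is consistent with the neighbouring `/dev/zd.*` block entry (`-b`, `fixed_disk_device_t`, `mls_systemhigh`), and because file_contexts regexes are anchored at both ends the pattern covers `/dev/zram0`, `/dev/zram15` and so on without spilling onto any longer name. The one-line commit message would benefit from saying why `fixed_disk_device_t` is the right type for this node, so the choice can be checked without reading the surrounding entries.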

--
1.8.5.5


2014-06-23 18:46:54

by Jason Zaman

Subject: [refpolicy] [PATCH] File Context for tumbler

Tumbler is a D-Bus service for applications to request thumbnails

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 5961142..6a86cda 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -244,6 +244,7 @@ ifdef(`distro_gentoo',`
/usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)

/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
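Review bot: the new entry labels `/usr/lib/tumbler-1/tumblerd`, but the process listing later in this thread shows the binary executing from `/usr/lib64/tumbler-1/tumblerd`; confirm that the lib64 path is reached by this pattern (through the distribution's lib64-to-lib file context path substitution, which the neighbouring `/usr/lib/xfce4/...` entries must rely on as well), otherwise the file keeps its default label and `bin_t` is never applied. The hunk header also places this insertion under `ifdef(`distro_gentoo',` with the closing `')` outside the visible context; tumbler is an Xfce component rather than a Gentoo specific one, so verify the line is outside that conditional. Finally, the commit message calls tumbler a "D-Bus service", which prompts the question in the reply below about a dedicated domain; stating that it is a per-session helper started from the user's session bus and meant to run in the user's domain would have answered that up front.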

--
1.8.5.5

2014-06-25 14:33:40

by cpebenito

Subject: [refpolicy] [PATCH] File Context for tumbler

On 6/23/2014 2:46 PM, Jason Zaman wrote:
> Tumbler is a D-Bus service for applications to request thumbnails

Perhaps I'm misunderstanding, but if this is a service, why aren't you
creating a domain for this? Running a service in dbus's domain
typically isn't the best choice.


> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 5961142..6a86cda 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -244,6 +244,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
>
> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
>
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-06-25 16:01:14

by cpebenito

Subject: [refpolicy] [PATCH] File contexts for zram

On 6/23/2014 2:46 PM, Jason Zaman wrote:
> zram is a compressed block device in RAM
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/kernel/storage.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 4dd865b..73599f3 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -59,6 +59,7 @@ ifdef(`distro_redhat', `
> /dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zram[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>
> /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-06-28 21:32:46

by Jason Zaman

Subject: [refpolicy] [PATCH] File Context for tumbler

On Wed, Jun 25, 2014 at 6:33 PM, Christopher J. PeBenito
<[email protected]> wrote:
> On 6/23/2014 2:46 PM, Jason Zaman wrote:
>> Tumbler is a D-Bus service for applications to request thumbnails
>
> Perhaps I'm misunderstanding, but if this is a service, why aren't you
> creating a domain for this? Running a service in dbus's domain
> typically isn't the best choice.

It's not really a service, I just took that description from the xfce site.
It's basically a helper utility that thunar (xfce's file manager) runs when
it needs a thumbnail to display.

It's run by staff_dbus_t (or user_dbus_t etc.) so it gets transitioned back
into staff_t to run the tumbler service. Running in the user's domain seems
okay to me since there isn't a specific xfce domain it should be running in.
It isn't actually running in the dbus domain.

$ ps auxZ | grep tumbl
staff_u:staff_r:staff_t jason 27822 1.3 0.2 529784 21860 ? SNl 00:43 0:00 /usr/lib64/tumbler-1/tumblerd

From what I can see, GNOME's file manager does not have its own domain
either, so it would just end up running in staff_t or user_t, same as this.


>
>> Signed-off-by: Jason Zaman <[email protected]>
>> ---
>> policy/modules/kernel/corecommands.fc | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
>> index 5961142..6a86cda 100644
>> --- a/policy/modules/kernel/corecommands.fc
>> +++ b/policy/modules/kernel/corecommands.fc
>> @@ -244,6 +244,7 @@ ifdef(`distro_gentoo',`
>> /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
>> /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
>> /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
>>
>> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
>>
>>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
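
The question of whether `/usr/lib/tumbler-1/tumblerd` in the patch reaches the `/usr/lib64/tumbler-1/tumblerd` binary shown in the `ps` output, and what `/dev/zram[0-9]+ -b` does and does not match, both come down to how file_contexts entries are matched. The following is an added example, not refpolicy or libselinux code: a small matcher that applies the rules those files rely on (the regex is implicitly anchored at both ends, the type flag restricts the inode type, and the last matching entry wins). The sample entries are copied from the two patches above; the `LIB64_SUBS` mapping is a constructed stand-in for a file_contexts.subs_dist rule and is an assumption, as is the use of Python's `re` in place of POSIX extended regexes, which is adequate for the patterns used here.

```python
"""Simplified SELinux file_contexts matcher (added example; not refpolicy or libselinux code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Type flags a file_contexts entry may carry. An entry without a flag matches any inode type.
KNOWN_FLAGS = ("--", "-b", "-c", "-d", "-l", "-p", "-s")
GEN_CONTEXT = re.compile(r"^gen_context\(([^,]+),([^)]+)\)$")


@dataclass(frozen=True)
class Spec:
    pattern: str                 # regex as written in the .fc file
    regex: "re.Pattern[str]"     # same regex, anchored the way libselinux anchors it
    flag: Optional[str]          # "-b", "-c", "--", ... or None for any inode type
    context: str                 # user:role:type
    mls: str                     # MLS/MCS part as written (s0, mls_systemhigh, ...)


def parse_fc(text: str) -> List[Spec]:
    """Parse '<regex> [<flag>] gen_context(<ctx>,<mls>)' lines; blank lines and comments are skipped."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, ctx = fields
            if flag not in KNOWN_FLAGS:
                raise ValueError(f"unknown type flag {flag!r} in {line!r}")
        elif len(fields) == 2:
            pattern, ctx = fields
            flag = None
        else:
            raise ValueError(f"cannot parse file_contexts line {line!r}")
        m = GEN_CONTEXT.match(ctx)
        if not m:
            raise ValueError(f"expected gen_context(...) in {line!r}")
        # libselinux anchors every file_contexts regex at both ends, so '/dev/zram[0-9]+'
        # matches '/dev/zram0' but not '/dev/zram0p1'.
        specs.append(Spec(pattern, re.compile(f"^(?:{pattern})$"), flag, m.group(1), m.group(2)))
    return specs


def apply_subs(path: str, subs: Sequence[Tuple[str, str]]) -> str:
    """Rewrite a leading path prefix the way a file_contexts.subs_dist mapping does.
    Only whole components are replaced: /usr/lib64/x -> /usr/lib/x, but /usr/lib64foo/x is untouched."""
    for src, dst in subs:
        src, dst = src.rstrip("/"), dst.rstrip("/")
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(specs: Sequence[Spec], path: str, flag: Optional[str] = None,
           subs: Sequence[Tuple[str, str]] = ()) -> Optional[str]:
    """Return 'user:role:type:mls' for the entry that labels path, or None if nothing matches.

    flag is the inode type of the path being labelled ("-b" block device, "-c" char device,
    "--" regular file, ...); None skips the type check. When several entries match, the
    last one wins, which is the precedence a specificity-sorted file_contexts file relies on.
    """
    path = apply_subs(path, subs)
    winner: Optional[Spec] = None
    for spec in specs:
        if not spec.regex.match(path):
            continue
        if spec.flag is not None and flag is not None and spec.flag != flag:
            continue
        winner = spec
    return None if winner is None else f"{winner.context}:{winner.mls}"


# Entries copied from the two patches in this thread (storage.fc and corecommands.fc).
SAMPLE_FC = """
/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/zram[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
"""
SPECS = parse_fc(SAMPLE_FC)
# Constructed lib64 -> lib mapping in the spirit of file_contexts.subs_dist (an assumption, not from the thread).
LIB64_SUBS: Tuple[Tuple[str, str], ...] = (("/usr/lib64", "/usr/lib"),)
FIXED_DISK = "system_u:object_r:fixed_disk_device_t:mls_systemhigh"
BIN = "system_u:object_r:bin_t:s0"

if __name__ == "__main__":
    for path, flag in [("/dev/zram0", "-b"), ("/dev/zram0p1", "-b"), ("/dev/zram0", "-c"),
                       ("/usr/lib/tumbler-1/tumblerd", "--"), ("/usr/lib64/tumbler-1/tumblerd", "--")]:
        print(f"{path:32} {flag}  plain={lookup(SPECS, path, flag)}"
              f"  lib64-subs={lookup(SPECS, path, flag, LIB64_SUBS)}")
```

Run as a script it prints, for each probe path, the label found with and without the lib64 substitution: `/dev/zram0` as a block device gets `fixed_disk_device_t`, `/dev/zram0p1` and a character-device `/dev/zram0` get nothing, and `/usr/lib64/tumbler-1/tumblerd` is only labelled `bin_t` once the lib64 prefix is mapped to `/usr/lib`, which is the check a reviewer would want before trusting the `ps auxZ` result above to generalise.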

2014-06-30 19:30:25

by cpebenito

Subject: [refpolicy] [PATCH] File Context for tumbler

On 6/28/2014 5:32 PM, Jason Zaman wrote:
> On Wed, Jun 25, 2014 at 6:33 PM, Christopher J. PeBenito
> <[email protected]> wrote:
>> On 6/23/2014 2:46 PM, Jason Zaman wrote:
>>> Tumbler is a D-Bus service for applications to request thumbnails
>>
>> Perhaps I'm misunderstanding, but if this is a service, why aren't you
>> creating a domain for this? Running a service in dbus's domain
>> typically isn't the best choice.
>
> It's not really a service, I just took that description from the xfce site.
> It's basically a helper utility that thunar (xfce's file manager) runs when
> it needs a thumbnail to display.
>
> It's run by staff_dbus_t (or user_dbus_t etc.) so it gets transitioned back
> into staff_t to run the tumbler service. Running in the user's domain seems
> okay to me since there isn't a specific xfce domain it should be running in.
> It isn't actually running in the dbus domain.

Ok, I see where my confusion is. It is a DBus service, but it's for the
user's session, not a system service.

Merged.


>>> Signed-off-by: Jason Zaman <[email protected]>
>>> ---
>>> policy/modules/kernel/corecommands.fc | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
>>> index 5961142..6a86cda 100644
>>> --- a/policy/modules/kernel/corecommands.fc
>>> +++ b/policy/modules/kernel/corecommands.fc
>>> @@ -244,6 +244,7 @@ ifdef(`distro_gentoo',`
>>> /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
>>> /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
>>> /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
>>> +/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
>>>
>>> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com