2017-10-06 19:00:41

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files

Add permissions required to run Gnome (read user color management
files).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/dbus.te | 2 ++
1 file changed, 2 insertions(+)

--- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647 +0200
+++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259 +0200
@@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)

+userdom_read_user_home_content_files(system_dbusd_t)
+
ifdef(`init_systemd', `
# gdm3 causes system_dbusd_t to want this access
dev_rw_dri(system_dbusd_t)
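Review bot: the added `userdom_read_user_home_content_files(system_dbusd_t)` hands the system-wide bus daemon read access to every user's home content, which is much wider than the colour management files the commit message cites, and the line carries no comment saying what triggers the access. The neighbouring `dev_rw_dri(system_dbusd_t)` rule is annotated with `# gdm3 causes system_dbusd_t to want this access`; give this rule the same treatment (e.g. `# gnome colour management profiles under the user's home`) and, where a type narrower than generic user home content exists for the directory actually read, call that interface instead of the home-wide one. Also reconsider the `userdom_dontaudit_search_user_home_dirs(system_dbusd_t)` line directly above: silencing a search denial on home directories sits oddly next to a rule that now grants reading the files inside them.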


2017-10-09 17:56:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files

On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> Add permissions required to run Gnome (read user color management
> files).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> --- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647 +0200
> +++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259 +0200
> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>
> +userdom_read_user_home_content_files(system_dbusd_t)

Does this not fit in with any of the XDG types instead?


> ifdef(`init_systemd', `
> # gdm3 causes system_dbusd_t to want this access
> dev_rw_dri(system_dbusd_t)


--
Chris PeBenito

2017-10-09 19:03:48

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files



On the 9th of October 2017 19:56:00 CEST, Chris PeBenito <[email protected]> wrote:
>On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>> Add permissions required to run Gnome (read user color management
>> files).
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/dbus.te | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> --- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647
>+0200
>> +++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259
>+0200
>> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
>> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>>
>> +userdom_read_user_home_content_files(system_dbusd_t)
>
>Does this not fit in with any of the XDG types instead?

I don't know; it needs to read a file in the ~/.local/share subdirectory.

Is there a new specific interface for that?

>> ifdef(`init_systemd', `
>> # gdm3 causes system_dbusd_t to want this access
>> dev_rw_dri(system_dbusd_t)

Regards,

Guido

2017-10-10 23:52:20

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files

On 10/09/2017 03:03 PM, Guido Trentalancia via refpolicy wrote:
>
>
> On the 9th of October 2017 19:56:00 CEST, Chris PeBenito <[email protected]> wrote:
>> On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>>> Add permissions required to run Gnome (read user color management
>>> files).
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/dbus.te | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> --- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647
>> +0200
>>> +++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259
>> +0200
>>> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
>>> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>>> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>>>
>>> +userdom_read_user_home_content_files(system_dbusd_t)
>>
>> Does this not fit in with any of the XDG types instead?
>
> I don't know, it needs to read a file in the ~/.local/share subdirectory.
>
> Is there a new specific interface for that?

Never mind, it hasn't been merged yet.


--
Chris PeBenito

2017-10-11 00:15:10

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files

On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> Add permissions required to run Gnome (read user color management
> files).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/dbus.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> --- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647 +0200
> +++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259 +0200
> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>
> +userdom_read_user_home_content_files(system_dbusd_t)
> +
> ifdef(`init_systemd', `
> # gdm3 causes system_dbusd_t to want this access
> dev_rw_dri(system_dbusd_t)

Merged.

--
Chris PeBenito

2017-10-11 11:46:16

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files



On the 11th of October 2017 01:52:20 CEST, Chris PeBenito <[email protected]> wrote:
>On 10/09/2017 03:03 PM, Guido Trentalancia via refpolicy wrote:
>>
>>
>> On the 9th of October 2017 19:56:00 CEST, Chris PeBenito
><[email protected]> wrote:
>>> On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>>>> Add permissions required to run Gnome (read user color management
>>>> files).
>>>>
>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>> ---
>>>> policy/modules/contrib/dbus.te | 2 ++
>>>> 1 file changed, 2 insertions(+)
>>>>
>>>> --- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647
>>> +0200
>>>> +++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259
>>> +0200
>>>> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
>>>> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>>>> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>>>>
>>>> +userdom_read_user_home_content_files(system_dbusd_t)
>>>
>>> Does this not fit in with any of the XDG types instead?
>>
>> I don't know, it needs to read a file in the ~/.local/share
>subdirectory.
>>
>> Is there a new specific interface for that?
>
>Never mind, it hasn't been merged yet.

I use userdom_read_user_data(), which only allows reading the ~/.local subdirectory.

But you haven't merged that patch (user data confidentiality patch), so it's not available in the Reference Policy and you have to allow reading the whole user home directory...

Regards,

Guido
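The disagreement in this thread is about how wide a grant the denial actually needs: a home-wide interface, or one scoped to ~/.local/share. Before choosing, a policy writer normally collapses the raw AVC denials into the minimal set of (source domain, target type, class, permissions) they imply and looks at which target types are involved. The script below is an added example of that triage step and is not code from refpolicy or from either poster. The audit lines it parses are constructed for the example, the rule of thumb it encodes (a denial on the generic user_home_t / user_home_dir_t types can only be satisfied by a home-wide rule, while a denial on a dedicated type can be granted narrowly) is an assumption stated here, and the `xdg_data_home_t` label in the last sample line is a hypothetical narrower label for ~/.local/share, not a type this thread establishes.

```python
"""Triage SELinux AVC denials before widening a domain's home-directory access.

Added example, not refpolicy code.  Parses constructed audit.log records and
summarises, per source domain, which target types and permissions were denied,
then flags the entries whose target is the generic home type: those are the ones
that can only be satisfied by a home-wide interface and deserve review scrutiny.
"""
import re
from collections import defaultdict

# Constructed sample records for this example; not captured from a real system.
SAMPLE_LOG = [
    'type=AVC msg=audit(1507323894.123:201): avc:  denied  { read } for  pid=611 '
    'comm="dbus-daemon" name="edid-1a2b.icc" dev="sda2" ino=4211 '
    'scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1507323894.123:202): avc:  denied  { open } for  pid=611 '
    'comm="dbus-daemon" path="/home/alice/.local/share/icc/edid-1a2b.icc" '
    'dev="sda2" ino=4211 scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1507323895.001:203): avc:  denied  { search } for  pid=611 '
    'comm="dbus-daemon" name="alice" dev="sda2" ino=1300 '
    'scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0',
    # Hypothetical narrower label for ~/.local/share; the type name is invented here.
    'type=AVC msg=audit(1507323896.500:204): avc:  denied  { read } for  pid=611 '
    'comm="dbus-daemon" name="edid-1a2b.icc" dev="sda2" ino=4211 '
    'scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=unconfined_u:object_r:xdg_data_home_t:s0 tclass=file permissive=0',
    # A non-AVC record, to show that unrelated audit lines are skipped.
    'type=SYSCALL msg=audit(1507323894.123:201): arch=c000003e syscall=257 '
    'success=no exit=-13',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)'
    r'\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed rule of thumb for this example: denials on these generic types can only
# be fixed by a rule covering the whole home directory.
GENERIC_HOME_TYPES = {'user_home_t', 'user_home_dir_t'}


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict describing an AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'sdomain': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm'),
        # path= is only present on some records; fall back to the bare name=.
        'path': fields.get('path') or fields.get('name'),
    }


def summarise(lines):
    """Collapse denials into {(source domain, target type, class): set(perms)}."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d['sdomain'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(needed)


def broad_home_grants(needed):
    """Keys whose target is a generic home type: satisfying these means a
    home-wide rule, which is exactly what a reviewer should question."""
    return sorted(k for k in needed if k[1] in GENERIC_HOME_TYPES)


def as_allow_rules(needed):
    """Render the minimal raw allow rules the denials imply.  This is a
    starting point for picking an interface, not text to paste into a module."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]


if __name__ == '__main__':
    needed = summarise(SAMPLE_LOG)
    for rule in as_allow_rules(needed):
        print(rule)
    for key in broad_home_grants(needed):
        print('needs a home-wide grant:', key)
```

Run against a real `/var/log/audit/audit.log` the same way (`summarise(open(path))`); the records that land in `broad_home_grants()` are the ones where a relabelling of the directory in question, rather than a home-wide interface on the daemon, is worth considering first.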