From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 04 Oct 2012 10:53:24 -0400
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module
In-Reply-To: <1349348491.22995.43.camel@d30.localdomain>
References: <1349277155-3545-1-git-send-email-dominick.grift@gmail.com> <1349348491.22995.43.camel@d30.localdomain>
Message-ID: <506DA2E4.1080004@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/2012 07:01 AM, Dominick Grift wrote:
> On Wed, 2012-10-03 at 20:16 +0200, Sven Vermeulen wrote:
>
>> In the XDG policy we use in Gentoo, we have xdg_cache_home_t,
>> xdg_config_home_t, xdg_data_home_t and xdg_runtime_home_t (for
>> /run/user/USER stuff). It also supports file transitions for applications
>> that make specific locations therein (like ~/.config/chromium,
>> ~/.config/epdfview, ...) as to isolate (confine) the applications more.
>
> The $XDG_RUNTIME_DIR is indeed something we need to discuss in my view
>
> Fedora currently labels /run/user type user_tmp_t
>
> This is probably the easiest solution but not the prettiest.
>
> The /run/user/UID directory has various content that used to go into either
> $TMP or $HOME
>
> It can be considered the pid dir for users.
>
> Problem with Fedora's solution, I think, is that she just added a file
> context spec for and did not take care of the type transition. Instead
> relying on systemd to use setfscreate or reset the file context to what is
> specified.
>
> In that light I do not really like that /run/user ( root owned ) as well as
> /run/user/UID (user owned) are labeled user_tmp_t.
>
> I think I would rather prefer something similar to how we deal with user
> home dirs.
>
> /home (home_root_t)
> /home/USER (user_home_dir_t)
>
> /run/user (home_root_t)
> /run/user/UID (user_home_dir_t)
>
> In the current gnome patch however I have totally neglected
> XDG_RUNTIME_DIR. Bear in mind that not every system has that variable set
> and that various programs and libraries fall back to either $TMP or
> $HOME(/\.cache)?

That is fine, and something we can try out in Fedora 19.