From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 09 Oct 2012 15:52:36 +0200
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module
In-Reply-To: <50742A52.4090806@tresys.com>
References: <1349277155-3545-1-git-send-email-dominick.grift@gmail.com>
	<1349348491.22995.43.camel@d30.localdomain>
	<506DA2E4.1080004@redhat.com>
	<1349364272.22995.49.camel@d30.localdomain>
	<50742A52.4090806@tresys.com>
Message-ID: <1349790756.30521.17.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2012-10-09 at 09:44 -0400, Christopher J. PeBenito wrote:
> On 10/04/12 11:24, Dominick Grift wrote:
> >
> > On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:
> >
> >> That is fine, and something we can try out in Fedora 19.
> >
> > I think we should extend the userdomain policy module to reflect
> > the freedesktop changes
> >
> > That means deal appropriately with /run/user/UID, $HOME/.cache,
> > $HOME/.config and $HOME/.local/share in the userdomain policy module
>
> My understanding is that freedesktop is oriented towards X desktops, so it would seem that enhancing xserver_role() would be more appropriate.

More (or less) specifically "free desktops".

The problem is that, for example, the XDG runtime dir is always created, whether you have xserver installed or not. So then you would depend on the xserver policy for proper labeling.

That is assuming that we implement a user_runtime_t. Which is another thing we need to consider:

What to label /run/user and /run/user/UID? (Fedora has /run/user(/.*)? user_tmp_t)