From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 9 Oct 2012 10:02:25 -0400
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module
In-Reply-To: <1349790756.30521.17.camel@d30.localdomain>
References: <1349277155-3545-1-git-send-email-dominick.grift@gmail.com> <1349348491.22995.43.camel@d30.localdomain> <506DA2E4.1080004@redhat.com> <1349364272.22995.49.camel@d30.localdomain> <50742A52.4090806@tresys.com> <1349790756.30521.17.camel@d30.localdomain>
Message-ID: <50742E71.1010601@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/09/12 09:52, Dominick Grift wrote:
>
>
> On Tue, 2012-10-09 at 09:44 -0400, Christopher J. PeBenito wrote:
>> On 10/04/12 11:24, Dominick Grift wrote:
>>>
>>>
>>> On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:
>>>
>>>> That is fine, and something we can try out in Fedora 19.
>>>
>>> I think we should extend the userdomain policy module to reflect
>>> the freedesktop changes
>>>
>>> That means deal appropriately with /run/user/UID, $HOME/.cache
>>> $HOME/.config and $HOME/.local/share in the userdomain policy module
>>
>> My understanding is that freedesktop is oriented towards X desktops, so it would seem that enhancing xserver_role() would be more appropriate.
>>
>
> More (or less) specifically "free desktops"
>
> The problem is that for example the XDG runtime dir, is always created,
> whether you have xserver installed or not.
>
> So then you will depend on the xserver policy for proper labeling
>
> That is assuming that we implement a user_runtime_t. Which is another
> thing we need to consider:
>
> What to label /run/user and /run/user/UID? ( fedora has /run/user(/.*)?
> user_tmp_t )

user_tmp_t, as I said in my other email in this thread.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
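As an added illustration of what the Fedora `/run/user(/.*)? user_tmp_t` entry discussed above actually claims (example code written for this page, not refpolicy's or any poster's own): a small Python emulation of file_contexts(5) lookup, whole-path regex match with the last matching entry winning, run over a constructed spec list and a few sample paths. The `var_run_t` and `user_home_t` entries are constructed stand-ins, not taken from the thread.

```python
import re

# Constructed file_contexts-style entries for illustration only.
# The /run/user line is the Fedora labeling quoted in the thread; the
# other two are stand-ins so that "no match" versus "broader match" can be seen.
CONSTRUCTED_SPECS = """\
# path regex                  security context
/run(/.*)?                    system_u:object_r:var_run_t:s0
/run/user(/.*)?               system_u:object_r:user_tmp_t:s0
/home/[^/]+/\\..+              system_u:object_r:user_home_t:s0
"""


def parse_specs(text):
    """Return [(compiled regex, context)] in file order, skipping comments.

    An optional file-type field (-d, -s, ...) may sit between the regex and
    the context; it is ignored here since every sample path is a plain lookup.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs


def lookup(specs, path):
    """Emulate file_contexts matching: the regex must match the whole path,
    and when several entries match, the last one in file order wins."""
    label = None
    for regex, context in specs:
        if regex.fullmatch(path):
            label = context
    return label


def label_type(specs, path):
    """Return just the type field (e.g. user_tmp_t) or None if unlabeled."""
    ctx = lookup(specs, path)
    return None if ctx is None else ctx.split(":")[2]


if __name__ == "__main__":
    specs = parse_specs(CONSTRUCTED_SPECS)
    for p in ("/run/user", "/run/user/1000", "/run/user/1000/bus",
              "/run/udev", "/home/alice/.cache/x", "/home/alice/Documents"):
        print(f"{p:28} -> {label_type(specs, p)}")
```

Every path at or below /run/user/UID resolves to user_tmp_t, while a path with no matching entry returns None, which is the gap the thread is discussing for the XDG directories under $HOME.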