From: dominick.grift@gmail.com (Dominick Grift) Date: Sat, 9 Nov 2013 10:39:58 +0100 Subject: [refpolicy] [RFC] Changes with regard to XDG base dir spec: Message-ID: <1383989998-2504-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html usr_t is now a xdg_data_dirs type: If $XDG_DATA_DIRS is either not set or empty, a value equal to /usr/local/share/:/usr/share/ should be used. user_tmp_t is now a xdg_runtime_dirs type: If $XDG_RUNTIME_DIR is not set applications should fall back to a replacement directory with similar capabilities and print a warning message. Applications should use this directory for communication and synchronization purposes and should not place larger files in it, since it might reside in runtime memory and cannot necessarily be swapped out to disk. We need to find a way to deal with /run/user/UID Signed-off-by: Dominick Grift --- policy/modules/kernel/files.te | 4 ++++ policy/modules/system/userdomain.te | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..a84739e 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -156,6 +156,10 @@ files_poly_parent(tmp_t) type usr_t; files_mountpoint(usr_t) +optional_policy(` + xdg_data_file(usr_t) +') + # # var_t is the type of /var # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index d657ea7..0a9721e 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -89,6 +89,10 @@ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_cont files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) +optional_policy(` + xdg_runtime_file(user_tmp_t) +') + type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; files_tmpfs_file(user_tmpfs_t) userdom_user_home_content(user_tmpfs_t) -- 1.8.3.1