From: jason@perfinion.com (Jason Zaman)
Date: Sun, 29 Jun 2014 01:32:46 +0400
Subject: [refpolicy] [PATCH] File Context for tumbler
In-Reply-To: <53AADDC4.6010703@tresys.com>
References: <1403549214-26532-1-git-send-email-jason@perfinion.com> <1403549214-26532-2-git-send-email-jason@perfinion.com> <53AADDC4.6010703@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Jun 25, 2014 at 6:33 PM, Christopher J. PeBenito wrote:
> On 6/23/2014 2:46 PM, Jason Zaman wrote:
>> Tumbler is a D-Bus service for applications to request thumbnails
>
> Perhaps I'm misunderstanding, but if this is a service, why aren't you
> creating a domain for this? Running a service in dbus's domain
> typically isn't the best choice.

It's not really a service, I just took that description from the xfce site. It's basically a helper utility that thunar (xfce's file manager) runs when it needs a thumbnail to display. It's run by staff_dbus_t (or user_dbus_t etc.) so it gets transitioned back into staff_t to run the tumbler service. Running in the user's domain seems okay to me since there isn't a specific xfce domain it should be running in. It isn't actually running in the dbus domain.

$ ps auxZ | grep tumbl
staff_u:staff_r:staff_t jason 27822 1.3 0.2 529784 21860 ? SNl 00:43 0:00 /usr/lib64/tumbler-1/tumblerd

From what I can see, gnome's file manager does not have its own domain either so it would just end up running in staff_t or user_t same as this.

>
>> Signed-off-by: Jason Zaman
>> ---
>> policy/modules/kernel/corecommands.fc | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc >> index 5961142..6a86cda 100644 >> --- a/policy/modules/kernel/corecommands.fc >> +++ b/policy/modules/kernel/corecommands.fc
>> @@ -244,6 +244,7 @@ ifdef(`distro_gentoo',` >> /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0) >> +/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) >> >> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0) >> >> > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com
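Review bot: The added entry labels /usr/lib/tumbler-1/tumblerd, but the ps output in this reply shows the binary actually running from /usr/lib64/tumbler-1/tumblerd; unless a lib64 -> lib path substitution is in effect on that build, this line will not match the installed file, so please confirm with `matchpathcon /usr/lib64/tumbler-1/tumblerd` that it resolves to bin_t before this is merged. Two smaller points on the same hunk: the neighbouring /usr/lib/xfce4/... entries are in alphabetical order and tumbler-1 sorts before xfce4, so the new line belongs above `/usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)` rather than after helper-dialog; and the hunk header shows this sits inside the ifdef(`distro_gentoo' block like its neighbours, so if tumblerd is installed at this path on other distributions as well, say so in the commit message or move the entry to the general section.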
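The discussion above turns on whether the one-line fc entry actually labels the file the reply shows running from /usr/lib64. As an added illustration (my own code, not refpolicy's, libselinux's or the patch author's), the Python below emulates how matchpathcon(1) resolves such an entry: the queried path is first rewritten through the file_contexts.subs_dist substitutions, then matched against the fc regexes, which are anchored at both ends, with the last matching entry winning; a `--` flag restricts an entry to regular files, and gen_context() keeps the s0 level only on MLS/MCS builds. The fc lines are the ones visible in the hunk; the leading catch-all entry and the SUBS_DIST table are constructed assumptions (the latter modelled on what refpolicy ships, not copied from the page), and Python's re is used in place of the PCRE engine libselinux links against.

```python
import re

# Constructed excerpt of policy/modules/kernel/corecommands.fc as it reads
# after the patch: the lines visible in the hunk, plus one constructed
# catch-all (NOT in the real file) placed first so a miss is visible.
# Order is general-to-specific, which refpolicy's fc_sort step produces at
# build time; lookup() scans from the end, as libselinux does.
FC_EXCERPT = """\
/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0)
"""

# ASSUMPTION: path substitutions modelled on refpolicy's
# config/file_contexts.subs_dist (multilib and /lib paths fold onto /usr/lib).
# First matching prefix wins.
SUBS_DIST = [
    ("/usr/lib64", "/usr/lib"),
    ("/lib64", "/usr/lib"),
    ("/lib", "/usr/lib"),
]

# fc line: regex, optional object-class flag (-- regular file, -d directory,
# -l symlink, -c/-b char/block device, -s socket, -p pipe), gen_context(ctx,level)
ENTRY_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dlcbsp])\s+)?"
    r"gen_context\((?P<ctx>[^,]+),(?P<level>[^)]+)\)$"
)


def apply_subs(path, subs=SUBS_DIST):
    """Rewrite PATH the way libselinux applies file_contexts.subs(_dist):
    a prefix is replaced only at a path-component boundary, so /lib64/x
    is rewritten while /libfoo/x is left alone."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def parse_fc(text):
    """Parse fc lines into (compiled regex, class flag or None, context, level)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unparseable fc line: " + line)
        # libselinux anchors every spec with ^ and $; fullmatch() below does the same.
        specs.append((re.compile(m["regex"]), m["ftype"], m["ctx"], m["level"]))
    return specs


def lookup(path, ftype, specs, mls=True):
    """Return the label matchpathcon would give PATH (an object of class
    FTYPE, e.g. '--' for a regular file), or None when nothing matches.
    Substitutions are applied first, then the LAST matching spec wins; a
    spec with no class flag matches any class. gen_context() keeps the
    level only on MLS/MCS policies."""
    canon = apply_subs(path)
    for regex, want, ctx, level in reversed(specs):
        if want is not None and want != ftype:
            continue
        if regex.fullmatch(canon):
            return ctx + ":" + level if mls else ctx
    return None


SPECS = parse_fc(FC_EXCERPT)

if __name__ == "__main__":
    for p, t in [("/usr/lib64/tumbler-1/tumblerd", "--"),   # path from the ps output
                 ("/usr/lib/tumbler-1/tumblerd", "--"),     # path in the fc entry
                 ("/usr/lib/tumbler-1", "-d"),              # directory: '--' entry skipped
                 ("/usr/bin/true", "--")]:                  # outside the excerpt
        print(p, t, "->", lookup(p, t, SPECS))
```

With the substitution table in place the lib64 path from the reply resolves to bin_t exactly as the /usr/lib one does; delete the `/usr/lib64` line from SUBS_DIST and the same query falls through to the constructed catch-all instead, which is the situation the reviewer check with matchpathcon is meant to rule out on a real build.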