From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 30 Jun 2014 15:30:25 -0400
Subject: [refpolicy] [PATCH] File Context for tumbler
In-Reply-To:
References: <1403549214-26532-1-git-send-email-jason@perfinion.com> <1403549214-26532-2-git-send-email-jason@perfinion.com> <53AADDC4.6010703@tresys.com>
Message-ID: <53B1BAD1.1050709@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 6/28/2014 5:32 PM, Jason Zaman wrote:
> On Wed, Jun 25, 2014 at 6:33 PM, Christopher J. PeBenito
> wrote:
>> On 6/23/2014 2:46 PM, Jason Zaman wrote:
>>> Tumbler is a D-Bus service for applications to request thumbnails
>>
>> Perhaps I'm misunderstanding, but if this is a service, why aren't you
>> creating a domain for this? Running a service in dbus's domain
>> typically isn't the best choice.
>
> It's not really a service, I just took that description from the xfce site.
> It's basically a helper utility that thunar (xfce's file manager) runs when
> it needs a thumbnail to display.
>
> It's run by staff_dbus_t (or user_dbus_t etc.) so it gets transitioned back
> into staff_t to run the tumbler service. Running in the user's domain seems
> okay to me since there isn't a specific xfce domain it should be running in.
> It isn't actually running in the dbus domain.

Ok, I see where my confusion is. It is a DBus service, but it's for the user's session, not a system service.

Merged.

>>> Signed-off-by: Jason Zaman
>>> ---
>>> policy/modules/kernel/corecommands.fc | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
>>> index 5961142..6a86cda 100644
>>> --- a/policy/modules/kernel/corecommands.fc
>>> +++ b/policy/modules/kernel/corecommands.fc
>>> @@ -244,6 +244,7 @@ ifdef(`distro_gentoo',` >>> /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0) >>> /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0) >>> /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0) >>> +/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) >>> >>> /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
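Review bot: The new `/usr/lib/tumbler-1/tumblerd` entry lands inside the `ifdef(`distro_gentoo',` block shown in the hunk header, yet nothing about that path is Gentoo-specific, and it is appended after the `/usr/lib/xfce4/...` lines rather than sorted with them (t before x), so the placement should either be justified or the line moved to the generic section in alphabetical order; if other xfce4 helpers in this file already use a `lib(64)?` pattern, match that here too. The commit message also says only "Tumbler is a D-Bus service", which is exactly what prompted the domain question in this thread; it should state that tumblerd is a user-session helper executed from staff_dbus_t/user_dbus_t that transitions back into the user's domain, which is the reason a plain bin_t label and no dedicated domain are the right choice.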