From: jason@perfinion.com (Jason Zaman)
Date: Wed, 13 Apr 2016 01:02:35 +0800
Subject: [refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user
In-Reply-To: <570D0995.5010500@tresys.com>
References: <20160411171107.GA1532@meriadoc.perfinion.com> <570D0995.5010500@tresys.com>
Message-ID: <20160412170235.GA13053@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
> On 4/11/2016 1:11 PM, Jason Zaman wrote:
> > Hi all,
> >
> > I submitted patches to add USERID and USERNAME to genhomedircon[1] and
> > am now trying to fix refpol to work with it.
> >
> > What labels do we want for things in /run/user?
> > Currently refpol has the following, which seems pretty weird:
> > /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> > It was originally added from Fedora, but Fedora has since dropped that.
> >
> > Fedora now has:
> > /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
> >
> > The problem with that fcontext is that users have write perms towards
> > user_tmp_t, so they would be able to do other things in /run/user/
> > instead of only within /run/user/%{USERID}/.
> >
> > I think we should have some kind of _root_t and _home_t like how things
> > are for /home and /home/USERNAME.
>
> This makes sense.

So this?
/var/run/user system_u:object_r:xdg_runtime_root_t:s0
/var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0

Once the patches get merged into the userspace tools I will start
preparing patches for this.

> > In Gentoo we have an xdg module which adds xdg_runtime_home_t, which we
> > have for the user's dir. I was thinking to add an xdg_runtime_dir_t or
> > _root_t. Then things would get search perms towards that root dir and
> > get normal write perms within the actual runtime dir. Only
> > logind/consolekit would need to manage xdg_runtime_dir_t.
> >
> > If we send (parts of?) the xdg module upstream from Gentoo, would it be
> > accepted? And if not, I want to at least fix the label for /run/user/
> > (xdg_runtime_dir_t or whatever is decided) in refpol, and then I can
> > carry the xdg_runtime_home_t part in Gentoo only.
>
> Which group (if any) specified how /run/user/UID should be used? XDG?

https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

I think systemd started it, but ConsoleKit2 supports it too, and it is
officially a freedesktop/XDG spec.

-- 
Jason
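An added illustration of the _root_t/_home_t split discussed in the thread (this is example policy, not code from the thread, from Gentoo's xdg module or from refpolicy): a refpolicy-style module in which user domains may only search the top-level /run/user while fully managing their own runtime directory, and only the session manager creates and removes the per-user subdirectories. The interface names xdg_manage_runtime_home and xdg_manage_runtime_root are assumptions, and the %{USERID} file context relies on the genhomedircon USERID support the thread mentions.

```selinux
# xdg.fc -- file contexts (the %{USERID} line assumes genhomedircon USERID support)
/var/run/user			-d	gen_context(system_u:object_r:xdg_runtime_root_t,s0)
/var/run/user/%{USERID}(/.*)?		gen_context(system_u:object_r:xdg_runtime_home_t,s0)

# xdg.te -- type declarations
policy_module(xdg, 1.0.0)

# Top-level /run/user: only the session manager creates or removes entries
# here, so no user domain is ever granted write access to this type.
type xdg_runtime_root_t;
files_pid_file(xdg_runtime_root_t)

# Per-user /run/user/UID: the owning user's domains manage this freely.
type xdg_runtime_home_t;
files_pid_file(xdg_runtime_home_t)

# xdg.if -- interfaces (names are hypothetical)

# Grant a user domain its runtime dir: search on the root, manage within.
interface(`xdg_manage_runtime_home',`
	gen_require(`
		type xdg_runtime_root_t, xdg_runtime_home_t;
	')

	allow $1 xdg_runtime_root_t:dir search_dir_perms;
	manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
	manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
	manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
')

# Grant the session manager (logind/consolekit) the right to create and
# remove per-user dirs under the root; dirs it creates there are labelled
# xdg_runtime_home_t automatically via the type transition.
interface(`xdg_manage_runtime_root',`
	gen_require(`
		type xdg_runtime_root_t, xdg_runtime_home_t;
	')

	manage_dirs_pattern($1, xdg_runtime_root_t, xdg_runtime_root_t)
	manage_dirs_pattern($1, xdg_runtime_root_t, xdg_runtime_home_t)
	filetrans_pattern($1, xdg_runtime_root_t, xdg_runtime_home_t, dir)
')
```

A user domain's module would call xdg_manage_runtime_home() on its domain and the session manager's module xdg_manage_runtime_root() on its domain; a user domain so labelled can then traverse /run/user but not create, rename or remove entries directly inside it.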