From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 12 Apr 2016 13:57:52 -0400
Subject: [refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user
In-Reply-To: <20160412170235.GA13053@meriadoc.perfinion.com>
References: <20160411171107.GA1532@meriadoc.perfinion.com> <570D0995.5010500@tresys.com> <20160412170235.GA13053@meriadoc.perfinion.com>
Message-ID: <570D3720.8070301@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 4/12/2016 1:02 PM, Jason Zaman wrote:
> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
>>> Hi all,
>>>
>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
>>> am now trying to fix refpol to work with it.
>>>
>>> What labels do we want for things in /run/user?
>>> Currently refpol has the following which seems pretty weird:
>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>> It was originally added from fedora but fedora has since dropped that.
>>>
>>> fedora now has:
>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
>>>
>>> The problem with that fcontext is that users have write perms towards
>>> user_tmp_t so they would be able to do other things in /run/user/
>>> instead of only within /run/user/%{USERID}/.
>>>
>>> I think we should have some kind of _root_t and _home_t like how things
>>> are for /home and /home/USERNAME
>>
>> This makes sense.
>
> so this?
> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
>
> Once the patches get merged into the userspace tools I will start
> preparing patches for this.
> [...]
>> Which group (if any) specified how /run/user/UID should be used? XDG?
>
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> I think systemd started it, but ConsoleKit2 supports it too and it is
> officially a freedesktop/XDG spec.
I think it makes more sense for these not to be XDG-named types, since XDG isn't the only one that uses it. Perhaps something like user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and user_tmp_t (I'm open to other suggestions).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
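To show what the root/per-user split discussed in this thread would do to labels under /run/user, here is an added example (not code from refpolicy, genhomedircon or libselinux): it expands a template carrying the %{USERID} and %{USERNAME} placeholders once per constructed user, applies the /run to /var/run path substitution that refpolicy's file_contexts.subs_dist provides, and resolves paths with libselinux's last-match rule. The type names user_runtime_root_t and user_runtime_t follow the suggestion above and are assumptions, as is the %{SEUSER} placeholder used to put the user's SELinux user into the context.

```python
import re

# Constructed template in the shape of a file_contexts fragment:
# (path regex, context). Placeholders and type names are assumptions
# for this example, not refpolicy's actual policy.
TEMPLATE = [
    ("/var/run/user", "system_u:object_r:user_runtime_root_t:s0"),
    ("/var/run/user/%{USERID}(/.*)?", "%{SEUSER}:object_r:user_runtime_t:s0"),
]

# Constructed users: (login name, uid, SELinux user), the data
# genhomedircon would take from passwd and seusers.
USERS = [("alice", 1000, "staff_u"), ("bob", 1001, "user_u")]

# Path prefix substitutions, mirroring file_contexts.subs_dist.
SUBS = [("/run", "/var/run")]


def expand(template, users):
    """Emit one concrete spec per user for lines with placeholders;
    lines without placeholders are copied through unchanged."""
    specs = []
    for regex, ctx in template:
        if "%{" not in regex and "%{" not in ctx:
            specs.append((regex, ctx))
            continue
        for name, uid, seuser in users:
            specs.append((
                regex.replace("%{USERID}", str(uid)).replace("%{USERNAME}", name),
                ctx.replace("%{SEUSER}", seuser),
            ))
    return specs


def label(specs, path):
    """Return the context for path, or None if no spec matches.
    libselinux applies subs_dist first, then the last matching spec wins,
    which is why the per-user lines must follow the /var/run/user line."""
    for src, dst in SUBS:
        if path == src or path.startswith(src + "/"):
            path = dst + path[len(src):]
            break
    for regex, ctx in reversed(specs):
        if re.fullmatch(regex, path):
            return ctx
    return None


if __name__ == "__main__":
    specs = expand(TEMPLATE, USERS)
    for p in ("/run/user", "/run/user/1000", "/run/user/1000/bus", "/run/user/9999"):
        print(p, "->", label(specs, p))
```

A path such as /run/user/9999 resolves to None here because no user with that uid was in the list, which is the case the genhomedircon expansion has to cover by regenerating file_contexts.homedirs when users are added.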