From: jason@perfinion.com (Jason Zaman)
Date: Fri, 27 May 2016 23:19:49 +0800
Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user
In-Reply-To: 
References: <1464330186-19174-1-git-send-email-jason@perfinion.com> <1464330186-19174-3-git-send-email-jason@perfinion.com>
Message-ID: <20160527151949.GA6787@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, May 27, 2016 at 10:23:41AM -0400, Christopher J. PeBenito wrote:
> On 5/27/2016 2:23 AM, Jason Zaman wrote:
> > ---
> > policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
> > 1 file changed, 48 insertions(+), 12 deletions(-)
> >
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index d604147..54c63b0 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
> > #
> > interface(`userdom_exec_user_tmp_files',`
> > gen_require(`
> > - type user_tmp_t;
> > + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> > ')
> >
> > exec_files_pattern($1, user_tmp_t, user_tmp_t)
> > files_search_tmp($1)
> > + allow $1 user_runtime_dir_t:dir search_dir_perms;
> > + allow $1 user_runtime_root_t:dir search_dir_perms;
> > + files_search_pids($1)
> > ')
>
> Since this repeats a bunch below, why not add a
> userdom_search_user_runtime() which allows the search on the two dir types?

Yeah, I thought of that, I'll re-send this patch. I originally thought this
way was preferred since a ton of other policies do it explicitly.

-- 
Jason
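Review bot: the three lines added to userdom_exec_user_tmp_files (the two direct `allow $1 ...:dir search_dir_perms;` rules on user_runtime_dir_t and user_runtime_root_t plus `files_search_pids($1)`) are the full directory search path down to the per-user runtime dir, and every other user_tmp interface that touches content under /run/user will need exactly the same three; collecting them in one userdom_search_user_runtime() interface, as suggested in the review, also removes the need for each caller to gen_require the two runtime dir types itself, and a one-line comment there saying that user_tmp_t content is also found under /run/user would record why the extra search permissions are part of the user_tmp interfaces at all.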