From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 28 May 2016 12:20:26 +0200
Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user
In-Reply-To: <1464381326-24198-2-git-send-email-jason@perfinion.com>
References: <1464381326-24198-1-git-send-email-jason@perfinion.com> <1464381326-24198-2-git-send-email-jason@perfinion.com>
Message-ID: <857541c6-16ab-f5b8-e41f-2ba28d734f06@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/27/2016 10:35 PM, Jason Zaman wrote:
> These are the types for /run/user, analogous to /home's home_root_t > and home_dir_t. --- policy/modules/system/userdomain.fc | 5 +++++ > policy/modules/system/userdomain.te | 20 ++++++++++++++++++++ 2 > files changed, 25 insertions(+) > > diff --git a/policy/modules/system/userdomain.fc > b/policy/modules/system/userdomain.fc index db75976..634d29d > 100644 --- a/policy/modules/system/userdomain.fc +++ > b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR -d > gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) > HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) > > /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) + > +/var/run/user -d > gen_context(system_u:object_r:user_runtime_root_t,s0) > +/var/run/user/[^/]+ -d > gen_context(system_u:object_r:user_runtime_dir_t,s0)

The above is probably a bad idea, because only /run/user/$UID should be considered user_runtime_dir_t dirs. Plus there will unlikely be anything but /run/user/$UID.

> +/var/run/user/%{USERID} -d > gen_context(system_u:object_r:user_runtime_dir_t,s0) > +/var/run/user/%{USERID}/.+ <> diff --git > a/policy/modules/system/userdomain.te > b/policy/modules/system/userdomain.te index 2a36851..c613553 > 100644 --- a/policy/modules/system/userdomain.te +++ > b/policy/modules/system/userdomain.te
@@ -93,3 +93,23 @@ > userdom_user_home_content(user_tmpfs_t) type user_tty_device_t > alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t > auditadm_tty_device_t unconfined_tty_device_t }; > dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + > +type user_runtime_root_t; > +fs_associate_tmpfs(user_runtime_root_t) > +files_type(user_runtime_root_t) > +files_mountpoint(user_runtime_root_t) > +files_associate_tmp(user_runtime_root_t) > +files_poly(user_runtime_root_t) > +files_poly_member(user_runtime_root_t) > +files_poly_parent(user_runtime_root_t) > +ubac_constrained(user_runtime_root_t) + +type user_runtime_dir_t; > +fs_associate_tmpfs(user_runtime_dir_t) > +files_type(user_runtime_dir_t) > +files_mountpoint(user_runtime_dir_t) > +files_associate_tmp(user_runtime_dir_t) > +files_poly(user_runtime_dir_t) > +files_poly_member(user_runtime_dir_t) > +files_poly_parent(user_runtime_dir_t) > +ubac_constrained(user_runtime_dir_t) >

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
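
Review bot: In the userdomain.fc hunk, the `/var/run/user/[^/]+ -d` entry labels every directory directly under /var/run/user as user_runtime_dir_t, whatever its name, and it also covers everything the `/var/run/user/%{USERID} -d` entry two lines later matches, so for per-UID directories the two rules duplicate each other. If only per-UID directories are meant to get user_runtime_dir_t, drop the `[^/]+` line and keep the `%{USERID}` entries; if the wildcard is intentional, a comment saying which non-UID directories it is for would make that clear.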
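
Review bot: In the userdomain.te hunk, user_runtime_root_t and user_runtime_dir_t are declared with the same eight interface calls, although one labels the shared parent directory and the other a per-user directory, so some of these are probably not needed on both. In particular, please check whether user_runtime_root_t needs files_poly_member() and ubac_constrained(), given that the userdomain.fc hunk assigns it to the single /var/run/user directory shared by all users, and whether user_runtime_dir_t needs files_poly_parent(). Trimming each type to the attributes its role requires, or adding a short comment above each declaration saying why the full set is wanted, would make the intent reviewable.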