From: dac.override@gmail.com (Dominick Grift) Date: Sat, 28 May 2016 12:30:45 +0200 Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user In-Reply-To: <20160528102940.GA25312@meriadoc> References: <1464381326-24198-1-git-send-email-jason@perfinion.com> <1464381326-24198-2-git-send-email-jason@perfinion.com> <857541c6-16ab-f5b8-e41f-2ba28d734f06@gmail.com> <20160528102940.GA25312@meriadoc> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 05/28/2016 12:29 PM, Jason Zaman wrote: > On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote: >> On 05/27/2016 10:35 PM, Jason Zaman wrote: >>> These are the types for /run/user, analogous to /home's >>> home_root_t and home_dir_t. --- >>> policy/modules/system/userdomain.fc | 5 +++++ >>> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++ >>> 2 files changed, 25 insertions(+) >>> >>> diff --git a/policy/modules/system/userdomain.fc >>> b/policy/modules/system/userdomain.fc index db75976..634d29d >>> 100644 --- a/policy/modules/system/userdomain.fc +++ >>> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR >>> -d >>> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) >>> HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) >>> >>> /tmp/gconfd-USER -d >>> gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user >>> -d gen_context(system_u:object_r:user_runtime_root_t,s0) >>> +/var/run/user/[^/]+ -d >>> gen_context(system_u:object_r:user_runtime_dir_t,s0) >> >> The above is probably a bad idea. because only /run/user/$UID >> should be considered user_runtime_dir_t dirs. Plus there will >> unlikely be anything but /run/user/$UID. > > I would normally agree. The reason I added this was because the > %{USERID} part depends on the genhomedircon stuff I added recently > which most people do not have yet. Adding this for now should > bridge the gap. The genhomedircon fallback for USERID is [0-9]+ so > these two fcontexts will not conflict either. Good point. > > -- Jason >> >>> +/var/run/user/%{USERID} -d >>> gen_context(system_u:object_r:user_runtime_dir_t,s0) >>> +/var/run/user/%{USERID}/.+ <> diff --git >>> a/policy/modules/system/userdomain.te >>> b/policy/modules/system/userdomain.te index 2a36851..c613553 >>> 100644 --- a/policy/modules/system/userdomain.te +++ >>> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@ >>> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t >>> alias { staff_tty_device_t sysadm_tty_device_t >>> secadm_tty_device_t auditadm_tty_device_t >>> unconfined_tty_device_t }; dev_node(user_tty_device_t) >>> ubac_constrained(user_tty_device_t) + +type >>> user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t) >>> +files_type(user_runtime_root_t) >>> +files_mountpoint(user_runtime_root_t) >>> +files_associate_tmp(user_runtime_root_t) >>> +files_poly(user_runtime_root_t) >>> +files_poly_member(user_runtime_root_t) >>> +files_poly_parent(user_runtime_root_t) >>> +ubac_constrained(user_runtime_root_t) + +type >>> user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t) >>> +files_type(user_runtime_dir_t) >>> +files_mountpoint(user_runtime_dir_t) >>> +files_associate_tmp(user_runtime_dir_t) >>> +files_poly(user_runtime_dir_t) >>> +files_poly_member(user_runtime_dir_t) >>> +files_poly_parent(user_runtime_dir_t) >>> +ubac_constrained(user_runtime_dir_t) >>> >> >> >> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D >> 2C7B 6B02 >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B0 2 >> >> Dominick Grift >> _______________________________________________ refpolicy mailing >> list refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCAAGBQJXSXNQAAoJECV0jlU3+UdpRb4MAKDzU4OXLmVjBBjOoayAUJu2 69RFeo3x7WSMiULp3w+XdJYUaK0LMWn6fOVpgdDtKvEHeFRtVIA8VL8ZtiNIpmOK RdHLW+bfQQQJPe+rZkBXvGoRu3ypmUwr9PJ1Zc4xNuW5qaTfFJQhQFEjGbJB0UMA FMG/KbzDP0vbfgmbuc4x4dL8Sz0K9daN4F0bEeqawkwcrir9xZvUX66/Fol7M42S 7MD+U8hHdR0CM91sFnE3GvPUmV7/T5aWYairnKogw5o8XjZebE9/PzvksxjVgv+G raczWJcPN716iXvoXH5pUAOyS6lwFeRSMAApfHlm9/ixixql7iZ05ZTDVuZ9uYhP nHMk694HGo6Q6QWt5e7c0cDEDO3FjAz9IYfmb9f44/v4MZ9IBONgVsO1CS8s8yHX oB51sbhtTkFB3DDGOAXdMkHzrKECEHXkZvMJStZadFvItcJdSCjdsJc0Y4G9H1Jz aYX4KxjKhh+I8Jm8GXEMF4ckeNIpF0fD1u3LM9acVA== =O58K -----END PGP SIGNATURE-----