From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 28 May 2016 12:30:45 +0200
Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for
 /run/user
In-Reply-To: <20160528102940.GA25312@meriadoc>
References: <1464381326-24198-1-git-send-email-jason@perfinion.com>
	<1464381326-24198-2-git-send-email-jason@perfinion.com>
	<857541c6-16ab-f5b8-e41f-2ba28d734f06@gmail.com>
	<20160528102940.GA25312@meriadoc>
Message-ID: <f25adde8-5704-7560-de0f-497639b87fe2@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/28/2016 12:29 PM, Jason Zaman wrote:
> On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote:
>> On 05/27/2016 10:35 PM, Jason Zaman wrote:
>>> These are the types for /run/user, analogous to /home's
>>> home_root_t and home_dir_t. ---
>>> policy/modules/system/userdomain.fc |  5 +++++ 
>>> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
>>> 2 files changed, 25 insertions(+)
>>> 
>>> diff --git a/policy/modules/system/userdomain.fc 
>>> b/policy/modules/system/userdomain.fc index db75976..634d29d 
>>> 100644 --- a/policy/modules/system/userdomain.fc +++ 
>>> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR
>>> -d 
>>> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
>>>  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
>>> 
>>> /tmp/gconfd-USER -d
>>> gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user
>>> -d gen_context(system_u:object_r:user_runtime_root_t,s0) 
>>> +/var/run/user/[^/]+	-d 
>>> gen_context(system_u:object_r:user_runtime_dir_t,s0)
>> 
>> The above is probably a bad idea. because only /run/user/$UID
>> should be considered user_runtime_dir_t dirs. Plus there will
>> unlikely be anything but /run/user/$UID.
> 
> I would normally agree. The reason I added this was because the 
> %{USERID} part depends on the genhomedircon stuff I added recently
> which most people do not have yet. Adding this for now should
> bridge the gap. The genhomedircon fallback for USERID is [0-9]+ so
> these two fcontexts will not conflict either.

Good point.

> 
> -- Jason
>> 
>>> +/var/run/user/%{USERID}	-d 
>>> gen_context(system_u:object_r:user_runtime_dir_t,s0) 
>>> +/var/run/user/%{USERID}/.+	<<none>> diff --git 
>>> a/policy/modules/system/userdomain.te 
>>> b/policy/modules/system/userdomain.te index 2a36851..c613553 
>>> 100644 --- a/policy/modules/system/userdomain.te +++ 
>>> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@ 
>>> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t 
>>> alias { staff_tty_device_t sysadm_tty_device_t
>>> secadm_tty_device_t auditadm_tty_device_t
>>> unconfined_tty_device_t }; dev_node(user_tty_device_t)
>>> ubac_constrained(user_tty_device_t) + +type
>>> user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t) 
>>> +files_type(user_runtime_root_t) 
>>> +files_mountpoint(user_runtime_root_t) 
>>> +files_associate_tmp(user_runtime_root_t) 
>>> +files_poly(user_runtime_root_t) 
>>> +files_poly_member(user_runtime_root_t) 
>>> +files_poly_parent(user_runtime_root_t) 
>>> +ubac_constrained(user_runtime_root_t) + +type
>>> user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t) 
>>> +files_type(user_runtime_dir_t) 
>>> +files_mountpoint(user_runtime_dir_t) 
>>> +files_associate_tmp(user_runtime_dir_t) 
>>> +files_poly(user_runtime_dir_t) 
>>> +files_poly_member(user_runtime_dir_t) 
>>> +files_poly_parent(user_runtime_dir_t) 
>>> +ubac_constrained(user_runtime_dir_t)
>>> 
>> 
>> 
>> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D
>> 2C7B 6B02 
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B0
2
>>
>> 
Dominick Grift
>> _______________________________________________ refpolicy mailing
>> list refpolicy at oss.tresys.com 
>> http://oss.tresys.com/mailman/listinfo/refpolicy


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXSXNQAAoJECV0jlU3+UdpRb4MAKDzU4OXLmVjBBjOoayAUJu2
69RFeo3x7WSMiULp3w+XdJYUaK0LMWn6fOVpgdDtKvEHeFRtVIA8VL8ZtiNIpmOK
RdHLW+bfQQQJPe+rZkBXvGoRu3ypmUwr9PJ1Zc4xNuW5qaTfFJQhQFEjGbJB0UMA
FMG/KbzDP0vbfgmbuc4x4dL8Sz0K9daN4F0bEeqawkwcrir9xZvUX66/Fol7M42S
7MD+U8hHdR0CM91sFnE3GvPUmV7/T5aWYairnKogw5o8XjZebE9/PzvksxjVgv+G
raczWJcPN716iXvoXH5pUAOyS6lwFeRSMAApfHlm9/ixixql7iZ05ZTDVuZ9uYhP
nHMk694HGo6Q6QWt5e7c0cDEDO3FjAz9IYfmb9f44/v4MZ9IBONgVsO1CS8s8yHX
oB51sbhtTkFB3DDGOAXdMkHzrKECEHXkZvMJStZadFvItcJdSCjdsJc0Y4G9H1Jz
aYX4KxjKhh+I8Jm8GXEMF4ckeNIpF0fD1u3LM9acVA==
=O58K
-----END PGP SIGNATURE-----