From: jason@perfinion.com (Jason Zaman) Date: Sat, 28 May 2016 18:36:04 +0800 Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user In-Reply-To: References: <1464381326-24198-1-git-send-email-jason@perfinion.com> <1464381326-24198-2-git-send-email-jason@perfinion.com> <857541c6-16ab-f5b8-e41f-2ba28d734f06@gmail.com> <20160528102940.GA25312@meriadoc> Message-ID: <20160528103604.GB25312@meriadoc> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, May 28, 2016 at 12:30:45PM +0200, Dominick Grift wrote: > On 05/28/2016 12:29 PM, Jason Zaman wrote: > > On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote: > >> On 05/27/2016 10:35 PM, Jason Zaman wrote: > >>> These are the types for /run/user, analogous to /home's > >>> home_root_t and home_dir_t. --- > >>> policy/modules/system/userdomain.fc | 5 +++++ > >>> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++ > >>> 2 files changed, 25 insertions(+) > >>> > >>> diff --git a/policy/modules/system/userdomain.fc > >>> b/policy/modules/system/userdomain.fc index db75976..634d29d > >>> 100644 --- a/policy/modules/system/userdomain.fc +++ > >>> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR > >>> -d > >>> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) > >>> HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) > >>> > >>> /tmp/gconfd-USER -d > >>> gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user > >>> -d gen_context(system_u:object_r:user_runtime_root_t,s0) > >>> +/var/run/user/[^/]+ -d > >>> gen_context(system_u:object_r:user_runtime_dir_t,s0) > >> > >> The above is probably a bad idea. because only /run/user/$UID > >> should be considered user_runtime_dir_t dirs. Plus there will > >> unlikely be anything but /run/user/$UID. > > > > I would normally agree. The reason I added this was because the > > %{USERID} part depends on the genhomedircon stuff I added recently > > which most people do not have yet. Adding this for now should > > bridge the gap. The genhomedircon fallback for USERID is [0-9]+ so > > these two fcontexts will not conflict either. > > Good point. Although it seems I forgot to add a fallback for <> tho. > > > > > -- Jason > >> > >>> +/var/run/user/%{USERID} -d > >>> gen_context(system_u:object_r:user_runtime_dir_t,s0) > >>> +/var/run/user/%{USERID}/.+ <> diff --git > >>> a/policy/modules/system/userdomain.te > >>> b/policy/modules/system/userdomain.te index 2a36851..c613553 > >>> 100644 --- a/policy/modules/system/userdomain.te +++ > >>> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@ > >>> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t > >>> alias { staff_tty_device_t sysadm_tty_device_t > >>> secadm_tty_device_t auditadm_tty_device_t > >>> unconfined_tty_device_t }; dev_node(user_tty_device_t) > >>> ubac_constrained(user_tty_device_t) + +type > >>> user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t) > >>> +files_type(user_runtime_root_t) > >>> +files_mountpoint(user_runtime_root_t) > >>> +files_associate_tmp(user_runtime_root_t) > >>> +files_poly(user_runtime_root_t) > >>> +files_poly_member(user_runtime_root_t) > >>> +files_poly_parent(user_runtime_root_t) > >>> +ubac_constrained(user_runtime_root_t) + +type > >>> user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t) > >>> +files_type(user_runtime_dir_t) > >>> +files_mountpoint(user_runtime_dir_t) > >>> +files_associate_tmp(user_runtime_dir_t) > >>> +files_poly(user_runtime_dir_t) > >>> +files_poly_member(user_runtime_dir_t) > >>> +files_poly_parent(user_runtime_dir_t) > >>> +ubac_constrained(user_runtime_dir_t) > >>> > >> > >> > >> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D > >> 2C7B 6B02 > >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B0 > 2 > >> > >> > Dominick Grift > >> _______________________________________________ refpolicy mailing > >> list refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift