From: jason@perfinion.com (Jason Zaman)
Date: Sat, 28 May 2016 18:36:04 +0800
Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for
 /run/user
In-Reply-To: <f25adde8-5704-7560-de0f-497639b87fe2@gmail.com>
References: <1464381326-24198-1-git-send-email-jason@perfinion.com>
	<1464381326-24198-2-git-send-email-jason@perfinion.com>
	<857541c6-16ab-f5b8-e41f-2ba28d734f06@gmail.com>
	<20160528102940.GA25312@meriadoc>
	<f25adde8-5704-7560-de0f-497639b87fe2@gmail.com>
Message-ID: <20160528103604.GB25312@meriadoc>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, May 28, 2016 at 12:30:45PM +0200, Dominick Grift wrote:
> On 05/28/2016 12:29 PM, Jason Zaman wrote:
> > On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote:
> >> On 05/27/2016 10:35 PM, Jason Zaman wrote:
> >>> These are the types for /run/user, analogous to /home's
> >>> home_root_t and home_dir_t. ---
> >>> policy/modules/system/userdomain.fc |  5 +++++ 
> >>> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
> >>> 2 files changed, 25 insertions(+)
> >>> 
> >>> diff --git a/policy/modules/system/userdomain.fc 
> >>> b/policy/modules/system/userdomain.fc index db75976..634d29d 
> >>> 100644 --- a/policy/modules/system/userdomain.fc +++ 
> >>> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR
> >>> -d 
> >>> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
> >>>  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
> >>> 
> >>> /tmp/gconfd-USER -d
> >>> gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user
> >>> -d gen_context(system_u:object_r:user_runtime_root_t,s0) 
> >>> +/var/run/user/[^/]+	-d 
> >>> gen_context(system_u:object_r:user_runtime_dir_t,s0)
> >> 
> >> The above is probably a bad idea. because only /run/user/$UID
> >> should be considered user_runtime_dir_t dirs. Plus there will
> >> unlikely be anything but /run/user/$UID.
> > 
> > I would normally agree. The reason I added this was because the 
> > %{USERID} part depends on the genhomedircon stuff I added recently
> > which most people do not have yet. Adding this for now should
> > bridge the gap. The genhomedircon fallback for USERID is [0-9]+ so
> > these two fcontexts will not conflict either.
> 
> Good point.

Although it seems I forgot to add a fallback for <<none>> tho.
> 
> > 
> > -- Jason
> >> 
> >>> +/var/run/user/%{USERID}	-d 
> >>> gen_context(system_u:object_r:user_runtime_dir_t,s0) 
> >>> +/var/run/user/%{USERID}/.+	<<none>> diff --git 
> >>> a/policy/modules/system/userdomain.te 
> >>> b/policy/modules/system/userdomain.te index 2a36851..c613553 
> >>> 100644 --- a/policy/modules/system/userdomain.te +++ 
> >>> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@ 
> >>> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t 
> >>> alias { staff_tty_device_t sysadm_tty_device_t
> >>> secadm_tty_device_t auditadm_tty_device_t
> >>> unconfined_tty_device_t }; dev_node(user_tty_device_t)
> >>> ubac_constrained(user_tty_device_t) + +type
> >>> user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t) 
> >>> +files_type(user_runtime_root_t) 
> >>> +files_mountpoint(user_runtime_root_t) 
> >>> +files_associate_tmp(user_runtime_root_t) 
> >>> +files_poly(user_runtime_root_t) 
> >>> +files_poly_member(user_runtime_root_t) 
> >>> +files_poly_parent(user_runtime_root_t) 
> >>> +ubac_constrained(user_runtime_root_t) + +type
> >>> user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t) 
> >>> +files_type(user_runtime_dir_t) 
> >>> +files_mountpoint(user_runtime_dir_t) 
> >>> +files_associate_tmp(user_runtime_dir_t) 
> >>> +files_poly(user_runtime_dir_t) 
> >>> +files_poly_member(user_runtime_dir_t) 
> >>> +files_poly_parent(user_runtime_dir_t) 
> >>> +ubac_constrained(user_runtime_dir_t)
> >>> 
> >> 
> >> 
> >> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D
> >> 2C7B 6B02 
> >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B0
> 2
> >>
> >> 
> Dominick Grift
> >> _______________________________________________ refpolicy mailing
> >> list refpolicy at oss.tresys.com 
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift