From: jason@perfinion.com (Jason Zaman)
Date: Sun, 14 Aug 2016 12:16:46 +0800
Subject: [refpolicy] [PATCH] Update the colord module
In-Reply-To:
References: <1723933090.942512.1471119061166.JavaMail.open-xchange@popper02.register.it>
Message-ID: <20160814040950.GA5261@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote:
> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
> > Update the colord module:
> >
> > - add support for writing colord subdirectories of /usr/share;
> > - add support for reading colord subdirectories of /home (e.g. ICC profiles).
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > policy/modules/contrib/colord.fc | 5 +++++ > > policy/modules/contrib/colord.te | 13 +++++++++++++ > > 2 files changed, 18 insertions(+) > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc 2016-08-06 > > 21:27:11.337094143 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc 2016-08-13 > > 17:39:07.096980948 +0200 > > @@ -1,3 +1,5 @@ > > +HOME_DIR/\.local/share/icc(/.*)?
>
> I thought that by now reference policy implemented $XDG_DATA_DIR, $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and ~/.cache respectively?
>
> Am I mistaken? I would probably do that first

Refpolicy does not. We do have them in Gentoo but they didn't fit upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but the others I have not. In Gentoo we have templates to add specific types for ~/.config/name or ~/.cache/name. Should I send them upstream?

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793

-- Jason

> > > gen_context(system_u:object_r:colord_home_t,s0) > > + > > /usr/lib/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0) > > /usr/lib/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
> > > > @@ -7,5 +9,8 @@ > > /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) > > /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) > > > > +/usr/share/color(/.*)? gen_context(system_u:object_r:colord_usr_lib_t,s0) > > +/usr/share/colord(/.*)? gen_context(system_u:object_r:colord_usr_lib_t,s0) > > + > > /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) > > /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te 2016-08-06 > > 21:27:11.338094155 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-13 > > 22:01:26.485422418 +0200 > > @@ -9,12 +9,18 @@ type colord_t; > > type colord_exec_t; > > dbus_system_domain(colord_t, colord_exec_t) > > > > +type colord_home_t; > > +userdom_user_home_content(colord_home_t); > > + > > type colord_tmp_t; > > files_tmp_file(colord_tmp_t) > > > > type colord_tmpfs_t; > > files_tmpfs_file(colord_tmpfs_t) > > > > +type colord_usr_lib_t; > > +files_type(colord_usr_lib_t) > > + > > type colord_var_lib_t; > > files_type(colord_var_lib_t) > > > > @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve > > allow colord_t self:tcp_socket { accept listen }; > > allow colord_t self:shm create_shm_perms; > > > > +allow colord_t colord_home_t:dir list_dir_perms; > > +allow colord_t colord_home_t:file read_file_perms; > > +allow colord_t colord_home_t:lnk_file read_lnk_file_perms; > > + > > manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) > > manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) > > files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) 
> > @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp > > manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) > > fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) > > > > +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t) > > +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t) > > + > > manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) > > manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) > > files_var_lib_filetrans(colord_t, colord_var_lib_t, dir) > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift
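
Review bot: The new HOME_DIR/\.local/share/icc(/.*)? entry in the first colord.fc hunk (@@ -1,3 +1,5 @@) is only applied when files are relabeled, and nothing in the patch adds a type transition for colord_home_t. An icc directory or profile that a user application creates later will inherit its parent directory's type, so colord_t will not be able to read it until restorecon is run. Either add a named file transition for the icc directory in the user domains, or state in the commit message that a relabel is required.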
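
Review bot: The type name colord_usr_lib_t in the second colord.fc hunk (@@ -7,5 +9,8 @@) does not match what it labels: both new entries, /usr/share/color(/.*)? and /usr/share/colord(/.*)?, are under /usr/share, not /usr/lib. Pick a name that reflects the /usr/share location so the type is not mistaken for library content when the policy is audited.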
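
Review bot: Style point in the first colord.te hunk (@@ -9,12 +9,18 @@): "userdom_user_home_content(colord_home_t);" ends with a semicolon, while the other declarations in the same hunk, "files_tmp_file(colord_tmp_t)" and "files_type(colord_usr_lib_t)", do not. Drop the semicolon to match the rest of the file.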
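
Review bot: The three raw allow rules on colord_home_t in the colord.te hunk at @@ -31,6 +37,10 @@ would read more consistently as list_dirs_pattern, read_files_pattern and read_lnk_files_pattern calls, in line with the manage_*_pattern calls directly below them. The hunk also grants nothing on the directories between HOME_DIR and .local/share/icc; please confirm colord_t can already search the user home directory and those parents, otherwise the new read rules cannot be reached.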
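
Review bot: The last colord.te hunk (@@ -39,6 +49,9 @@) gives the daemon full manage access, including create, write and delete, on everything under /usr/share/color and /usr/share/colord through manage_dirs_pattern and manage_files_pattern on colord_usr_lib_t. The commit message says "add support for writing" but does not say what colord writes there or which denial prompted it. Please include the AVC or the use case, and if colord only needs to read shipped profiles from /usr/share, narrow these two lines to the read patterns and keep writes in colord_var_lib_t.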