From: dac.override@gmail.com (Dominick Grift) Date: Sun, 14 Aug 2016 11:05:54 +0200 Subject: [refpolicy] [PATCH] Update the colord module In-Reply-To: <20160814040950.GA5261@meriadoc.perfinion.com> References: <1723933090.942512.1471119061166.JavaMail.open-xchange@popper02.register.it> <20160814040950.GA5261@meriadoc.perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/14/2016 06:16 AM, Jason Zaman wrote: > On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote: >> On 08/13/2016 10:11 PM, Guido Trentalancia wrote: >>> Update the colord module: >>> >>> - add support for writing colord subdirectories of /usr/share; >>> - add support for reading colord subdirectories of /home (e.g. >>> ICC profiles). >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/contrib/colord.fc | 5 +++++ >>> policy/modules/contrib/colord.te | 13 +++++++++++++ >>> 2 files changed, 18 insertions(+) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc 2016-08-06 >>> 21:27:11.337094143 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc 2016-08-13 >>> 17:39:07.096980948 +0200 
>>> @@ -1,3 +1,5 @@ >>> +HOME_DIR/\.local/share/icc(/.*)? >> >> I thought that by now reference policy implemented $XDG_DATA_DIR, >> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and >> ~/.cache respectively? >> >> Am I mistaken? I would probably do that first > > Refpolicy does not. We do have them in gentoo but they didn't fit > upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but > the others I have not. > > In gentoo we have templates to add specific types for ~/.config/name or > ~/.cache/name. Should I send them upstream? > > https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793 > I think it is time that we come to some consensus about this at least (assuming that it was decided to not take advantage of the XDG spec in refpolicy). > -- Jason > >> >>> gen_context(system_u:object_r:colord_home_t,s0) >>> + >>> /usr/lib/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0) >>> /usr/lib/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) >>> >>> @@ -7,5 +9,8 @@ >>> /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) >>> /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) >>> >>> +/usr/share/color(/.*)? gen_context(system_u:object_r:colord_usr_lib_t,s0) >>> +/usr/share/colord(/.*)? gen_context(system_u:object_r:colord_usr_lib_t,s0) >>> + >>> /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) >>> /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te 2016-08-06 >>> 21:27:11.338094155 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-13 >>> 22:01:26.485422418 +0200 
>>> @@ -9,12 +9,18 @@ type colord_t; >>> type colord_exec_t; >>> dbus_system_domain(colord_t, colord_exec_t) >>> >>> +type colord_home_t; >>> +userdom_user_home_content(colord_home_t); >>> + >>> type colord_tmp_t; >>> files_tmp_file(colord_tmp_t) >>> >>> type colord_tmpfs_t; >>> files_tmpfs_file(colord_tmpfs_t) >>> >>> +type colord_usr_lib_t; >>> +files_type(colord_usr_lib_t) >>> + >>> type colord_var_lib_t; >>> files_type(colord_var_lib_t) >>> >>> @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve >>> allow colord_t self:tcp_socket { accept listen }; >>> allow colord_t self:shm create_shm_perms; >>> >>> +allow colord_t colord_home_t:dir list_dir_perms; >>> +allow colord_t colord_home_t:file read_file_perms; >>> +allow colord_t colord_home_t:lnk_file read_lnk_file_perms; >>> + >>> manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) >>> manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) >>> files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) 
>>> @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp >>> manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) >>> fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) >>> >>> +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t) >>> +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t) >>> + >>> manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) >>> manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) >>> files_var_lib_filetrans(colord_t, colord_var_lib_t, dir) >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >>> >> >> >> -- >> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 >> Dominick Grift >> > > > > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
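Review bot: The type name in the colord.fc hunk @@ -7,5 +9,8 @@ does not match what it labels: `/usr/share/color(/.*)?` and `/usr/share/colord(/.*)?` receive `colord_usr_lib_t`, a name that reads as content under /usr/lib, while the module already uses location-based names such as `colord_var_lib_t` for /var/lib. Pick a name that reflects /usr/share so a policy reader can tell from the type alone which tree it protects, and keep the same name in the colord.te type declaration and the allow patterns so the two files stay consistent.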
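Review bot: The declaration hunk in colord.te (@@ -9,12 +9,18 @@) ends the interface call `userdom_user_home_content(colord_home_t);` with a semicolon, which the surrounding calls (`files_tmp_file(colord_tmp_t)`, `files_tmpfs_file(colord_tmpfs_t)`, `files_type(colord_var_lib_t)`) do not use; drop it to match the module's style. The accompanying `type colord_usr_lib_t;` is declared with the generic `files_type()` even though the .fc hunk places it under /usr/share; that is consistent with how `colord_var_lib_t` is declared, but the commit message should say why a dedicated writable type is needed there rather than the existing read-only labelling of /usr/share.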
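Review bot: The home-directory rules in hunk @@ -31,6 +37,10 @@ of colord.te grant access to `colord_home_t` objects but nothing in the patch lets `colord_t` traverse the user's home directory to reach `~/.local/share/icc`, so the new read access is unreachable unless another rule already supplies search on the home directory (refpolicy exposes this as `userdom_search_user_home_dirs()`); add that call or state where the search permission comes from. Style-wise, the three raw rules `allow colord_t colord_home_t:dir list_dir_perms;` / `allow colord_t colord_home_t:file read_file_perms;` / `allow colord_t colord_home_t:lnk_file read_lnk_file_perms;` should be written with the `list_dirs_pattern`, `read_files_pattern` and `read_lnk_files_pattern` macros, matching the pattern macros used for the tmp, tmpfs and var_lib types immediately below them.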
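Review bot: Hunk @@ -39,6 +49,9 @@ of colord.te gives the system daemon full manage permissions on content under /usr/share via `manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)` and `manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)`; /usr/share is otherwise treated as read-only system data in refpolicy, so a network-reachable daemon (the module already allows `tcp_socket { accept listen }`) being able to create, modify and delete files there widens its write footprint beyond /var/lib and /tmp. The commit message only says "add support for writing colord subdirectories of /usr/share" without saying what colord writes or why it cannot live under /var/lib/colord; either justify the write need in the message or reduce these two lines to list/read patterns and keep the writable state in `colord_var_lib_t`, for which the existing `files_var_lib_filetrans` already handles labelling.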