From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 14 Aug 2016 11:30:07 +0200
Subject: [refpolicy] [PATCH] Update the colord module
In-Reply-To: <b3c372e5-cee5-f7c8-3069-ea2e976bedcd@gmail.com>
References: <1723933090.942512.1471119061166.JavaMail.open-xchange@popper02.register.it>
	<f07ea434-9c5e-d1c2-a0ad-aebfb8070e78@gmail.com>
	<20160814040950.GA5261@meriadoc.perfinion.com>
	<b3c372e5-cee5-f7c8-3069-ea2e976bedcd@gmail.com>
Message-ID: <5ef16597-d8a1-716a-80b0-7fb20bdea398@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/14/2016 11:05 AM, Dominick Grift wrote:
> On 08/14/2016 06:16 AM, Jason Zaman wrote:
>> On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote:
>>> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
>>>> Update the colord module:
>>>>
>>>> - add support for writing colord subdirectories of /usr/share;
>>>> - add support for reading colord subdirectories of /home (e.g.
>>>>   ICC profiles).
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>>  policy/modules/contrib/colord.fc |    5 +++++
>>>>  policy/modules/contrib/colord.te |   13 +++++++++++++
>>>>  2 files changed, 18 insertions(+)
>>>>
>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
>>>> 21:27:11.337094143 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
>>>> 17:39:07.096980948 +0200
>>>> @@ -1,3 +1,5 @@
>>>> +HOME_DIR/\.local/share/icc(/.*)?
>>>
>>> I thought that by now reference policy implemented $XDG_DATA_DIR,
>>> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
>>> ~/.cache respectively?
>>>
>>> Am i mistaken? I would probably do that first
>>
>> Refpolicy does not. We do have them in gentoo but they didnt fit
>> upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but
>> the others I have not.
>>
>> In gentoo we have templates to add specific types for ~/.config/name or
>> ~/.cache/name. Should I send them upstream?
>>
>> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793
>>
> 
> I think it is time that we come to some consensus about this at least
> (assuming that it was decided to not take advantage of the XDG spec in
> refpolicy).
> 

Whatever is decided. I will be neutral. I will point out however that I
think that XDG spec, in my opinion, I one of the few opportunities for
us to bring some order to the chaos that is ~

>> -- Jason
>>
>>>
>>>> gen_context(system_u:object_r:colord_home_t,s0)
>>>> +
>>>>  /usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  /usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  
>>>> @@ -7,5 +9,8 @@
>>>>  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  
>>>> +/usr/share/color(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
>>>> +/usr/share/colord(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
>>>> +
>>>>  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>>>>  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te	2016-08-06
>>>> 21:27:11.338094155 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.te	2016-08-13
>>>> 22:01:26.485422418 +0200
>>>> @@ -9,12 +9,18 @@ type colord_t;
>>>>  type colord_exec_t;
>>>>  dbus_system_domain(colord_t, colord_exec_t)
>>>>  
>>>> +type colord_home_t;
>>>> +userdom_user_home_content(colord_home_t);
>>>> +
>>>>  type colord_tmp_t;
>>>>  files_tmp_file(colord_tmp_t)
>>>>  
>>>>  type colord_tmpfs_t;
>>>>  files_tmpfs_file(colord_tmpfs_t)
>>>>  
>>>> +type colord_usr_lib_t;
>>>> +files_type(colord_usr_lib_t)
>>>> +
>>>>  type colord_var_lib_t;
>>>>  files_type(colord_var_lib_t)
>>>>  
>>>> @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
>>>>  allow colord_t self:tcp_socket { accept listen };
>>>>  allow colord_t self:shm create_shm_perms;
>>>>  
>>>> +allow colord_t colord_home_t:dir list_dir_perms;
>>>> +allow colord_t colord_home_t:file read_file_perms;
>>>> +allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
>>>> +
>>>>  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>>>>  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>>>>  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
>>>> @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
>>>>  manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
>>>>  fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
>>>>  
>>>> +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
>>>> +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
>>>> +
>>>>  manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>>>>  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>>>>  files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
>>>> _______________________________________________
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>
>>>
>>>
>>> -- 
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>
>>
>>
>>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160814/0c28ee8c/attachment-0001.bin