From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 14 Aug 2016 19:35:21 +0200
Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts
In-Reply-To: <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it>
References: <1471099545.21480.27.camel@trentalancia.net> <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it>
Message-ID: <1471196121.27146.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick.

I have done some further testing and there are some problems... Please read on...

On Sat, 13/08/2016 at 22.09 +0200, Guido Trentalancia wrote:
> > On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
[....]
> > > + > > > ?############################## > > > ?# > > > ?# Common local Policy 
> > > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > > > ?manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > > > ?userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > > ? > > > +kernel_dontaudit_read_system_state(gconfd_t) > > > + > > > +fs_getattr_xattr_fs(gconfd_t) > > > + > > > ?userdom_manage_user_tmp_dirs(gconfd_t) > > > ?userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > > > +userdom_manage_user_tmp_sockets(gconfd_t)
> >
> > What is going on there and why did you choose this?
>
> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>
> They are created by ORBit2. It's a library and some gnome components are linked
> against it.
>
> I am now working on a new revised version of this patch which introduces
> specific support for ORBit temporary files.

I have tested the above but met the following problem: the /tmp/orbit-USER directory is shared with other applications that run in the generic user domain! So, if I change the type of the /tmp/orbit-USER directory to a newly created gnome_orbit_tmp_t type, then the other applications cannot access it...

So, perhaps, the previous implementation which leads to userdom_manage_user_tmp_sockets(gconfd_t) is the only way.

What do you say?

Regards,

Guido
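Review bot: the "+userdom_manage_user_tmp_sockets(gconfd_t)" line closing the hunk grants gconfd_t manage access to every user tmp socket, while the reply explains the only need is the ORBit2 sockets under /tmp/orbit-USER/linc-.*, and nothing in the hunk records that scope. If a dedicated type for the orbit directory is not workable because other user-domain applications share that directory, the hunk should at least carry a comment next to the call, for example "# ORBit2 sockets in /tmp/orbit-USER/linc-*", so the broad allow stays traceable to its reason and can be narrowed later. The new "+kernel_dontaudit_read_system_state(gconfd_t)" line should likewise say which read it silences: a dontaudit hides the denial rather than resolving it, so without a note a reviewer cannot tell whether gconfd_t actually needs that access or is merely being made quiet.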