From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 14 Aug 2016 19:45:11 +0200
Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts
In-Reply-To: <1471196121.27146.7.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net> <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it> <1471196121.27146.7.camel@trentalancia.net>
Message-ID: <1f3bc833-88ef-dc8c-db1e-ad2e8b921aef@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/14/2016 07:35 PM, Guido Trentalancia wrote:
> Hello Dominick.
>
> I have done some further testing and there are some problems...
>
> Please read on...
>
> On Sat, 13/08/2016 at 22.09 +0200, Guido Trentalancia wrote:
>>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>
> [....]
>
>>>> +
>>>> ##############################
>>>> #
>>>> # Common local Policy
>>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>>
>>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>>> +
>>>> +fs_getattr_xattr_fs(gconfd_t)
>>>> +
>>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>>
>>> What is going on there and why did you choose this?
>>
>> I think it's to support sockets in /tmp/orbit-USER/linc-.*
>>
>> They are created by ORBit2. It's a library and some gnome components are linked
>> against it.
>>
>> I am now working on a new revised version of this patch which introduces
>> specific support for ORBit temporary files.
>
> I have tested the above but met the following problem: the /tmp/orbit-
> USER directory is shared with other applications that run in the
> generic user domain !

Yes

>
> So, if I change the type of the /tmp/orbit-USER directory to a newly
> created gnome_orbit_tmp_t type, then the other applications cannot
> access it...

You don't have to change the type of the /tmp/orbit-USER directory

Instead just make gconfd_t create sockets in user_tmp_t dirs with an automatic type transition to the existing gconfd_tmp_t type:

manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, sock_file)

>
> So, perhaps, the previous implementation which leads to
> userdom_manage_user_tmp_sockets(gconfd_t) is the only way.

I doubt that

>
> What do you say ?
>
> Regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
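Review bot: `+userdom_manage_user_tmp_sockets(gconfd_t)` grants gconfd_t manage rights over every sock_file labelled user_tmp_t, that is over sockets belonging to any program in the generic user domain, which is far broader than the ORBit sockets under /tmp/orbit-USER that the change is meant to cover. The hunk's own context already shows the narrower mechanism, `userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })`; extending that class set to `{ dir file sock_file }` and adding `manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)` gives the sockets gconfd creates the private gconf_tmp_t label while the shared directory keeps its type, and it keeps the patch consistent with the existing `manage_dirs_pattern` / `manage_files_pattern` lines. The `kernel_dontaudit_read_system_state(gconfd_t)` and `fs_getattr_xattr_fs(gconfd_t)` additions carry no rationale anywhere in the hunk; a sentence each on which denial they silence or satisfy would make the change reviewable.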
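The approach Dominick describes, written out as it would sit in the "Common local policy" block of gnome.te, is shown below as an added example; it is not code from the thread or from refpolicy, and it merges his two suggested lines with the `{ dir file }` filetrans call already present in the quoted hunk. The types and interface names (`gconfd_t`, `gconf_tmp_t`, `user_tmp_t`, `manage_sock_files_pattern`, `userdom_user_tmp_filetrans`) are taken from the thread; the expansion shown in the comments is what those refpolicy macros generate.

```selinux
# Added example, not part of the thread or of refpolicy's gnome.te.
# gconfd_t already owns its private tmp type (from the quoted hunk context):
manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)

# Socket-file counterpart of the two lines above, so gconfd_t can create,
# connect to and unlink sockets labelled gconf_tmp_t.  Expands roughly to:
#   allow gconfd_t gconf_tmp_t:dir rw_dir_perms;
#   allow gconfd_t gconf_tmp_t:sock_file manage_sock_file_perms;
manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)

# One filetrans call for every object gconfd creates inside a user_tmp_t
# directory, including the shared /tmp/orbit-USER.  Expands to:
#   allow gconfd_t user_tmp_t:dir rw_dir_perms;
#   type_transition gconfd_t user_tmp_t:{ dir file sock_file } gconf_tmp_t;
# The directory keeps its user_tmp_t label, so other programs in the user
# domain are unaffected; only the objects gconfd creates become gconf_tmp_t.
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file sock_file })
```

After the module is rebuilt and loaded, `sesearch -T -s gconfd_t -t user_tmp_t -c sock_file` lists the resulting transition rule, and a socket created by gconfd under /tmp/orbit-USER shows `gconf_tmp_t` in `ls -Z`. A type transition only labels the new object: if any other domain must connect to that socket, it needs its own `sock_file` rule against gconf_tmp_t, which is a far smaller grant than letting gconfd_t manage every socket in user_tmp_t.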