From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 14 Aug 2016 23:14:17 +0200 (CEST)
Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts
In-Reply-To:
References: <1471099545.21480.27.camel@trentalancia.net>
Message-ID: <760247119.997218.1471209257066.JavaMail.open-xchange@popper06.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick!

Finally I am able to clarify one of the two open questions about the gnome module...

> On the 13th of August 2016 at 16.51 Dominick Grift
> wrote:
>
>
> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> >
> > - a new gstreamer_orcexec_t type and file context is introduced
> > to support the OIL Runtime Compiler (ORC) optimized code
> > execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> > keyring domains;
> > - add support for a few needed fs and kernel permissions.
> >
> > This patch should be applied before applying the pulseaudio patch.
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> > policy/modules/contrib/gnome.fc | 7 ++
> > policy/modules/contrib/gnome.if | 99 +++++++++++++++++++++++++++++++++++++++-
> > policy/modules/contrib/gnome.te | 8 +++
> > 3 files changed, 112 insertions(+), 2 deletions(-)

[...]

> > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13
> > 16:02:14.950814302 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13
> > 00:55:24.980149003 +0200
> > @@ -1,4 +1,4 @@
> > -## GNU network object model environment.
> > +
> >
> > ########################################
> > ##
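Review bot: the replacement for the removed summary line is blank as quoted (the `+` line carries no text after it), so as posted this hunk drops the module summary at the top of gnome.if without supplying a new one; the intended summary text should appear on that line, and the commit message, which lists only the new ORC type and permission additions, should mention the summary change if it is intentional.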
> > @@ -100,9 +100,15 @@ template(`gnome_role_template',`
> >
> > allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
> > manage_sock_file_perms };
> >
> > + userdom_manage_user_home_content_dirs($1_gkeyringd_t)
> > + userdom_manage_user_home_content_files($1_gkeyringd_t)
> > + userdom_manage_user_home_content_sockets($1_gkeyringd_t)
> > +
>
> I don't like this, and I don't understand it

It's needed to write .xsession-errors and the .cache subdirectory in the user home.

It is quite important, as the latter is used, amongst other things, to store user credentials: for example, when the user enters the password in the evolution mail client to retrieve his/her mail, the password entered is stored in the cache and the user does not need to enter the password again when the mail is retrieved periodically later.

I hope this clarifies the matter.

I am checking the other issue (socket creation in /tmp) by testing the policy you suggested, but unfortunately I can anticipate that there are issues. Will let you know more precisely when I have finished testing it.

Regards,

Guido
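Review bot: the three `userdom_manage_user_home_content_*($1_gkeyringd_t)` calls in the gnome_role_template hunk grant the keyring daemon create/write/delete rights over every directory, file and socket carrying user home content types, which is far wider than the stated need (writing .xsession-errors and the ~/.cache subdirectory), and the follow-up that ~/.cache holds stored credentials such as the evolution mail password argues for tighter, not broader, confinement of that domain. Suggest giving the keyring's cache content its own type with a file context in gnome.fc and a home-dir file transition in gnome.te, allowing only that type plus a narrow rule for .xsession-errors, and stating the addition explicitly in the commit message, whose "more permissions needed in gconfd_t and gnome keyring domains" does not convey that manage rights over all user home content are being added.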