From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 15 Aug 2016 00:13:50 +0200 (CEST)
Subject: [refpolicy] [PATCH] Update for the gnome policy and file
 contexts
In-Reply-To: <e4796821-1139-a8d5-e29e-91ad07c603ac@gmail.com>
References: <1471099545.21480.27.camel@trentalancia.net>
	<e4796821-1139-a8d5-e29e-91ad07c603ac@gmail.com>
Message-ID: <227506330.956594.1471212830732.JavaMail.open-xchange@popper08.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick !

> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
> > Update for the gnome module:
> > 
> > - a new gstreamer_orcexec_t type and file context is introduced
> >   to support the OIL Runtime Compiler (ORC) optimized code
> >   execution (used for example by pulseaudio);
> > - add support for more permissions needed in gconfd_t and gnome
> >   keyring domains;
> > - add support for a few needed fs and kernel permissions. 
> > 
> > This patch should be applied before applying the pulseaudio patch.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/contrib/gnome.fc |    7 ++
> >  policy/modules/contrib/gnome.if |   99
> > +++++++++++++++++++++++++++++++++++++++-
> >  policy/modules/contrib/gnome.te |    8 +++
> >  3 files changed, 112 insertions(+), 2 deletions(-)

[...]

> > +
> >  ##############################
> >  #
> >  # Common local Policy
> > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
> >  manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
> >  userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
> >  
> > +kernel_dontaudit_read_system_state(gconfd_t)
> > +
> > +fs_getattr_xattr_fs(gconfd_t)
> > +
> >  userdom_manage_user_tmp_dirs(gconfd_t)
> >  userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
> > +userdom_manage_user_tmp_sockets(gconfd_t)
> 
> What is going on there and why did you choose this?

Other applications (such as firefox) need to write those sockets, therefore the
policy you suggested in a previous message is not feasible.

In other words those sockets should be created as user_tmp_t and not as a
private gconf_tmp_t.

> >  userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
> >  
> >  optional_policy(`

Regards,

Guido