From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 15 Aug 2016 00:13:50 +0200 (CEST) Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts In-Reply-To: References: <1471099545.21480.27.camel@trentalancia.net> Message-ID: <227506330.956594.1471212830732.JavaMail.open-xchange@popper08.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Dominick ! > On 08/13/2016 04:45 PM, Guido Trentalancia wrote: > > Update for the gnome module: > > > > - a new gstreamer_orcexec_t type and file context is introduced > > to support the OIL Runtime Compiler (ORC) optimized code > > execution (used for example by pulseaudio); > > - add support for more permissions needed in gconfd_t and gnome > > keyring domains; > > - add support for a few needed fs and kernel permissions. > > > > This patch should be applied before applying the pulseaudio patch. > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/contrib/gnome.fc | 7 ++ > > policy/modules/contrib/gnome.if | 99 > > +++++++++++++++++++++++++++++++++++++++- > > policy/modules/contrib/gnome.te | 8 +++ > > 3 files changed, 112 insertions(+), 2 deletions(-) [...] > > + > > ############################## > > # > > # Common local Policy 
> > @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ > > manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) > > userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) > > > > +kernel_dontaudit_read_system_state(gconfd_t) > > + > > +fs_getattr_xattr_fs(gconfd_t) > > + > > userdom_manage_user_tmp_dirs(gconfd_t) > > userdom_tmp_filetrans_user_tmp(gconfd_t, dir) > > +userdom_manage_user_tmp_sockets(gconfd_t) > > What is going on there and why did you choose this? Other applications (such as firefox) need to write those sockets, therefore the policy you suggested in a previous message is not feasible. In other words those sockets should be created as user_tmp_t and not as a private gconf_tmp_t. > > userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) > > > > optional_policy(` Regards, Guido
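Review bot: the commit message only says "more permissions needed in gconfd_t", but the @@ -87,8 +90,13 @@ hunk adds three unrelated grants (kernel_dontaudit_read_system_state, fs_getattr_xattr_fs, userdom_manage_user_tmp_sockets) with no per-rule justification; the rationale given in the reply, that the sockets must stay user_tmp_t because other applications such as firefox also write them, is exactly what the commit message should carry so the breadth of the rule can be audited later. Note also that userdom_manage_user_tmp_sockets(gconfd_t) covers every user_tmp_t socket, not only those gconfd creates, so if that scope is intended it should be stated, and since kernel_dontaudit_read_system_state only silences denials rather than granting access, naming the reads that triggered it would let the dontaudit be revisited instead of hiding a future regression.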