From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 15 Aug 2016 08:00:09 +0200
Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts
In-Reply-To: <227506330.956594.1471212830732.JavaMail.open-xchange@popper08.register.it>
References: <1471099545.21480.27.camel@trentalancia.net>
	<227506330.956594.1471212830732.JavaMail.open-xchange@popper08.register.it>
Message-ID: <88196c62-5651-c914-d3a5-8a0f5e9f2ff9@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/15/2016 12:13 AM, Guido Trentalancia wrote:
> Hello Dominick !
>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>> to support the OIL Runtime Compiler (ORC) optimized code
>>> execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>> keyring domains;
>>> - add support for a few needed fs and kernel permissions.
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/contrib/gnome.fc | 7 ++
>>> policy/modules/contrib/gnome.if | 99
>>> +++++++++++++++++++++++++++++++++++++++-
>>> policy/modules/contrib/gnome.te | 8 +++
>>> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> [...]
>
>>> +
>>> ##############################
>>> #
>>> # Common local Policy
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>
>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>> +
>>> +fs_getattr_xattr_fs(gconfd_t)
>>> +
>>> userdom_manage_user_tmp_dirs(gconfd_t)
>>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>
>> What is going on there and why did you choose this?
>
> Other applications (such as firefox) need to write those sockets, therefore the
> policy you suggested in a previous message is not feasible.
>

How do you figure that?

> In other words those sockets should be created as user_tmp_t and not as a
> private gconf_tmp_t.
>
>>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>
>>> optional_policy(`
>
> Regards,
>
> Guido
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160815/fbf3e512/attachment.bin
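Review bot: in the `@@ -87,8 +90,13 @@` hunk, `+userdom_manage_user_tmp_sockets(gconfd_t)` grants gconfd_t full manage access over every sock_file labelled user_tmp_t in user tmp directories, which is much broader than a private type would need, and the commit message ("add support for more permissions needed in gconfd_t") does not say why a shared label is required. The hunk's own context line `userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })` already gives gconfd a private tmp type; extending that class set to `{ dir file sock_file }` would label the socket gconf_tmp_t, and a client that must write to it (the reply names firefox) could then be granted that through an interface in gnome.if instead of the socket being left as user_tmp_t. If a shared label really is unavoidable, the reason belongs in the commit message. The same applies to `+kernel_dontaudit_read_system_state(gconfd_t)` and `+fs_getattr_xattr_fs(gconfd_t)`, which the message covers only as "a few needed fs and kernel permissions"; one sentence on what access gconfd attempts would make them reviewable.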