From: jason@perfinion.com (Jason Zaman)
Date: Thu, 27 Oct 2016 11:25:29 +0800
Subject: [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext
In-Reply-To: <52D44D76-A406-4BDD-9312-82706A192527@trentalancia.net>
References: <1477502361-20223-1-git-send-email-jason@perfinion.com> <1477502361-20223-4-git-send-email-jason@perfinion.com> <52D44D76-A406-4BDD-9312-82706A192527@trentalancia.net>
Message-ID: <20161027032529.GA7404@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Oct 27, 2016 at 12:53:36AM +0200, Guido Trentalancia wrote:
> Hello!
>
> I am using the latest version of Gnome and it works fine without the changes that you are proposing, therefore I suspect that they are distribution-specific...
>
> Can you please confirm?

It is definitely not distro-specific. It's been in the code for years already.
https://git.gnome.org/browse/gnome-keyring/tree/daemon/gkd-util.c?h=3.20.0#n121
gnome-keyring will use $XDG_RUNTIME_DIR if your env specifies it. Maybe you need to set up your login stuff differently?

-- Jason

> If so, they should be included within appropriate "ifdef" statements so that they only get compiled on that specific distribution.
>
> Otherwise, how can I reproduce it?
>
> Regards,
>
> Guido
>
> On the 26th of October 2016 19:19:21 CEST, Jason Zaman via refpolicy wrote:
> >--- > > gnome.fc | 1 + > > gnome.if | 2 ++ > > gnome.te | 4 +++- > > 3 files changed, 6 insertions(+), 1 deletion(-) > > > >diff --git a/gnome.fc b/gnome.fc > >index 230ee6c..43c0ed2 100644 > >--- a/gnome.fc > >+++ b/gnome.fc 
> >@@ -17,5 +17,6 @@ > >HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > >/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > >/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > > > >+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0) > >/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > >/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > >diff --git a/gnome.if b/gnome.if > >index 838be50..640aeea 100644 > >--- a/gnome.if > >+++ b/gnome.if > >@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',` > > ') > > > > files_search_tmp($2) > >+ userdom_search_user_runtime($2) > > stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, > >$1_gkeyringd_t) > > ') > > > >@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',` > > ') > > > > files_search_tmp($1) > >+ userdom_search_user_runtime($1) > > stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, > >gkeyringd_domain) > > ') > > > >diff --git a/gnome.te b/gnome.te > >index bf48475..9c792fd 100644 > >--- a/gnome.te > >+++ b/gnome.te > >@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, > >gnome_keyring_home_t, dir, "keyrings") > >manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, > >gnome_keyring_tmp_t) > >manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, > >gnome_keyring_tmp_t) > > files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) > >+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, > >dir) > > > >-kernel_read_system_state(gkeyringd_domain) > > kernel_read_crypto_sysctls(gkeyringd_domain) > >+kernel_read_kernel_sysctls(gkeyringd_domain) > >+kernel_read_system_state(gkeyringd_domain) > > > > dev_read_rand(gkeyringd_domain) > > dev_read_sysfs(gkeyringd_domain) >
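Review bot: the new `/var/run/user/%{USERID}/keyring(/.*)?` entry in the gnome.fc hunk only has the `%{USERID}` form, while the neighbouring orcexec entries carry both a `[^/]*` and a `%{USERID}` variant; if the generic form is deliberately omitted for the keyring directory, say so in the commit message, otherwise add a matching `/var/run/user/[^/]*/keyring(/.*)?` line so the two sets of entries stay consistent.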
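Review bot: in the `gnome_stream_connect_gkeyringd` hunk, `userdom_search_user_runtime($2)` is added beside the existing `files_search_tmp($2)`, which is right since the control socket can sit under /tmp or under the user runtime directory depending on whether $XDG_RUNTIME_DIR is set, as the reply above explains; a short comment on that line (or a note in the interface description) saying the runtime-dir search covers the $XDG_RUNTIME_DIR case would spare the next reader the question raised in this thread. The parallel `gnome_stream_connect_all_gkeyringd` hunk mirrors it correctly with `$1`.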
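Review bot: the `userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)` line in the gnome.te hunk passes no filename, so every directory gkeyringd creates directly in the user runtime directory would be labelled gnome_keyring_tmp_t, whereas the gnome.fc entry only labels `keyring`; consider passing "keyring" as the name, as the `gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")` context line does, assuming the interface accepts the optional filename argument. Separately, `kernel_read_kernel_sysctls(gkeyringd_domain)` is added without explanation and is unrelated to the runtime-directory change named in the subject; the patch has an empty commit message, so a line stating which gnome-keyring behaviour or denial requires it would help, especially given the reproduction question in this thread.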