From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 24 May 2017 15:25:52 +0200 Subject: [refpolicy] [PATCH v2] dbus: let session bus daemon manage user runtime dirs In-Reply-To: <20170524124454.GB1910@julius.enp8s0.d30> References: <1495629542.7394.3.camel@trentalancia.com> <20170524124454.GB1910@julius.enp8s0.d30> Message-ID: <1495632352.13711.1.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Let the session dbus process manage user runtime directories (with its own file type). This is the second version (v2) of the patch, thanks to Dominick Grift for revising the first version and suggesting improvements. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/dbus.fc | 1 + policy/modules/contrib/dbus.te | 7 +++++++ 2 files changed, 8 insertions(+) --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 +++ b/policy/modules/contrib/dbus.fc 2017-05-24 15:12:46.704726190 +0200 @@ -4,6 +4,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-24 15:06:23.125727758 +0200 @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') 
@@ -204,6 +207,10 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type)
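Review bot: in the dbus.fc hunk, the new `/run/user/%{USERID}/dbus-1(/.*)?` entry only takes effect when something relabels the path, and /run/user/<uid> is a tmpfs populated at login, so at runtime the label of this directory depends entirely on the type transition added in dbus.te rather than on this file-context line. Please make sure the two agree: the fc line covers only the `dbus-1` subtree, so the matching transition should be restricted to that name as well, otherwise a relabel and a fresh login will produce different labels for the same objects.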
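Review bot: in the dbus.te hunk at @@ -47,6 +47,9 @@, session_dbusd_runtime_t is declared with files_pid_file() only, which makes it a generic pid-file type like system_dbusd_var_run_t even though it lives under the per-user runtime directory. Nothing in this patch grants the owning user's domains any access to that type; only session_bus_type gets rules on it in the later hunk. If the intent is for user domains to traverse or read what the session bus puts there, consider also declaring it as user runtime content (userdom_user_runtime_content(), assuming this tree provides that interface) and adding a one-line comment above the declaration saying what the type covers, so it is not confused with session_dbusd_tmp_t.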
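Review bot: in the dbus.te hunk at @@ -204,6 +207,10 @@, the line `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file })` passes no name argument, so every dir or file the session bus creates directly in the user runtime directory, not just `dbus-1`, will be labelled session_dbusd_runtime_t. Please add the name, i.e. `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, dir, "dbus-1")`, so that only the directory matching the dbus.fc entry transitions and anything else the daemon creates there keeps the default label (and fails closed if it is unexpected). Separately, only dir and file classes are covered by the manage patterns; if the daemon also creates sockets or symlinks under this directory, those will be denied, so either extend the rules or note in the commit message that only the transient services directory is intended.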