From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 24 May 2017 15:59:34 +0200
Subject: [refpolicy] [PATCH v2] dbus: let session bus daemon manage user runtime dirs
In-Reply-To: <1495632352.13711.1.camel@trentalancia.com>
References: <1495629542.7394.3.camel@trentalancia.com>
 <20170524124454.GB1910@julius.enp8s0.d30>
 <1495632352.13711.1.camel@trentalancia.com>
Message-ID: <20170524135934.GC1910@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, May 24, 2017 at 03:25:52PM +0200, Guido Trentalancia via refpolicy wrote:
> Let the session dbus process manage user runtime directories (with
> its own file type).
>
> This is the second version (v2) of the patch, thanks to Dominick
> Grift for revising the first version and suggesting improvements.
>
> Signed-off-by: Guido Trentalancia
> ---
>  policy/modules/contrib/dbus.fc | 1 +
>  policy/modules/contrib/dbus.te | 7 +++++++
>  2 files changed, 8 insertions(+)
>
> --- a/policy/modules/contrib/dbus.fc	2017-03-29 17:58:00.272386397 +0200
> +++ b/policy/modules/contrib/dbus.fc	2017-05-24 15:12:46.704726190 +0200
> @@ -4,6 +4,7 @@ HOME_DIR/\.dbus(/.*)?	gen_context(sys
>
>  /run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
>  /run/messagebus\.pid	--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> +/run/user/%{USERID}/dbus-1(/.*)?	gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
>
>  /usr/bin/dbus-daemon(-1)?	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
>
> --- a/policy/modules/contrib/dbus.te	2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/dbus.te	2017-05-24 15:06:23.125727758 +0200
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
>  files_pid_file(system_dbusd_var_run_t)
>  init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>
> +type session_dbusd_runtime_t;
> +files_pid_file(session_dbusd_runtime_t)
> +
>  ifdef(`enable_mcs',`
>  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
>  ')
> @@ -204,6 +207,10 @@ manage_dirs_pattern(session_bus_type, se
>  manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
>  files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
>
> +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file })

There's no file in /run/user/USERID; if there was, then you forgot to add the
corresponding file context specification. There is, however, a sock file
there: "bus".

/run/user/%{USERID}/bus	-s	system_u:object_r:session_dbusd_user_runtime_t:s0

userdom_user_runtime_filetrans(session_bus_type, session_dbusd_user_runtime_t, sock_file)

> +
>  kernel_read_system_state(session_bus_type)
>  kernel_read_kernel_sysctls(session_bus_type)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170524/6e2afdc6/attachment.bin
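Review bot: in the dbus.fc hunk, the only new spec is `/run/user/%{USERID}/dbus-1(/.*)?`, while the second dbus.te hunk's `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file })` is unnamed and so transitions every directory and file the session bus creates directly in the user runtime directory, not just `dbus-1`. The two have to agree, otherwise a relabel with the shipped file contexts puts a different label on those objects than the transition did at runtime: either add a spec for each other object created there or restrict the transition. A named transition, the way `init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")` in the first dbus.te hunk pins the system bus directory, would be the tightest fit if the userdom interface accepts a name argument.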
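Review bot: in the first dbus.te hunk, `session_dbusd_runtime_t` is declared with `files_pid_file()` alone and no interface is added in dbus.if for other domains to use it; whichever type ends up on the `bus` socket Dominick points out, the clients of the session bus need policy to reach it, and nothing in this patch provides that for the new type. `files_pid_file()` also describes system pid-file content, whereas this type labels per-user content under `/run/user/%{USERID}`; if the userdomain module offers a declaration for user runtime content, that would be the more accurate fit, and otherwise a comment on why a pid-file attribute was chosen would help the next reader.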
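Review bot: in the second dbus.te hunk, `manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)` and the `file` class in the filetrans have no counterpart in the dbus.fc hunk, which only labels the `dbus-1` directory tree; if no plain files are created there, drop the `file` class and the files pattern. For the `bus` socket that Dominick identifies as the object actually created in the user runtime directory, a `sock_file` transition alone is not enough: a filetrans grants only the directory access and the type_transition, so the hunk also needs `manage_sock_files_pattern(session_bus_type, <type>, <type>)` for whatever type is chosen for the socket, plus the matching `-s` entry in dbus.fc.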
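The disagreement raised in this thread, a filetrans that covers object classes no .fc line labels, is mechanical enough to check before a patch goes out. The script below is an added example, not refpolicy code and not part of the thread: it parses .fc lines (with the class flag `--`/`-d`/`-s`/... and `%{USERID}` expanded to any uid), picks the most specific matching spec for a (path, class) pair using an approximation of libselinux's ordering, and reports the objects a daemon creates that no spec covers. The `gen_context(...)` wrappers from the quoted hunk are written here as plain contexts because m4 is not run, the object list is constructed for uid 1000, and the `example` file name under `dbus-1` is hypothetical.

```python
"""Check that every object a daemon creates has a matching file-context spec.

Added example (not from refpolicy or the mailing-list thread). It approximates
setfiles/libselinux matching: the .fc regex is anchored, an optional class
flag restricts the object class, and the most specific spec wins.
"""
import re

# .fc class flag -> SELinux object class
CLASS_FLAGS = {
    "--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
    "-c": "chr_file", "-b": "blk_file", "-p": "fifo_file",
}

# The dbus.fc lines from the quoted hunk, gen_context() expanded by hand.
PATCH_FC = """
/run/dbus(/.*)?                      system_u:object_r:system_dbusd_var_run_t:s0
/run/messagebus\\.pid      --        system_u:object_r:system_dbusd_var_run_t:s0
/run/user/%{USERID}/dbus-1(/.*)?     system_u:object_r:session_dbusd_runtime_t:s0
/usr/bin/dbus-daemon(-1)?  --        system_u:object_r:dbusd_exec_t:s0
"""

# Dominick's suggested spec for the session bus socket, same plain form.
SOCKET_FC = "/run/user/%{USERID}/bus  -s  system_u:object_r:session_dbusd_user_runtime_t:s0\n"

_META = re.compile(r"[.\[\](){}*+?|^$\\]")


def parse_fc(text):
    """Return (compiled_regex, class_or_None, context, stem_len, order) per spec."""
    specs = []
    for order, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, flag, ctx = parts
            cls = CLASS_FLAGS[flag]
        elif len(parts) == 2:
            path_re, ctx = parts
            cls = None          # no flag: spec applies to every class
        else:
            raise ValueError("malformed fc line: %r" % raw)
        # %{USERID} is expanded per user by genhomedircon; accept any uid here.
        path_re = path_re.replace("%{USERID}", "[0-9]+")
        # Stem: leading literal prefix with no regex metacharacters.
        m = _META.search(path_re)
        stem_len = m.start() if m else len(path_re)
        specs.append((re.compile("^" + path_re + "$"), cls, ctx, stem_len, order))
    return specs


def match(specs, path, cls):
    """Context for (path, class), or None when no spec covers it.

    Approximates libselinux ordering: a fully literal spec beats a regex one,
    a longer literal stem beats a shorter one, later lines break ties.
    """
    best = None
    for regex, spec_cls, ctx, stem_len, order in specs:
        if spec_cls is not None and spec_cls != cls:
            continue
        if not regex.match(path):
            continue
        literal = stem_len == len(regex.pattern) - 2   # strip ^ and $
        key = (literal, stem_len, order)
        if best is None or key > best[0]:
            best = (key, ctx)
    return best[1] if best else None


def uncovered(specs, objects):
    """(path, class) pairs that would get no label from these specs."""
    return [(p, c) for p, c in objects if match(specs, p, c) is None]


# Constructed: objects a session dbus-daemon creates for uid 1000. The
# "example" file name is hypothetical; the socket is the one the thread names.
SESSION_BUS_OBJECTS = [
    ("/run/user/1000/dbus-1", "dir"),
    ("/run/user/1000/dbus-1/example", "file"),
    ("/run/user/1000/bus", "sock_file"),
]

if __name__ == "__main__":
    for path, cls in uncovered(parse_fc(PATCH_FC), SESSION_BUS_OBJECTS):
        print("patch fc has no entry for %s %s" % (cls, path))
    print("with socket spec:", uncovered(parse_fc(PATCH_FC + SOCKET_FC), SESSION_BUS_OBJECTS))
```

Run against the patch's own .fc lines it reports the `bus` socket as unlabelled; adding Dominick's `-s` line clears it. The same check can be pointed at the classes named in a filetrans call to catch the `{ dir file }` versus `sock_file` mismatch discussed above before a relabel does.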