From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 24 May 2017 18:48:00 +0200
Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs
In-Reply-To: <20170524135934.GC1910@julius.enp8s0.d30>
References: <1495629542.7394.3.camel@trentalancia.com> <20170524124454.GB1910@julius.enp8s0.d30> <1495632352.13711.1.camel@trentalancia.com> <20170524135934.GC1910@julius.enp8s0.d30>
Message-ID: <1495644480.13711.7.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Let the session dbus process manage user runtime directories (with its own file type).

This is the third version (v3) of the patch, thanks to Dominick Grift for revising the previous two versions and suggesting improvements.

Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/dbus.fc | 2 ++
 policy/modules/contrib/dbus.te | 8 ++++++++
 2 files changed, 10 insertions(+)

--- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200
+++ b/policy/modules/contrib/dbus.fc 2017-05-24 18:41:36.105674966 +0200
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
--- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te 2017-05-24 18:43:56.536674392 +0200
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ')
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type)
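Review bot: the second entry added in the dbus.fc hunk is redundant. `/run/user/%{USERID}/dbus-1(/.*)?` has no object-class restriction, so it already matches `/run/user/%{USERID}/dbus-1/bus` for sockets as well, and both entries assign the same `session_dbusd_runtime_t` context; the `-s` line therefore changes nothing and can be dropped. If the intent was to cover a socket created directly in the user runtime directory rather than under `dbus-1/`, that path needs its own entry instead, since the `sock_file` transition in the dbus.te hunk only takes effect for objects created at that top level.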
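Review bot: in the first dbus.te hunk, `files_pid_file(session_dbusd_runtime_t)` declares the new type as a generic /run pid-file type, yet every location labelled with it in dbus.fc sits under `/run/user/%{USERID}` and the only transition added for it is `userdom_user_runtime_filetrans`. Unlike `system_dbusd_var_run_t` just above it, there is no `init_daemon_pid_file` call, so nothing ever creates this content directly under /run. If the userdomain module provides a user-runtime-content interface, that is the more accurate declaration for this type; failing that, a one-line comment above `type session_dbusd_runtime_t;` saying it is the per-user `/run/user/%{USERID}/dbus-1` content would save the next reader from looking for a /run usage that does not exist.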
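Review bot: the `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` call in the second dbus.te hunk is an unnamed transition, so every directory, plain file and socket a session bus creates directly in the user runtime directory becomes `session_dbusd_runtime_t`, while the dbus.fc hunk only labels the `dbus-1` subtree. For `file` and `sock_file` this makes runtime labels and on-disk labels disagree: an object created at the top level is `session_dbusd_runtime_t` when created, but no fc entry covers it and a relabel would change it. Two ways to close the gap: restrict the transition to the directory by name, e.g. `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, dir, "dbus-1")` (assuming the interface takes the optional filename argument like the other refpolicy filetrans interfaces), and let objects created inside it inherit the type through the `manage_*_pattern` rules above; or, if the bus really does create files or sockets at the top level, add matching fc entries for them.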