From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 24 May 2017 19:32:00 +0200 Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs In-Reply-To: <20170524171951.GB8657@julius.enp8s0.d30> References: <1495629542.7394.3.camel@trentalancia.com> <20170524124454.GB1910@julius.enp8s0.d30> <1495632352.13711.1.camel@trentalancia.com> <20170524135934.GC1910@julius.enp8s0.d30> <1495644480.13711.7.camel@trentalancia.com> <20170524165602.GA8657@julius.enp8s0.d30> <1495646082.4687.1.camel@trentalancia.com> <20170524171951.GB8657@julius.enp8s0.d30> Message-ID: <1495647120.7185.0.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 24/05/2017 at 19.19 +0200, Dominick Grift via refpolicy wrote: > On Wed, May 24, 2017 at 07:14:42PM +0200, Guido Trentalancia via > refpolicy wrote: > > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via > > refpolicy wrote: > > > On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via > > > refpolicy wrote: > > > > Let the session dbus process manage user runtime directories > > > > (with > > > > its own file type). > > > > > > > > This is the third version (v3) of the patch, thanks to Dominick > > > > Grift for revising the previous two versions and suggesting > > > > improvements. > > > > > > > > Signed-off-by: Guido Trentalancia > > > > --- > > > > ?policy/modules/contrib/dbus.fc |????2 ++ > > > > ?policy/modules/contrib/dbus.te |????8 ++++++++ > > > > ?2 files changed, 10 insertions(+) > > > > > > > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 > > > > 17:58:00.272386397 +0200 > > > > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 > > > > 18:41:36.105674966 +0200 
> > > > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? > > > > gen_context(sys > > > > ? > > > > ?/run/dbus(/.*)? gen_con > > > > text > > > > (system_u:object_r:system_dbusd_var_run_t,s0) > > > > ?/run/messagebus\.pid -- gen_cont > > > > ext( > > > > system_u:object_r:system_dbusd_var_run_t,s0) > > > > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(sy > > > > stem > > > > _u:object_r:session_dbusd_runtime_t,s0) > > > > +/run/user/%{USERID}/dbus-1/bus -s gen_co > > > > ntex > > > > t(system_u:object_r:session_dbusd_runtime_t,s0) > > > > > > The bus socket is not in the dbus-1 dir: > > > > > > $ ls -alZ $XDG_RUNTIME_DIR | grep bus > > > srw-rw-rw-. 1 kcinimod kcinimod > > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0??????0 May > > > 24 > > > 17:05 bus > > > drwx------. 3 kcinimod kcinimod > > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0?????60 May > > > 24 > > > 17:19 dbus-1 > > > > I have fixed the above in the next version (v4)... Thanks for > > telling > > me. > > > > > > ? > > > > ?/usr/bin/dbus-daemon(-1)? -- gen_context > > > > (sys > > > > tem_u:object_r:dbusd_exec_t,s0) > > > > ? > > > > --- a/policy/modules/contrib/dbus.te 2017-04-26 > > > > 17:47:20.555423022 +0200 > > > > +++ b/policy/modules/contrib/dbus.te 2017-05-24 > > > > 18:43:56.536674392 +0200 > > > > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > > > > ?files_pid_file(system_dbusd_var_run_t) > > > > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > > > ? > > > > +type session_dbusd_runtime_t; > > > > +files_pid_file(session_dbusd_runtime_t) > > > > > > It is not a pid file its a userdom_user_runtime_file() or > > > userdom_user_tmp_file() > > > > userdom_user_runtime_file() does not exist, however I can change it > > to > > userdom_user_tmp_file(). > > > > > > + > > > > ?ifdef(`enable_mcs',` > > > > ? init_ranged_system_domain(system_dbusd_t, > > > > dbusd_exec_t, s0 > > > > - mcs_systemhigh) > > > > ?') 
> > > > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se > > > > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t, > > > > session_dbusd_tmp_t) > > > > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { > > > > dir > > > > file }) > > > > ? > > > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, > > > > session_dbusd_runtime_t) > > > > +manage_files_pattern(session_bus_type, > > > > session_dbusd_runtime_t, > > > > session_dbusd_runtime_t) > > > > > > There are no files here > > > > Well, if there is a directory, then it is used for storing files... > > > > I am fine with keeping the files pattern. > > Okay but the filetrans below for files does not make sense It does not harm and it might be useful in the future. > > > > +manage_sock_files_pattern(session_bus_type, > > > > session_dbusd_runtime_t, session_dbusd_runtime_t) > > > > +userdom_user_runtime_filetrans(session_bus_type, > > > > session_dbusd_runtime_t, { dir file sock_file }) > > > > + > > > > ?kernel_read_system_state(session_bus_type) > > > > ?kernel_read_kernel_sysctls(session_bus_type) Regards, Guido
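Review bot: the second added dbus.fc entry labels `/run/user/%{USERID}/dbus-1/bus -s`, but the `ls -alZ $XDG_RUNTIME_DIR` listing quoted in the reply shows the session socket as `bus` directly under the runtime directory, with `dbus-1` as a separate directory beside it, so the socket entry should read `/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)` (the thread already flags this for v4). Note that these .fc entries only take effect on a relabel; at runtime the label comes from the `userdom_user_runtime_filetrans` rule in the dbus.te hunk, so the paths in both files need to agree on what carries session_dbusd_runtime_t.

Review bot: `files_pid_file(session_dbusd_runtime_t)` in the first dbus.te hunk puts a per-user /run/user type into the system pid-file attribute, which is the objection raised in the reply; since the type only ever appears under the user runtime directory, `userdom_user_tmp_file(session_dbusd_runtime_t)` (the interface the author agrees to switch to) is the right declaration, and the `userdom_user_runtime_filetrans` rule in the following hunk works unchanged with it.

Review bot: the `file` class in `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` has no name filter, so any regular file a session bus creates directly in the user runtime directory, not only dbus's own, would be labelled session_dbusd_runtime_t; the quoted listing shows only the `bus` socket and the `dbus-1` directory at that level. Either drop `file` from the filetrans (keeping `manage_files_pattern` for content inside dbus-1 is harmless, as the author argues) or, if the interface accepts the optional filename argument, split it into named transitions for "dbus-1" (dir) and "bus" (sock_file) so nothing else picks up the type.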