From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 24 May 2017 19:44:42 +0200
Subject: [refpolicy] [PATCH v4] dbus: let session bus daemon manage user
	runtime dirs
In-Reply-To: <20170524171951.GB8657@julius.enp8s0.d30>
References: <1495629542.7394.3.camel@trentalancia.com>
	<20170524124454.GB1910@julius.enp8s0.d30>
	<1495632352.13711.1.camel@trentalancia.com>
	<20170524135934.GC1910@julius.enp8s0.d30>
	<1495644480.13711.7.camel@trentalancia.com>
	<20170524165602.GA8657@julius.enp8s0.d30>
	<1495646082.4687.1.camel@trentalancia.com>
	<20170524171951.GB8657@julius.enp8s0.d30>
Message-ID: <1495647882.7185.4.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Let the session dbus process manage user runtime directories (with
its own file type).

This is the fourth version (v4) of the patch, thanks to Dominick
Grift for revising the previous versions and suggesting improvements.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/dbus.fc |    2 ++
 policy/modules/contrib/dbus.te |    8 ++++++++
 2 files changed, 10 insertions(+)

--- a/policy/modules/contrib/dbus.fc	2017-03-29 17:58:00.272386397 +0200
+++ b/policy/modules/contrib/dbus.fc	2017-05-24 19:02:00.142671214 +0200
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?				gen_context(sys
 
 /run/dbus(/.*)?					gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 /run/messagebus\.pid			--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/bus			-s	gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)?		gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
 
 /usr/bin/dbus-daemon(-1)?		--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
--- a/policy/modules/contrib/dbus.te	2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/dbus.te	2017-05-24 19:18:29.074667171 +0200
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
 init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
 
+type session_dbusd_runtime_t;
+userdom_user_tmp_file(session_dbusd_runtime_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
 ')
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
 
+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+
 kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)