From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 24 May 2017 19:19:15 -0400
Subject: [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs
In-Reply-To: <1495646082.4687.1.camel@trentalancia.com>
References: <1495629542.7394.3.camel@trentalancia.com> <20170524124454.GB1910@julius.enp8s0.d30> <1495632352.13711.1.camel@trentalancia.com> <20170524135934.GC1910@julius.enp8s0.d30> <1495644480.13711.7.camel@trentalancia.com> <20170524165602.GA8657@julius.enp8s0.d30> <1495646082.4687.1.camel@trentalancia.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/24/2017 01:14 PM, Guido Trentalancia via refpolicy wrote:
> On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via refpolicy wrote:
>> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via refpolicy wrote:
>>> Let the session dbus process manage user runtime directories (with
>>> its own file type).
>>>
>>> This is the third version (v3) of the patch, thanks to Dominick
>>> Grift for revising the previous two versions and suggesting
>>> improvements.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>>  policy/modules/contrib/dbus.fc | 2 ++
>>>  policy/modules/contrib/dbus.te | 8 ++++++++
>>>  2 files changed, 10 insertions(+)
>>>
>>> --- a/policy/modules/contrib/dbus.fc	2017-03-29 17:58:00.272386397 +0200
>>> +++ b/policy/modules/contrib/dbus.fc	2017-05-24 18:41:36.105674966 +0200
>>> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?	gen_context(sys
>>>
>>>  /run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
>>>  /run/messagebus\.pid	--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
>>> +/run/user/%{USERID}/dbus-1(/.*)?	gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
>>> +/run/user/%{USERID}/dbus-1/bus	-s	gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
>>
>> The bus socket is not in the dbus-1 dir:
>>
>> $ ls -alZ $XDG_RUNTIME_DIR | grep bus
>> srw-rw-rw-. 1 kcinimod kcinimod wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0  0 May 24 17:05 bus
>> drwx------. 3 kcinimod kcinimod wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24 17:19 dbus-1
>
> I have fixed the above in the next version (v4)... Thanks for telling
> me.
>
>>>
>>>  /usr/bin/dbus-daemon(-1)?	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
>>>
>>> --- a/policy/modules/contrib/dbus.te	2017-04-26 17:47:20.555423022 +0200
>>> +++ b/policy/modules/contrib/dbus.te	2017-05-24 18:43:56.536674392 +0200
>>> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
>>>  files_pid_file(system_dbusd_var_run_t)
>>>  init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>>>
>>> +type session_dbusd_runtime_t;
>>> +files_pid_file(session_dbusd_runtime_t)
>>
>> It is not a pid file, it's a userdom_user_runtime_file() or
>> userdom_user_tmp_file()
>
> userdom_user_runtime_file() does not exist, however I can change it to
> userdom_user_tmp_file().

Pid is actually right, for now, as pids (in the refpolicy sense) are slowly turning into being a subset of runtime files. Eventually the refpolicy pid file concept might go away.

--
Chris PeBenito
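Review bot: in the dbus.fc hunk, the second added line labels `/run/user/%{USERID}/dbus-1/bus` as the session bus socket, but the `ls -alZ $XDG_RUNTIME_DIR` listing quoted in the thread shows the socket `bus` directly in the runtime directory, beside the `dbus-1` directory rather than inside it, so that line should read `/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)`; the first added line covering `dbus-1(/.*)?` is fine as written. The author notes this is already corrected in v4, so the v4 .fc hunk is the one to re-check.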
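Review bot: the dbus.te hunk cannot be reviewed as quoted: its header (`-47,6 +47,9`) announces three added lines and the diffstat eight for this file, yet only `+type session_dbusd_runtime_t;` and `+files_pid_file(session_dbusd_runtime_t)` are visible, so the rules that actually allow the session bus domain to manage the new type (and any user runtime or tmp association, which is what the files_pid_file() versus userdom_user_tmp_file() discussion turns on) are missing from this quote and should be checked against the full patch before it is merged.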