From: guido@trentalancia.com (Guido Trentalancia) Date: Thu, 25 May 2017 13:23:26 +0200 Subject: [refpolicy] [PATCH v5] dbus: let session bus daemon manage user runtime dirs In-Reply-To: <1495647882.7185.4.camel@trentalancia.com> References: <1495629542.7394.3.camel@trentalancia.com> <20170524124454.GB1910@julius.enp8s0.d30> <1495632352.13711.1.camel@trentalancia.com> <20170524135934.GC1910@julius.enp8s0.d30> <1495644480.13711.7.camel@trentalancia.com> <20170524165602.GA8657@julius.enp8s0.d30> <1495646082.4687.1.camel@trentalancia.com> <20170524171951.GB8657@julius.enp8s0.d30> <1495647882.7185.4.camel@trentalancia.com> Message-ID: <1495711406.16506.0.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Let the session dbus process manage user runtime directories (with its own file type). This is the fifth version (v5) of the patch, thanks to Dominick Grift for revising the previous versions and suggesting improvements, although unfortunately this new version needs to revert one of the suggested amendments because it was misleading. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/dbus.fc | 2 ++ policy/modules/contrib/dbus.te | 8 ++++++++ 2 files changed, 10 insertions(+) --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 +++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200 @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-25 13:17:23.354402519 +0200 @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type)