From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 11 Oct 2017 13:46:16 +0200
Subject: [refpolicy] [PATCH 2/2] dbus: read user home content files
In-Reply-To:
References: <1507316441.20230.11.camel@trentalancia.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On the 11th of October 2017 01:52:20 CEST, Chris PeBenito wrote:
>On 10/09/2017 03:03 PM, Guido Trentalancia via refpolicy wrote:
>>
>>
>> On the 9th of October 2017 19:56:00 CEST, Chris PeBenito wrote:
>>> On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>>>> Add permissions required to run Gnome (read user color management
>>>> files).
>>>>
>>>> Signed-off-by: Guido Trentalancia
>>>> ---
>>>>   policy/modules/contrib/dbus.te | 2 ++
>>>>   1 file changed, 2 insertions(+)
>>>>
>>>> --- a/policy/modules/contrib/dbus.te 2017-09-29 19:01:55.142455647 +0200
>>>> +++ b/policy/modules/contrib/dbus.te 2017-10-06 00:04:54.272534259 +0200
>>>> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
>>>> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>>>> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>>>>
>>>> +userdom_read_user_home_content_files(system_dbusd_t)
>>>
>>> Does this not fit in with any of the XDG types instead?
>>
>> I don't know, it needs to read a file in the ~/.local/share subdirectory.
>>
>> Is there a new specific interface for that?
>
>Nevermind, it hasn't been merged yet.

I use userdom_read_user_data() which only allows reading the ~/.local subdirectory.

But you haven't merged that patch (user data confidentiality patch), so it's not available in the Reference Policy and you have to allow reading the whole user home directory...

Regards,

Guido
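Review bot: the single added line, `+userdom_read_user_home_content_files(system_dbusd_t)`, grants the system bus domain read access to every file in every user's home directory, which is far wider than the need stated in the commit message (one file under ~/.local/share for colour management) and wider than the `dontaudit_search_user_home_dirs` line just above it suggests the author wanted. The thread already identifies the narrower alternatives (an XDG data-directory interface, or the pending `userdom_read_user_data()`), so either hold the patch until one of those is available or record in the commit message why whole-home read access is acceptable for system_dbusd_t. Separately, the quoted hunk header `@@ -147,6 +147,8 @@` announces two added lines but only one `+` line is visible in this copy; confirm the complete hunk applies as submitted.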