From: dsugar@tresys.com (David Sugar)
Date: Thu, 30 Nov 2017 22:41:46 +0000
Subject: [refpolicy] [PATCH 1/1] Work around systemd-logind patch not in RHEL 7.x yet
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This is probably RHEL only - seeing directories in /run/user/$(UID) created as tmpfs_t rather than user_runtime_t. This appears fixed in newer systemd-logind.

It appears to have been fixed in systemd git repo by Nicolas Iooss 02-Feb-2016 hash 4b51966cf6c06250036e428608da92f8640beb96 probably in systemd-v229.

I don't see this merged into RHEL 7.x as of now but at some point it hopefully will be merged in and this can go away.

Signed-off-by: Dave Sugar
--- policy/modules/system/systemd.te | 9 +++++++++ policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 2d0393a3..1e8776f4 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -450,6 +450,15 @@ userdom_setattr_user_ttys(systemd_logind_t) userdom_delete_user_runtime_files(systemd_logind_t) userdom_use_user_ttys(systemd_logind_t) +# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x +# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 +# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context +# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed. +ifdef(`distro_redhat',` + userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir) + userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir) +') + optional_policy(` dbus_connect_system_bus(systemd_logind_t) dbus_system_bus_client(systemd_logind_t) 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 49eff3a6..b2105d12 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',` ######################################## ## +## Create objects in the user runtime root +## directory with an automatic type transition +## to the user runtime dir type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_user_run_filetrans_user_runtime',` + gen_require(` + type user_runtime_t; + ') + + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3) +') + +######################################## +## ## Read and write user tmpfs files. ## ## -- 2.13.6
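Review bot: In the systemd.te hunk, both calls inside the ifdef(`distro_redhat', ...) block pass only (systemd_logind_t, dir) with no object name, so the transition is unnamed. Because userdom_user_run_filetrans_user_runtime forwards to fs_tmpfs_filetrans, every directory systemd_logind_t creates under any tmpfs_t parent will be labeled user_runtime_t, not only those under /run/user/$UID/. The comment should state that scope explicitly so the breadth of the rule is visible to whoever later decides whether it can be removed. The guard is also wider than the comment: the text talks about RHEL 7.x and systemd older than v229, while distro_redhat is the only condition, so the workaround stays active on builds where the systemd fix is already present. Consider saying in the comment that the guard is deliberately coarse, or narrowing it if a suitable build option exists.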
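Review bot: In the userdomain.if hunk, the summary of the new interface ("Create objects in the user runtime root directory ...") does not match its body, which calls fs_tmpfs_filetrans($1, user_runtime_t, $2, $3) and therefore keys on a tmpfs_t parent directory, not on the user runtime root type. As written, the description reads the same as that of the existing userdom_user_runtime_root_filetrans_user_runtime just above it, which makes the two hard to tell apart. Suggest rewording the summary to say the objects are created in a tmpfs_t directory (the mislabeled /run/user/$UID case from the commit message), and noting in the name parameter's description that it may be left empty, since the only caller in this patch omits it.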