From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 3 Dec 2017 16:34:20 -0500
Subject: [refpolicy] [PATCH 1/1] Work around systemd-logind patch not in RHEL 7.x yet
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/30/2017 05:41 PM, David Sugar via refpolicy wrote:
> This is probably RHEL only - seeing directories in /run/user/$(UID) created as
> tmpfs_t rather than user_runtime_t. This appears fixed in newer systemd-logind.
> It appears to have been fixed in systemd git repo by Nicolas Iooss 02-Feb-2016
> hash 4b51966cf6c06250036e428608da92f8640beb96 probably in systemd-v229
> I don't see this merged into RHEL 7.x as of now but at some point it hopefully
> will be merged in and this can go away.
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/system/systemd.te | 9 +++++++++
> policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
> 2 files changed, 39 insertions(+)
>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 2d0393a3..1e8776f4 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -450,6 +450,15 @@ userdom_setattr_user_ttys(systemd_logind_t) > userdom_delete_user_runtime_files(systemd_logind_t) > userdom_use_user_ttys(systemd_logind_t) > > +# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x > +# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 > +# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context > +# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed. > +ifdef(`distro_redhat',` > + userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir) > + userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir) > +') > + > optional_policy(` > dbus_connect_system_bus(systemd_logind_t) > dbus_system_bus_client(systemd_logind_t) > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 49eff3a6..b2105d12 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',` > > ######################################## > ## > +## Create objects in the user runtime root > +## directory with an automatic type transition > +## to the user runtime dir type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`userdom_user_run_filetrans_user_runtime',` > + gen_require(` > + type user_runtime_t; > + ') > + > + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3) > +') > + > +######################################## > +## > ## Read and write user tmpfs files. > ## > ## > Merged. -- Chris PeBenito
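
Review bot: In the systemd.te hunk, the guard ifdef(`distro_redhat', ...) is wider than the RHEL 7.x case the comment names, so the two filetrans rules are also built for any other Red Hat family target, including ones whose systemd-logind already carries commit 4b51966cf6c06250036e428608da92f8640beb96. Either say in the comment that the rules are harmless but redundant there, or narrow the condition if a finer one is available. Note also that both calls pass only (systemd_logind_t, dir) with no object name, so every directory systemd_logind_t creates under those parent types is labelled user_runtime_t; the comment should state that this breadth is intended.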
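
Review bot: In the userdomain.if hunk, the summary for userdom_user_run_filetrans_user_runtime says "Create objects in the user runtime root directory", but the body calls fs_tmpfs_filetrans($1, user_runtime_t, $2, $3), so the transition applies to objects created in tmpfs_t directories, not in the user runtime root. The text reads as copied from userdom_user_runtime_root_filetrans_user_runtime just above it; reword it to describe a tmpfs parent so the two interfaces can be told apart from their documentation, and mention that the name parameter is optional since the only caller in this patch omits it.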