This is probably RHEL only - seeing directories in /run/user/$(UID) created as
tmpfs_t rather than user_runtime_t. This appears fixed in newer systemd-logind.
It appears to have been fixed in systemd git repo by Nicolas Iooss 02-Feb-2016
hash 4b51966cf6c06250036e428608da92f8640beb96 probably in systemd-v229
I don't see this merged into RHEL 7.x as of now but as some point it hopefully
will be merged in and this can go away.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.te | 9 +++++++++
policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2d0393a3..1e8776f4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -450,6 +450,15 @@ userdom_setattr_user_ttys(systemd_logind_t)
userdom_delete_user_runtime_files(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
+# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
+# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
+ifdef(`distro_redhat',`
+ userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
+ userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
+')
+
optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 49eff3a6..b2105d12 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',`
########################################
## <summary>
+## Create objects in the user runtime root
+## directory with an automatic type transition
+## to the user runtime dir type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_run_filetrans_user_runtime',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
--
2.13.6
On 11/30/2017 05:41 PM, David Sugar via refpolicy wrote:
> This is probably RHEL only - seeing directories in /run/user/$(UID) created as
> tmpfs_t rather than user_runtime_t. This appears fixed in newer systemd-logind.
> It appears to have been fixed in systemd git repo by Nicolas Iooss 02-Feb-2016
> hash 4b51966cf6c06250036e428608da92f8640beb96 probably in systemd-v229
> I don't see this merged into RHEL 7.x as of now but as some point it hopefully
> will be merged in and this can go away.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.te | 9 +++++++++
> policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
> 2 files changed, 39 insertions(+)
>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 2d0393a3..1e8776f4 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -450,6 +450,15 @@ userdom_setattr_user_ttys(systemd_logind_t)
> userdom_delete_user_runtime_files(systemd_logind_t)
> userdom_use_user_ttys(systemd_logind_t)
>
> +# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> +# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> +# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> +# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
> +ifdef(`distro_redhat',`
> + userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
> + userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
> +')
> +
> optional_policy(`
> dbus_connect_system_bus(systemd_logind_t)
> dbus_system_bus_client(systemd_logind_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 49eff3a6..b2105d12 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',`
>
> ########################################
> ## <summary>
> +## Create objects in the user runtime root
> +## directory with an automatic type transition
> +## to the user runtime dir type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_user_run_filetrans_user_runtime',`
> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read and write user tmpfs files.
> ## </summary>
> ## <param name="domain">
>
Merged.
--
Chris PeBenito