[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

Miroslav Grepl mgrepl at redhat.com
Wed Apr 13 16:18:55 UTC 2016

On 04/12/2016 07:57 PM, Christopher J. PeBenito wrote:
> On 4/12/2016 1:02 PM, Jason Zaman wrote:
>> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
>>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
>>>> Hi all,
>>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
>>>> am now trying to fix refpol to work with it.
>>>> What labels do we want for things in /run/user?
>>>> Currently refpol has the following which seems pretty weird:
>>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>>> It was originally added from fedora but fedora has since dropped that.
>>>> fedora now has:
>>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
>>>> The problem with that fcontext is that users have write perms towards
>>>> user_tmp_t so they would be able to do other things in /run/user/
>>>> instead of only within /run/user/%{USERID}/.
>>>> I think we should have some kind of _root_t and _home_t like how things
>>>> are for /home and /home/USERNAME
>>> This makes sense.
>> so this?
>> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
>> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
>> Once the patches get merged in to the userspace tools I will start
>> preparing patches for this.
> [...]
>>> Which group (if any) specified how /run/user/UID should be used? XDG?
>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>> I think systemd started it, but ConsoleKit2 supports it too and it is
>> officially a freedesktop/XDG spec.
> I think it makes more sense for these not to be XDG-named types, since
> XDG isn't the only one that uses it.  Perhaps something like
> user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and
> user_tmp_t (I'm open to other suggestions).

Ok, this is again https://github.com/systemd/systemd/issues/257.

Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

More information about the refpolicy mailing list