[refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

Guido Trentalancia guido at trentalancia.com
Wed May 24 17:14:42 UTC 2017


On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
refpolicy wrote:
> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > Let the session dbus process manage user runtime directories (with
> > its own file type).
> > 
> > This is the third version (v3) of the patch, thanks to Dominick
> > Grift for revising the previous two versions and suggesting
> > improvements.
> > 
> > Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> > ---
> >  policy/modules/contrib/dbus.fc |    2 ++
> >  policy/modules/contrib/dbus.te |    8 ++++++++
> >  2 files changed, 10 insertions(+)
> > 
> > --- a/policy/modules/contrib/dbus.fc	2017-03-29
> > 17:58:00.272386397 +0200
> > +++ b/policy/modules/contrib/dbus.fc	2017-05-24
> > 18:41:36.105674966 +0200
> > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?				
> > gen_context(sys
> >  
> >  /run/dbus(/.*)?					gen_context
> > (system_u:object_r:system_dbusd_var_run_t,s0)
> >  /run/messagebus\.pid			--	gen_context(
> > system_u:object_r:system_dbusd_var_run_t,s0)
> > +/run/user/%{USERID}/dbus-1(/.*)?		gen_context(system
> > _u:object_r:session_dbusd_runtime_t,s0)
> > +/run/user/%{USERID}/dbus-1/bus		-s	gen_contex
> > t(system_u:object_r:session_dbusd_runtime_t,s0)
> 
> The bus socket is not in the dbus-1 dir:
> 
> $ ls -alZ $XDG_RUNTIME_DIR | grep bus
> srw-rw-rw-. 1 kcinimod kcinimod
> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0      0 May 24
> 17:05 bus
> drwx------. 3 kcinimod kcinimod
> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0     60 May 24
> 17:19 dbus-1

I have fixed the above in the next version (v4)... Thanks for telling
me.

> >  
> >  /usr/bin/dbus-daemon(-1)?		--	gen_context(sys
> > tem_u:object_r:dbusd_exec_t,s0)
> >  
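Review bot: the `-s` entry for `/run/user/%{USERID}/dbus-1/bus` is redundant as written, because the preceding `/run/user/%{USERID}/dbus-1(/.*)?` line already assigns the same type to everything below dbus-1; and according to the `ls -alZ $XDG_RUNTIME_DIR` listing in the thread the socket actually lives at `$XDG_RUNTIME_DIR/bus`, so with v3 the socket would keep the generic user runtime label and the new type would never apply to it. Suggest replacing the socket line with `/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)`, in line with the v4 fix mentioned in the reply.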
> > --- a/policy/modules/contrib/dbus.te	2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/dbus.te	2017-05-24
> > 18:43:56.536674392 +0200
> > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> >  files_pid_file(system_dbusd_var_run_t)
> >  init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
> >  
> > +type session_dbusd_runtime_t;
> > +files_pid_file(session_dbusd_runtime_t)
> 
> It is not a pid file, it's a userdom_user_runtime_file() or
> userdom_user_tmp_file()

userdom_user_runtime_file() does not exist, however I can change it to
userdom_user_tmp_file().

> > +
> >  ifdef(`enable_mcs',`
> >  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0
> > - mcs_systemhigh)
> >  ')
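Review bot: `files_pid_file(session_dbusd_runtime_t)` marks the new type as system PID-file content, but the type lives under the per-user runtime directory (the later hunk creates it through `userdom_user_runtime_filetrans`), so it should be declared through the userdom interface for user content instead, as Dominick suggests; since `userdom_user_runtime_file()` does not exist, `userdom_user_tmp_file(session_dbusd_runtime_t)` is the available choice, and it keeps the type out of the system pid-file attribute that `files_pid_file()` would otherwise grant it.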
> > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
> >  manage_files_pattern(session_bus_type, session_dbusd_tmp_t,
> > session_dbusd_tmp_t)
> >  files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir
> > file })
> >  
> > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t,
> > session_dbusd_runtime_t)
> > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t,
> > session_dbusd_runtime_t)
> 
> There are no files here

Well, if there is a directory, then it is used for storing files...

I am fine with keeping the files pattern.

> > +manage_sock_files_pattern(session_bus_type,
> > session_dbusd_runtime_t, session_dbusd_runtime_t)
> > +userdom_user_runtime_filetrans(session_bus_type,
> > session_dbusd_runtime_t, { dir file sock_file })
> > +
> >  kernel_read_system_state(session_bus_type)
> >  kernel_read_kernel_sysctls(session_bus_type)
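Review bot: `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` is an unnamed transition, so every dir, regular file or socket the session bus creates directly in the user runtime dir gets session_dbusd_runtime_t, while the .fc hunk only labels `dbus-1(/.*)?` and the `bus` socket; anything created under another name would be relabeled back by the next restorecon, and the `file` class here is the same point Dominick raised against `manage_files_pattern`. Suggest restricting the transition to the names the .fc spec covers (`"dbus-1"` for dir, `"bus"` for sock_file) if the interface accepts a name argument, and dropping `file` from the class set unless the daemon actually creates a regular file there.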

Regards,

Guido
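The mislabeling Dominick points out, worked through as an added example that is not code from the patch or the thread: a small Python approximation of refpolicy file-context matching, which assumes a parent spec labelling `/run/user/%{USERID}` as `user_runtime_t` and treats `%{USERID}` as a numeric uid.

```python
"""Which .fc spec labels the session bus socket?

Added example, not from the thread. Approximates refpolicy fc_sort
ordering: longest literal stem wins, a spec with a file-type
specifier ("-s", "--") beats one without. %{USERID} is treated as a
numeric uid; the parent spec for /run/user/%{USERID} is assumed.
"""
import re
_STEM_END = re.compile(r"[.^$?*+|\[(\\]")  # first regex metachar ends the literal stem

def parse_fc(text):
    """Parse refpolicy-style .fc lines into (regex, specifier, stem, type)."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        path = parts[0]
        specifier = parts[1] if len(parts) == 3 else None
        selinux_type = re.search(r"object_r:(\w+)", parts[-1]).group(1)
        regex = re.compile("^" + path.replace("%{USERID}", "[0-9]+") + "$")
        m = _STEM_END.search(path)
        stem = path if m is None else path[:m.start()]
        specs.append((regex, specifier, stem, selinux_type))
    return specs

def match_type(specs, path, specifier):
    """Return the type of the most specific matching spec, or None."""
    best = None
    for regex, spec_cls, stem, selinux_type in specs:
        if spec_cls not in (None, specifier) or not regex.match(path):
            continue
        rank = (len(stem), spec_cls is not None)
        if best is None or rank > best[0]:
            best = (rank, selinux_type)
    return best[1] if best else None

# Constructed: the v3 hunk's two new lines plus an assumed parent spec.
FC_V3 = """
/run/user/%{USERID}(/.*)?         gen_context(system_u:object_r:user_runtime_t,s0)
/run/user/%{USERID}/dbus-1(/.*)?  gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
"""
# Constructed: the socket spec moved to where the listing shows the socket.
FC_V4 = FC_V3.replace("/dbus-1/bus -s", "/bus -s")

def bus_socket_type(fc_text, uid=1000):
    """Type a relabel would give /run/user/<uid>/bus under fc_text."""
    return match_type(parse_fc(fc_text), f"/run/user/{uid}/bus", "-s")
```

With the v3 spec the socket at `/run/user/1000/bus` resolves to the parent's `user_runtime_t`; moving the `-s` line to `/run/user/%{USERID}/bus` makes it resolve to `session_dbusd_runtime_t`.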

