[refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs

Dominick Grift dac.override at gmail.com
Thu May 25 05:57:22 UTC 2017


On Wed, May 24, 2017 at 07:19:15PM -0400, Chris PeBenito via refpolicy wrote:
> On 05/24/2017 01:14 PM, Guido Trentalancia via refpolicy wrote:
> > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via
> > refpolicy wrote:
> >> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via
> >> refpolicy wrote:
> >>> Let the session dbus process manage user runtime directories (with
> >>> its own file type).
> >>>
> >>> This is the third version (v3) of the patch, thanks to Dominick
> >>> Grift for revising the previous two versions and suggesting
> >>> improvements.
> >>>
> >>> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> >>> ---
> >>>  policy/modules/contrib/dbus.fc |    2 ++
> >>>  policy/modules/contrib/dbus.te |    8 ++++++++
> >>>  2 files changed, 10 insertions(+)
> >>>
> >>> --- a/policy/modules/contrib/dbus.fc	2017-03-29
> >>> 17:58:00.272386397 +0200
> >>> +++ b/policy/modules/contrib/dbus.fc	2017-05-24
> >>> 18:41:36.105674966 +0200
> >>> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?				
> >>> gen_context(sys
> >>>
> >>>  /run/dbus(/.*)?					gen_context
> >>> (system_u:object_r:system_dbusd_var_run_t,s0)
> >>>  /run/messagebus\.pid			--	gen_context(
> >>> system_u:object_r:system_dbusd_var_run_t,s0)
> >>> +/run/user/%{USERID}/dbus-1(/.*)?		gen_context(system
> >>> _u:object_r:session_dbusd_runtime_t,s0)
> >>> +/run/user/%{USERID}/dbus-1/bus		-s	gen_contex
> >>> t(system_u:object_r:session_dbusd_runtime_t,s0)
> >>
> >> The bus socket is not in the dbus-1 dir:
> >>
> >> $ ls -alZ $XDG_RUNTIME_DIR | grep bus
> >> srw-rw-rw-. 1 kcinimod kcinimod
> >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0      0 May 24
> >> 17:05 bus
> >> drwx------. 3 kcinimod kcinimod
> >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0     60 May 24
> >> 17:19 dbus-1
> >
> > I have fixed the above in the next version (v4)... Thanks for telling
> > me.
> >
> >>>
> >>>  /usr/bin/dbus-daemon(-1)?		--	gen_context(sys
> >>> tem_u:object_r:dbusd_exec_t,s0)
> >>>
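Review bot: the `-s` entry for `/run/user/%{USERID}/dbus-1/bus` points at a path where the session bus socket does not live: the `ls -alZ $XDG_RUNTIME_DIR` output quoted above shows `bus` as a sibling of `dbus-1`, directly under the runtime dir, so this entry would never match and the socket would keep whatever label the runtime dir itself carries. Change it to `/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)` and keep the `dbus-1(/.*)?` entry for the directory tree; the reply above says this is done in v4.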
> >>> --- a/policy/modules/contrib/dbus.te	2017-04-26
> >>> 17:47:20.555423022 +0200
> >>> +++ b/policy/modules/contrib/dbus.te	2017-05-24
> >>> 18:43:56.536674392 +0200
> >>> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
> >>>  files_pid_file(system_dbusd_var_run_t)
> >>>  init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
> >>>
> >>> +type session_dbusd_runtime_t;
> >>> +files_pid_file(session_dbusd_runtime_t)
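Review bot: the hunk header (`-47,6 +47,9`) counts three added lines but only two `+` lines are quoted, and the diffstat lists eight insertions in dbus.te, so the rules that actually let the session bus manage `session_dbusd_runtime_t` are not visible here; quote the whole file diff so the interface choice can be reviewed against those rules. On the visible lines, `files_pid_file()` is the only property the new type gets, and the replies that follow disagree on whether a pid file or `userdom_user_tmp_file()` is the right fit, so the v4 commit message should state which was chosen and why.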
> >>
> >> It is not a pid file its a userdom_user_runtime_file() or
> >> userdom_user_tmp_file()
> >
> > userdom_user_runtime_file() does not exist, however I can change it to
> > userdom_user_tmp_file().
> 
> Pid is actually right, for now, as pids (in the refpolicy sense) are 
> slowly turning into being a subset of runtime files.  Eventually the 
> refpolicy pid file concept might go away.

logind needs to be able to purge XDG_RUNTIME_DIR and allowing logind to unlink all pid files would be too coarse IMHO

> 
> -- 
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift