[refpolicy] [PATCH v5] dbus: let session bus daemon manage user runtime dirs

Chris PeBenito pebenito at ieee.org
Fri May 26 00:56:56 UTC 2017


On 05/25/2017 07:23 AM, Guido Trentalancia via refpolicy wrote:
> Let the session dbus process manage user runtime directories (with
> its own file type).
>
> This is the fifth version (v5) of the patch, thanks to Dominick
> Grift for revising the previous versions and suggesting improvements,
> although unfortunately this new version needs to revert one of the
> suggested amendments because it was misleading.
>
> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> ---
>  policy/modules/contrib/dbus.fc |    2 ++
>  policy/modules/contrib/dbus.te |    8 ++++++++
>  2 files changed, 10 insertions(+)
>
> --- a/policy/modules/contrib/dbus.fc	2017-03-29 17:58:00.272386397 +0200
> +++ b/policy/modules/contrib/dbus.fc	2017-05-24 19:02:00.142671214 +0200
> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)?				gen_context(sys
>
>  /run/dbus(/.*)?					gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
>  /run/messagebus\.pid			--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
> +/run/user/%{USERID}/bus			-s	gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
> +/run/user/%{USERID}/dbus-1(/.*)?		gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
>
>  /usr/bin/dbus-daemon(-1)?		--	gen_context(system_u:object_r:dbusd_exec_t,s0)
>
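Review bot: the `-s` qualifier on the `/run/user/%{USERID}/bus` entry restricts that match to socket files, while `/run/user/%{USERID}/dbus-1(/.*)?` carries no qualifier and labels the directory plus everything beneath it; that asymmetry is reasonable, but a one-line comment (or a sentence in the commit message) would help, because these .fc entries only take effect during a setfiles/restorecon pass and the label the daemon's own objects get at creation time comes from the `userdom_user_runtime_filetrans` rule in dbus.te. The two must stay in agreement on which object classes receive `session_dbusd_runtime_t`, so a later change to one side should be mirrored on the other.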
> --- a/policy/modules/contrib/dbus.te	2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/dbus.te	2017-05-25 13:17:23.354402519 +0200
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
>  files_pid_file(system_dbusd_var_run_t)
>  init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>
> +type session_dbusd_runtime_t;
> +files_pid_file(session_dbusd_runtime_t)
> +
>  ifdef(`enable_mcs',`
>  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
>  ')
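Review bot: declaring the new type with `files_pid_file(session_dbusd_runtime_t)` places a per-user runtime type in the same pid-file class as the system bus's `system_dbusd_var_run_t`, so every domain that is granted access to pid files as a class (via the pidfile attribute) also reaches the session bus socket and its directory. If userdomain offers a user-runtime content declaration, consider using it instead so the type is scoped to user runtime content rather than to system pid files; either way, a short comment above the declaration stating what it labels (the per-user `bus` socket and `dbus-1` directory) would match the annotated style of the `init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")` line just above it.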
> @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se
>  manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
>  files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
>
> +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
> +
>  kernel_read_system_state(session_bus_type)
>  kernel_read_kernel_sysctls(session_bus_type)
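Review bot: `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` has no filename argument, so every directory, regular file and socket that any session bus type creates directly in the user runtime directory becomes `session_dbusd_runtime_t`, not only the `bus` socket and `dbus-1` directory that dbus.fc names. If the interface accepts an optional filename parameter, two named transitions (`"bus"` and `"dbus-1"`) would keep the transition as narrow as the file contexts. Separately, `manage_files_pattern` grants full management of regular files in the new type while the .fc entries suggest the daemon mainly needs the socket and the directory; worth confirming which regular files dbus-daemon actually writes there, since these rules apply to every type carrying the `session_bus_type` attribute, not just the user's own dbus-daemon.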

Merged.

-- 
Chris PeBenito

