[refpolicy] [PATCH 2/2] dbus: read user home content files

Guido Trentalancia guido at trentalancia.com
Wed Oct 11 11:46:16 UTC 2017



On the 11th of October 2017 01:52:20 CEST, Chris PeBenito <pebenito at ieee.org> wrote:
>On 10/09/2017 03:03 PM, Guido Trentalancia via refpolicy wrote:
>> 
>> 
>> On the 9th of October 2017 19:56:00 CEST, Chris PeBenito <pebenito at ieee.org> wrote:
>>> On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>>>> Add permissions required to run Gnome (read user color management
>>>> files).
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
>>>> ---
>>>>    policy/modules/contrib/dbus.te |    2 ++
>>>>    1 file changed, 2 insertions(+)
>>>>
>>>> --- a/policy/modules/contrib/dbus.te	2017-09-29 19:01:55.142455647
>>> +0200
>>>> +++ b/policy/modules/contrib/dbus.te	2017-10-06 00:04:54.272534259
>>> +0200
>>>> @@ -147,6 +147,8 @@ seutil_read_default_contexts(system_dbus
>>>>    userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>>>>    userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>>>>    
>>>> +userdom_read_user_home_content_files(system_dbusd_t)
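Review bot: the interface chosen here is far broader than the need stated in the commit message. The message says the permission is for reading user color management files (a single file under ~/.local/share according to the discussion), but userdom_read_user_home_content_files(system_dbusd_t) gives the system bus daemon read access to every user's home content, and since system_dbusd_t is the system-wide bus rather than a per-session one, that is read access across all users' home directories, not just the session owner's. It is also placed directly after userdom_dontaudit_search_user_home_dirs(system_dbusd_t), which shows the module previously expected home-directory traversal by the system bus to be denied and merely silenced; this line reverses that intent without the commit message saying so. Suggest either using a type that covers only the ~/.local/share content (the XDG types asked about in review, once available) or, if nothing narrower exists yet, gating the rule behind a tunable and stating in the commit message that it broadens system_dbusd_t read access to all user home content.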
>>>
>>> Does this not fit in with any of the XDG types instead?
>> 
>> I don't know, it needs to read a file in the ~/.local/share subdirectory.
>> 
>> Is there a new specific interface for that?
>
>Nevermind, it hasn't been merged yet.

I use userdom_read_user_data() which only allows reading the ~/.local subdirectory.

But you haven't merged that patch (user data confidentiality patch), so it's not available in the Reference Policy and you have to allow reading the whole user home directory...

Regards, 

Guido 
