* [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs @ 2017-05-24 12:39 Guido Trentalancia 2017-05-24 12:44 ` Dominick Grift 0 siblings, 1 reply; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 12:39 UTC (permalink / raw) To: refpolicy Let the session dbus process manage user runtime directories. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/dbus.te | 2 ++ 1 file changed, 2 insertions(+) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-24 14:15:08.786740326 +0200 @@ -255,6 +255,8 @@ seutil_read_default_contexts(session_bus term_use_all_terms(session_bus_type) +userdom_manage_user_runtime_dirs(session_bus_type) + optional_policy(` xserver_rw_xsession_log(session_bus_type) xserver_use_xdm_fds(session_bus_type) ^ permalink raw reply [flat|nested] 15+ messages in thread
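Review bot: `userdom_manage_user_runtime_dirs(session_bus_type)` in the @@ -255 hunk grants every session bus domain manage access to all user runtime directories, not only to the objects the bus itself creates under $XDG_RUNTIME_DIR. Since the bus creates its objects there under predictable names, a private type for them plus a name-based file transition would confine the daemon to its own entries and keep the rest of the user's runtime data out of its reach.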
* [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs 2017-05-24 12:39 [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs Guido Trentalancia @ 2017-05-24 12:44 ` Dominick Grift 2017-05-24 13:25 ` Guido Trentalancia 2017-05-24 13:25 ` [refpolicy] [PATCH v2] " Guido Trentalancia 0 siblings, 2 replies; 15+ messages in thread From: Dominick Grift @ 2017-05-24 12:44 UTC (permalink / raw) To: refpolicy On Wed, May 24, 2017 at 02:39:02PM +0200, Guido Trentalancia via refpolicy wrote: > Let the session dbus process manage user runtime directories. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/dbus.te | 2 ++ > 1 file changed, 2 insertions(+) > > --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 > +++ b/policy/modules/contrib/dbus.te 2017-05-24 14:15:08.786740326 +0200 > @@ -255,6 +255,8 @@ seutil_read_default_contexts(session_bus > > term_use_all_terms(session_bus_type) > > +userdom_manage_user_runtime_dirs(session_bus_type) > + is that for "$XDG_RUNTIME_DIR/dbus-1" ? I would probably use a private type here (predictable name so name-based type transition is an option) although i do not know what that dir is used for > optional_policy(` > xserver_rw_xsession_log(session_bus_type) > xserver_use_xdm_fds(session_bus_type) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170524/8e9a3569/attachment.bin ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs 2017-05-24 12:44 ` Dominick Grift @ 2017-05-24 13:25 ` Guido Trentalancia 2017-05-24 13:25 ` [refpolicy] [PATCH v2] " Guido Trentalancia 1 sibling, 0 replies; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 13:25 UTC (permalink / raw) To: refpolicy On Wed, 24/05/2017 at 14.44 +0200, Dominick Grift via refpolicy wrote: > On Wed, May 24, 2017 at 02:39:02PM +0200, Guido Trentalancia via > refpolicy wrote: > > Let the session dbus process manage user runtime directories. > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > > --- > > ?policy/modules/contrib/dbus.te |????2 ++ > > ?1 file changed, 2 insertions(+) > > > > --- a/policy/modules/contrib/dbus.te 2017-04-26 > > 17:47:20.555423022 +0200 > > +++ b/policy/modules/contrib/dbus.te 2017-05-24 > > 14:15:08.786740326 +0200 > > @@ -255,6 +255,8 @@ seutil_read_default_contexts(session_bus > > ? > > ?term_use_all_terms(session_bus_type) > > ? > > +userdom_manage_user_runtime_dirs(session_bus_type) > > + > > is that for "$XDG_RUNTIME_DIR/dbus-1" ? I would probably use a > private type here??(predictable name so name-based type transition is > an option) although i do not know what that dir is used for Yes, this is a very good idea, I'll post a revised version of this patch ! > > ?optional_policy(` > > ? xserver_rw_xsession_log(session_bus_type) > > ? xserver_use_xdm_fds(session_bus_type) Regards, Guido ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH v2] dbus: let session bus daemon manage user runtime dirs 2017-05-24 12:44 ` Dominick Grift 2017-05-24 13:25 ` Guido Trentalancia @ 2017-05-24 13:25 ` Guido Trentalancia 2017-05-24 13:59 ` Dominick Grift 1 sibling, 1 reply; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 13:25 UTC (permalink / raw) To: refpolicy Let the session dbus process manage user runtime directories (with its own file type). This is the second version (v2) of the patch, thanks to Dominick Grift for revising the first version and suggesting improvements. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/dbus.fc | 1 + policy/modules/contrib/dbus.te | 7 +++++++ 2 files changed, 8 insertions(+) --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 +++ b/policy/modules/contrib/dbus.fc 2017-05-24 15:12:46.704726190 +0200 @@ -4,6 +4,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-24 15:06:23.125727758 +0200 @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') 
@@ -204,6 +207,10 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) ^ permalink raw reply [flat|nested] 15+ messages in thread
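Review bot: in the dbus.te @@ -47 hunk, `files_pid_file(session_dbusd_runtime_t)` declares the new type as a daemon pid-file type, while the fc hunk places every object of this type under `/run/user/%{USERID}`, i.e. the user's runtime directory. Declaring it through the userdom interface for user runtime or user tmp content gives the type the user-content attributes rather than the daemon pid-file ones, and a one-line comment above the declaration naming the directory it labels would help the next reader.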
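Review bot: the @@ -204 hunk transitions `{ dir file }` only, but the session bus also creates its listening socket `/run/user/%{USERID}/bus` in the same runtime directory; without `manage_sock_files_pattern` and a `sock_file` class in `userdom_user_runtime_filetrans` that socket keeps the generic user runtime label, and the fc hunk has no entry for it either.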
* [refpolicy] [PATCH v2] dbus: let session bus daemon manage user runtime dirs 2017-05-24 13:25 ` [refpolicy] [PATCH v2] " Guido Trentalancia @ 2017-05-24 13:59 ` Dominick Grift 2017-05-24 16:48 ` [refpolicy] [PATCH v3] " Guido Trentalancia 0 siblings, 1 reply; 15+ messages in thread From: Dominick Grift @ 2017-05-24 13:59 UTC (permalink / raw) To: refpolicy On Wed, May 24, 2017 at 03:25:52PM +0200, Guido Trentalancia via refpolicy wrote: > Let the session dbus process manage user runtime directories (with > its own file type). > > This is the second version (v2) of the patch, thanks to Dominick > Grift for revising the first version and suggesting improvements. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/dbus.fc | 1 + > policy/modules/contrib/dbus.te | 7 +++++++ > 2 files changed, 8 insertions(+) > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 15:12:46.704726190 +0200 > @@ -4,6 +4,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys > > /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) > > /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) > > --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 > +++ b/policy/modules/contrib/dbus.te 2017-05-24 15:06:23.125727758 +0200 > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > files_pid_file(system_dbusd_var_run_t) > init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > +type session_dbusd_runtime_t; > +files_pid_file(session_dbusd_runtime_t) > + > ifdef(`enable_mcs',` > init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) > ') 
> @@ -204,6 +207,10 @@ manage_dirs_pattern(session_bus_type, se > manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) > files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file }) Theres no file in /run/user/USERID if there was then you forgot to add the corresponding file context specification there is however a sock file there: "bus" /run/user/%{USERID/bus -s system_u:object_r:session_dbusd_user_runtime_t:s0 userdom_user_runtime_filetrans(session_bus_type, session_dbusd_user_runtime_t, sock_file) > + > kernel_read_system_state(session_bus_type) > kernel_read_kernel_sysctls(session_bus_type) > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170524/6e2afdc6/attachment.bin ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 13:59 ` Dominick Grift @ 2017-05-24 16:48 ` Guido Trentalancia 2017-05-24 16:56 ` Dominick Grift 0 siblings, 1 reply; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 16:48 UTC (permalink / raw) To: refpolicy Let the session dbus process manage user runtime directories (with its own file type). This is the third version (v3) of the patch, thanks to Dominick Grift for revising the previous two versions and suggesting improvements. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/dbus.fc | 2 ++ policy/modules/contrib/dbus.te | 8 ++++++++ 2 files changed, 10 insertions(+) --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 +++ b/policy/modules/contrib/dbus.fc 2017-05-24 18:41:36.105674966 +0200 @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-24 18:43:56.536674392 +0200 @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') 
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) ^ permalink raw reply [flat|nested] 15+ messages in thread
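Review bot: the fc hunk's `/run/user/%{USERID}/dbus-1/bus -s` entry puts the socket inside `dbus-1`, but the socket the session bus listens on is `$XDG_RUNTIME_DIR/bus`, a sibling of `dbus-1`, so the entry should be `/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)`. As written the line is also redundant, because `/run/user/%{USERID}/dbus-1(/.*)?` on the line above already matches everything under `dbus-1`.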
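Review bot: `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` in the @@ -204 hunk is unnamed, so every directory, file and socket the session bus creates directly in the user runtime directory gets the private type. The names involved are fixed (`dbus-1` for the directory, `bus` for the socket), so passing them as the filename argument of the file transition keeps it scoped to those two objects; and since no plain file is created directly in `$XDG_RUNTIME_DIR`, the `file` class in the transition has nothing to match.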
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 16:48 ` [refpolicy] [PATCH v3] " Guido Trentalancia @ 2017-05-24 16:56 ` Dominick Grift 2017-05-24 17:14 ` Guido Trentalancia 0 siblings, 1 reply; 15+ messages in thread From: Dominick Grift @ 2017-05-24 16:56 UTC (permalink / raw) To: refpolicy On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via refpolicy wrote: > Let the session dbus process manage user runtime directories (with > its own file type). > > This is the third version (v3) of the patch, thanks to Dominick > Grift for revising the previous two versions and suggesting > improvements. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/dbus.fc | 2 ++ > policy/modules/contrib/dbus.te | 8 ++++++++ > 2 files changed, 10 insertions(+) > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 18:41:36.105674966 +0200 > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys > > /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) > +/run/user/%{USERID}/dbus-1/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) The bus socket is not in the dbus-1 dir: $ ls -alZ $XDG_RUNTIME_DIR | grep bus srw-rw-rw-. 1 kcinimod kcinimod wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24 17:05 bus drwx------. 3 kcinimod kcinimod wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24 17:19 dbus-1 > > /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) > > --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 > +++ b/policy/modules/contrib/dbus.te 2017-05-24 18:43:56.536674392 +0200 
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > files_pid_file(system_dbusd_var_run_t) > init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > +type session_dbusd_runtime_t; > +files_pid_file(session_dbusd_runtime_t) It is not a pid file its a userdom_user_runtime_file() or userdom_user_tmp_file() > + > ifdef(`enable_mcs',` > init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) > ') > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se > manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) > files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) There are no files here > +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) > + > kernel_read_system_state(session_bus_type) > kernel_read_kernel_sysctls(session_bus_type) > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170524/e81c8a6d/attachment.bin ^ permalink raw reply [flat|nested] 15+ messages in thread
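The `ls -alZ $XDG_RUNTIME_DIR | grep bus` listing above is the quick way to see which type the session bus objects actually carry once a policy is loaded. As an added example (not part of the thread and not refpolicy code), the POSIX shell function below reads `ls -alZ` output on stdin, extracts the type field of the security context for the `bus` socket and the `dbus-1` directory, and returns non-zero when either differs from the type the policy intends, so it can be run after a relabel to confirm the new file contexts took effect. The sample listings in the block are constructed with refpolicy-style contexts; the expected type `session_dbusd_runtime_t` is the one the patch introduces.

```shell
#!/bin/sh
# Added example, not code from the refpolicy thread: verify that the session
# bus objects in a user's runtime directory carry the type the policy intends.
#
# check_runtime_labels EXPECTED_TYPE
#   Reads `ls -alZ $XDG_RUNTIME_DIR` style lines on stdin, looks at the entries
#   named "bus" (the listening socket) and "dbus-1" (the directory), prints one
#   line per entry and returns 1 if any of them has a different type or if
#   neither entry is present.
check_runtime_labels() {
    want="$1"
    rc=0
    seen=0
    # Field layout of `ls -alZ`: perms links user group context size month day time name
    while read -r perms links user group ctx rest; do
        [ -n "$rest" ] || continue                      # skips the "total N" line
        name=${rest##* }                                 # last field is the entry name
        case "$name" in
            bus|dbus-1) ;;
            *) continue ;;
        esac
        seen=$((seen + 1))
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)     # user:role:TYPE:level
        if [ "$setype" = "$want" ]; then
            printf 'ok       %-7s %s\n' "$name" "$setype"
        else
            printf 'MISMATCH %-7s %s (expected %s)\n' "$name" "$setype" "$want"
            rc=1
        fi
    done
    # No bus/dbus-1 entry means the session bus is not running here or the
    # listing was for the wrong directory; treat that as a failure too.
    [ "$seen" -gt 0 ] || { echo 'no bus or dbus-1 entry found' >&2; rc=1; }
    return "$rc"
}

# Constructed sample listing (refpolicy-style contexts) standing in for
# `ls -alZ "$XDG_RUNTIME_DIR"` on a system relabelled with the new contexts.
SAMPLE_OK='total 0
drwx------. 5 alice alice user_u:object_r:user_runtime_t:s0 120 May 24 17:19 .
srw-rw-rw-. 1 alice alice user_u:object_r:session_dbusd_runtime_t:s0 0 May 24 17:05 bus
drwx------. 3 alice alice user_u:object_r:session_dbusd_runtime_t:s0 60 May 24 17:19 dbus-1'

# Constructed listing from before the relabel: both entries still carry the
# generic user runtime type, so the check must fail.
SAMPLE_STALE='srw-rw-rw-. 1 alice alice user_u:object_r:user_runtime_t:s0 0 May 24 17:05 bus
drwx------. 3 alice alice user_u:object_r:user_runtime_t:s0 60 May 24 17:19 dbus-1'

# On a real system: ls -alZ "$XDG_RUNTIME_DIR" | check_runtime_labels session_dbusd_runtime_t
printf '%s\n' "$SAMPLE_OK" | check_runtime_labels session_dbusd_runtime_t
printf '%s\n' "$SAMPLE_STALE" | check_runtime_labels session_dbusd_runtime_t || echo 'relabel needed'
```

The function only keys on the entry names, so it works on any user's runtime directory; the context is split on `:` because the type is always the third field of a context string, whatever user, role and level the policy uses.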
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 16:56 ` Dominick Grift @ 2017-05-24 17:14 ` Guido Trentalancia 2017-05-24 17:19 ` Dominick Grift 2017-05-24 23:19 ` [refpolicy] [PATCH v3] " Chris PeBenito 0 siblings, 2 replies; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 17:14 UTC (permalink / raw) To: refpolicy On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via refpolicy wrote: > On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via > refpolicy wrote: > > Let the session dbus process manage user runtime directories (with > > its own file type). > > > > This is the third version (v3) of the patch, thanks to Dominick > > Grift for revising the previous two versions and suggesting > > improvements. > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > > --- > > ?policy/modules/contrib/dbus.fc |????2 ++ > > ?policy/modules/contrib/dbus.te |????8 ++++++++ > > ?2 files changed, 10 insertions(+) > > > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 > > 17:58:00.272386397 +0200 > > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 > > 18:41:36.105674966 +0200 
> > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? > > gen_context(sys > > ? > > ?/run/dbus(/.*)? gen_context > > (system_u:object_r:system_dbusd_var_run_t,s0) > > ?/run/messagebus\.pid -- gen_context( > > system_u:object_r:system_dbusd_var_run_t,s0) > > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system > > _u:object_r:session_dbusd_runtime_t,s0) > > +/run/user/%{USERID}/dbus-1/bus -s gen_contex > > t(system_u:object_r:session_dbusd_runtime_t,s0) > > The bus socket is not in the dbus-1 dir: > > $ ls -alZ $XDG_RUNTIME_DIR | grep bus > srw-rw-rw-. 1 kcinimod kcinimod > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0??????0 May 24 > 17:05 bus > drwx------. 3 kcinimod kcinimod > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0?????60 May 24 > 17:19 dbus-1 I have fixed the above in the next version (v4)... Thanks for telling me. > > ? > > ?/usr/bin/dbus-daemon(-1)? -- gen_context(sys > > tem_u:object_r:dbusd_exec_t,s0) > > ? > > --- a/policy/modules/contrib/dbus.te 2017-04-26 > > 17:47:20.555423022 +0200 > > +++ b/policy/modules/contrib/dbus.te 2017-05-24 > > 18:43:56.536674392 +0200 > > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > > ?files_pid_file(system_dbusd_var_run_t) > > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > ? > > +type session_dbusd_runtime_t; > > +files_pid_file(session_dbusd_runtime_t) > > It is not a pid file its a userdom_user_runtime_file() or > userdom_user_tmp_file() userdom_user_runtime_file() does not exist, however I can change it to userdom_user_tmp_file(). > > + > > ?ifdef(`enable_mcs',` > > ? init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 > > - mcs_systemhigh) > > ?') 
> > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se > > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t, > > session_dbusd_tmp_t) > > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir > > file }) > > ? > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, > > session_dbusd_runtime_t) > > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, > > session_dbusd_runtime_t) > > There are no files here Well, if there is a directory, then it is used for storing files... I am fine with keeping the files pattern. > > +manage_sock_files_pattern(session_bus_type, > > session_dbusd_runtime_t, session_dbusd_runtime_t) > > +userdom_user_runtime_filetrans(session_bus_type, > > session_dbusd_runtime_t, { dir file sock_file }) > > + > > ?kernel_read_system_state(session_bus_type) > > ?kernel_read_kernel_sysctls(session_bus_type) Regards, Guido ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 17:14 ` Guido Trentalancia @ 2017-05-24 17:19 ` Dominick Grift 2017-05-24 17:32 ` Guido Trentalancia 2017-05-24 17:44 ` [refpolicy] [PATCH v4] " Guido Trentalancia 2017-05-24 23:19 ` [refpolicy] [PATCH v3] " Chris PeBenito 1 sibling, 2 replies; 15+ messages in thread From: Dominick Grift @ 2017-05-24 17:19 UTC (permalink / raw) To: refpolicy On Wed, May 24, 2017 at 07:14:42PM +0200, Guido Trentalancia via refpolicy wrote: > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via > refpolicy wrote: > > On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via > > refpolicy wrote: > > > Let the session dbus process manage user runtime directories (with > > > its own file type). > > > > > > This is the third version (v3) of the patch, thanks to Dominick > > > Grift for revising the previous two versions and suggesting > > > improvements. > > > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > > > --- > > > ?policy/modules/contrib/dbus.fc |????2 ++ > > > ?policy/modules/contrib/dbus.te |????8 ++++++++ > > > ?2 files changed, 10 insertions(+) > > > > > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 > > > 17:58:00.272386397 +0200 > > > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 > > > 18:41:36.105674966 +0200 
> > > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? > > > gen_context(sys > > > ? > > > ?/run/dbus(/.*)? gen_context > > > (system_u:object_r:system_dbusd_var_run_t,s0) > > > ?/run/messagebus\.pid -- gen_context( > > > system_u:object_r:system_dbusd_var_run_t,s0) > > > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system > > > _u:object_r:session_dbusd_runtime_t,s0) > > > +/run/user/%{USERID}/dbus-1/bus -s gen_contex > > > t(system_u:object_r:session_dbusd_runtime_t,s0) > > > > The bus socket is not in the dbus-1 dir: > > > > $ ls -alZ $XDG_RUNTIME_DIR | grep bus > > srw-rw-rw-. 1 kcinimod kcinimod > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0??????0 May 24 > > 17:05 bus > > drwx------. 3 kcinimod kcinimod > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0?????60 May 24 > > 17:19 dbus-1 > > I have fixed the above in the next version (v4)... Thanks for telling > me. > > > > ? > > > ?/usr/bin/dbus-daemon(-1)? -- gen_context(sys > > > tem_u:object_r:dbusd_exec_t,s0) > > > ? > > > --- a/policy/modules/contrib/dbus.te 2017-04-26 > > > 17:47:20.555423022 +0200 > > > +++ b/policy/modules/contrib/dbus.te 2017-05-24 > > > 18:43:56.536674392 +0200 > > > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > > > ?files_pid_file(system_dbusd_var_run_t) > > > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > > ? > > > +type session_dbusd_runtime_t; > > > +files_pid_file(session_dbusd_runtime_t) > > > > It is not a pid file its a userdom_user_runtime_file() or > > userdom_user_tmp_file() > > userdom_user_runtime_file() does not exist, however I can change it to > userdom_user_tmp_file(). > > > > + > > > ?ifdef(`enable_mcs',` > > > ? init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 > > > - mcs_systemhigh) > > > ?') 
> > > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se > > > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t, > > > session_dbusd_tmp_t) > > > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir > > > file }) > > > ? > > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, > > > session_dbusd_runtime_t) > > > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, > > > session_dbusd_runtime_t) > > > > There are no files here > > Well, if there is a directory, then it is used for storing files... > > I am fine with keeping the files pattern. Okay but the filetrans below for files does not make sense > > > > +manage_sock_files_pattern(session_bus_type, > > > session_dbusd_runtime_t, session_dbusd_runtime_t) > > > +userdom_user_runtime_filetrans(session_bus_type, > > > session_dbusd_runtime_t, { dir file sock_file }) > > > + > > > ?kernel_read_system_state(session_bus_type) > > > ?kernel_read_kernel_sysctls(session_bus_type) > > Regards, > > Guido > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170524/0b468922/attachment.bin ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 17:19 ` Dominick Grift @ 2017-05-24 17:32 ` Guido Trentalancia 2017-05-24 17:44 ` [refpolicy] [PATCH v4] " Guido Trentalancia 1 sibling, 0 replies; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 17:32 UTC (permalink / raw) To: refpolicy On Wed, 24/05/2017 at 19.19 +0200, Dominick Grift via refpolicy wrote: > On Wed, May 24, 2017 at 07:14:42PM +0200, Guido Trentalancia via > refpolicy wrote: > > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via > > refpolicy wrote: > > > On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via > > > refpolicy wrote: > > > > Let the session dbus process manage user runtime directories > > > > (with > > > > its own file type). > > > > > > > > This is the third version (v3) of the patch, thanks to Dominick > > > > Grift for revising the previous two versions and suggesting > > > > improvements. > > > > > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > > > > --- > > > > ?policy/modules/contrib/dbus.fc |????2 ++ > > > > ?policy/modules/contrib/dbus.te |????8 ++++++++ > > > > ?2 files changed, 10 insertions(+) > > > > > > > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 > > > > 17:58:00.272386397 +0200 > > > > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 > > > > 18:41:36.105674966 +0200 
> > > > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? > > > > gen_context(sys > > > > ? > > > > ?/run/dbus(/.*)? gen_con > > > > text > > > > (system_u:object_r:system_dbusd_var_run_t,s0) > > > > ?/run/messagebus\.pid -- gen_cont > > > > ext( > > > > system_u:object_r:system_dbusd_var_run_t,s0) > > > > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(sy > > > > stem > > > > _u:object_r:session_dbusd_runtime_t,s0) > > > > +/run/user/%{USERID}/dbus-1/bus -s gen_co > > > > ntex > > > > t(system_u:object_r:session_dbusd_runtime_t,s0) > > > > > > The bus socket is not in the dbus-1 dir: > > > > > > $ ls -alZ $XDG_RUNTIME_DIR | grep bus > > > srw-rw-rw-. 1 kcinimod kcinimod > > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0??????0 May > > > 24 > > > 17:05 bus > > > drwx------. 3 kcinimod kcinimod > > > wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0?????60 May > > > 24 > > > 17:19 dbus-1 > > > > I have fixed the above in the next version (v4)... Thanks for > > telling > > me. > > > > > > ? > > > > ?/usr/bin/dbus-daemon(-1)? -- gen_context > > > > (sys > > > > tem_u:object_r:dbusd_exec_t,s0) > > > > ? > > > > --- a/policy/modules/contrib/dbus.te 2017-04-26 > > > > 17:47:20.555423022 +0200 > > > > +++ b/policy/modules/contrib/dbus.te 2017-05-24 > > > > 18:43:56.536674392 +0200 > > > > @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > > > > ?files_pid_file(system_dbusd_var_run_t) > > > > ?init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > > > ? > > > > +type session_dbusd_runtime_t; > > > > +files_pid_file(session_dbusd_runtime_t) > > > > > > It is not a pid file its a userdom_user_runtime_file() or > > > userdom_user_tmp_file() > > > > userdom_user_runtime_file() does not exist, however I can change it > > to > > userdom_user_tmp_file(). > > > > > > + > > > > ?ifdef(`enable_mcs',` > > > > ? init_ranged_system_domain(system_dbusd_t, > > > > dbusd_exec_t, s0 > > > > - mcs_systemhigh) > > > > ?') 
> > > > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se > > > > ?manage_files_pattern(session_bus_type, session_dbusd_tmp_t, > > > > session_dbusd_tmp_t) > > > > ?files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { > > > > dir > > > > file }) > > > > ? > > > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, > > > > session_dbusd_runtime_t) > > > > +manage_files_pattern(session_bus_type, > > > > session_dbusd_runtime_t, > > > > session_dbusd_runtime_t) > > > > > > There are no files here > > > > Well, if there is a directory, then it is used for storing files... > > > > I am fine with keeping the files pattern. > > Okay but the filetrans below for files does not make sense It does not harm and it might be useful in the future. > > > > +manage_sock_files_pattern(session_bus_type, > > > > session_dbusd_runtime_t, session_dbusd_runtime_t) > > > > +userdom_user_runtime_filetrans(session_bus_type, > > > > session_dbusd_runtime_t, { dir file sock_file }) > > > > + > > > > ?kernel_read_system_state(session_bus_type) > > > > ?kernel_read_kernel_sysctls(session_bus_type) Regards, Guido ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH v4] dbus: let session bus daemon manage user runtime dirs 2017-05-24 17:19 ` Dominick Grift 2017-05-24 17:32 ` Guido Trentalancia @ 2017-05-24 17:44 ` Guido Trentalancia 2017-05-25 11:23 ` [refpolicy] [PATCH v5] " Guido Trentalancia 1 sibling, 1 reply; 15+ messages in thread From: Guido Trentalancia @ 2017-05-24 17:44 UTC (permalink / raw) To: refpolicy Let the session dbus process manage user runtime directories (with its own file type). This is the fourth version (v4) of the patch, thanks to Dominick Grift for revising the previous versions and suggesting improvements. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/dbus.fc | 2 ++ policy/modules/contrib/dbus.te | 8 ++++++++ 2 files changed, 10 insertions(+) --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 +++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200 @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-24 19:18:29.074667171 +0200 @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +userdom_user_tmp_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') 
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) ^ permalink raw reply [flat|nested] 15+ messages in thread
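Review bot: the @@ -47 hunk now declares the type with `userdom_user_tmp_file()`, the interface for objects under the user's tmp directory, while the fc hunk places every object of this type under `/run/user/%{USERID}` and the only transition used for it is `userdom_user_runtime_filetrans`; a short comment above the declaration stating which directory the type labels and why the tmp interface was chosen would make that choice reviewable, and the `file` class in the @@ -204 transition still matches no object the bus creates directly in the runtime directory.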
* [refpolicy] [PATCH v5] dbus: let session bus daemon manage user runtime dirs 2017-05-24 17:44 ` [refpolicy] [PATCH v4] " Guido Trentalancia @ 2017-05-25 11:23 ` Guido Trentalancia 2017-05-26 0:56 ` Chris PeBenito 0 siblings, 1 reply; 15+ messages in thread From: Guido Trentalancia @ 2017-05-25 11:23 UTC (permalink / raw) To: refpolicy Let the session dbus process manage user runtime directories (with its own file type). This is the fifth version (v5) of the patch, thanks to Dominick Grift for revising the previous versions and suggesting improvements, although unfortunately this new version needs to revert one of the suggested amendments because it was misleading. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/dbus.fc | 2 ++ policy/modules/contrib/dbus.te | 8 ++++++++ 2 files changed, 10 insertions(+) --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 +++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200 @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/dbus.te 2017-05-25 13:17:23.354402519 +0200 @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') 
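Review bot: in the `@@ -47,6 +47,9 @@` hunk, `files_pid_file(session_dbusd_runtime_t)` is the only change from v4, and the commit message says only that an earlier amendment was "misleading"; state the trade-off explicitly. As a pid file the type is reachable by every interface that acts on all pid files (delete or manage all pids), which is the coarseness the logind remark later in this thread objects to, whereas the v4 `userdom_user_tmp_file()` exposed it to the user tmp rules instead. A one-line comment above the declaration naming the objects it covers (`$XDG_RUNTIME_DIR/bus` and `dbus-1`) would also help the next reader of dbus.te, since `session_dbusd_runtime_t` sits next to `system_dbusd_var_run_t` with no indication of where its files live.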
@@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) ^ permalink raw reply [flat|nested] 15+ messages in thread
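Review bot: in the `@@ -204,6 +207,11 @@` hunk the transition lists `file` in `{ dir file sock_file }`, but the fc hunk labels only a socket (`bus -s`) and a directory tree (`dbus-1(/.*)?`) at the top of the user runtime directory, so a plain file created there by a session bus domain would get session_dbusd_runtime_t at creation while `restorecon` would relabel it to the parent directory's type. Either drop `file` from the transition or add the matching fc entry so the two stay consistent; the `manage_files_pattern` line is still needed for files inside `dbus-1`, which inherit that directory's type and are covered by the `(/.*)?` entry.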
* [refpolicy] [PATCH v5] dbus: let session bus daemon manage user runtime dirs 2017-05-25 11:23 ` [refpolicy] [PATCH v5] " Guido Trentalancia @ 2017-05-26 0:56 ` Chris PeBenito 0 siblings, 0 replies; 15+ messages in thread From: Chris PeBenito @ 2017-05-26 0:56 UTC (permalink / raw) To: refpolicy On 05/25/2017 07:23 AM, Guido Trentalancia via refpolicy wrote: > Let the session dbus process manage user runtime directories (with > its own file type). > > This is the fifth version (v5) of the patch, thanks to Dominick > Grift for revising the previous versions and suggesting improvements, > although unfortunately this new version needs to revert one of the > suggested amendments because it was misleading. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/dbus.fc | 2 ++ > policy/modules/contrib/dbus.te | 8 ++++++++ > 2 files changed, 10 insertions(+) > > --- a/policy/modules/contrib/dbus.fc 2017-03-29 17:58:00.272386397 +0200 > +++ b/policy/modules/contrib/dbus.fc 2017-05-24 19:02:00.142671214 +0200 > @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(sys > > /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) > +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) > +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) > > /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) > > --- a/policy/modules/contrib/dbus.te 2017-04-26 17:47:20.555423022 +0200 > +++ b/policy/modules/contrib/dbus.te 2017-05-25 13:17:23.354402519 +0200 
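Review bot: for the quoted dbus.fc hunk, the `%{USERID}` placeholder is expanded by genhomedircon into per-user entries when the policy is loaded, so the two new lines only affect paths after that expansion and a relabel; the `-s` entry governs what a relabel assigns to `bus`, while the label a fresh session's socket actually gets comes from the type transition in the dbus.te hunk, and the two must agree. Check on an installed policy with `matchpathcon /run/user/1000/bus`, which should report session_dbusd_runtime_t, and compare with `ls -Z $XDG_RUNTIME_DIR/bus` in a new session.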
> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > files_pid_file(system_dbusd_var_run_t) > init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > > +type session_dbusd_runtime_t; > +files_pid_file(session_dbusd_runtime_t) > + > ifdef(`enable_mcs',` > init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) > ') > @@ -204,6 +207,11 @@ manage_dirs_pattern(session_bus_type, se > manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) > files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) > > +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) > + > kernel_read_system_state(session_bus_type) > kernel_read_kernel_sysctls(session_bus_type) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 15+ messages in thread
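To check the merged fc entries against the transition rules before loading them, here is an added example (not code from refpolicy or from the patch author) that models the two labelling paths a practitioner has to keep in agreement: the entry `restorecon` or `matchpathcon` would pick (the last matching entry wins, and a class specifier such as `-s` restricts the match) and the type the kernel assigns at creation from the type_transition rules (a filename transition beats an unnamed one for the same domain, parent and class; with no rule the object inherits its parent directory's type). It then reports every object whose creation-time label differs from its relabel label, first under the merged unnamed transition and then under name-based transitions for `bus` and `dbus-1`. The UID 1000, the hypothetical stray file `scratch`, and the parent entry `/run/user/%{USERID}(/.*)?` labelled user_runtime_t (standing in for the userdomain module's own entry) are assumptions of the example.

```python
"""Added example (not refpolicy or patch-author code): cross-check the
dbus.fc entries against the type_transition rules from the merged patch.

Modelled semantics:
  * file contexts: a path is labelled by the LAST entry that matches
    both the regex and, when present, the object-class specifier;
  * creation: a filename (named) type_transition wins over an unnamed
    one for the same domain/parent/class; with no rule the new object
    inherits the parent directory's type.
Assumptions: UID 1000; the /run/user/%{USERID}(/.*)? parent entry with
user_runtime_t stands in for the userdomain module's own entry.
"""
import re

UID = "1000"  # assumed user; genhomedircon expands %{USERID} per user

# Raw .fc lines: the two entries added by the patch, their context lines,
# and the assumed parent entry (first line).
FC_TEXT = r"""
/run/user/%{USERID}(/.*)?          gen_context(system_u:object_r:user_runtime_t,s0)
/run/dbus(/.*)?                    gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid            -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/user/%{USERID}/bus         -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/run/user/%{USERID}/dbus-1(/.*)?   gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
"""

FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<cls>-[-sdlpcb])\s+)?"
    r"gen_context\((?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:,)]+)(?:,[^)]*)?\)$"
)
# fc class specifier -> SELinux object class
CLASS_OF = {"--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
            "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}


def parse_fc(text, uid):
    """Expand %{USERID} and compile each entry as (regex, class-or-None, type)."""
    specs = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable fc line: " + line)
        regex = m.group("path").replace("%{USERID}", uid)
        cls = CLASS_OF[m.group("cls")] if m.group("cls") else None
        specs.append((re.compile("^" + regex + "$"), cls, m.group("type")))
    return specs


def fc_label(specs, path, cls):
    """Type restorecon/matchpathcon would assign: last matching entry wins."""
    for regex, spec_cls, typ in reversed(specs):
        if regex.match(path) and spec_cls in (None, cls):
            return typ
    return None


def filetrans_label(rules, domain, parent_type, cls, name):
    """Type the kernel assigns at create time under the modelled rules."""
    unnamed = None
    for (dom, parent, rule_cls, rule_name), typ in rules:
        if (dom, parent, rule_cls) != (domain, parent_type, cls):
            continue
        if rule_name == name:       # filename transition: exact match wins
            return typ
        if rule_name is None:       # remember the unnamed fallback
            unnamed = typ
    return unnamed if unnamed is not None else parent_type


# Merged hunk: userdom_user_runtime_filetrans(session_bus_type,
# session_dbusd_runtime_t, { dir file sock_file }) with no filename.
MERGED_RULES = [
    (("session_bus_type", "user_runtime_t", c, None), "session_dbusd_runtime_t")
    for c in ("dir", "file", "sock_file")
]
# Alternative: one named transition per object the fc hunk actually labels.
NAMED_RULES = [
    (("session_bus_type", "user_runtime_t", "sock_file", "bus"), "session_dbusd_runtime_t"),
    (("session_bus_type", "user_runtime_t", "dir", "dbus-1"), "session_dbusd_runtime_t"),
]
# Objects a session bus might create directly in $XDG_RUNTIME_DIR;
# "scratch" is a hypothetical stray file, not something dbus-daemon creates.
CREATIONS = [
    (f"/run/user/{UID}", "bus", "sock_file"),
    (f"/run/user/{UID}", "dbus-1", "dir"),
    (f"/run/user/{UID}", "scratch", "file"),
]


def check(rules, specs, creations, domain="session_bus_type"):
    """Return (path, runtime_type, fc_type) for every object whose label at
    creation differs from what a relabel would give it."""
    mismatches = []
    for parent, name, cls in creations:
        path = parent + "/" + name
        parent_type = fc_label(specs, parent, "dir")
        runtime = filetrans_label(rules, domain, parent_type, cls, name)
        relabel = fc_label(specs, path, cls)
        if runtime != relabel:
            mismatches.append((path, runtime, relabel))
    return mismatches


if __name__ == "__main__":
    specs = parse_fc(FC_TEXT, UID)
    for title, rules in (("merged, unnamed", MERGED_RULES), ("name-based", NAMED_RULES)):
        print(title + ":", check(rules, specs, CREATIONS) or "consistent")
```

Run as a script it prints one mismatch for the merged rules (the stray file is session_dbusd_runtime_t at creation but user_runtime_t after a relabel) and "consistent" for the name-based rules; the same model also shows that a directory named `bus` would not match the `-s` entry and would keep its parent's type on relabel. To extend it to a real policy, replace FC_TEXT with the expanded lines from file_contexts.homedirs and MERGED_RULES with the output of `sesearch --type_trans` for the domain of interest.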
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 17:14 ` Guido Trentalancia 2017-05-24 17:19 ` Dominick Grift @ 2017-05-24 23:19 ` Chris PeBenito 2017-05-25 5:57 ` Dominick Grift 1 sibling, 1 reply; 15+ messages in thread From: Chris PeBenito @ 2017-05-24 23:19 UTC (permalink / raw) To: refpolicy On 05/24/2017 01:14 PM, Guido Trentalancia via refpolicy wrote: > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via > refpolicy wrote: >> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via >> refpolicy wrote: >>> Let the session dbus process manage user runtime directories (with >>> its own file type). >>> >>> This is the third version (v3) of the patch, thanks to Dominick >>> Grift for revising the previous two versions and suggesting >>> improvements. >>> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com> >>> --- >>> policy/modules/contrib/dbus.fc | 2 ++ >>> policy/modules/contrib/dbus.te | 8 ++++++++ >>> 2 files changed, 10 insertions(+) >>> >>> --- a/policy/modules/contrib/dbus.fc 2017-03-29 >>> 17:58:00.272386397 +0200 >>> +++ b/policy/modules/contrib/dbus.fc 2017-05-24 >>> 18:41:36.105674966 +0200 
>>> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? >>> gen_context(sys >>> >>> /run/dbus(/.*)? gen_context >>> (system_u:object_r:system_dbusd_var_run_t,s0) >>> /run/messagebus\.pid -- gen_context( >>> system_u:object_r:system_dbusd_var_run_t,s0) >>> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system >>> _u:object_r:session_dbusd_runtime_t,s0) >>> +/run/user/%{USERID}/dbus-1/bus -s gen_contex >>> t(system_u:object_r:session_dbusd_runtime_t,s0) >> >> The bus socket is not in the dbus-1 dir: >> >> $ ls -alZ $XDG_RUNTIME_DIR | grep bus >> srw-rw-rw-. 1 kcinimod kcinimod >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24 >> 17:05 bus >> drwx------. 3 kcinimod kcinimod >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24 >> 17:19 dbus-1 > > I have fixed the above in the next version (v4)... Thanks for telling > me. > >>> >>> /usr/bin/dbus-daemon(-1)? -- gen_context(sys >>> tem_u:object_r:dbusd_exec_t,s0) >>> >>> --- a/policy/modules/contrib/dbus.te 2017-04-26 >>> 17:47:20.555423022 +0200 >>> +++ b/policy/modules/contrib/dbus.te 2017-05-24 >>> 18:43:56.536674392 +0200 >>> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; >>> files_pid_file(system_dbusd_var_run_t) >>> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") >>> >>> +type session_dbusd_runtime_t; >>> +files_pid_file(session_dbusd_runtime_t) >> >> It is not a pid file its a userdom_user_runtime_file() or >> userdom_user_tmp_file() > > userdom_user_runtime_file() does not exist, however I can change it to > userdom_user_tmp_file(). Pid is actually right, for now, as pids (in the refpolicy sense) are slowly turning into being a subset of runtime files. Eventually the refpolicy pid file concept might go away. -- Chris PeBenito ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] [PATCH v3] dbus: let session bus daemon manage user runtime dirs 2017-05-24 23:19 ` [refpolicy] [PATCH v3] " Chris PeBenito @ 2017-05-25 5:57 ` Dominick Grift 0 siblings, 0 replies; 15+ messages in thread From: Dominick Grift @ 2017-05-25 5:57 UTC (permalink / raw) To: refpolicy On Wed, May 24, 2017 at 07:19:15PM -0400, Chris PeBenito via refpolicy wrote: > On 05/24/2017 01:14 PM, Guido Trentalancia via refpolicy wrote: > > On Wed, 24/05/2017 at 18.56 +0200, Dominick Grift via > > refpolicy wrote: > >> On Wed, May 24, 2017 at 06:48:00PM +0200, Guido Trentalancia via > >> refpolicy wrote: > >>> Let the session dbus process manage user runtime directories (with > >>> its own file type). > >>> > >>> This is the third version (v3) of the patch, thanks to Dominick > >>> Grift for revising the previous two versions and suggesting > >>> improvements. > >>> > >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > >>> --- > >>> policy/modules/contrib/dbus.fc | 2 ++ > >>> policy/modules/contrib/dbus.te | 8 ++++++++ > >>> 2 files changed, 10 insertions(+) > >>> > >>> --- a/policy/modules/contrib/dbus.fc 2017-03-29 > >>> 17:58:00.272386397 +0200 > >>> +++ b/policy/modules/contrib/dbus.fc 2017-05-24 > >>> 18:41:36.105674966 +0200 
> >>> @@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? > >>> gen_context(sys > >>> > >>> /run/dbus(/.*)? gen_context > >>> (system_u:object_r:system_dbusd_var_run_t,s0) > >>> /run/messagebus\.pid -- gen_context( > >>> system_u:object_r:system_dbusd_var_run_t,s0) > >>> +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system > >>> _u:object_r:session_dbusd_runtime_t,s0) > >>> +/run/user/%{USERID}/dbus-1/bus -s gen_contex > >>> t(system_u:object_r:session_dbusd_runtime_t,s0) > >> > >> The bus socket is not in the dbus-1 dir: > >> > >> $ ls -alZ $XDG_RUNTIME_DIR | grep bus > >> srw-rw-rw-. 1 kcinimod kcinimod > >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 0 May 24 > >> 17:05 bus > >> drwx------. 3 kcinimod kcinimod > >> wheel.id:wheel.role:dbus.user.tmpfs.user_tmpfs_file:s0 60 May 24 > >> 17:19 dbus-1 > > > > I have fixed the above in the next version (v4)... Thanks for telling > > me. > > > >>> > >>> /usr/bin/dbus-daemon(-1)? -- gen_context(sys > >>> tem_u:object_r:dbusd_exec_t,s0) > >>> > >>> --- a/policy/modules/contrib/dbus.te 2017-04-26 > >>> 17:47:20.555423022 +0200 > >>> +++ b/policy/modules/contrib/dbus.te 2017-05-24 > >>> 18:43:56.536674392 +0200 
> >>> @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; > >>> files_pid_file(system_dbusd_var_run_t) > >>> init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") > >>> > >>> +type session_dbusd_runtime_t; > >>> +files_pid_file(session_dbusd_runtime_t) > >> > >> It is not a pid file, it's a userdom_user_runtime_file() or > >> userdom_user_tmp_file() > > > > userdom_user_runtime_file() does not exist, however I can change it to > > userdom_user_tmp_file(). > > Pid is actually right, for now, as pids (in the refpolicy sense) are > slowly turning into being a subset of runtime files. Eventually the > refpolicy pid file concept might go away. logind needs to be able to purge XDG_RUNTIME_DIR and allowing logind to unlink all pid files would be too coarse IMHO > > -- > Chris PeBenito -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift ^ permalink raw reply [flat|nested] 15+ messages in thread
Thread overview (15+ messages):
2017-05-24 12:39 [refpolicy] [PATCH] dbus: let session bus daemon manage user runtime dirs  Guido Trentalancia
2017-05-24 12:44 ` Dominick Grift
2017-05-24 13:25   ` Guido Trentalancia
2017-05-24 13:25   ` [refpolicy] [PATCH v2] " Guido Trentalancia
2017-05-24 13:59     ` Dominick Grift
2017-05-24 16:48       ` [refpolicy] [PATCH v3] " Guido Trentalancia
2017-05-24 16:56         ` Dominick Grift
2017-05-24 17:14           ` Guido Trentalancia
2017-05-24 17:19             ` Dominick Grift
2017-05-24 17:32               ` Guido Trentalancia
2017-05-24 17:44               ` [refpolicy] [PATCH v4] " Guido Trentalancia
2017-05-25 11:23                 ` [refpolicy] [PATCH v5] " Guido Trentalancia
2017-05-26  0:56                   ` Chris PeBenito
2017-05-24 23:19           ` [refpolicy] [PATCH v3] " Chris PeBenito
2017-05-25  5:57             ` Dominick Grift