* [refpolicy] [PATCH] Update the colord module
@ 2016-08-13 20:11 Guido Trentalancia
  2016-08-13 20:23 ` Dominick Grift
  0 siblings, 1 reply; 9+ messages in thread
From: Guido Trentalancia @ 2016-08-13 20:11 UTC (permalink / raw)
  To: refpolicy

Update the colord module:

- add support for writing colord subdirectories of /usr/share;
- add support for reading colord subdirectories of /home (e.g.
  ICC profiles).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/colord.fc |    5 +++++
 policy/modules/contrib/colord.te |   13 +++++++++++++
 2 files changed, 18 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
21:27:11.337094143 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
17:39:07.096980948 +0200
@@ -1,3 +1,5 @@
+HOME_DIR/\.local/share/icc(/.*)?
gen_context(system_u:object_r:colord_home_t,s0)
+
 /usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
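Review bot: The new HOME_DIR entry at the top of colord.fc arrives wrapped onto two lines, and the second line, `gen_context(system_u:object_r:colord_home_t,s0)`, carries no `+` marker, so the hunk no longer matches its `@@ -1,3 +1,5 @@` header and will not apply as sent. Please resend with the path pattern and its context on a single line, using a mailer setting that does not rewrap the patch. The entry also hardcodes `\.local/share/icc`; a short comment in the .fc stating that this is the per-user ICC profile directory would make the intent clear to whoever revisits the home directory layout later.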
@@ -7,5 +9,8 @@
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
+/usr/share/color(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
+/usr/share/colord(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
+
 /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
 /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
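Review bot: The two new entries `/usr/share/color(/.*)?` and `/usr/share/colord(/.*)?` label content under /usr/share with a type named `colord_usr_lib_t`, which reads as if it covered /usr/lib. A name that reflects the actual location would make the file contexts self-explanatory. Since the description says colord writes to these directories, a comment stating what it writes there would also justify giving a daemon its own writable type under /usr/share.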
--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te	2016-08-06
21:27:11.338094155 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.te	2016-08-13
22:01:26.485422418 +0200
@@ -9,12 +9,18 @@ type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
 
+type colord_home_t;
+userdom_user_home_content(colord_home_t);
+
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
 
 type colord_tmpfs_t;
 files_tmpfs_file(colord_tmpfs_t)
 
+type colord_usr_lib_t;
+files_type(colord_usr_lib_t)
+
 type colord_var_lib_t;
 files_type(colord_var_lib_t)
 
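Review bot: `userdom_user_home_content(colord_home_t);` ends with a semicolon, while every other interface call in this block (`files_tmp_file(colord_tmp_t)`, `files_tmpfs_file(colord_tmpfs_t)`, `files_type(colord_var_lib_t)`) has none; drop it so the declarations are consistent.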
@@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
 
+allow colord_t colord_home_t:dir list_dir_perms;
+allow colord_t colord_home_t:file read_file_perms;
+allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
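Review bot: The three `allow colord_t colord_home_t:...` rules are written as raw allow statements, whereas the lines right below them use pattern macros (`manage_dirs_pattern`, `manage_files_pattern`); `list_dirs_pattern`, `read_files_pattern` and `read_lnk_files_pattern` with `colord_home_t` would express equivalent read-only access in the module's existing style. These lines also cover `colord_home_t` only: nothing in this hunk lets colord_t search the home directories above `.local/share/icc`, so please confirm that access is already granted elsewhere in the module, otherwise the new rules cannot be reached.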
@@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
 manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
 fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
 
+manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
+manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
+
 manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
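Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` pair for `colord_usr_lib_t` has no accompanying type transition, unlike the tmp, tmpfs and var_lib blocks around it, which each end in a filetrans call (for example `files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)` in the context lines). As written, objects colord creates get this type only when the /usr/share/color and /usr/share/colord directories already exist and are labelled; state that in the commit message, or add a transition if colord is expected to create them. Full manage access is also broader than the "writing" the description mentions, so note which operations colord actually needs under /usr/share.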


* [refpolicy] [PATCH] Update the colord module
  2016-08-13 20:11 [refpolicy] [PATCH] Update the colord module Guido Trentalancia
@ 2016-08-13 20:23 ` Dominick Grift
  2016-08-13 20:39   ` Guido Trentalancia
  2016-08-14  4:16   ` Jason Zaman
  0 siblings, 2 replies; 9+ messages in thread
From: Dominick Grift @ 2016-08-13 20:23 UTC (permalink / raw)
  To: refpolicy

On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
> Update the colord module:
> 
> - add support for writing colord subdirectories of /usr/share;
> - add support for reading colord subdirectories of /home (e.g.
>   ICC profiles).
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/colord.fc |    5 +++++
>  policy/modules/contrib/colord.te |   13 +++++++++++++
>  2 files changed, 18 insertions(+)
> 
> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
> 21:27:11.337094143 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
> 17:39:07.096980948 +0200
> @@ -1,3 +1,5 @@
> +HOME_DIR/\.local/share/icc(/.*)?

I thought that by now reference policy implemented $XDG_DATA_DIR,
$XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
~/.cache respectively?

Am I mistaken? I would probably do that first.

> gen_context(system_u:object_r:colord_home_t,s0)
> +
>  /usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>  /usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>  
> @@ -7,5 +9,8 @@
>  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>  
> +/usr/share/color(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
> +/usr/share/colord(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
> +
>  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te	2016-08-06
> 21:27:11.338094155 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/colord.te	2016-08-13
> 22:01:26.485422418 +0200
> @@ -9,12 +9,18 @@ type colord_t;
>  type colord_exec_t;
>  dbus_system_domain(colord_t, colord_exec_t)
>  
> +type colord_home_t;
> +userdom_user_home_content(colord_home_t);
> +
>  type colord_tmp_t;
>  files_tmp_file(colord_tmp_t)
>  
>  type colord_tmpfs_t;
>  files_tmpfs_file(colord_tmpfs_t)
>  
> +type colord_usr_lib_t;
> +files_type(colord_usr_lib_t)
> +
>  type colord_var_lib_t;
>  files_type(colord_var_lib_t)
>  
> @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
>  allow colord_t self:tcp_socket { accept listen };
>  allow colord_t self:shm create_shm_perms;
>  
> +allow colord_t colord_home_t:dir list_dir_perms;
> +allow colord_t colord_home_t:file read_file_perms;
> +allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
> +
>  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
> @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
>  manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
>  fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
>  
> +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
> +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
> +
>  manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>  files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] Update the colord module
  2016-08-13 20:23 ` Dominick Grift
@ 2016-08-13 20:39   ` Guido Trentalancia
  2016-08-20 14:53     ` Guido Trentalancia
  2016-08-14  4:16   ` Jason Zaman
  1 sibling, 1 reply; 9+ messages in thread
From: Guido Trentalancia @ 2016-08-13 20:39 UTC (permalink / raw)
  To: refpolicy

Hello Dominick.

> On the 13th August 2016 at 22.23 Dominick Grift <dac.override@gmail.com>
> wrote:
> 
> 
> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
> > Update the colord module:
> > 
> > - add support for writing colord subdirectories of /usr/share;
> > - add support for reading colord subdirectories of /home (e.g.
> >   ICC profiles).
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/contrib/colord.fc |    5 +++++
> >  policy/modules/contrib/colord.te |   13 +++++++++++++
> >  2 files changed, 18 insertions(+)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
> > 21:27:11.337094143 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
> > 17:39:07.096980948 +0200
> > @@ -1,3 +1,5 @@
> > +HOME_DIR/\.local/share/icc(/.*)?
> 
> I thought that by now reference policy implemented $XDG_DATA_DIR,
> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
> ~/.cache respectively?

As already explained in a previous message, I think not all systems support the
XDG variables. For example on my system they are not supported at all and I am
fine with it.

Therefore, unless strictly necessary, I would prefer not to change this.

Do you have reasons to think that it is strictly necessary?

Regards,

Guido


* [refpolicy] [PATCH] Update the colord module
  2016-08-13 20:23 ` Dominick Grift
  2016-08-13 20:39   ` Guido Trentalancia
@ 2016-08-14  4:16   ` Jason Zaman
  2016-08-14  9:05     ` Dominick Grift
  2016-08-14 17:44     ` Chris PeBenito
  1 sibling, 2 replies; 9+ messages in thread
From: Jason Zaman @ 2016-08-14  4:16 UTC (permalink / raw)
  To: refpolicy

On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote:
> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
> > Update the colord module:
> > 
> > - add support for writing colord subdirectories of /usr/share;
> > - add support for reading colord subdirectories of /home (e.g.
> >   ICC profiles).
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/contrib/colord.fc |    5 +++++
> >  policy/modules/contrib/colord.te |   13 +++++++++++++
> >  2 files changed, 18 insertions(+)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
> > 21:27:11.337094143 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
> > 17:39:07.096980948 +0200
> > @@ -1,3 +1,5 @@
> > +HOME_DIR/\.local/share/icc(/.*)?
> 
> I thought that by now reference policy implemented $XDG_DATA_DIR,
> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
> ~/.cache respectively?
> 
> Am i mistaken? I would probably do that first

Refpolicy does not. We do have them in Gentoo but they didn't fit
upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but
the others I have not.

In Gentoo we have templates to add specific types for ~/.config/name or
~/.cache/name. Should I send them upstream?

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793

-- Jason

> 
> > gen_context(system_u:object_r:colord_home_t,s0)
> > +
> >  /usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
> >  /usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
> >  
> > @@ -7,5 +9,8 @@
> >  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
> >  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
> >  
> > +/usr/share/color(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
> > +/usr/share/colord(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
> > +
> >  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
> >  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
> > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te	2016-08-06
> > 21:27:11.338094155 +0200
> > +++ refpolicy-git-06082016/policy/modules/contrib/colord.te	2016-08-13
> > 22:01:26.485422418 +0200
> > @@ -9,12 +9,18 @@ type colord_t;
> >  type colord_exec_t;
> >  dbus_system_domain(colord_t, colord_exec_t)
> >  
> > +type colord_home_t;
> > +userdom_user_home_content(colord_home_t);
> > +
> >  type colord_tmp_t;
> >  files_tmp_file(colord_tmp_t)
> >  
> >  type colord_tmpfs_t;
> >  files_tmpfs_file(colord_tmpfs_t)
> >  
> > +type colord_usr_lib_t;
> > +files_type(colord_usr_lib_t)
> > +
> >  type colord_var_lib_t;
> >  files_type(colord_var_lib_t)
> >  
> > @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
> >  allow colord_t self:tcp_socket { accept listen };
> >  allow colord_t self:shm create_shm_perms;
> >  
> > +allow colord_t colord_home_t:dir list_dir_perms;
> > +allow colord_t colord_home_t:file read_file_perms;
> > +allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
> > +
> >  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
> >  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
> >  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
> > @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
> >  manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
> >  fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
> >  
> > +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
> > +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
> > +
> >  manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
> >  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
> >  files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
> > 
> 
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
> 





* [refpolicy] [PATCH] Update the colord module
  2016-08-14  4:16   ` Jason Zaman
@ 2016-08-14  9:05     ` Dominick Grift
  2016-08-14  9:30       ` Dominick Grift
  2016-08-14 17:44     ` Chris PeBenito
  1 sibling, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2016-08-14  9:05 UTC (permalink / raw)
  To: refpolicy

On 08/14/2016 06:16 AM, Jason Zaman wrote:
> On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote:
>> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
>>> Update the colord module:
>>>
>>> - add support for writing colord subdirectories of /usr/share;
>>> - add support for reading colord subdirectories of /home (e.g.
>>>   ICC profiles).
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/contrib/colord.fc |    5 +++++
>>>  policy/modules/contrib/colord.te |   13 +++++++++++++
>>>  2 files changed, 18 insertions(+)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
>>> 21:27:11.337094143 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
>>> 17:39:07.096980948 +0200
>>> @@ -1,3 +1,5 @@
>>> +HOME_DIR/\.local/share/icc(/.*)?
>>
>> I thought that by now reference policy implemented $XDG_DATA_DIR,
>> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
>> ~/.cache respectively?
>>
>> Am i mistaken? I would probably do that first
> 
> Refpolicy does not. We do have them in gentoo but they didnt fit
> upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but
> the others I have not.
> 
> In gentoo we have templates to add specific types for ~/.config/name or
> ~/.cache/name. Should I send them upstream?
> 
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793
> 

I think it is time that we come to some consensus about this at least
(assuming that it was decided to not take advantage of the XDG spec in
refpolicy).

> -- Jason
> 
>>
>>> gen_context(system_u:object_r:colord_home_t,s0)
>>> +
>>>  /usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>  /usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>  
>>> @@ -7,5 +9,8 @@
>>>  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>  
>>> +/usr/share/color(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
>>> +/usr/share/colord(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
>>> +
>>>  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>>>  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te	2016-08-06
>>> 21:27:11.338094155 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.te	2016-08-13
>>> 22:01:26.485422418 +0200
>>> @@ -9,12 +9,18 @@ type colord_t;
>>>  type colord_exec_t;
>>>  dbus_system_domain(colord_t, colord_exec_t)
>>>  
>>> +type colord_home_t;
>>> +userdom_user_home_content(colord_home_t);
>>> +
>>>  type colord_tmp_t;
>>>  files_tmp_file(colord_tmp_t)
>>>  
>>>  type colord_tmpfs_t;
>>>  files_tmpfs_file(colord_tmpfs_t)
>>>  
>>> +type colord_usr_lib_t;
>>> +files_type(colord_usr_lib_t)
>>> +
>>>  type colord_var_lib_t;
>>>  files_type(colord_var_lib_t)
>>>  
>>> @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
>>>  allow colord_t self:tcp_socket { accept listen };
>>>  allow colord_t self:shm create_shm_perms;
>>>  
>>> +allow colord_t colord_home_t:dir list_dir_perms;
>>> +allow colord_t colord_home_t:file read_file_perms;
>>> +allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
>>> +
>>>  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>>>  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>>>  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
>>> @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
>>>  manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
>>>  fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
>>>  
>>> +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
>>> +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
>>> +
>>>  manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>>>  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>>>  files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
>>>
>>
>>
>> -- 
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
>>
> 
> 
> 
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] Update the colord module
  2016-08-14  9:05     ` Dominick Grift
@ 2016-08-14  9:30       ` Dominick Grift
  0 siblings, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2016-08-14  9:30 UTC (permalink / raw)
  To: refpolicy

On 08/14/2016 11:05 AM, Dominick Grift wrote:
> On 08/14/2016 06:16 AM, Jason Zaman wrote:
>> On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote:
>>> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
>>>> Update the colord module:
>>>>
>>>> - add support for writing colord subdirectories of /usr/share;
>>>> - add support for reading colord subdirectories of /home (e.g.
>>>>   ICC profiles).
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>>  policy/modules/contrib/colord.fc |    5 +++++
>>>>  policy/modules/contrib/colord.te |   13 +++++++++++++
>>>>  2 files changed, 18 insertions(+)
>>>>
>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
>>>> 21:27:11.337094143 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
>>>> 17:39:07.096980948 +0200
>>>> @@ -1,3 +1,5 @@
>>>> +HOME_DIR/\.local/share/icc(/.*)?
>>>
>>> I thought that by now reference policy implemented $XDG_DATA_DIR,
>>> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
>>> ~/.cache respectively?
>>>
>>> Am i mistaken? I would probably do that first
>>
>> Refpolicy does not. We do have them in gentoo but they didnt fit
>> upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but
>> the others I have not.
>>
>> In gentoo we have templates to add specific types for ~/.config/name or
>> ~/.cache/name. Should I send them upstream?
>>
>> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793
>>
> 
> I think it is time that we come to some consensus about this at least
> (assuming that it was decided to not take advantage of the XDG spec in
> refpolicy).
> 

Whatever is decided. I will be neutral. I will point out however that I
think that XDG spec, in my opinion, is one of the few opportunities for
us to bring some order to the chaos that is ~

>> -- Jason
>>
>>>
>>>> gen_context(system_u:object_r:colord_home_t,s0)
>>>> +
>>>>  /usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  /usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  
>>>> @@ -7,5 +9,8 @@
>>>>  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
>>>>  
>>>> +/usr/share/color(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
>>>> +/usr/share/colord(/.*)?	gen_context(system_u:object_r:colord_usr_lib_t,s0)
>>>> +
>>>>  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>>>>  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te	2016-08-06
>>>> 21:27:11.338094155 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.te	2016-08-13
>>>> 22:01:26.485422418 +0200
>>>> @@ -9,12 +9,18 @@ type colord_t;
>>>>  type colord_exec_t;
>>>>  dbus_system_domain(colord_t, colord_exec_t)
>>>>  
>>>> +type colord_home_t;
>>>> +userdom_user_home_content(colord_home_t);
>>>> +
>>>>  type colord_tmp_t;
>>>>  files_tmp_file(colord_tmp_t)
>>>>  
>>>>  type colord_tmpfs_t;
>>>>  files_tmpfs_file(colord_tmpfs_t)
>>>>  
>>>> +type colord_usr_lib_t;
>>>> +files_type(colord_usr_lib_t)
>>>> +
>>>>  type colord_var_lib_t;
>>>>  files_type(colord_var_lib_t)
>>>>  
>>>> @@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
>>>>  allow colord_t self:tcp_socket { accept listen };
>>>>  allow colord_t self:shm create_shm_perms;
>>>>  
>>>> +allow colord_t colord_home_t:dir list_dir_perms;
>>>> +allow colord_t colord_home_t:file read_file_perms;
>>>> +allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
>>>> +
>>>>  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>>>>  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>>>>  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
>>>> @@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
>>>>  manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
>>>>  fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
>>>>  
>>>> +manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
>>>> +manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
>>>> +
>>>>  manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>>>>  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>>>>  files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
>>>>
>>>
>>>
>>> -- 
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>
>>
>>
>>
>>
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] Update the colord module
  2016-08-14  4:16   ` Jason Zaman
  2016-08-14  9:05     ` Dominick Grift
@ 2016-08-14 17:44     ` Chris PeBenito
  1 sibling, 0 replies; 9+ messages in thread
From: Chris PeBenito @ 2016-08-14 17:44 UTC (permalink / raw)
  To: refpolicy

On 08/14/16 00:16, Jason Zaman wrote:
> On Sat, Aug 13, 2016 at 10:23:38PM +0200, Dominick Grift wrote:
>> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
>>> Update the colord module:
>>>
>>> - add support for writing colord subdirectories of /usr/share;
>>> - add support for reading colord subdirectories of /home (e.g.
>>>   ICC profiles).
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/contrib/colord.fc |    5 +++++
>>>  policy/modules/contrib/colord.te |   13 +++++++++++++
>>>  2 files changed, 18 insertions(+)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	2016-08-06
>>> 21:27:11.337094143 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	2016-08-13
>>> 17:39:07.096980948 +0200
>>> @@ -1,3 +1,5 @@
>>> +HOME_DIR/\.local/share/icc(/.*)?
>>
>> I thought that by now reference policy implemented $XDG_DATA_DIR,
>> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
>> ~/.cache respectively?
>>
>> Am i mistaken? I would probably do that first
>
> Refpolicy does not. We do have them in gentoo but they didnt fit
> upstream. I moved the XDG_RUNTIME_DIR upstream as userdom_runtime_ but
> the others I have not.

I don't remember the exact changes or why I decided against it, so I'm 
open to revisiting this.  It sounds like we need to find a way to make 
it work.


> In gentoo we have templates to add specific types for ~/.config/name or
> ~/.cache/name. Should I send them upstream?
>
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/system/userdomain.if#n3793


-- 
Chris PeBenito


* [refpolicy] [PATCH] Update the colord module
  2016-08-13 20:39   ` Guido Trentalancia
@ 2016-08-20 14:53     ` Guido Trentalancia
  2016-08-23  0:39       ` Chris PeBenito
  0 siblings, 1 reply; 9+ messages in thread
From: Guido Trentalancia @ 2016-08-20 14:53 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

I have noticed that the following colord patch is still pending,
although there are no amendments planned for it.

Also, the new gnome patch depends on changes introduced by this patch.

Best regards,

Guido

On Sat, 13/08/2016 at 22.39 +0200, Guido Trentalancia wrote:
> Hello Dominick.
> 
> > On the 13th August 2016 at 22.23 Dominick Grift <dac.override@gmail.com>
> > wrote:
> > 
> > 
> > On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
> > > Update the colord module:
> > > 
> > > - add support for writing colord subdirectories of /usr/share;
> > > - add support for reading colord subdirectories of /home (e.g.
> > >   ICC profiles).
> > > 
> > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > > ---
> > >  policy/modules/contrib/colord.fc |    5 +++++
> > >  policy/modules/contrib/colord.te |   13 +++++++++++++
> > >  2 files changed, 18 insertions(+)
> > > 
> > > --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	
> > > 2016-08-06
> > > 21:27:11.337094143 +0200
> > > +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	
> > > 2016-08-13
> > > 17:39:07.096980948 +0200
> > > @@ -1,3 +1,5 @@
> > > +HOME_DIR/\.local/share/icc(/.*)?
> > 
> > I thought that by now reference policy implemented $XDG_DATA_DIR,
> > $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
> > ~/.cache respectively?
> 
> As already explained in a previous message, I think not all systems support the
> XDG variables. For example on my system they are not supported at all and I am
> fine with it.
> 
> Therefore, unless strictly necessary, I would prefer not to change this.
> 
> Do you have reasons to think that it is strictly necessary ?
> 
> Regards,
> 
> Guido

* [refpolicy] [PATCH] Update the colord module
  2016-08-20 14:53     ` Guido Trentalancia
@ 2016-08-23  0:39       ` Chris PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Chris PeBenito @ 2016-08-23  0:39 UTC (permalink / raw)
  To: refpolicy

On 08/20/16 10:53, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have noticed that the following colord patch is still pending,
> although there are no amendments planned for it.
>
> Also, the new gnome patch depends on changes introduced by this patch.

The answer was that I wanted to revisit the XDG changes.  Then we can 
decide what action to take.


> On Sat, 13/08/2016 at 22.39 +0200, Guido Trentalancia wrote:
>> Hello Dominick.
>>
>>> On the 13th August 2016 at 22.23 Dominick Grift <dac.override@gmail.com>
>>> wrote:
>>>
>>>
>>> On 08/13/2016 10:11 PM, Guido Trentalancia wrote:
>>>> Update the colord module:
>>>>
>>>> - add support for writing colord subdirectories of /usr/share;
>>>> - add support for reading colord subdirectories of /home (e.g.
>>>>   ICC profiles).
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>>  policy/modules/contrib/colord.fc |    5 +++++
>>>>  policy/modules/contrib/colord.te |   13 +++++++++++++
>>>>  2 files changed, 18 insertions(+)
>>>>
>>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc	
>>>> 2016-08-06
>>>> 21:27:11.337094143 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/contrib/colord.fc	
>>>> 2016-08-13
>>>> 17:39:07.096980948 +0200
>>>> @@ -1,3 +1,5 @@
>>>> +HOME_DIR/\.local/share/icc(/.*)?
>>>
>>> I thought that by now reference policy implemented $XDG_DATA_DIR,
>>> $XDG_CONFIG_DIR and $XDG_CACHE_DIR for ~/.local/share, ~/.config and
>>> ~/.cache respectively?
>>
>> As already explained in a previous message, I think not all systems support the
>> XDG variables. For example on my system they are not supported at all and I am
>> fine with it.
>>
>> Therefore, unless strictly necessary, I would prefer not to change this.
>>
>> Do you have reasons to think that it is strictly necessary ?


-- 
Chris PeBenito
