From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1496682978.e2346cfeb76c46e1dbf2afc99f792f053693c899.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/dbus.fc policy/modules/contrib/dbus.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: e2346cfeb76c46e1dbf2afc99f792f053693c899
X-VCS-Branch: master
Date: Mon, 5 Jun 2017 17:25:03 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 7caa2052-5c99-45f5-a966-d6a9a4df5d44
X-Archives-Hash: fb8dd56bc801db943eaacaa5cb257701

commit:     e2346cfeb76c46e1dbf2afc99f792f053693c899
Author:     Guido Trentalancia trentalancia net>
AuthorDate: Thu May 25 11:23:26 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2346cfe

dbus: let session bus daemon manage user runtime dirs

Let the session dbus process manage user runtime directories (with its own file type).

This is the fifth version (v5) of the patch, thanks to Dominick Grift for revising the previous versions and suggesting improvements, although unfortunately this new version needs to revert one of the suggested amendments because it was misleading.

Signed-off-by: Guido Trentalancia

 policy/modules/contrib/dbus.fc | 2 ++
 policy/modules/contrib/dbus.te | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c2a15358..eba45221 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) /run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) +/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index ca39fb6b..007de863 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -47,6 +47,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type session_dbusd_runtime_t; +files_pid_file(session_dbusd_runtime_t) + ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) ') @@ -210,6 +213,11 @@ manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) +userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) + kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type)
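Review bot: in the dbus.fc hunk, the two new `/run/user/%{USERID}/...` entries depend on the `%{USERID}` token being expanded by the labeling tools (it is a substitution, not a regular expression), so on a userspace that does not support it these entries never match at relabel time and the `bus` socket and `dbus-1` directory receive session_dbusd_runtime_t only through the runtime transition added in dbus.te. Worth stating the minimum userspace requirement in the commit message and checking with `restorecon -nv` on a live user runtime directory that both entries actually match.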
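Review bot: in the first dbus.te hunk (`@@ -47,6 +47,9 @@`), `session_dbusd_runtime_t` is declared with only `files_pid_file()`, and the diffstat shows dbus.if is not touched, so nothing grants session bus clients access to the new type: once `/run/user/%{USERID}/bus` is a sock_file of type session_dbusd_runtime_t, a confined client domain connecting to the session bus needs `write` on that sock_file in addition to its existing `connectto` on the daemon's unix_stream_socket, and without an interface for it those connections will be denied. Suggest adding, or extending the existing session-bus client interface in dbus.if with, a rule along the lines of `allow $1 session_dbusd_runtime_t:sock_file write;` plus `search` on the session_dbusd_runtime_t dir for anything living under `dbus-1`.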
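Review bot: in the second dbus.te hunk (`@@ -210,6 +213,11 @@`), `userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })` carries no name filter, so every dir, file and sock_file a session bus domain creates directly under the user runtime directory becomes session_dbusd_runtime_t, not only the `bus` socket and `dbus-1` directory that the dbus.fc hunk names. If the interface accepts a trailing name argument like the other refpolicy filetrans interfaces, two named transitions (`"bus"` for sock_file and `"dbus-1"` for dir) would keep the file contexts and the runtime labeling in agreement; if it does not, the `file` class at least looks unneeded, since dbus.fc maps no plain file at that level.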