* [refpolicy] [PATCH 5/34]: patch to label XDG config files and allow policykit to use them
@ 2011-02-16 6:00 Guido Trentalancia
2011-02-16 20:51 ` Sven Vermeulen
0 siblings, 1 reply; 4+ messages in thread
From: Guido Trentalancia @ 2011-02-16 6:00 UTC
To: refpolicy
This patch labels HOME_DIR/\.config as gnome_home_t and then
allows policykit to read such kind of files.
diff -pruN refpolicy-git-02022011-test-apply/policy/modules/apps/gnome.fc refpolicy-git-02022011-test-apply2/policy/modules/apps/gnome.fc
--- refpolicy-git-02022011-test-apply/policy/modules/apps/gnome.fc 2011-01-08 19:07:21.179731404 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/apps/gnome.fc 2011-02-07 00:54:30.568909514 +0100
@@ -1,4 +1,4 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
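Review bot: The replacement spec on the + line, HOME_DIR/\.config(/.*)?, assigns gnome_home_t to the .config directory itself and to everything beneath it, where the removed spec only covered entries beginning with gtk-. Every file in that tree then carries a GNOME-named type, so any domain already allowed gnome_home_t gains the whole tree and any other domain needing a file there has to be granted access to gnome_home_t. Consider giving the directory its own type with its own file-context entry and keeping gnome_home_t on the narrower gtk- spec.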
diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te
--- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-01-08 19:07:21.281747514 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 00:55:34.133380018 +0100
@@ -69,6 +69,10 @@ miscfiles_read_localization(policykit_t)
userdom_read_all_users_state(policykit_t)
+optional_policy(`
+ gnome_read_config(policykit_t)
+')
+
########################################
#
# polkit_auth local policy
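Review bot: The optional_policy block added after userdom_read_all_users_state(policykit_t) has no comment saying which files policykit_t needs to read, and the patch description only says "such kind of files". If gnome_read_config grants read on gnome_home_t, then together with the gnome.fc hunk of this patch it covers the entire .config tree. Add a one-line comment naming the files required, and if only a few are needed, label those with a separate type and grant read on that type instead.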
* [refpolicy] [PATCH 5/34]: patch to label XDG config files and allow policykit to use them
From: Sven Vermeulen @ 2011-02-16 20:51 UTC
To: refpolicy
On Wed, Feb 16, 2011 at 07:00:59AM +0100, Guido Trentalancia wrote:
> This patch labels HOME_DIR/\.config as gnome_home_t and then
> allows policykit to read such kind of files.
Afaik, this location is used by much more than gnome applications. I don't
have GNOME installed but it is still there for things like XFCE4, epdfview,
zathura etc.
The .config location seems to be part of the XDG Base Directory
Specification (I believe dgrift once referred me to this), independent of
GNOME.
Perhaps it is more wise to call it user_config_t or user_xdg_config_t (and
xdg_config_t for /etc/xdg etc.)? That way, the necessary privileges can be
offered in an XDG-specific set of interfaces for all applications adhering
to this specification (rather than using gnome_* interfaces even though they
are not GNOME related).
Wkr,
Sven Vermeulen
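
Added example (not part of the original thread or of refpolicy): a comparison of the file-context spec the patch removes with the one it adds, showing which paths newly receive gnome_home_t. It assumes HOME_DIR expands to the constructed home /home/alice, treats each spec on its own as a regex matched against the whole path, and uses constructed sample paths for the applications named above.

```python
import re

# Assumption: HOME_DIR expanded to a single constructed home directory.
HOME = "/home/alice"

OLD_SPEC = r"HOME_DIR/\.config/gtk-.*"  # spec removed by the patch
NEW_SPEC = r"HOME_DIR/\.config(/.*)?"   # spec added by the patch

# Constructed sample paths; none are taken from a real system.
SAMPLE_PATHS = [
    "/home/alice/.config",
    "/home/alice/.config/gtk-2.0/gtkfilechooser.ini",
    "/home/alice/.config/xfce4/panel/default.xml",
    "/home/alice/.config/epdfview/main.conf",
    "/home/alice/.config/zathura/zathurarc",
    "/home/alice/.config/user-dirs.dirs",
    "/home/alice/.configs/notes.txt",   # sibling name, must not match
    "/home/alice/.gnome2/keyrings",     # covered by a different entry
]


def compile_spec(spec, home=HOME):
    """Expand HOME_DIR and compile the spec as a regular expression."""
    return re.compile(spec.replace("HOME_DIR", re.escape(home)))


def labelled(spec, paths=SAMPLE_PATHS):
    """Paths the spec matches; file-context specs match the whole path."""
    rx = compile_spec(spec)
    return [p for p in paths if rx.fullmatch(p)]


def newly_labelled(old=OLD_SPEC, new=NEW_SPEC, paths=SAMPLE_PATHS):
    """Paths that get the type only after the spec is widened."""
    before = set(labelled(old, paths))
    return [p for p in labelled(new, paths) if p not in before]


if __name__ == "__main__":
    print("old spec matches:")
    for p in labelled(OLD_SPEC):
        print("  ", p)
    print("newly labelled gnome_home_t by the new spec:")
    for p in newly_labelled():
        print("  ", p)
```
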
* [refpolicy] [PATCH 5/34]: patch to label XDG config files and allow policykit to use them
From: Daniel J Walsh @ 2011-02-16 20:56 UTC
To: refpolicy
On 02/16/2011 03:51 PM, Sven Vermeulen wrote:
> On Wed, Feb 16, 2011 at 07:00:59AM +0100, Guido Trentalancia wrote:
>> This patch labels HOME_DIR/\.config as gnome_home_t and then
>> allows policykit to read such kind of files.
>
> Afaik, this location is used by much more than gnome applications. I don't
> have GNOME installed but it is still there for things like XFCE4, epdfview,
> zathura etc.
>
> The .config location seems to be part of the XDG Base Directory
> Specification (I believe dgrift once referred me to this), independent of
> GNOME.
>
> Perhaps it is more wise to call it user_config_t or user_xdg_config_t (and
> xdg_config_t for /etc/xdg etc.)? That way, the necessary privileges can be
> offered in an XDG-specific set of interfaces for all applications adhering
> to this specification (rather than using gnome_* interfaces even though they
> are not GNOME related).
>
> Wkr,
> Sven Vermeulen
In Fedora it is labeled config_home_t.
* [refpolicy] [PATCH 5/34]: patch to label XDG config files and allow policykit to use them
From: Guido Trentalancia @ 2011-02-16 21:28 UTC
To: refpolicy
Hello Sven,
thanks for your comments.
Yes, in practice, anything other than generic user_home_t is fine.
So, for example, user_xdg_config_t could be used and perhaps the naming
is more appropriate (as formally it's XDG shared with Gnome), but there
is a lack of interfaces for that (i.e. the equivalent of
gnome_read_config()).
Feel free to provide an alternative patch in place of [5/34] that I
proposed.
The important thing is that .config is not labeled generically and that
policykit can read its content (I believe it only needs to
read .config/user-dirs.*)!
Regards,
Guido
On Wed, 16/02/2011 at 21.51 +0100, Sven Vermeulen wrote:
> On Wed, Feb 16, 2011 at 07:00:59AM +0100, Guido Trentalancia wrote:
> > This patch labels HOME_DIR/\.config as gnome_home_t and then
> > allows policykit to read such kind of files.
>
> Afaik, this location is used by much more than gnome applications. I don't
> have GNOME installed but it is still there for things like XFCE4, epdfview,
> zathura etc.
>
> The .config location seems to be part of the XDG Base Directory
> Specification (I believe dgrift once referred me to this), independent of
> GNOME.
>
> Perhaps it is more wise to call it user_config_t or user_xdg_config_t (and
> xdg_config_t for /etc/xdg etc.)? That way, the necessary privileges can be
> offered in an XDG-specific set of interfaces for all applications adhering
> to this specification (rather than using gnome_* interfaces even though they
> are not GNOME related).
>
> Wkr,
> Sven Vermeulen