From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module
Date: Thu, 04 Oct 2012 10:53:24 -0400	[thread overview]
Message-ID: <506DA2E4.1080004@redhat.com> (raw)
In-Reply-To: <1349348491.22995.43.camel@d30.localdomain>

On 10/04/2012 07:01 AM, Dominick Grift wrote:
> 
> 
> On Wed, 2012-10-03 at 20:16 +0200, Sven Vermeulen wrote:
> 
>> In the XDG policy we use in Gentoo, we have xdg_cache_home_t, 
>> xdg_config_home_t, xdg_data_home_t and xdg_runtime_home_t (for 
>> /run/user/USER stuff). It also supports file transitions for applications
>> that make specific locations therein (like ~/.config/chromium,
>> ~/.config/epdfview, ...) as to isolate (confine) the applications more.
> 
> The $XDG_RUNTIME_DIR is indeed something we need to discuss in my view.
> 
> Fedora currently labels /run/user type user_tmp_t
> 
> This is probably the easiest solution but not the prettiest.
> 
> The /run/user/UID directory has various content that used to go into either
> $TMP or $HOME.
> 
> It can be considered the pid dir for users.
> 
> Problem with Fedora's solution, I think, is that she just added a file
> context spec for it and did not take care of the type transition. Instead
> relying on systemd to use setfscreate or reset the file context to what is
> specified.
> 
> In that light I do not really like that /run/user (root owned) as well as
> /run/user/UID (user owned) are labeled user_tmp_t.
> 
> I think I would rather prefer something similar to how we deal with user
> home dirs.
> 
> /home (home_root_t) /home/USER (user_home_dir_t)
> 
> /run/user (home_root_t) /run/user/UID (user_home_dir_t)
> 
> In the current gnome patch however I have totally neglected
> XDG_RUNTIME_DIR. Bear in mind that not every system has that variable set
> and that various programs and libraries fall back to either $TMP or
> $HOME(/\.cache)?
> 
That is fine, and something we can try out in Fedora 19.
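The two labeling approaches discussed above, written out as an added illustration that is not code from this thread, from refpolicy or from Fedora's policy. It assumes the per-user directory is created by systemd-logind running as systemd_logind_t, and reuses the existing userdomain types home_root_t and user_home_dir_t.

```selinux
######## file contexts (.fc) ########

# What the message describes Fedora doing: one spec, everything user_tmp_t.
# A file context spec only takes effect on relabel (restorecon / setfiles);
# a freshly created /run/user/1000 inherits its parent's type unless the
# creator calls setfscreatecon() or resets the context afterwards.
/run/user(/.*)?            gen_context(system_u:object_r:user_tmp_t,s0)

# Proposed layout, mirroring /home (home_root_t) and /home/USER (user_home_dir_t).
/run/user                  -d  gen_context(system_u:object_r:home_root_t,s0)
/run/user/[^/]+            -d  gen_context(system_u:object_r:user_home_dir_t,s0)

######## type enforcement (.te) ########

# The piece the message says Fedora left out: a type transition, so the
# per-user directory gets its label at creation time, in the kernel, with
# no cooperation from the creating program.
require {
    type systemd_logind_t, home_root_t, user_home_dir_t;   # assumed creator domain
}

# A transition only fires if the creation itself is allowed.
allow systemd_logind_t home_root_t:dir { search write add_name };
allow systemd_logind_t user_home_dir_t:dir { create setattr };

# When systemd_logind_t creates a dir inside a home_root_t dir, label the new
# dir user_home_dir_t instead of letting it inherit home_root_t.
type_transition systemd_logind_t home_root_t:dir user_home_dir_t;

# In refpolicy the allow + type_transition pair is normally spelled as
#   filetrans_pattern(systemd_logind_t, home_root_t, user_home_dir_t, dir)
# Check after a login: `ls -Zd /run/user/1000` should show user_home_dir_t
# even with no restorecon having run.
```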
