[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Jason Zaman]

Hi all,

I submitted patches to add USERID and USERNAME to genhomedircon[1] and
am now trying to fix refpol to work with it.

What labels do we want for things in /run/user?
Currently refpol has the following which seems pretty weird:
/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
It was originally added from fedora but fedora has since dropped that.

fedora now has:
/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)

The problem with that fcontext is that users have write perms towards
user_tmp_t so they would be able to do other things in /run/user/
instead of only within /run/user/%{USERID}/.

I think we should have some kind of _root_t and _home_t like how things
are for /home and /home/USERNAME

In gentoo we have an xdg module which adds xdg_runtime_home_t which we
have for the user's dir. I was thinking to add an xdg_runtime_dir_t or
_root_t. then things would get search perms towards that root dir and
get normal write perms within the actual runtime dir. Only
logind/consolekit would need to manage xdg_runtime_dir_t.

If we send (parts of?) the xdg module upstream from gentoo, would it be
accepted? and if not, I want to at least fix the label for /run/user/
(xdg_runtime_dir_t or whatever is decided) in refpol and then I can
carry the xdg_runtime_home_t part in gentoo only.

Regards,
Jason

[1]: https://marc.info/?l=selinux&m=146013183309131&w=2

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Christopher J. PeBenito]

On 4/11/2016 1:11 PM, Jason Zaman wrote:
> Hi all,
> 
> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
> am now trying to fix refpol to work with it.
> 
> What labels do we want for things in /run/user?
> Currently refpol has the following which seems pretty weird:
> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> It was originally added from fedora but fedora has since dropped that.
> 
> fedora now has:
> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
> 
> The problem with that fcontext is that users have write perms towards
> user_tmp_t so they would be able to do other things in /run/user/
> instead of only within /run/user/%{USERID}/.
> 
> I think we should have some kind of _root_t and _home_t like how things
> are for /home and /home/USERNAME

This makes sense.


> In gentoo we have an xdg module which adds xdg_runtime_home_t which we
> have for the user's dir. I was thinking to add an xdg_runtime_dir_t or
> _root_t. then things would get search perms towards that root dir and
> get normal write perms within the actual runtime dir. Only
> logind/consolekit would need to manage xdg_runtime_dir_t.
> 
> If we send (parts of?) the xdg module upstream from gentoo, would it be
> accepted? and if not, I want to at least fix the label for /run/user/
> (xdg_runtime_dir_t or whatever is decided) in refpol and then I can
> carry the xdg_runtime_home_t part in gentoo only.

Which group (if any) specified how /run/user/UID should be used? XDG?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Jason Zaman]

On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
> On 4/11/2016 1:11 PM, Jason Zaman wrote:
> > Hi all,
> > 
> > I submitted patches to add USERID and USERNAME to genhomedircon[1] and
> > am now trying to fix refpol to work with it.
> > 
> > What labels do we want for things in /run/user?
> > Currently refpol has the following which seems pretty weird:
> > /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> > It was originally added from fedora but fedora has since dropped that.
> > 
> > fedora now has:
> > /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
> > 
> > The problem with that fcontext is that users have write perms towards
> > user_tmp_t so they would be able to do other things in /run/user/
> > instead of only within /run/user/%{USERID}/.
> > 
> > I think we should have some kind of _root_t and _home_t like how things
> > are for /home and /home/USERNAME
> 
> This makes sense.

so this?
/var/run/user system_u:object_r:xdg_runtime_root_t:s0
/var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0

Once the patches get merged in to the userspace tools I will start
preparing patches for this.

> > In gentoo we have an xdg module which adds xdg_runtime_home_t which we
> > have for the user's dir. I was thinking to add an xdg_runtime_dir_t or
> > _root_t. then things would get search perms towards that root dir and
> > get normal write perms within the actual runtime dir. Only
> > logind/consolekit would need to manage xdg_runtime_dir_t.
> > 
> > If we send (parts of?) the xdg module upstream from gentoo, would it be
> > accepted? and if not, I want to at least fix the label for /run/user/
> > (xdg_runtime_dir_t or whatever is decided) in refpol and then I can
> > carry the xdg_runtime_home_t part in gentoo only.
> 
> Which group (if any) specified how /run/user/UID should be used? XDG?

https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

I think systemd started it, but ConsoleKit2 supports it too and it is
officially a freedesktop/XDG spec.

-- Jason

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Christopher J. PeBenito]

On 4/12/2016 1:02 PM, Jason Zaman wrote:
> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
>>> Hi all,
>>>
>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
>>> am now trying to fix refpol to work with it.
>>>
>>> What labels do we want for things in /run/user?
>>> Currently refpol has the following which seems pretty weird:
>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>> It was originally added from fedora but fedora has since dropped that.
>>>
>>> fedora now has:
>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
>>>
>>> The problem with that fcontext is that users have write perms towards
>>> user_tmp_t so they would be able to do other things in /run/user/
>>> instead of only within /run/user/%{USERID}/.
>>>
>>> I think we should have some kind of _root_t and _home_t like how things
>>> are for /home and /home/USERNAME
>>
>> This makes sense.
> 
> so this?
> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
> 
> Once the patches get merged in to the userspace tools I will start
> preparing patches for this.
> 
[...]
>> Which group (if any) specified how /run/user/UID should be used? XDG?
> 
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
> 
> I think systemd started it, but ConsoleKit2 supports it too and it is
> officially a freedesktop/XDG spec.

I think it makes more sense for these not to be XDG-named types, since
XDG isn't the only one that uses it.  Perhaps something like
user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and
user_tmp_t (I'm open to other suggestions).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Miroslav Grepl]

On 04/12/2016 07:57 PM, Christopher J. PeBenito wrote:
> On 4/12/2016 1:02 PM, Jason Zaman wrote:
>> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
>>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
>>>> Hi all,
>>>>
>>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
>>>> am now trying to fix refpol to work with it.
>>>>
>>>> What labels do we want for things in /run/user?
>>>> Currently refpol has the following which seems pretty weird:
>>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>>> It was originally added from fedora but fedora has since dropped that.
>>>>
>>>> fedora now has:
>>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
>>>>
>>>> The problem with that fcontext is that users have write perms towards
>>>> user_tmp_t so they would be able to do other things in /run/user/
>>>> instead of only within /run/user/%{USERID}/.
>>>>
>>>> I think we should have some kind of _root_t and _home_t like how things
>>>> are for /home and /home/USERNAME
>>>
>>> This makes sense.
>>
>> so this?
>> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
>> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
>>
>> Once the patches get merged in to the userspace tools I will start
>> preparing patches for this.
>>
> [...]
>>> Which group (if any) specified how /run/user/UID should be used? XDG?
>>
>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>>
>> I think systemd started it, but ConsoleKit2 supports it too and it is
>> officially a freedesktop/XDG spec.
> 
> I think it makes more sense for these not to be XDG-named types, since
> XDG isn't the only one that uses it.  Perhaps something like
> user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and
> user_tmp_t (I'm open to other suggestions).
> 

Ok, this is again https://github.com/systemd/systemd/issues/257.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Christopher J. PeBenito]

On 4/13/2016 12:18 PM, Miroslav Grepl wrote:
> On 04/12/2016 07:57 PM, Christopher J. PeBenito wrote:
>> On 4/12/2016 1:02 PM, Jason Zaman wrote:
>>> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
>>>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
>>>>> Hi all,
>>>>>
>>>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
>>>>> am now trying to fix refpol to work with it.
>>>>>
>>>>> What labels do we want for things in /run/user?
>>>>> Currently refpol has the following which seems pretty weird:
>>>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>>>> It was originally added from fedora but fedora has since dropped that.
>>>>>
>>>>> fedora now has:
>>>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
>>>>>
>>>>> The problem with that fcontext is that users have write perms towards
>>>>> user_tmp_t so they would be able to do other things in /run/user/
>>>>> instead of only within /run/user/%{USERID}/.
>>>>>
>>>>> I think we should have some kind of _root_t and _home_t like how things
>>>>> are for /home and /home/USERNAME
>>>>
>>>> This makes sense.
>>>
>>> so this?
>>> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
>>> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
>>>
>>> Once the patches get merged in to the userspace tools I will start
>>> preparing patches for this.
>>>
>> [...]
>>>> Which group (if any) specified how /run/user/UID should be used? XDG?
>>>
>>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>>>
>>> I think systemd started it, but ConsoleKit2 supports it too and it is
>>> officially a freedesktop/XDG spec.
>>
>> I think it makes more sense for these not to be XDG-named types, since
>> XDG isn't the only one that uses it.  Perhaps something like
>> user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and
>> user_tmp_t (I'm open to other suggestions).
>>
> 
> Ok, this is again https://github.com/systemd/systemd/issues/257.

I don't see how this is related.  This isn't about systemd's behavior,
but simply choosing what are the correct .fc entries for this directory
structure.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Jason Zaman]

On Wed, Apr 13, 2016 at 01:01:35PM -0400, Christopher J. PeBenito wrote:
> On 4/13/2016 12:18 PM, Miroslav Grepl wrote:
> > On 04/12/2016 07:57 PM, Christopher J. PeBenito wrote:
> >> On 4/12/2016 1:02 PM, Jason Zaman wrote:
> >>> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
> >>>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
> >>>>> am now trying to fix refpol to work with it.
> >>>>>
> >>>>> What labels do we want for things in /run/user?
> >>>>> Currently refpol has the following which seems pretty weird:
> >>>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> >>>>> It was originally added from fedora but fedora has since dropped that.
> >>>>>
> >>>>> fedora now has:
> >>>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
> >>>>>
> >>>>> The problem with that fcontext is that users have write perms towards
> >>>>> user_tmp_t so they would be able to do other things in /run/user/
> >>>>> instead of only within /run/user/%{USERID}/.
> >>>>>
> >>>>> I think we should have some kind of _root_t and _home_t like how things
> >>>>> are for /home and /home/USERNAME
> >>>>
> >>>> This makes sense.
> >>>
> >>> so this?
> >>> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
> >>> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
> >>>
> >>> Once the patches get merged in to the userspace tools I will start
> >>> preparing patches for this.
> >>>
> >> [...]
> >>>> Which group (if any) specified how /run/user/UID should be used? XDG?
> >>>
> >>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
> >>>
> >>> I think systemd started it, but ConsoleKit2 supports it too and it is
> >>> officially a freedesktop/XDG spec.
> >>
> >> I think it makes more sense for these not to be XDG-named types, since
> >> XDG isn't the only one that uses it.  Perhaps something like
> >> user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and
> >> user_tmp_t (I'm open to other suggestions).
> >>
> > 
> > Ok, this is again https://github.com/systemd/systemd/issues/257.
> 
> I don't see how this is related.  This isn't about systemd's behavior,
> but simply choosing what are the correct .fc entries for this directory
> structure.

Yeah systemd looks up the fcontext from the policy. The reason for this
patch and the genhomedircon patches is so that we actually have a way to
label these subdirs correctly in the policy in the first place. Once
this is merged in systemd can be corrected if it needs to be. I am part
way through fixing up ConsoleKit2 to do the same thing.

-- Jason

[refpolicy] fcontexts for XDG_RUNTIME_DIR /run/user

[Miroslav Grepl]

On 04/13/2016 07:01 PM, Christopher J. PeBenito wrote:
> On 4/13/2016 12:18 PM, Miroslav Grepl wrote:
>> On 04/12/2016 07:57 PM, Christopher J. PeBenito wrote:
>>> On 4/12/2016 1:02 PM, Jason Zaman wrote:
>>>> On Tue, Apr 12, 2016 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
>>>>> On 4/11/2016 1:11 PM, Jason Zaman wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I submitted patches to add USERID and USERNAME to genhomedircon[1] and
>>>>>> am now trying to fix refpol to work with it.
>>>>>>
>>>>>> What labels do we want for things in /run/user?
>>>>>> Currently refpol has the following which seems pretty weird:
>>>>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>>>>> It was originally added from fedora but fedora has since dropped that.
>>>>>>
>>>>>> fedora now has:
>>>>>> /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
>>>>>>
>>>>>> The problem with that fcontext is that users have write perms towards
>>>>>> user_tmp_t so they would be able to do other things in /run/user/
>>>>>> instead of only within /run/user/%{USERID}/.
>>>>>>
>>>>>> I think we should have some kind of _root_t and _home_t like how things
>>>>>> are for /home and /home/USERNAME
>>>>>
>>>>> This makes sense.
>>>>
>>>> so this?
>>>> /var/run/user system_u:object_r:xdg_runtime_root_t:s0
>>>> /var/run/user/1000 staff_u:object_r:xdg_runtime_home_t:s0
>>>>
>>>> Once the patches get merged in to the userspace tools I will start
>>>> preparing patches for this.
>>>>
>>> [...]
>>>>> Which group (if any) specified how /run/user/UID should be used? XDG?
>>>>
>>>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>>>>
>>>> I think systemd started it, but ConsoleKit2 supports it too and it is
>>>> officially a freedesktop/XDG spec.
>>>
>>> I think it makes more sense for these not to be XDG-named types, since
>>> XDG isn't the only one that uses it.  Perhaps something like
>>> user_runtime_root_t and user_runtime_t, or maybe user_runtime_t and
>>> user_tmp_t (I'm open to other suggestions).
>>>
>>
>> Ok, this is again https://github.com/systemd/systemd/issues/257.
> 
> I don't see how this is related.  This isn't about systemd's behavior,
> but simply choosing what are the correct .fc entries for this directory
> structure.
> 

Correct. My bad.


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.