From: justinmattock@gmail.com (Justin P. Mattock)
Date: Tue, 02 Dec 2008 07:57:21 -0800
Subject: [refpolicy] new svn refpolicy difficulties:
In-Reply-To: <1228223603.9691.19.camel@gorn>
References: <1228112352.3841.13.camel@unix> <1228223603.9691.19.camel@gorn>
Message-ID: <1228233441.2973.17.camel@unix>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2008-12-02 at 08:13 -0500, Christopher J. PeBenito wrote:
> On Sun, 2008-11-30 at 22:19 -0800, Justin P. Mattock wrote:
> > With the latest refpolicy, I'm
> > able to have all of the allow rules
> > during the boot process applied to the policy,
> > but as soon as I add any of the allow rules
> > after startx, with any role I'm denied
> > with building the policy i.g.
> >
> > :ERROR 'type staff_dbusd_t is not within scope' at token ';' on line 2581459:
> >
> > I think this has to do with my policy/users
> > file. (where can I find info on setting a prefix?)
>
> I suspect it is actually related to this:
>
> http://marc.info/?l=selinux&m=122477138927253&w=2
>
> What changes have you made (if any) to the policy? Also the
> policy/modules.conf and build.conf?
>

This is the same issue from a few weeks ago (just never got around to
working it). As for changes to the modules.conf, I sent you that a few
weeks ago, which basically has nothing modified (my goal is to keep the
policy as generic as possible, no tweaking of any kind). I do modify the
build.conf and policy/users.

As for the users, I set

    gen_user(user,system_u, sysadm_r staff_r user_r, s0, s0 -mls_systemhigh, mcs_allcats)

and in the build.conf I change the policy number, setting debian,
monolithic=y, deny unknown=y, not much stuff..

Overall, I'm not sure, but after reading the users file it says:

    Note: Identities without a prefix wil not be listed in the
    users_extra file used by genhomedircon.

(BTW there's a typo in there: "will")

This here tells me that if I don't have this set correctly (prefix), I
won't be able to build the policy accordingly with my user name and
roles? Hence there is always an error during compiling when I add
something like staff_dbus_t. If I have this correct, will staff_dbus_t
change to staff_t? Or something to satisfy the compiling of the policy...

As for the post, I'll have to read that and see if it is what I was
going through.

regards;

--
Justin P. Mattock