From: justinmattock@gmail.com (Justin Mattock)
Date: Thu, 4 Dec 2008 12:50:45 -0800
Subject: [refpolicy] new svn refpolicy difficuties:
In-Reply-To:
References: <1228112352.3841.13.camel@unix> <1228223603.9691.19.camel@gorn> <1228233441.2973.17.camel@unix> <1228244012.9691.22.camel@gorn> <1228246875.2928.1.camel@unix> <1228310523.9691.387.camel@gorn> <1228336248.903.1.camel@gorn>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 3, 2008 at 1:06 PM, Justin Mattock wrote:
> On Wed, Dec 3, 2008 at 12:30 PM, Christopher J. PeBenito
> wrote:
>> On Wed, 2008-12-03 at 08:49 -0800, Justin Mattock wrote:
>>> with the newrole mechanism, if
>>> I log in as sysadm_r, then change roles to
>>> user_r, I see the:
>>> allow newrole user_r process transition
>>> (but can never be put into the policy?)
>>> With the older policies I would
>>> initially login as sysadm_r, then
>>> login to staff_t for starting the internet,
>>> then user_r for entertainment needs
>>> but with this new mechanism, seems to
>>> be something different!!
>>
>> I fixed a mistake in the role change constraint. svn up and it should
>> work again.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
>
> Cool thanks for looking into this,
> unfortunately I can't get this thing to compile
> to get to the point of changing roles.
> unless you're talking about:
> git clone http://oss.tresys.com/git/selinux.git
> then I can go ahead and do a git-pull
> and see if I get that annoying
> newrole *_t process transition thing..
> (In any case my head hurts,
> I need a beer) ;^)
>
> --
> Justin P. Mattock
>

O.K. two things here: (or three)
A) I really don't know what I'm doing, but am willing to try.
B) Thank you very much for the help, and patience.
C) I finally figured it out. The policy doesn't like sudo, or su,
e.g. starting a terminal with nubuntu: under .fluxbox/init I see
aterm -e sudo su
reason for the error when compiling.
If I start aterm (normally), the policy will compile; if I use
newrole -r user_r -- -c /usr/bin/firefox
in aterm I can change roles and use firefox. (in full enforced mode)
wpa_supplicant seems a bit interesting since I need to be root to run...
(probably need to have this run during boot)
the radio (bmpx) seems to create sysadm_dbus_t,
which tells me another sudo or su scenario.
Is there a command to run an application as root (e.g. wpa_supplicant and dhclient)?
Anyways thanks again,

--
Justin P. Mattock