From: nicky726@gmail.com (Nicky 726)
Date: Fri, 4 Sep 2009 16:52:37 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

> Date: Thu, 3 Sep 2009 22:36:17 +0200
> From: Dominick Grift
> Subject: Re: [refpolicy] Basic policy for KDE and Konqueror
> To: refpolicy at oss.tresys.com
> Message-ID: <20090903203617.GA2709@notebook3.grift.internal>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thu, Sep 03, 2009 at 10:15:23PM +0200, Nicky726 wrote:
>> Hello,
>>
>> I've been reviewing and testing my policy for Konqueror according to Dominick
>> Grift's comments. Now I've got confused with the dbus affair:
>>
>> On Wed, 12 August 2009 20:58:03, Dominick Grift wrote:
>> > use proper dbus interfaces (not dbus unconfined)
>>
>> The thing is that Konqueror starts only with dbus_unconfined(). If I use
>> dbus_system_bus_client() I got a message that Konqueror can't be registered
>> with dbus, as there is already another one registered. If I use
>> dbus_session_bus_client() I got absolutely no output. In both cases Konqueror
>> won't start and no AVC denials are displayed.
>>
>> As I looked into Evolution and Mozilla policy sources, there are only these
>> two interfaces used. Are there some other steps needed for it to work? Or are
>> there some better suited interfaces? Do you have other suggestions?
> dbus policy is a bit "underdeveloped". are you looking in the right places for avc denials?
>
> ausearch -m user_avc -ts today
> grep -i dbus /var/log/messages
>
> dbus throws its denials all around the place. some stuff goes to audit.log other stuff goes to messages.
>
> can you show us your dbus related avc denials?
>>
>> Thanks for your time,
>> Ondrej Vadinsky

This is what I get from /var/log/messages:

In the meantime:
Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)
Sep 4 16:23:44 tsubaki dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=5)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 4 16:23:44 tsubaki dbus: Reloaded configuration
Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)

With no dbus interface called:
Sep 4 16:23:59 tsubaki dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2807 scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus

With dbus_system_bus_client:
Sep 4 16:45:35 tsubaki dbus: avc: denied { acquire_svc } for service=org.kde.konqueror-2869 spid=2869 scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus

With dbus_session_bus_client:
Sep 4 16:48:52 tsubaki dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2897 scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus

Thanks for your time,
Ondrej Vadinsky

-- 
"Don't it always seem to go
That you don't know what you've got
Till it's gone."
                    (Joni Mitchell)
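
Added example, not part of the original message or of refpolicy: a small Python parser for the dbus user-space AVC lines quoted above. It skips the non-denial dbus lines, extracts the permission, source and target types, and groups the denials into audit2allow-style rules for review. The function names are hypothetical; the sample lines are copied from the message.

```python
import re
from collections import defaultdict

# Sample input: dbus lines from /var/log/messages as quoted in the message above.
CTX = ("scontext=unconfined_u:unconfined_r:konqueror_t:s0-s0:c0.c1023 "
       "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus")
SAMPLE = "\n".join([
    "Sep 4 16:23:44 tsubaki dbus: avc: received policyload notice (seqno=5)",
    "Sep 4 16:23:44 tsubaki dbus: Reloaded configuration",
    "Sep 4 16:23:59 tsubaki dbus: avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2807 " + CTX,
    "Sep 4 16:45:35 tsubaki dbus: avc: denied { acquire_svc } for "
    "service=org.kde.konqueror-2869 spid=2869 " + CTX,
    "Sep 4 16:48:52 tsubaki dbus: avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2897 " + CTX,
])

# Tolerates the single or double spaces syslog may put around "denied" and the braces.
DENIAL = re.compile(r"dbus: avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_denials(text):
    """Return one dict per dbus AVC denial; policyload notices etc. are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated line: not enough to build a rule from
        denials.append({
            "perms": m.group("perms").split(),
            "source": fields["scontext"].split(":")[2],   # type is the 3rd context field
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "detail": fields.get("member") or fields.get("service"),
        })
    return denials

def summarize(denials):
    """Merge permissions per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(summarize(parse_denials(SAMPLE))))
```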