From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 07 Mar 2011 18:09:56 +0100
Subject: [refpolicy] [PATCH 13/34]: patch to allow networkmanager dbus chat
In-Reply-To: <4D74E408.2050501@tresys.com>
References: <1297836836.3205.56.camel@tesla.lan> <4D651B7A.4010100@tresys.com> <1298487030.29671.20.camel@tesla.lan> <4D74E408.2050501@tresys.com>
Message-ID: <1299517796.2978.41.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 07/03/2011 at 08.56 -0500, Christopher J. PeBenito wrote:
> On 02/23/11 13:50, Guido Trentalancia wrote:
> > Hello Christopher !
> >
> > On Wed, 23/02/2011 at 09.36 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:13, Guido Trentalancia wrote:
> >>> This patch allows dbus chat between networkmanager and dbus and
> >>> between networkmanager and xdm. It also adds a missing permission
> >>> (sysnet_read_dhcpc_state) to the networkmanager module.
> >>>
> >>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/dbus.te refpolicy-git-15022011-new-modified/policy/modules/services/dbus.te > >>> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/dbus.te 2011-02-15 23:15:42.079074132 +0100 > >>> +++ refpolicy-git-15022011-new-modified/policy/modules/services/dbus.te 2011-02-15 23:17:05.366699083 +0100 
> >>> @@ -156,6 +156,10 @@ optional_policy(` > >>> ') > >>> > >>> optional_policy(` > >>> + networkmanager_dbus_chat(system_dbusd_t) > >>> +') > >>> + > >>> +optional_policy(` > >>> policykit_dbus_chat(system_dbusd_t) > >>> policykit_domtrans_auth(system_dbusd_t) > >>> policykit_search_lib(system_dbusd_t) > >>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/networkmanager.te refpolicy-git-15022011-new-modified/policy/modules/services/networkmanager.te > >>> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100 > >>> +++ refpolicy-git-15022011-new-modified/policy/modules/services/networkmanager.te 2011-02-15 23:17:58.800809233 +0100 > >>> @@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_ > >>> sysnet_domtrans_dhcpc(NetworkManager_t) > >>> sysnet_signal_dhcpc(NetworkManager_t) > >>> sysnet_read_dhcpc_pid(NetworkManager_t) > >>> +sysnet_read_dhcpc_state(NetworkManager_t) > >>> sysnet_delete_dhcpc_pid(NetworkManager_t) > >>> sysnet_search_dhcp_state(NetworkManager_t) > >>> # in /etc created by NetworkManager will be labelled net_conf_t. > >>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/xserver.te refpolicy-git-15022011-new-modified/policy/modules/services/xserver.te > >>> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/xserver.te 2011-02-15 23:07:24.845137330 +0100 > >>> +++ refpolicy-git-15022011-new-modified/policy/modules/services/xserver.te 2011-02-15 23:17:05.369699539 +0100 
> >>> @@ -548,6 +548,10 @@ optional_policy(` > >>> ') > >>> > >>> optional_policy(` > >>> + networkmanager_dbus_chat(xdm_t) > >>> +')
> >>
> >> Is there something new with xdm? I'm concerned that more dbus
> >> communications are added (this patch and others) with seemingly
> >> unrelated services.
> >
> > What do you mean exactly by "something new with xdm" ? Do you mean new
> > features ?
>
> Yes.

Then new features compared to which version ? I don't know the version
you took as reference...

The display manager version I used for testing was: gdm version 2.32.0
from gnome.org.

> > And what do you mean by unrelated services exactly ? NetworkManager not
> > being very much related to xdm ?
>
> Yes.

Yes, that makes sense to me. But I don't know the details...

> > Yes, it's not entirely clear to me
> > either. But could that be due to the applet ?
>
> I assume you mean the one that runs in the gnome panel. If so, I
> wouldn't think so, since that would be running in the user's domain.

Yes, that was what I meant by applet.

> > More or less I have reported back what was being requested (in the form
> > of a patch).
>
> It makes me wonder if everything is running in the right domain.

That could be. But I have not been provided with a reference. So, can
you provide a reference ps auxZ which I will then compare as soon as I
can access the test system again ?

Also, what do you think about the idea of providing a make target (say
"make check") in refpolicy which runs some minimal checks on that for at
least the core processes ?

Regards,

Guido
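
Review bot: in the dbus.te hunk, networkmanager_dbus_chat(system_dbusd_t) is added for the bus daemon's own domain, and the description gives no denial that motivates it. The neighbouring policykit_dbus_chat(system_dbusd_t) block is a precedent for the form, but please quote the AVC message (source and target context, permission) that this rule answers, so the access can be judged against what the daemon actually needs.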
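
Review bot: the sysnet_read_dhcpc_state(NetworkManager_t) line in the networkmanager.te hunk is unrelated to the dbus chat change named in the subject and would be easier to review and revert as its own patch. The description calls it a missing permission without saying what is denied; please include the denial, and say whether it makes the existing sysnet_search_dhcp_state(NetworkManager_t) two lines below redundant.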
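
Review bot: networkmanager_dbus_chat(xdm_t) in the xserver.te hunk has no stated justification, and the thread itself is unsure why a display manager would talk to NetworkManager. Before granting it, confirm from the denial's scontext and comm fields, or from ps auxZ, that the requesting process is meant to run in xdm_t; if it is a mislabelled helper, the fix belongs in its file context or domain transition rather than in a wider xdm_t rule.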
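
One way the domain check asked about at the end of this message could look, as an added example that is not part of the original mail or of refpolicy: it compares "ps -eo label,comm" output against the types named in the patch. The process names, the check_domains helper and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Expected SELinux type per daemon. The types are the ones named in the patch;
# the process names are assumptions and vary between distributions.
EXPECTED='NetworkManager NetworkManager_t
dbus-daemon system_dbusd_t
gdm-binary xdm_t'

# Constructed sample in "ps -eo label,comm" format, not taken from a real host.
SAMPLE='LABEL COMMAND
system_u:system_r:NetworkManager_t:s0 NetworkManager
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 dbus-daemon
system_u:system_r:initrc_t:s0 gdm-binary
staff_u:staff_r:staff_dbusd_t:s0 dbus-daemon'

# check_domains (hypothetical helper): reads "ps -eo label,comm" output on
# stdin, prints one line per finding and returns non-zero if an expected
# daemon is missing or runs in another type.
check_domains() {
    EXPECTED="$EXPECTED" awk '
    BEGIN {
        n = split(ENVIRON["EXPECTED"], rows, "\n")
        for (i = 1; i <= n; i++) { split(rows[i], f, " "); want[f[1]] = f[2] }
    }
    NR > 1 && ($2 in want) {
        split($1, ctx, ":")              # user:role:type[:mls-range]
        if (ctx[2] != "system_r") next   # skip per-user copies (session bus)
        seen[$2] = 1
        if (ctx[3] != want[$2]) {
            printf "MISMATCH %s runs as %s, expected %s\n", $2, ctx[3], want[$2]
            bad = 1
        }
    }
    END {
        for (p in want) if (!(p in seen)) { printf "MISSING %s\n", p; bad = 1 }
        exit bad + 0
    }'
}

# Live use: ps -eo label,comm | check_domains
printf '%s\n' "$SAMPLE" | check_domains || echo "domain check failed"
```

A daemon started by hand from an administrator's shell does not carry the system_r role and is therefore reported as MISSING rather than MISMATCH.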