From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 09 Mar 2011 10:49:11 +0100
Subject: [refpolicy] [PATCH 13/34]: patch to allow networkmanager dbus chat
In-Reply-To: <1e2c5493-fd5d-4770-8bfe-fb0b0ad05234@email.android.com>
References: <1297836836.3205.56.camel@tesla.lan> <4D651B7A.4010100@tresys.com>
 <1298487030.29671.20.camel@tesla.lan> <4D74E408.2050501@tresys.com>
 <1299517796.2978.41.camel@tesla.lan> <4D7533E5.9050806@tresys.com>
 <1299533995.2967.23.camel@tesla.lan>
 <1e2c5493-fd5d-4770-8bfe-fb0b0ad05234@email.android.com>
Message-ID: <1299664151.1680.11.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Russell,

thanks for your reply.

On Wed, 09/03/2011 at 19.03 +1100, Russell Coker wrote:
> > think my latest reply was not the proper answer to your question.
> > What I meant for "everything is running as xdm_t" is that as a normal
> > user if you type "id -Z" from the gnome-terminal, then you get xdm_t
> > (which still looks suspicious to me).
>
> That usually means that you don't have PAM configured correctly.
> Probably your xdm is not compiled with SE support and you are not
> using pam_selinux.so.

The first. It's a simple pam config without pam_selinux.so (for gdm). I
think I had removed it temporarily because it was causing issues.

> > It's just something very simple. A make target which runs ps axZ (as
> > sysadm) and compares a few very basic things:
> >
> > - if init has properly transitioned to its context (apparently at the
> > moment no one cares if it hasn't, which is quite worrying as everything
>
> I am working on test VMs for Debian now and plan to do such things.

Excellent. What do you mean for VMs?

In any case if you have time to do it then please try to do something
which applies to everybody and can then be customized for Debian if
necessary.

Christopher did not comment on this (yet)...

> > By the way, Tresys' SMTP server is blocking some mail from dynamically
> > allocated mobile Internet connections (using barracudanetworks.com). I
>
> You should configure your phone to send through a smart host. I am
> going to run such a server for SE testing, contact me off list for an
> account.

Yes, of course if I change my SMTP server... But most people are not
bothered of doing that. I think the idea behind stuff such as barracuda
is good but unfortunately it does not apply very well to the case of
dynamically assigned addresses.

I had to reply on the list in any case because of the other issues.
Perhaps you can send me an account off-list... The same thing happened
with your address Russell.

Regards,

Guido
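
The check discussed in this message (run ps axZ and compare a few basic contexts), as an added example that is not part of the original e-mail or of refpolicy. The function and sample names are hypothetical; it assumes PID 1 should run with type init_t and treats any process on a pseudo-terminal that is still in xdm_t as the missing pam_selinux.so symptom described above.

```shell
# Sanity-check SELinux process contexts taken from `ps axZ` output.
# stdin: "LABEL PID TTY STAT TIME COMMAND" lines; findings go to stdout.
# Exit status: 0 = no findings, 1 = at least one finding.
check_contexts() {
    awk '
    NR == 1 && $1 == "LABEL" { next }          # skip the ps header line
    {
        split($1, ctx, ":")                    # user:role:type[:level]
        type = ctx[3]; pid = $2; tty = $3
        if (pid == 1) {
            seen_init = 1
            if (type != "init_t") {
                printf "FAIL pid 1 runs as %s, expected init_t\n", type
                bad++
            }
        }
        # Assumption: a process on a pseudo-terminal belongs to a user
        # session and should have left the display manager domain.
        if (tty ~ /^pts\// && type == "xdm_t") {
            printf "FAIL pid %s (%s) on %s still in xdm_t\n", pid, $6, tty
            bad++
        }
    }
    END {
        if (!seen_init) { print "FAIL pid 1 not found in input"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample showing both problems from the thread.
sample_bad() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:kernel_t:s0       1 ?        Ss     0:01 /sbin/init
system_u:system_r:xdm_t:s0       1450 ?        Ssl    0:00 /usr/sbin/gdm
system_u:system_r:xdm_t:s0       2301 pts/0    Ss     0:00 bash
EOF
}

# Constructed sample of the expected state.
sample_good() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0         1 ?        Ss     0:01 /sbin/init
system_u:system_r:xdm_t:s0       1450 ?        Ssl    0:00 /usr/sbin/gdm
user_u:user_r:user_t:s0          2301 pts/0    Ss     0:00 bash
EOF
}
```

On a live system the input would come from `ps axZ | check_contexts`, and a make target can rely on the exit status.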