From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat, 23 Jun 2012 11:12:09 +0200
Subject: [refpolicy] [PATCH]: missing file context for system-tools-backends (gnome)
In-Reply-To: <1340441995.2934.5.camel@vortex>
References: <1340226181.23287.2.camel@vortex> <1340268079.9690.35.camel@x220.mydomain.internal> <1340300284.2992.9.camel@vortex> <1340301537.9690.45.camel@x220.mydomain.internal> <1340441995.2934.5.camel@vortex>
Message-ID: <1340442729.1572.7.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2012-06-23 at 10:59 +0200, Guido Trentalancia wrote:
>
> And by the way, since you were asking, corecmd_exec_bin is needed when
> the backends are executed, for example, by gnome-system-tools (since the
> script had been labelled as a generic binary executable to avoid
> creating a new module built for the purpose).
>
> Not everybody might want system_dbusd_t to execute binaries, so that's
> the reason for the boolean.
>
> Regards,
>
> Guido
>

I am still trying to make sense out of all this, but:

I guess we should make system-tools-backends a dbus_system_domain(), i.e. make system_dbusd_t domain transition to a private domain type for system-tools-backends when its executable files get executed.

That way we don't have to allow system_dbusd_t to run generic binaries.
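
The two approaches discussed in this message, side by side, as an added sketch that is not part of the original post or of refpolicy itself. The module name, the types `stb_t` and `stb_exec_t`, the boolean name and the file-context path are placeholders (the page gives none of them); `gen_tunable()`, `tunable_policy()`, `corecmd_exec_bin()` and `dbus_system_domain()` are existing refpolicy macros.

```selinux
########################################
# Approach in the quoted reply: the backend script is labelled as a
# generic binary (bin_t), so system_dbusd_t itself needs permission to
# execute bin_t files. A boolean lets administrators opt in.
# Shown as it would sit inside the dbus module, where system_dbusd_t
# is declared. The boolean name is a placeholder.
gen_tunable(dbus_exec_bin_placeholder, false)

tunable_policy(`dbus_exec_bin_placeholder',`
	# When enabled, system_dbusd_t may run ANY bin_t executable in its
	# own domain, not only the system-tools-backends script.
	corecmd_exec_bin(system_dbusd_t)
')

########################################
# Approach proposed in this reply: a private domain for the backends.
# stb_placeholder.te (module and type names are placeholders)
policy_module(stb_placeholder, 1.0.0)

type stb_t;
type stb_exec_t;

# Marks stb_t as a system bus service domain with stb_exec_t as its
# entry point: system_dbusd_t transitions to stb_t when it executes a
# file labelled stb_exec_t, and needs no access to generic binaries.
dbus_system_domain(stb_t, stb_exec_t)

# The rules the backends actually need are then granted to stb_t only,
# and are found by testing in permissive mode and reviewing AVC denials.

########################################
# stb_placeholder.fc
# The path below is a placeholder, not the real install location.
/PLACEHOLDER/path/to/system-tools-backends	--	gen_context(system_u:object_r:stb_exec_t,s0)
```

With the second form no boolean is needed, because the only new execute permission given to `system_dbusd_t` is scoped to files labelled `stb_exec_t`.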