From: jason@perfinion.com (Jason Zaman)
Date: Mon, 15 Aug 2016 11:19:53 +0800
Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
In-Reply-To: <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org>
References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> <1471201796.27146.16.camel@trentalancia.net> <1471204109.27146.31.camel@trentalancia.net> <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org>
Message-ID: <20160815031953.GA22106@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> On 08/14/16 15:48, Guido Trentalancia wrote:
> > Hello Chris.
> >
> > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> >> On 08/14/16 15:09, Guido Trentalancia wrote:
> >>> Update for the xserver module:
> >>>
> >>> - updated the file contexts for the Xsession script;
> >>> - created an interface for chatting over dbus with
> >>> xdm (currently used by the userdomain module in
> >>> the common user template);
> >>> - added permission to chat over dbus with colord.
> >>
> >> Merged, though I moved the interface up.
> >
> > Excellent.

What distro (or version of distro) are you on?

> > This is what is missing now:
> >
> > - the gnome module: this is very important, I am now improving it as
> > suggested by Dominick Grift;
> > - the dbus patch for binary execution (otherwise it refuses to start);

I have the same file on Gentoo and dbus all starts fine. In general
things marked bin_t are not terrible so I'm not hugely against adding
the perm. Is this for a new version of dbus or something? I'm on
sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the code it's
calling that and that would give more insight to why. /bin/false is
frequently used in /etc/passwd so it might be something to do with that?

> > - the new fc_sort patch if you like the idea of installing it system-
> > wide to avoid execution permission problems (e.g. in /usr/src);

sysadm_t has full permissions in to src_t already? Otherwise compiling
the kernel wouldn't work either since it has many scripts it needs to
run too. How are you installing the sources? In general the package
manager should be force-resetting the labels on the files as it merges
them into the main FS.

> > - a patch to make use of the new module_load permission to load kernel
> > module (problem of the appropriate location for modules_object_t).

I got a report on Gentoo about things failing on kernel 4.7. I think
this one is required to fix it.

> >
> > It's all about patches that are being reviewed, there are no other
> > patches...
>
> In the future I'd ask that you post related patches as a series, so we
> can see that patches are related.

Seconded, this makes it easier to follow.

$ git format-patch origin/master..mybranch
$ git send-email --to=refpolicy@oss.tresys.com --compose 000*.patch

The --compose switch will open an editor so you can write a short
message about the series and then all the other patches are replies to
that.

-- Jason

> I've pushed all of the merged changes, plus my modifications. Please
> rebase any remaining patches.
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy