From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 15 Aug 2016 15:55:28 +0200
Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
In-Reply-To: <20160815031953.GA22106@meriadoc.perfinion.com>
References: <1471094827.21480.13.camel@trentalancia.net>
 <1471098223.21480.19.camel@trentalancia.net>
 <1471201796.27146.16.camel@trentalancia.net>
 <1471204109.27146.31.camel@trentalancia.net>
 <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org>
 <20160815031953.GA22106@meriadoc.perfinion.com>
Message-ID: <1471269328.18030.13.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Jason.

Thanks for getting back on this.

On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
> On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> > On 08/14/16 15:48, Guido Trentalancia wrote:
> > > Hello Chris.
> > >
> > > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> > > > On 08/14/16 15:09, Guido Trentalancia wrote:
> > > > > Update for the xserver module:
> > > > >
> > > > > - updated the file contexts for the Xsession script;
> > > > > - created an interface for chatting over dbus with
> > > > >   xdm (currently used by the userdomain module in
> > > > >   the common user template);
> > > > > - added permission to chat over dbus with colord.
> > > >
> > > > Merged, though I moved the interface up.
> > >
> > > Excellent.
>
> What distro (or version of distro) are you on?

It's not a distribution, but rather just Linux and GNU stuff built from scratch. It's not Linuxfromscratch, as I do not follow their way of building stuff, but similar to it. It's as close as possible to the original source code (i.e. patches kept to the minimum and configure options closest to the default).

> > > This is what is missing now:
> > >
> > > - the gnome module: this is very important, I am now improving it as
> > >   suggested by Dominick Grift;
> > > - the dbus patch for binary execution (otherwise it refuses to
> > >   start);
>
> I have the same file on gentoo and dbus all starts fine. In general
> things marked bin_t are not terrible so I'm not hugely against adding
> the perm. Is this for a new version of dbus or something?

I am always using the latest version of everything, so it's the latest dbus.

Please note that there should be references to this in the source code... Did you get a chance to look there?

Might be the following:

dbus/dbus-transport-unix.c:  c = dbus_connection_open ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);

Also, many .service files have the following:

Exec=/bin/false

> I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
> code it's calling that and that would give more insight to why.

See above.

> /bin/false is frequently used in /etc/passwd so it might be something to
> do with that?

I don't think so. It's used in /etc/passwd to deny a login for virtual users (such as daemons).

> > > - the new fc_sort patch if you like the idea of installing it
> > >   system-wide to avoid execution permission problems (e.g. in /usr/src);
>
> sysadm_t has full permissions into src_t already? otherwise compiling

It's a bug in the git module then. It should create files in /usr/src with automatic transition to the src_t type.

> the kernel wouldn't work either since it has many scripts it needs to run
> too.
> How are you installing the sources? in general the package manager
> should be force-resetting the labels on the files as it merges them into
> the main FS.
>
> > > - a patch to make use of the new module_load permission to load kernel
> > >   module (problem of the appropriate location for modules_object_t).
>
> I got a report on gentoo about things failing on kernel 4.7. I think
> this one is required to fix it.

See above, we need to tackle the git module with a simple fix.

> > >
> > > It's all about patches that are being reviewed, there are no other
> > > patches...

Apart from the lvm module that was left out for some reason.

> > In the future I'd ask that you post related patches as a series, so we
> > can see that patches are related.
>
> Seconded, this makes it easier to follow.
> $ git format-patch origin/master..mybranch
> $ git send-email --to=refpolicy@oss.tresys.com --compose 000*.patch
> the --compose switch will open an editor so you can write a short message
> about the series and then all the other patches are replies to that.
>
> --
> Jason

Thanks Jason, I'll give it a try...

Regards,

Guido
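The two commands Jason quotes, carried through end to end as an added example that is not part of the thread or of refpolicy: it builds a throwaway repository with a two-commit topic branch and formats it as a numbered series. It goes slightly beyond the quoted commands by using --cover-letter (a 0000 file for the series summary, instead of --compose) and -v3 (subjects become [PATCH v3 n/N], matching a resubmission like the one in this thread). The repository contents, branch name and commit messages are constructed for the demonstration; the git options are real.

```shell
#!/bin/sh
# Added example, not from the original mail thread. Creates a temporary
# repository, adds two related commits on a topic branch and produces a
# patch series with a cover letter. File contents, branch and commit
# messages below are constructed for the demonstration.
set -eu

# Builds the series and prints the number of .patch files produced
# (one cover letter plus one file per commit), so the result can be checked.
make_series() {
    work=$(mktemp -d)
    (
        cd "$work"
        git init -q 2>/dev/null
        git config user.name "Example Contributor"
        git config user.email "example@example.invalid"

        printf 'base\n' > README
        git add README
        git commit -q -m "Initial commit"
        # Record the base commit so the range does not depend on the
        # default branch name (master or main) of the local git.
        base=$(git rev-parse HEAD)

        # Related changes go on one topic branch so they form one series.
        git checkout -q -b xserver-updates
        printf 'xdm dbus chat interface\n' > xserver.if
        git add xserver.if
        git commit -q -m "xserver: add interface to chat with xdm over dbus"
        printf 'Xsession file context\n' > xserver.fc
        git add xserver.fc
        git commit -q -m "xserver: update the file context for Xsession"

        # -v3: third revision of the series, subjects read [PATCH v3 n/N].
        # --cover-letter: writes v3-0000-cover-letter.patch to hold the
        # summary, so the patches thread as replies to it when sent.
        git format-patch -q -v3 --cover-letter -o series \
            "$base"..xserver-updates

        find series -name '*.patch' | wc -l | tr -d ' '
    )
    rm -rf "$work"
}

# Sending, once the cover letter has been edited (not run here):
#   git send-email --to=refpolicy@oss.tresys.com series/v3-*.patch
# git send-email threads every patch as a reply to the first mail
# (the cover letter) by default.

make_series
```

Sending the series with git send-email makes the cover letter the parent of every patch, which is what lets reviewers see at a glance that the gnome, dbus, fc_sort and module_load changes discussed above belong together.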