From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 15 Aug 2016 16:28:25 +0200
Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
In-Reply-To: <1471269328.18030.13.camel@trentalancia.net>
References: <1471094827.21480.13.camel@trentalancia.net>
 <1471098223.21480.19.camel@trentalancia.net>
 <1471201796.27146.16.camel@trentalancia.net>
 <1471204109.27146.31.camel@trentalancia.net>
 <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org>
 <20160815031953.GA22106@meriadoc.perfinion.com>
 <1471269328.18030.13.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/15/2016 03:55 PM, Guido Trentalancia wrote:
> Hello Jason.
>
> Thanks for getting back on this.
>
> On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
>> On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
>>> On 08/14/16 15:48, Guido Trentalancia wrote:
>>>> Hello Chris.
>>>>
>>>> On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
>>>>> On 08/14/16 15:09, Guido Trentalancia wrote:
>>>>>> Update for the xserver module:
>>>>>>
>>>>>> - updated the file contexts for the Xsession script;
>>>>>> - created an interface for chatting over dbus with
>>>>>> xdm (currently used by the userdomain module in
>>>>>> the common user template);
>>>>>> - added permission to chat over dbus with colord.
>>>>>
>>>>> Merged, though I moved the interface up.
>>>>
>>>> Excellent.
>>
>> What distro (or version of distro) are you on?
>
> It's not a distribution, but rather just Linux and GNU stuff built from
> scratch. It's not Linuxfromscratch, as I do not follow their way of
> building stuff, but similar to it.
>
> It's as close as possible to the original source code (i.e. patches
> kept to the minimum and configure options closest to the default).
>
>>>> This is what is missing now:
>>>>
>>>> - the gnome module: this is very important, I am now improving it as
>>>> suggested by Dominick Grift;
>>>> - the dbus patch for binary execution (otherwise it refuses to
>>>> start);
>>
>> I have the same file on gentoo and dbus all starts fine. In general
>> things marked bin_t are not terrible so I'm not hugely against adding
>> the perm. Is this for a new version of dbus or something?
>
> I am always using the latest version of everything, so it's latest
> dbus.
>
> Please note that there should be references of this in the source
> code... Did you get a chance to look there?
>
> Might be the following:
>
> dbus/dbus-transport-unix.c: c = dbus_connection_open
> ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
>

For the record: just because I advise against this, that means just that, not much. I am just rambling, saying what is on my mind. It is up to others to decide what is right and what is wrong for them. I am fine with things either way. I just like to talk about this stuff and share some of my experiences.

> Also, many .service files have the following:
>
> Exec=/bin/false
>
>> I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
>> code it's calling that and that would give more insight to why.
>
> See above.
>
>> /bin/false is frequently used in /etc/passwd so it might be something
>> to do with that?
>
> I don't think so. It's used in /etc/passwd to deny a login for virtual
> users (such as daemons).
>
>>>> - the new fc_sort patch if you like the idea of installing it
>>>> system-wide to avoid execution permission problems (e.g. in /usr/src);
>>
>> sysadm_t has full permissions in to src_t already? otherwise compiling
>
> It's a bug in the git module then. It should create files in /usr/src
> with automatic transition to the src_t type.
>
>> the kernel wouldn't work either since it has many scripts it needs to
>> run too.
>> How are you installing the sources?
>> In general the package manager
>> should be force-resetting the labels on the files as it merges them
>> into the main FS.
>>
>>>> - a patch to make use of the new module_load permission to load
>>>> kernel module (problem of the appropriate location for
>>>> modules_object_t).
>>
>> I got a report on gentoo about things failing on kernel 4.7. I think
>> this one is required to fix it.
>
> See above, we need to tackle the git module with a simple fix.
>
>>>>
>>>> It's all about patches that are being reviewed, there are no
>>>> other patches...
>
> Apart from the lvm module that was left out for some reason.
>
>>> In the future I'd ask that you post related patches as a series, so
>>> we can see that patches are related.
>>
>> Seconded, this makes it easier to follow.
>> $ git format-patch origin/master..mybranch
>> $ git send-email --to=refpolicy@oss.tresys.com --compose 000*.patch
>> the --compose switch will open an editor so you can write a short
>> message about the series and then all the other patches are replies to that.
>>
>> -- Jason
>
> Thanks Jason, I'll give it a try...
>
> Regards,
>
> Guido

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift