From: jason@perfinion.com (Jason Zaman)
Date: Mon, 15 Aug 2016 22:31:34 +0800
Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
In-Reply-To: <1471269328.18030.13.camel@trentalancia.net>
References: <1471094827.21480.13.camel@trentalancia.net>
 <1471098223.21480.19.camel@trentalancia.net>
 <1471201796.27146.16.camel@trentalancia.net>
 <1471204109.27146.31.camel@trentalancia.net>
 <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org>
 <20160815031953.GA22106@meriadoc.perfinion.com>
 <1471269328.18030.13.camel@trentalancia.net>
Message-ID: <20160815143134.GA9815@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Aug 15, 2016 at 03:55:28PM +0200, Guido Trentalancia wrote:
> Hello Jason.
>
> Thanks for getting back on this.
>
> On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
> > On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> > > On 08/14/16 15:48, Guido Trentalancia wrote:
> > > > Hello Chris.
> > > >
> > > > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> > > > > On 08/14/16 15:09, Guido Trentalancia wrote:
> > > > > > Update for the xserver module:
> > > > > >
> > > > > > - updated the file contexts for the Xsession script;
> > > > > > - created an interface for chatting over dbus with
> > > > > >   xdm (currently used by the userdomain module in
> > > > > >   the common user template);
> > > > > > - added permission to chat over dbus with colord.
> > > > >
> > > > > Merged, though I moved the interface up.
> > > >
> > > > Excellent.
> >
> > What distro (or version of distro) are you on?
>
> It's not a distribution, but rather just Linux and GNU stuff built from
> scratch. It's not Linuxfromscratch, as I do not follow their way of
> building stuff, but similar to it.
>
> It's as close as possible to the original source code (i.e. patches
> kept to the minimum and configure options closest to the default).
>
> > > > This is what is missing now:
> > > >
> > > > - the gnome module: this is very important, I am now improving it
> > > > as
> > > > suggested by Dominick Grift;
> > > > - the dbus patch for binary execution (otherwise it refuses to
> > > > start);
> >
> > I have the same file on gentoo and dbus all starts fine. In general
> > things marked bin_t are not terrible so I'm not hugely against adding
> > the perm. Is this for a new version of dbus or something?
>
> I am always using the latest version of everything, so it's latest
> dbus.

I'm on the latest release in their stable branch too, so not sure why
yours fails but mine doesn't.

>
> Please note that there should be references of this in the source
> code... Did you get a chance to look there?
>
> Might be the following:
>
> dbus/dbus-transport-unix.c:  c = dbus_connection_open
> ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);

Could be this. Are you up for strace/gdb'ing to confirm?

>
> Also, many .service files have the following:
>
> Exec=/bin/false

If this was it, it would fail as init_t or initrc_t. Your dbus is
failing later on, so it can't be something like this.

> > I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in the
> > code it's calling that and that would give more insight to why.
>
> See above.
>
> > /bin/false is frequently used in /etc/passwd so it might be something
> > to
> > do with that?
>
> I don't think so. It's used in /etc/passwd to deny a login for virtual
> users (such as daemons).
>
> > > > - the new fc_sort patch if you like the idea of installing it
> > > > system-
> > > > wide to avoid execution permission problems (e.g. in /usr/src);
> >
> > sysadm_t has full permissions in to src_t already? otherwise
> > compiling
>
> It's a bug in the git module then. It should create files in /usr/src
> with automatic transition to the src_t type.

/usr/bin/git is bin_t, so it will run as sysadm_t.

You mean you are doing:

cd /usr/src/
git clone git://github.com/TresysTechnology/refpolicy.git

and it's failing? That definitely gets it all as src_t for me:

meriadoc src # id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
meriadoc src # ls -ldZ /usr/src/refpolicy/
drwxr-xr-x. 8 root root staff_u:object_r:src_t:s0 22 Aug 15 22:05 /usr/src/refpolicy//

Everything under that dir is also src_t. There should be no problems.
The git policy is for git daemon and gitweb. The main "git" binary is
just bin_t. What label do you have on it after checking out?

-- Jason

>
> > the kernel wouldn't work either since it has many scripts it needs to
> > run
> > too.
> > How are you installing the sources? In general the package manager
> > should be force-resetting the labels on the files as it merges them
> > into
> > the main FS.
> >
> > > > - a patch to make use of the new module_load permission to load
> > > > kernel
> > > > module (problem of the appropriate location for
> > > > modules_object_t).
> >
> > I got a report on gentoo about things failing on kernel 4.7. I think
> > this one is required to fix it.
>
> See above, we need to tackle the git module with a simple fix.
>
>
> > > >
> > > > It's all about patches that are being reviewed, there are no
> > > > other
> > > > patches...
>
> Apart from the lvm module that was left out for some reason.
>
> > > In the future I'd ask that you post related patches as a series, so
> > > we
> > > can see that patches are related.
> >
> > Seconded, this makes it easier to follow.
> > $ git format-patch origin/master..mybranch
> > $ git send-email --to=refpolicy at oss.tresys.com --compose 000*.patch
> > the --compose switch will open an editor so you can write a short
> > message
> > about the series and then all the other patches are replies to that.
> >
> > -- Jason
>
> Thanks Jason, I'll give it a try...
>
> Regards,
>
> Guido
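The check Jason asks for at the end of his message (what type the checked-out tree actually carries) can be scripted over `ls -lZ` output. The script below is an added example, not code from this thread or from refpolicy; it assumes the coreutils `ls -lZ` column order shown in the `ls -ldZ` line above (security context in the fifth column, file name last, names without spaces) and runs offline on a constructed listing in which one file has been left as user_home_t instead of src_t.

```sh
#!/bin/sh
# Added example (not from the refpolicy thread): find entries in an
# `ls -lZ`-style listing whose SELinux type is not the one expected for
# the tree, e.g. src_t for a checkout under /usr/src.

# The third colon-separated field of user:role:type[:range] is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -lZ` (or `ls -lRZ`) lines on stdin and print "<type> <name>"
# for every entry whose type differs from $1. "dir:" headers and
# "total N" lines have fewer than five fields and are skipped.
# Assumes the context is column 5 and the name is the last column.
list_mislabeled() {
    awk -v want="$1" 'NF >= 5 {
        split($5, ctx, ":")
        if (ctx[3] != want) print ctx[3], $NF
    }'
}

# Same input, but print only the number of mismatched entries.
count_mislabeled() {
    awk -v want="$1" 'NF >= 5 { split($5, ctx, ":"); if (ctx[3] != want) n++ }
                      END { print n + 0 }'
}

# Constructed sample listing, modelled on the `ls -ldZ` line in the
# thread. The README line deliberately carries user_home_t, as a file
# copied in from a home directory without a relabel would.
SAMPLE_LISTING='/usr/src/refpolicy:
total 8
drwxr-xr-x. 2 root root staff_u:object_r:src_t:s0 4096 Aug 15 22:05 policy
-rw-r--r--. 1 root root staff_u:object_r:src_t:s0 1024 Aug 15 22:05 Makefile
-rw-r--r--. 1 root root staff_u:object_r:user_home_t:s0 512 Aug 15 22:05 README'

# Demonstration on the sample: prints "user_home_t README".
# On a live tree: ls -lRZ /usr/src/refpolicy | list_mislabeled src_t
printf '%s\n' "$SAMPLE_LISTING" | list_mislabeled src_t
```

This only compares against a type you name; on an SELinux system, `restorecon -nv` over the same tree reports the differences against the file contexts the loaded policy actually prescribes, which is the check to run before concluding that a module's file transitions are wrong.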