From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 15 Aug 2016 16:44:14 +0200
Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
In-Reply-To: <20160815143134.GA9815@meriadoc.perfinion.com>
References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> <1471201796.27146.16.camel@trentalancia.net> <1471204109.27146.31.camel@trentalancia.net> <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org> <20160815031953.GA22106@meriadoc.perfinion.com> <1471269328.18030.13.camel@trentalancia.net> <20160815143134.GA9815@meriadoc.perfinion.com>
Message-ID: <1471272254.18030.17.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

On Mon, 15/08/2016 at 22.31 +0800, Jason Zaman wrote:
> On Mon, Aug 15, 2016 at 03:55:28PM +0200, Guido Trentalancia wrote:
> > Hello Jason.
> >
> > Thanks for getting back on this.
> >
> > On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:
> > > On Sun, Aug 14, 2016 at 04:10:39PM -0400, Chris PeBenito wrote:
> > > > On 08/14/16 15:48, Guido Trentalancia wrote:
> > > > > Hello Chris.
> > > > >
> > > > > On Sun, 14/08/2016 at 15.33 -0400, Chris PeBenito wrote:
> > > > > > On 08/14/16 15:09, Guido Trentalancia wrote:
> > > > > > > Update for the xserver module:
> > > > > > >
> > > > > > > - updated the file contexts for the Xsession script;
> > > > > > > - created an interface for chatting over dbus with
> > > > > > >   xdm (currently used by the userdomain module in
> > > > > > >   the common user template);
> > > > > > > - added permission to chat over dbus with colord.
> > > > > >
> > > > > > Merged, though I moved the interface up.
> > > > >
> > > > > Excellent.
> > >
> > > What distro (or version of distro) are you on?
> >
> > It's not a distribution, but rather just Linux and GNU stuff built
> > from scratch. It's not Linuxfromscratch, as I do not follow their
> > way of building stuff, but similar to it.
> >
> > It's as close as possible to the original source code (i.e. patches
> > kept to the minimum and configure options closest to the default).
> >
> > > > > This is what is missing now:
> > > > >
> > > > > - the gnome module: this is very important, I am now
> > > > >   improving it as suggested by Dominick Grift;
> > > > > - the dbus patch for binary execution (otherwise it refuses
> > > > >   to start);
> > >
> > > I have the same file on gentoo and dbus all starts fine. In
> > > general things marked bin_t are not terrible so I'm not hugely
> > > against adding the perm. Is this for a new version of dbus or
> > > something?
> >
> > I am always using the latest version of everything, so it's latest
> > dbus.
>
> I'm on the latest release in their stable branch too so not sure why
> yours fails but mine doesn't.
>
> > Please note that there should be references of this in the source
> > code... Did you get a chance to look there?
> >
> > Might be the following:
> >
> > dbus/dbus-transport-unix.c:  c = dbus_connection_open
> > ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
>
> Could be this. Are you up for strace/gdb'ing to confirm?

Not now, as I am busy with building and testing the gnome module, which
is more urgent.

> > Also, many .service files have the following:
> >
> > Exec=/bin/false
>
> If this was it, it would fail as init_t or initrc_t. Your dbus is
> failing later on so it can't be something like this.
>
> > > I'm on sys-apps/dbus-1.10.8-r1. Ideally I'd like to see where in
> > > the code it's calling that and that would give more insight to
> > > why.
> >
> > See above.
> >
> > > /bin/false is frequently used in /etc/passwd so it might be
> > > something to do with that?
> >
> > I don't think so. It's used in /etc/passwd to deny a login for
> > virtual users (such as daemons).
> >
> > > > > - the new fc_sort patch if you like the idea of installing it
> > > > >   system-wide to avoid execution permission problems (e.g. in
> > > > >   /usr/src);
> > >
> > > sysadm_t has full permissions in to src_t already? otherwise
> > > compiling
> >
> > It's a bug in the git module then. It should create files in
> > /usr/src with automatic transition to the src_t type.
>
> /usr/bin/git is bin_t, so it will run as sysadm_t.
> You mean you are doing:
> cd /usr/src/
> git clone git://github.com/TresysTechnology/refpolicy.git
> and it's failing?

Exactly. It gets usr_t instead of src_t.

> That definitely gets it all as src_t for me
>
> meriadoc src # id -Z
> staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
> meriadoc src # ls -ldZ /usr/src/refpolicy/
> drwxr-xr-x. 8 root root staff_u:object_r:src_t:s0 22 Aug 15 22:05
> /usr/src/refpolicy//
>
> Everything under that dir is also src_t. There should be no problems.
> The git policy is for git daemon and gitweb. The main "git" binary is
> just bin_t. What label do you have on it after checking out?

git binary is bin_t.

Regards,

Guido
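As an added example that is not part of this thread or of refpolicy: a small POSIX shell script that parses `ls -Z` output to verify that entries under a directory carry the SELinux type the policy should have given them (the src_t-versus-usr_t question discussed above). The parsing functions are exercised on constructed sample lines, one of which reproduces the `ls -ldZ` output quoted in the thread; the live `check_tree_type` function assumes an SELinux-enabled host whose coreutils `ls` supports `-Z`, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): verify that entries
# under a directory carry the expected SELinux type by parsing `ls -Z`.

# Print the SELinux type (third colon-separated component of the
# user:role:type[:level] context) found on one line of `ls -lZ` output.
# Prints nothing when the line carries no file context at all.
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, p, ":")
            if (n >= 3 && p[2] == "object_r") { print p[3]; exit }
        }
    }'
}

# Succeed (exit 0) when the line carries exactly the expected type.
# $1 = expected type, $2 = one `ls -lZ` line
label_matches() {
    [ "$(selinux_type_of_line "$2")" = "$1" ]
}

# Live check on a real tree (assumes an SELinux-enabled host and a
# coreutils `ls` with -Z). Every entry whose type differs from the
# expected one is printed to stderr; succeeds only when all match.
# $1 = directory, $2 = expected type (e.g. src_t)
check_tree_type() {
    mismatches=$(find "$1" -exec ls -ldZ {} + 2>/dev/null |
        while read -r line; do
            label_matches "$2" "$line" || printf '%s\n' "$line"
        done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches" >&2
    return 1
}

# Constructed sample lines: the first reproduces the `ls -ldZ` output
# quoted in the thread, the second is what a mislabelled checkout
# (usr_t instead of src_t) would look like.
SAMPLE_OK='drwxr-xr-x. 8 root root staff_u:object_r:src_t:s0 22 Aug 15 22:05 /usr/src/refpolicy/'
SAMPLE_BAD='drwxr-xr-x. 8 root root staff_u:object_r:usr_t:s0 22 Aug 15 22:05 /usr/src/refpolicy/'

# Usage (hypothetical script name): sh check_src_label.sh /usr/src src_t
if [ "$#" -eq 2 ]; then
    check_tree_type "$1" "$2" && echo "all entries under $1 are $2"
fi
```

Running it as `sh check_src_label.sh /usr/src src_t` after a `git clone` into /usr/src lists every entry that did not get src_t, which is exactly the evidence needed to tell a missing type_transition rule from a one-off mislabel: a whole tree of usr_t points at the policy, a single stray entry points at something copied in from elsewhere.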