From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 16 Aug 2016 17:18:38 +0200
Subject: [refpolicy] [PATCH v3] Update the policy and file contexts for the xserver module
In-Reply-To: <1471269328.18030.13.camel@trentalancia.net>
References: <1471094827.21480.13.camel@trentalancia.net> <1471098223.21480.19.camel@trentalancia.net> <1471201796.27146.16.camel@trentalancia.net> <1471204109.27146.31.camel@trentalancia.net> <8dcff17b-30a2-03a7-2d9e-6def985b1c33@ieee.org> <20160815031953.GA22106@meriadoc.perfinion.com> <1471269328.18030.13.camel@trentalancia.net>
Message-ID: <1471360718.3698.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Jason.

I am finally back to your question...

On Mon, 15/08/2016 at 15.55 +0200, Guido Trentalancia wrote:
> Hello Jason.
>
> Thanks for getting back on this.
>
> On Mon, 15/08/2016 at 11.19 +0800, Jason Zaman wrote:

[...]

> > > > This is what is missing now:
> > > >
> > > > - the gnome module: this is very important, I am now improving it
> > > >   as suggested by Dominick Grift;
> > > > - the dbus patch for binary execution (otherwise it refuses to
> > > >   start);
> >
> > I have the same file on gentoo and dbus all starts fine. In general
> > things marked bin_t are not terrible so I'm not hugely against adding
> > the perm. Is this for a new version of dbus or something?
>
> I am always using the latest version of everything, so it's latest
> dbus.
>
> Please note that there should be references of this in the source
> code... Did you get a chance to look there?
>
> Might be the following:
>
> dbus/dbus-transport-unix.c:  c = dbus_connection_open
> ("unixexec:argv0=false,argv1=foobar,path=/bin/false", &error);
>
> Also, many .service files have the following:
>
> Exec=/bin/false

The matter is finally clarified. It's the latter (the Exec field in the service files)!

Try it yourself, it's extremely easy to reproduce: just create a service file with that field...
Some service files that are executed through systemd use that Exec field, most probably because the Exec field is mandatory for dbus service files.

I am now dropping that dbus patch, because corecmd_exec_bin() executes bin_t executable files BUT the resulting process runs in system_dbusd_t!

Regards,

Guido
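As an added example (not code from the thread, from dbus or from refpolicy), a small POSIX shell check that flags D-Bus service files whose Exec= target sits in a directory refpolicy labels bin_t (/bin, /sbin, /usr/bin, /usr/sbin), i.e. the files that would make system_dbusd_t exec a bin_t program directly instead of transitioning into a service domain. The two service files and their names are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not part of the original thread or of refpolicy.
# audit_dbus_services DIR: print "<service name> <Exec path>" for every
# *.service file in DIR whose Exec= target lives under a bin_t directory.

audit_dbus_services() {
    dir="$1"
    for f in "$dir"/*.service; do
        [ -f "$f" ] || continue
        # First Exec= line, with the "Exec=" prefix stripped
        target=$(sed -n 's/^Exec=//p' "$f" | head -n 1)
        [ -n "$target" ] || continue
        target=${target%% *}          # drop arguments, keep the binary path
        case "$target" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*)
                printf '%s %s\n' "$(basename "$f" .service)" "$target" ;;
        esac
    done
}

# Constructed sample input: a placeholder service using Exec=/bin/false
# (the pattern described in the thread) and a daemon outside bin_t paths.
sample_dir=$(mktemp -d)
cat > "$sample_dir/org.example.Placeholder.service" <<'EOF'
[D-BUS Service]
Name=org.example.Placeholder
Exec=/bin/false
EOF
cat > "$sample_dir/org.example.Daemon.service" <<'EOF'
[D-BUS Service]
Name=org.example.Daemon
Exec=/usr/libexec/example-daemon --no-fork
EOF

audit_dbus_services "$sample_dir"
```

Pointing the function at /usr/share/dbus-1/system-services shows which installed services would need system_dbusd_t to execute bin_t at all.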