From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 23 Aug 2016 15:58:46 +0200 Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts In-Reply-To: <1471956294.17467.4.camel@trentalancia.net> References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net> Message-ID: <1471960726.30659.2.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 23/08/2016 at 14.44 +0200, Guido Trentalancia wrote: > Hello Christopher ! > > Thanks for providing your valuable feedback. > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote: > > > > On 08/22/16 15:39, Guido Trentalancia wrote: > > > > > > > > > Update for the gnome module: > > > > > > - target the dconf daemon, the gsettings user application, the > > > ? gnome-settings-daemon and the at-spi daemon with all the > > > ? needed domain transitions; > > > - a new gstreamer_orcexec_t type and file context is introduced > > > ? to support the OIL Runtime Compiler (ORC) optimized code > > > ? execution (used for example by pulseaudio); > > > - add support for more permissions needed in gconfd_t and gnome > > > ? keyring domains; > > > - add support for chat over dbus in the gconfd domain and in the > > > ? new domains (dconf, gsettings, etc); > > > - add support for a few needed fs and kernel permissions. > > > - add support for reading the colord related files in the home > > > ? directories (such as the ICC EDID profiles): requires the > > > ? recent colord patch; > > > - add support for for reading the colord related files in the > > > home > > > ? directories in the common user domain template; > > > - add support for a new mime_info_t type to be used in the home > > > ? directories; > > > - includes minor modifications to the consolekit, dbus and > > > ? policykit modules to support the new targeted gnome daemons > > > ? and applications; > > > - modifies the pulseaudio module to introduce new interfaces to > > > ? read and write pulseaudio tmpfs files and to use the pulseaudio > > > ? file descriptor; > > > - provides better module encapsulation (i.e. dbus module). > > > > > > The support for Gnome2/ORBit-2 (version 2) has been dropped. > > > > > > This patch depends on the recent colord patch. > > > > > > Recent changes to the pulseaudio module depends on this patch ! [...] > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if > > > 2016-08-06 21:27:11.354094337 +0200 > > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if > > > 2 > > > 016-08-22 21:24:49.634876147 +0200 > > > @@ -43,14 +43,39 @@ interface(`gnome_role',` > > > ?template(`gnome_role_template',` > > > ? gen_require(` > > > ? attribute gnomedomain, gkeyringd_domain; > > > + attribute_role dconf_roles; > > > + attribute_role at_spi_roles; > > > ? attribute_role gconfd_roles; > > > - type gkeyringd_exec_t, gnome_keyring_home_t, > > > gnome_keyring_tmp_t; > > > + attribute_role gnome_settings_roles; > > > + attribute_role gnome_settings_daemon_roles; > > > > Are all of these role attributes really necessary???Typically these > > are? > > only needed when there are long chains of transitions where the > > original? > > domain doesn't have any relation to latter domains.??For example: > > > > user_t ->??domain1_t -> domain2_t > > > > In this case, there is no link in the sources between user_t and? > > domain2_t, but domain2_t needs to be allowed user_r.??Domain1_t's? > > interfaces can collect up all the roles that run domain1 in a role? > > attribute, and then use that attribute when running domain2. > > I will remove the roles which are not needed. I have tested the above and the conclusion is that only the dconf attribute can be removed without breaking the functionality. Regards, Guido