From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 24 Aug 2016 23:55:33 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To:
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net>
Message-ID: <1472075733.19800.4.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

I have more detailed information about this problem...

On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
> On 08/23/16 08:44, Guido Trentalancia wrote:
> >
> > Hello Christopher !
> >
> > Thanks for providing your valuable feedback.
> >
> > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> > >
> > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > >
> > > >
> > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > + type at_spi_t, at_spi_exec_t;
> > > > ? type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > ? type gconf_home_t;
> > > > + type gnome_settings_t, gnome_settings_exec_t;
> > > > + type gnome_settings_daemon_t,
> > > > gnome_settings_daemon_exec_t;
> > > > + type gnome_settings_schemas_t;
> > > > + type gkeyringd_exec_t, gnome_keyring_home_t,
> > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > + type mime_info_t;
> > > > + type user_dbusd_t;
> > >
> > > This dbus type cannot be referenced directly in this module.
> >
> > If $1_dbusd_t is used to get the role/type prefix from the caller,
> > then
> > it doesn't compile for some reason which is not yet clear to me.
> >
> > Any idea ?
>
> The $1_dbusd_t rules need to be contained in the dbus module, not
> the
> gnome module.  Beyond that, it's tough to say what the problem is,
> without knowing the error messages.
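
Review bot: The last added line of the quoted gen_require hunk, "type user_dbusd_t;", hard-codes the "user" role prefix and makes the gnome module require a type that belongs to the dbus module. Drop that require and let the gnome policy reach the session bus domain through an interface defined in the dbus module that takes the role prefix as an argument, so that callers with other prefixes are handled as well. The two declarations that appear wrapped in the quote ("gnome_settings_daemon_exec_t;" and "gnome_keyring_cache_home_t, gnome_keyring_tmp_t;") should be checked against the original patch to confirm that the wrapping comes only from mail quoting.
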

Suppose we have the following additional dbus interface:

#######################################
##
##	Make a domain transition from a
##	given source domain to the
##	DBUS session bus domain using
##	the DBUS executable file type.
##
##
##
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##
##
##
##
##	Domain allowed access.
##
##
#
interface(`dbus_domain_transition_session_bus',`
	gen_require(`
		type dbusd_exec_t;
		type $1_dbusd_t;
	')

	allow $2 dbusd_exec_t:file exec_file_perms;
	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
')

and suppose that it is called by the following statement:

	dbus_domain_transition_session_bus($1, at_spi_t)

where $1 = "user".

During policy load, the following error is generated:

Conflicting type rules
Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
Failed to generate binary
/usr/sbin/semodule: Failed!
make: *** [Rules.modular:58: load] Error 1

The temporary file is deleted automatically and cannot be inspected.

I hope it is clear now... Do you have an idea ?

It's the only thing missing before all the dbus rules are moved from
the gnome to the dbus module and I can create a new version of this
important patch.

Regards,

Guido
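
Added example, not part of the original message or of refpolicy: a small checker for one condition the CIL compiler rejects with "Conflicting type rules", namely two typetransition statements with the same source, target, class and object name but different result types. The sample CIL lines are constructed (sysadm_dbusd_t and the file-transition types are assumptions), and the thread does not confirm that this is the cause of the error above.

```python
import re
from collections import defaultdict

# Constructed sample (not taken from the failed build): what two callers of one
# domtrans interface could emit when they pass different role prefixes.
SAMPLE_CIL = """
(typetransition at_spi_t dbusd_exec_t process user_dbusd_t)
(typetransition at_spi_t dbusd_exec_t process sysadm_dbusd_t)
(typetransition gnome_settings_t dbusd_exec_t process user_dbusd_t)
(typetransition gnome_settings_t dbusd_exec_t process user_dbusd_t)
(typetransition user_t tmp_t file "sock" user_tmp_t)
(typetransition user_t tmp_t file user_home_t)
"""

RULE = re.compile(r'\(\s*typetransition\s+([^()]*?)\s*\)')


def parse_typetransitions(cil_text):
    """Yield (key, result, lineno); key = (source, target, class, name or None)."""
    for lineno, line in enumerate(cil_text.splitlines(), 1):
        line = line.split(';', 1)[0]          # CIL comments start with ';'
        for match in RULE.finditer(line):
            fields = re.findall(r'"[^"]*"|\S+', match.group(1))
            if len(fields) == 4:              # unnamed transition
                src, tgt, cls, res = fields
                name = None
            elif len(fields) == 5:            # named (object name) transition
                src, tgt, cls, name, res = fields
            else:
                continue                      # not a well-formed rule, skip
            yield (src, tgt, cls, name), res, lineno


def find_conflicts(cil_text):
    """Return {key: {result: first_lineno}} for keys with more than one result."""
    seen = defaultdict(dict)
    for key, res, lineno in parse_typetransitions(cil_text):
        seen[key].setdefault(res, lineno)     # exact duplicates collapse here
    return {key: res for key, res in seen.items() if len(res) > 1}


if __name__ == "__main__":
    for (src, tgt, cls, name), results in find_conflicts(SAMPLE_CIL).items():
        where = ", ".join(f"{r} (line {n})" for r, n in results.items())
        print(f"conflict: {src} {tgt}:{cls} name={name} -> {where}")
```

Run over an exported CIL file, it lists each conflicting key with the line of the first rule for every result type; identical duplicate rules are not reported.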