From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 24 Aug 2016 18:10:22 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file
	contexts
In-Reply-To: <1472075733.19800.4.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
	<e24eaac7-5277-23b5-f5db-d1a286920a9b@ieee.org>
	<1471956294.17467.4.camel@trentalancia.net>
	<d4e37b0e-79de-eee1-fa40-7888b5802591@ieee.org>
	<1472075733.19800.4.camel@trentalancia.net>
Message-ID: <cb9a9019-2e69-dde1-e3cb-aa4382f3f589@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/24/16 17:55, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have more detailed information about this problem...
>
> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>
>>> Hello Christopher !
>>>
>>> Thanks for providing your valuable feedback.
>>>
>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> +		type dconf_t, dconf_exec_t, dconf_home_t;
>>>>> +		type at_spi_t, at_spi_exec_t;
>>>>>  		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>  		type gconf_home_t;
>>>>> +		type gnome_settings_t, gnome_settings_exec_t;
>>>>> +		type gnome_settings_daemon_t,
>>>>> gnome_settings_daemon_exec_t;
>>>>> +		type gnome_settings_schemas_t;
>>>>> +		type gkeyringd_exec_t, gnome_keyring_home_t,
>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>> +		type mime_info_t;
>>>>> +		type user_dbusd_t;
>>>>
>>>> This dbus type cannot be referenced directly in this module.
>>>
>>> If $1_dbusd_t is used to get the role/type prefix from the caller,
>>> then
>>> it doesn't compile for some reason which is not yet clear to me.
>>>
>>> Any idea ?
>>
>> The $1_dbusd_t rules need to be contained in the dbus module, not
>> the
>> gnome module.  Beyond that, it's tough to say what the problem is,
>> without knowing the error messages.
>
> Suppose to have the following additional dbus interface:
>
> #######################################
> ## <summary>
> ##      Make a domain transition from a
> ##      given source domain to the
> ##      DBUS session bus domain using
> ##      the DBUS executable file type.
> ## </summary>
> ## <param name="role_prefix">
> ##      <summary>
> ##      The prefix of the user role (e.g., user
> ##      is the prefix for user_r).
> ##      </summary>
> ## </param>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`dbus_domain_transition_session_bus',`
>         gen_require(`
>                 type dbusd_exec_t;
>                 type $1_dbusd_t;
>         ')
>
>         allow $2 dbusd_exec_t:file exec_file_perms;
>         domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> ')
>
> and suppose that it is called by the following statement:
>
> dbus_domain_transition_session_bus($1, at_spi_t)
>
> where $1 = "user".
>
> During policy load, the following error is generated:
>
> Conflicting type rules
> Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> Failed to generate binary
> /usr/sbin/semodule:  Failed!
> make: *** [Rules.modular:58: load] Error 1
>
> The temporary file is deleted automatically and cannot be inspected.
>
> I hope it is clear now...
>
> Do you have an idea ? It's the only thing missing before all the dbus
> rules are moved from the gnome to the dbus module and I can create a
> new version of this important patch.

It's not so helpful unfortunately.  My guess is that it is a conflicting 
type_transition.  Unfortunately the compiler error message isn't helpful.

-- 
Chris PeBenito