From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 24 Aug 2016 18:10:22 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <1472075733.19800.4.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net> <1472075733.19800.4.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/24/16 17:55, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have more detailed information about this problem...
>
> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>
>>> Hello Christopher !
>>>
>>> Thanks for providing your valuable feedback.
>>>
>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>> + type at_spi_t, at_spi_exec_t;
>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>> type gconf_home_t;
>>>>> + type gnome_settings_t, gnome_settings_exec_t;
>>>>> + type gnome_settings_daemon_t,
>>>>> gnome_settings_daemon_exec_t;
>>>>> + type gnome_settings_schemas_t;
>>>>> + type gkeyringd_exec_t, gnome_keyring_home_t,
>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>> + type mime_info_t;
>>>>> + type user_dbusd_t;
>>>>
>>>> This dbus type cannot be referenced directly in this module.
>>>
>>> If $1_dbusd_t is used to get the role/type prefix from the caller, then
>>> it doesn't compile for some reason which is not yet clear to me.
>>>
>>> Any idea ?
>>
>> The $1_dbusd_t rules need to be contained in the dbus module, not the
>> gnome module. Beyond that, it's tough to say what the problem is,
>> without knowing the error messages.
>
> Suppose to have the following additional dbus interface:
>
> #######################################
> ##
> ## Make a domain transition from a
> ## given source domain to the
> ## DBUS session bus domain using
> ## the DBUS executable file type.
> ##
> ##
> ##
> ## The prefix of the user role (e.g., user
> ## is the prefix for user_r).
> ##
> ##
> ##
> ##
> ## Domain allowed access.
> ##
> ##
> #
> interface(`dbus_domain_transition_session_bus',`
> 	gen_require(`
> 		type dbusd_exec_t;
> 		type $1_dbusd_t;
> 	')
>
> 	allow $2 dbusd_exec_t:file exec_file_perms;
> 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> ')
>
> and suppose that it is called by the following statement:
>
> dbus_domain_transition_session_bus($1, at_spi_t)
>
> where $1 = "user".
>
> During policy load, the following error is generated:
>
> Conflicting type rules
> Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> Failed to generate binary
> /usr/sbin/semodule: Failed!
> make: *** [Rules.modular:58: load] Error 1
>
> The temporary file is deleted automatically and cannot be inspected.
>
> I hope it is clear now...
>
> Do you have an idea ? It's the only thing missing before all the dbus
> rules are moved from the gnome to the dbus module and I can create a
> new version of this important patch.

It's not so helpful unfortunately. My guess is that it is a conflicting type_transition. Unfortunately the compiler error message isn't helpful.

-- 
Chris PeBenito
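
Review bot: The last added line of the quoted hunk, `+ type user_dbusd_t;`, hard-codes the `user` role prefix and requires a dbus-owned type from inside the gnome module, so any rule built on it only covers callers whose session bus domain is `user_dbusd_t` and ties gnome to dbus internals. Drop it from this list and reach the session bus domain through an interface in the dbus module that takes the role prefix as a parameter. The same list also adds types for several separate services (dconf, at_spi, gnome_settings, keyring, mime_info) at once; check that each one is used by the rules that follow, since an unused requirement makes the interface depend on types it never touches.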
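
The reply above guesses at a conflicting type_transition. The following added example (not part of the thread or of refpolicy) scans already-expanded rules for that condition, the same source, target, class and optional name mapped to two different default types. The rule lines are constructed, `example_session_bus_t`, `at_spi_tmp_t` and `example_tmp_t` are hypothetical type names, and the code assumes each rule names a single source and target type rather than attributes or sets.

```python
import re
from collections import defaultdict

# Constructed sample of expanded rules; not taken from the policy in the thread.
SAMPLE_RULES = """\
type_transition at_spi_t dbusd_exec_t:process user_dbusd_t;
type_transition at_spi_t dbusd_exec_t:process example_session_bus_t;
type_transition at_spi_t dbusd_exec_t : process user_dbusd_t;
type_transition user_t dbusd_exec_t:process user_dbusd_t;
type_transition at_spi_t tmp_t:{ file dir } at_spi_tmp_t;
type_transition at_spi_t tmp_t:file example_tmp_t "named.sock";
"""

# source, target, class (single or brace set), default type, optional file name
RULE_RE = re.compile(
    r'^\s*type_transition\s+(\S+)\s+([^\s:]+)\s*:\s*(\{[^}]*\}|[^\s;]+)'
    r'\s+([^\s;"]+)(?:\s+"([^"]*)")?\s*;'
)


def find_conflicts(policy_text):
    """Map each (source, target, class, name) key that has more than one
    default type to the sorted list of those defaults."""
    defaults = defaultdict(set)
    for line in policy_text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # not a type_transition rule
        source, target, classes, default, name = match.groups()
        # A brace set such as "{ file dir }" yields one key per class.
        for cls in classes.strip("{} ").split():
            defaults[(source, target, cls, name)].add(default)
    # Identical duplicates are harmless; only differing defaults conflict.
    return {key: sorted(vals) for key, vals in defaults.items() if len(vals) > 1}


if __name__ == "__main__":
    for (src, tgt, cls, name), types in find_conflicts(SAMPLE_RULES).items():
        suffix = f' "{name}"' if name else ""
        print(f"conflict: {src} {tgt}:{cls}{suffix} -> {', '.join(types)}")
```
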