From: jason@perfinion.com (Jason Zaman)
Date: Thu, 1 Sep 2016 23:21:10 +0800
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <1472740839.17989.11.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
 <1471296811.28802.0.camel@trentalancia.net>
 <1471704772.17584.9.camel@trentalancia.net>
 <1471894798.19333.1.camel@trentalancia.net>
 <20160901042035.GA23615@meriadoc.perfinion.com>
 <1472722380.6210.17.camel@trentalancia.net>
 <20160901115329.GA9845@meriadoc.perfinion.com>
 <1472732930.30863.18.camel@trentalancia.net>
 <20160901140602.GA2268@meriadoc.perfinion.com>
 <1472740839.17989.11.camel@trentalancia.net>
Message-ID: <20160901152110.GA13593@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via refpolicy wrote:
> On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> Who said that? At-spi starts with Gnome from the xdg autostart
> directory by default.

What happens if you start dbus-daemon --session from xdg autostart too?

> > > > > If you want to help implementing a patch, we need to identify the
> > > > > code where such policy is actually enforced, so that there we can
> > > > > track the calling user domain to choose the right type transition.
> > > >
> > > > We need to take a step back, there are too many issues mixed together
> > > > with this patch. Fixing the policy to allow conflicting types sounds
> > > > like the wrong solution to whatever the problem is.
> > >
> > > At the moment, I still believe that is the optimal solution: allowing
> > > conflicts in the policy and resolving them at runtime by exploiting the
> > > knowledge of the user and role parts of the context.
> >
> The above is what is needed to achieve an optimal solution to the
> problem that I encountered while developing this gnome patch.

Again ... *what problem*? Show me the error messages you get without
this patch applied. You keep saying that what you have done is optimal
to solve the problem, but you have not explained what the problem is.

Do you need atspi to be able to exec dbus-daemon? What happens if you
start dbus-daemon before atspi? Why can't you just prefix the atspi
domains too?

type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;

-- 
Jason
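An added example, not part of the thread and not refpolicy code, modelling the point behind the two prefixed rules above. The kernel resolves a type_transition on exec by the key (source domain, executable type, object class); the user and role fields of the context are not part of that key, so two rules with the same key but different result domains are rejected by checkpolicy as conflicting rather than disambiguated at runtime. The policy fragments, the unprefixed `atspi_t` domain and the `sysadm_atspi_t` lookup are constructed for this illustration.

```python
"""Added example, not from the refpolicy thread or the refpolicy sources.

The kernel resolves a type_transition for an exec by looking up the key
(source domain, target file type, object class). The user and role fields
of the process context are not part of the key, so two rules with the same
key and different result types cannot be resolved at runtime; checkpolicy
rejects them as conflicting when the policy is compiled. This model shows
the conflict for a single unprefixed atspi_t domain (an assumed domain,
constructed here) and shows that per-role prefixed domains such as
staff_atspi_t and user_atspi_t have distinct keys.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One type_transition statement as written in a .te file, e.g.
#   type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
RULE_RE = re.compile(
    r"^type_transition\s+(\S+)\s+([^\s:]+)\s*:\s*([^\s;]+)\s+([^\s;]+)\s*;$"
)


@dataclass(frozen=True)
class TypeTransition:
    source: str   # domain performing the exec
    target: str   # type of the executable file
    tclass: str   # object class; "process" for a domain transition
    result: str   # domain the new process ends up in


def parse_rules(policy_text):
    """Parse type_transition lines; '#' comments and blank lines are skipped."""
    rules = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"not a type_transition rule: {line!r}")
        rules.append(TypeTransition(*m.groups()))
    return rules


def find_conflicts(rules):
    """Map each (source, target, class) key that has more than one result
    type to the set of results. A non-empty map is a policy that checkpolicy
    refuses to compile."""
    results = defaultdict(set)
    for r in rules:
        results[(r.source, r.target, r.tclass)].add(r.result)
    return {key: res for key, res in results.items() if len(res) > 1}


def transition(rules, source, target, tclass="process"):
    """Domain that `source` ends up in after executing a file of type
    `target`, or None when no rule matches (the process keeps `source`)."""
    conflicts = find_conflicts(rules)
    if conflicts:
        raise ValueError(f"policy has conflicting type rules: {conflicts}")
    for r in rules:
        if (r.source, r.target, r.tclass) == (source, target, tclass):
            return r.result
    return None


# Constructed policy fragments (not refpolicy's). The first is what
# "allowing conflicts in the policy" amounts to; the second is the
# per-role prefixed form from the mail.
CONFLICTING_POLICY = """
type_transition atspi_t dbusd_exec_t:process staff_dbusd_t;
type_transition atspi_t dbusd_exec_t:process user_dbusd_t;
"""

PREFIXED_POLICY = """
type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
"""

if __name__ == "__main__":
    print("conflicts:", find_conflicts(parse_rules(CONFLICTING_POLICY)))
    rules = parse_rules(PREFIXED_POLICY)
    for domain in ("staff_atspi_t", "user_atspi_t", "sysadm_atspi_t"):
        print(domain, "exec dbusd_exec_t ->",
              transition(rules, domain, "dbusd_exec_t"))
```

Running it prints the single conflicting key for the unprefixed policy and, for the prefixed one, staff_atspi_t and user_atspi_t landing in their own dbusd domains while an unlisted domain gets no transition at all. On a real system the same lookup is `sesearch -T -s staff_atspi_t -t dbusd_exec_t -c process` against the loaded policy.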