From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 01 Sep 2016 18:18:05 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <20160901152110.GA13593@meriadoc.perfinion.com>
References: <1471099545.21480.27.camel@trentalancia.net>
 <1471296811.28802.0.camel@trentalancia.net>
 <1471704772.17584.9.camel@trentalancia.net>
 <1471894798.19333.1.camel@trentalancia.net>
 <20160901042035.GA23615@meriadoc.perfinion.com>
 <1472722380.6210.17.camel@trentalancia.net>
 <20160901115329.GA9845@meriadoc.perfinion.com>
 <1472732930.30863.18.camel@trentalancia.net>
 <20160901140602.GA2268@meriadoc.perfinion.com>
 <1472740839.17989.11.camel@trentalancia.net>
 <20160901152110.GA13593@meriadoc.perfinion.com>
Message-ID: <1472746685.17989.17.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via refpolicy wrote:
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> >
> > Who said that? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?

The DBUS session daemon is not designed to be started from xdg autostart.
There must be multiple instances of it.

> > > > > > If you want to help implement a patch, we need to identify
> > > > > > the code where such policy is actually enforced, so that
> > > > > > there we can track the calling user domain to choose the
> > > > > > right type transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together with this patch. Fixing the policy to allow
> > > > > conflicting types sounds like the wrong solution to whatever
> > > > > the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing conflicts in the policy and resolving them at runtime
> > > > by exploiting the knowledge of the user and role parts of the
> > > > context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? Show me the error messages you get without
> this patch applied. You keep saying that what you have done is

As already explained, without the patch applied, Gnome doesn't start,
pulseaudio doesn't work fine, there are permissions granted that are not
strictly needed and however it is not confined properly (there are Gnome
processes running in the user domain, which instead should run in their
own domain).

> optimal to solve the problem but you have not explained what the
> problem is.

I have no other way of explaining it. The others have understood the
problem, perhaps you can read their replies to get more insight...

> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
>
> Why can't you just prefix the atspi domains too?
> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
>
> -- Jason

Guido
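The per-role prefixing Jason suggests above, written out as an added illustration in refpolicy's template style (this is not code from the thread, the patch or refpolicy itself; the template name `atspi_role_template` and the three-argument prefix/userdomain/role signature are assumptions, and `$1_dbusd_t` is assumed to be the per-role dbus domain that the existing dbus role template provides):

```selinux
## <summary>
##	Added illustration: a per-role atspi domain whose dbus-daemon
##	transition target is fixed by the role prefix.
## </summary>
## <param name="prefix">Role prefix, e.g. staff or user.</param>
## <param name="userdomain">User domain, e.g. staff_t.</param>
## <param name="role">Role, e.g. staff_r.</param>
template(`atspi_role_template',`
	gen_require(`
		type dbusd_exec_t;
		type $1_dbusd_t;
	')

	type $1_atspi_t;
	domain_type($1_atspi_t)
	role $3 types $1_atspi_t;

	# $1_atspi_t executing dbusd_exec_t lands in $1_dbusd_t. Because the
	# source type already carries the role prefix, each instantiation
	# produces a distinct (source, target, class) triple, so the two
	# generated type_transition rules do not conflict and no runtime
	# user/role-based resolution is needed.
	domtrans_pattern($1_atspi_t, dbusd_exec_t, $1_dbusd_t)
')

# Constructed instantiations, equivalent to the two rules quoted above:
#   type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
#   type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
atspi_role_template(staff, staff_t, staff_r)
atspi_role_template(user, user_t, user_r)
```

Building the module with these two calls and checking the compiled policy with `sesearch -T -s staff_atspi_t -t dbusd_exec_t` (and the same for `user_atspi_t`) is the way to confirm that each prefixed domain transitions only to its own dbusd domain.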