From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 01 Sep 2016 21:30:25 +0200 Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts In-Reply-To: <20160901152110.GA13593@meriadoc.perfinion.com> References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <20160901042035.GA23615@meriadoc.perfinion.com> <1472722380.6210.17.camel@trentalancia.net> <20160901115329.GA9845@meriadoc.perfinion.com> <1472732930.30863.18.camel@trentalancia.net> <20160901140602.GA2268@meriadoc.perfinion.com> <1472740839.17989.11.camel@trentalancia.net> <20160901152110.GA13593@meriadoc.perfinion.com> Message-ID: <1472758225.10496.18.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Jason, I'll try another time to answer your question... On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote: > On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via > refpolicy wrote: > > > > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote: > > > > > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia > > > wrote: > > Who said that ? At-spi starts with Gnome from the xdg autostart > > directory by default. > > What happens if you start dbus-daemon --session from xdg autostart > too? > > > > > > > > > > > > > > > > > > > > > > > > > > > If you want to help implementing a patch, we need to > > > > > > identify > > > > > > the > > > > > > code > > > > > > where such policy is actually enforced, so that there we > > > > > > can > > > > > > track > > > > > > the > > > > > > calling user domain to choose the right type transition. > > > > > > > > > > We need to take a step back, there are too many issues mixed > > > > > together > > > > > with this patch. fixing the policy to allow conflicting types > > > > > sounds > > > > > like the wrong solution to whatever the problem is. > > > > > > > > At the moment, I still believe that is the optimal solution: > > > > allowing > > > > conflicts in the policy and resolving them at runtime by > > > > exploiting > > > > the > > > > knowledge of the user and role parts of the context. > > > > The above is what is needed to achieve an optimal solution to the > > problem that I encountered while developing this gnome patch. > > Again ... *what problem*? show me the error messages you get without > this patch applied. You keep saying that what you have done is > optimal > to solve the problem but you have not explained what the problem is. The main problem that the patch was trying to sort out is to allow Gnome to run with the Reference Policy and to confine it better (for a full description, please refer to the latest version of the patch). In this case, there isn't just one specific error message. There is a series of permissions denied in the log files and the desktop won't start (as in not passing the xdm login screen, for example) or it won't function properly. While developing the above mentioned patch, I came across a problem with the policy: conflicting type rules. The specific error message in this case is "Conflicting type rules" when loading the policy (it compiles fine). You can reproduce it by applying the patch and then changing the "user_dbusd_t" type that I have used initially to the prefixed type "$1_dbusd_t". To solve the latter problem, I believe that the optimal solution is not to change the policy further, but to: - change the existing source code so that it adds the conflicting type rules without generating an error; - resolve the conflict at runtime by exploiting the knowledge of the user and role parts of the context. I was asking other people what they think of such proposed solution and, provided that it sounds feasible to them, if they have specific ideas on its implementation. I hope it does make sense now... > Do you need atspi to be able to exec dbus-daemon? What happens if you > start dbus-daemon before atspi? > Why cant you just prefix the atspi domains too? I don't know if prefixing the other domains works. However, if you post a revised patch, I can test it and let you know. At the moment, I have removed the prefixed types and I am working with static types prefixed by the keyword "session". It works, but it surely isn't what I would call optimal. > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t; > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t; Regards, Guido