From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 03 Sep 2016 15:34:24 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <20160901152110.GA13593@meriadoc.perfinion.com>
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <20160901042035.GA23615@meriadoc.perfinion.com> <1472722380.6210.17.camel@trentalancia.net> <20160901115329.GA9845@meriadoc.perfinion.com> <1472732930.30863.18.camel@trentalancia.net> <20160901140602.GA2268@meriadoc.perfinion.com> <1472740839.17989.11.camel@trentalancia.net> <20160901152110.GA13593@meriadoc.perfinion.com>
Message-ID: <1472909664.1560.6.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Jason.

I have an update about the advice that you kindly provided...

On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> On Thu, Sep 01, 2016 at 04:40:39PM +0200, Guido Trentalancia via refpolicy wrote:
> > On Thu, 01/09/2016 at 22.06 +0800, Jason Zaman wrote:
> > > On Thu, Sep 01, 2016 at 02:28:50PM +0200, Guido Trentalancia wrote:
> >
> > Who said that ? At-spi starts with Gnome from the xdg autostart
> > directory by default.
>
> What happens if you start dbus-daemon --session from xdg autostart
> too?
>
> > > > > > If you want to help implementing a patch, we need to identify
> > > > > > the code where such policy is actually enforced, so that there
> > > > > > we can track the calling user domain to choose the right type
> > > > > > transition.
> > > > >
> > > > > We need to take a step back, there are too many issues mixed
> > > > > together with this patch. Fixing the policy to allow conflicting
> > > > > types sounds like the wrong solution to whatever the problem is.
> > > >
> > > > At the moment, I still believe that is the optimal solution:
> > > > allowing conflicts in the policy and resolving them at runtime by
> > > > exploiting the knowledge of the user and role parts of the context.
> >
> > The above is what is needed to achieve an optimal solution to the
> > problem that I encountered while developing this gnome patch.
>
> Again ... *what problem*? Show me the error messages you get without
> this patch applied. You keep saying that what you have done is optimal
> to solve the problem but you have not explained what the problem is.
>
> Do you need atspi to be able to exec dbus-daemon? What happens if you
> start dbus-daemon before atspi?
>
> Why can't you just prefix the atspi domains too?
> type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;

The latter (prefixing the other domains, such as at_spi, that at some
point need to transition back to the user domain) solved the problem
that I was experiencing !

Brilliant idea... Thanks very much for your advice !!

Unfortunately, I don't know if I can really update this patch for the
mailing list and resubmit it, because there are very strict
requirements on its length. It's a shame, but I cannot split it in
several parts because this patch is made of highly interdependent
bits...

Best regards,

Guido
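As an added illustration of why the prefixed rules resolve the issue discussed in this thread (this is example code written here, not part of the thread or of refpolicy), the following script parses a constructed set of `type_transition` rules and reports keys that map to more than one result type; the kernel looks transitions up by (source, target, class) with no user or role input, so such duplicates are rejected at policy build time rather than resolved at runtime.

```python
import re
from collections import defaultdict

# Constructed sample rules (not taken from the patch under discussion).
# Unprefixed: a single atspi_t domain would need two different results.
UNPREFIXED_RULES = """
type_transition atspi_t dbusd_exec_t:process staff_dbusd_t;
type_transition atspi_t dbusd_exec_t:process user_dbusd_t;
"""

# Prefixed per user role, as suggested in the thread: distinct keys.
PREFIXED_RULES = """
type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
"""

# Simplified grammar: only the plain process-transition form, no
# object-name (file name) transitions and no attribute expansion.
RULE_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;$")


def parse_rules(policy_text):
    """Return a list of (source, target, class, result) tuples."""
    rules = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"unparsed rule: {line}")
        rules.append(match.groups())
    return rules


def find_conflicts(rules):
    """Map each (source, target, class) key with more than one distinct
    result type to the sorted list of those results. A non-empty result
    means checkpolicy would refuse the policy with a conflicting TE rule
    error, since the lookup key carries no user or role information."""
    results_by_key = defaultdict(set)
    for source, target, tclass, result in rules:
        results_by_key[(source, target, tclass)].add(result)
    return {key: sorted(vals)
            for key, vals in results_by_key.items() if len(vals) > 1}


if __name__ == "__main__":
    print("unprefixed:", find_conflicts(parse_rules(UNPREFIXED_RULES)))
    print("prefixed:  ", find_conflicts(parse_rules(PREFIXED_RULES)))
```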