From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 06 Sep 2016 14:26:28 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To:
References: <1471099545.21480.27.camel@trentalancia.net>
 <1471296811.28802.0.camel@trentalancia.net>
 <1471704772.17584.9.camel@trentalancia.net>
 <1471894798.19333.1.camel@trentalancia.net>
 <20160901042035.GA23615@meriadoc.perfinion.com>
 <1472722380.6210.17.camel@trentalancia.net>
 <20160901115329.GA9845@meriadoc.perfinion.com>
 <1472732930.30863.18.camel@trentalancia.net>
 <20160901140602.GA2268@meriadoc.perfinion.com>
 <1472740839.17989.11.camel@trentalancia.net>
 <20160901152110.GA13593@meriadoc.perfinion.com>
 <1472909664.1560.6.camel@trentalancia.net>
Message-ID: <1473164788.23595.11.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Jason.

On Tue, 06/09/2016 at 17.18 +0800, Jason Zaman wrote:
> > On Thu, 01/09/2016 at 23.21 +0800, Jason Zaman wrote:
> > > Why can't you just prefix the atspi domains too?
> > > type_transition staff_atspi_t dbusd_exec_t:process staff_dbusd_t;
> > > type_transition user_atspi_t dbusd_exec_t:process user_dbusd_t;
> >
> > The latter (prefixing the other domains, such as at_spi, that at some
> > point need to transition back to the user domain) solved the problem
> > that I was experiencing!
> >
> > Brilliant idea... Thanks very much for your advice!!
> >
> > Unfortunately, I don't know if I can really update this patch for the
> > mailing list and resubmit it, because there are very strict
> > requirements on its length.
> >
> > It's a shame, but I cannot split it in several parts because this patch
> > is made of highly interdependent bits...
> Great that it works!

Yes, thanks very much to your advice!

> Can you rebase the patch on master then send me the file directly
> (not to the list since it's big). Then I can take a look and comment.

I am still completing it. There are still bits that are getting changed
and improved every now and then while it gets tested better.

> If this works well for dbus session programs we probably want to make
> a few templates to handle the common stuff first. Then we can do the
> specific patches separately for atspi and the other programs
> afterwards. It's a big change but I'm sure we can figure out a good
> way to organise it.

I really hope it will get committed.

> I use xfce so will check if there are more things that use dbus so we
> can make the templates good for everything at the same time.

There is only one strange thing happening: when I start gnome-terminal
from the gnome-shell menu (it executes /usr/bin/gnome-terminal, which
then executes /usr/libexec/gnome-terminal-server), it runs in the
$1_dbusd_t domain.

Other applications, when started from the gnome-shell menu, do not end
up running in the $1_dbusd_t domain but in the user domain, as
desirable.

I am not sure why the above is happening. I can get it to transition
from $1_dbusd_t to $1_t, which sorts things out, but it would be better
if it was running in gnome_terminal_t and gnome_terminal_server_t
respectively.

Best regards,

Guido