* how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
@ 2009-05-08 17:49 ` Justin P. Mattock
0 siblings, 0 replies; 10+ messages in thread
From: Justin P. Mattock @ 2009-05-08 17:49 UTC (permalink / raw)
To: SE-Linux, tresys
With the latest policy:
I'm wondering what would be the best way to
allow gconf, evolution, nautilus, etc.

If I start any of these during boot I'll
get system_dbus_t (which gets allowed),
but if I start evolution, nautilus, etc.
normally once I've booted up I get an error
with checkpolicy (due to arole_dbus_t instead of
system_dbus_t).

Should I try and compile these programs
without orbit support (if possible), gconf support
and dbus support?

Is there a boolean that I'm missing?
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
2009-05-08 17:49 ` [refpolicy] " Justin P. Mattock
@ 2009-05-11 12:48 ` Christopher J. PeBenito
-1 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2009-05-11 12:48 UTC (permalink / raw)
To: Justin P. Mattock; +Cc: SE-Linux, tresys
On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
> with the latest policy:
> I'm wondering what would be the best way to
> allow gconf,evolution,nautilus,etc..
>
> If I start any of these during boot I'll
> get system_dbus_t(which gets allowed)
> but if I start evolution, nautilus, etc..
> normally once Ive booted up I get an error
> with checkpolicy.(due to arole_dbus_t instead of
> system_dbus_t)
>
> Should I try and compile these programs
> without orbit support(if possible), gconf support
> and dbus support?
>
> is there a boolean that I'm missing?
Can you provide the exact error messages?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
2009-05-11 12:48 ` Christopher J. PeBenito
@ 2009-05-11 14:51 ` Justin Mattock
-1 siblings, 0 replies; 10+ messages in thread
From: Justin Mattock @ 2009-05-11 14:51 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE-Linux, tresys
On Mon, May 11, 2009 at 5:48 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
>> with the latest policy:
>> I'm wondering what would be the best way to
>> allow gconf,evolution,nautilus,etc..
>>
>> If I start any of these during boot I'll
>> get system_dbus_t(which gets allowed)
>> but if I start evolution, nautilus, etc..
>> normally once Ive booted up I get an error
>> with checkpolicy.(due to arole_dbus_t instead of
>> system_dbus_t)
>>
>> Should I try and compile these programs
>> without orbit support(if possible), gconf support
>> and dbus support?
>>
>> is there a boolean that I'm missing?
>
> Can you provide the exact error messages?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
If I start the system, and gather avc's
for (example) gnome-volume-control
(some of them below, then write them into the policy)

allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
allow user_dbusd_t gconf_etc_t:dir { search getattr };
allow user_dbusd_t gconf_home_t:dir { write search read remove_name open getattr add_name };
allow user_dbusd_t gconf_home_t:file { rename setattr read create write getattr unlink open append };
allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
allow user_dbusd_t self:process getsched;

the error is this:

m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D
mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -D
self_contained_policy policy/support/file_patterns.spt
policy/support/ipc_patterns.spt policy/support/loadable_module.spt
policy/support/misc_macros.spt policy/support/misc_patterns.spt
policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
tmp/generated_definitions.conf policy/global_booleans
policy/global_tunables > tmp/global_bools.conf
Creating mcs policy.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
policy.conf
Compiling mcs policy.22
/usr/bin/checkpolicy -M -c 22 -U deny policy.conf -o policy.22
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/services/xserver.te":1042:ERROR 'type user_dbusd_t is
not within scope' at token ';' on line 2597865:

allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.22] Error 1

It's the whole dbus sends and receive info from the home directory then
create a directory in /tmp (orbit) transaction
that is happening.

I can try and start these programs during init,
(since system_dbusd_t seems to only be allowed)
but running evolution as root just seems a bit
too much, as well as any other app that just needs to be
run normally.
--
Justin P. Mattock
* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
2009-05-11 14:51 ` Justin Mattock
@ 2009-05-11 18:58 ` Christopher J. PeBenito
-1 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2009-05-11 18:58 UTC (permalink / raw)
To: Justin Mattock; +Cc: SE-Linux, tresys
On Mon, 2009-05-11 at 07:51 -0700, Justin Mattock wrote:
> On Mon, May 11, 2009 at 5:48 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> > On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
> >> with the latest policy:
> >> I'm wondering what would be the best way to
> >> allow gconf,evolution,nautilus,etc..
> >>
> >> If I start any of these during boot I'll
> >> get system_dbus_t(which gets allowed)
> >> but if I start evolution, nautilus, etc..
> >> normally once Ive booted up I get an error
> >> with checkpolicy.(due to arole_dbus_t instead of
> >> system_dbus_t)
> >>
> >> Should I try and compile these programs
> >> without orbit support(if possible), gconf support
> >> and dbus support?
> >>
> >> is there a boolean that I'm missing?
> >
> > Can you provide the exact error messages?
> >
> If I start the system, and gather avc's
> for(example) gnom-volume-control
> (some of them below, then write them into the policy)
>
> allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> allow user_dbusd_t gconf_etc_t:dir { search getattr };
> allow user_dbusd_t gconf_home_t:dir { write search read remove_name
> open getattr add_name };
> allow user_dbusd_t gconf_home_t:file { rename setattr read create
> write getattr unlink open append };
> allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
> allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
> allow user_dbusd_t self:process getsched;
>
> the error is this:
>
> m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D
> mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -D
> self_contained_policy policy/support/file_patterns.spt
> policy/support/ipc_patterns.spt policy/support/loadable_module.spt
> policy/support/misc_macros.spt policy/support/misc_patterns.spt
> policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
> tmp/generated_definitions.conf policy/global_booleans
> policy/global_tunables > tmp/global_bools.conf
> Creating mcs policy.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
> policy.conf
> Compiling mcs policy.22
> /usr/bin/checkpolicy -M -c 22 -U deny policy.conf -o policy.22
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/services/xserver.te":1042:ERROR 'type user_dbusd_t is
> not within scope' at token ';' on line 2597865:
>
> allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.22] Error 1
user_dbusd_t is optionally declared, and the invocation is in
policy/modules/roles/unprivuser.te line 37 (in current refpolicy trunk).
You would have to put rules in that optional, otherwise the rule is out
of scope.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
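
The scoping rule described in the reply above, as an added example that is not part of the original messages or of refpolicy's own source. The dbus_role_template(user, user_r, user_t) call is an assumption about what the optional block in policy/modules/roles/unprivuser.te contains; the thread only gives the file and line number, so check the local tree. Two of the rules from the thread are used as samples.

```selinux
# Out of scope: the same rule at the top level of a module that neither
# declares nor requires user_dbusd_t (the xserver.te case in the thread).
# checkpolicy rejects it with: type user_dbusd_t is not within scope
#
# allow user_dbusd_t self:process getsched;

# In scope: the rule sits inside the optional block whose template
# invocation declares user_dbusd_t.
optional_policy(`
	# Assumed invocation that creates user_dbusd_t for the user role.
	dbus_role_template(user, user_r, user_t)

	# Local rule using only the optionally declared type.
	allow user_dbusd_t self:process getsched;

	# A type owned by another module must be required before use.
	# Nesting the block keeps the dbus rules above enabled even when
	# the module that provides gconf_etc_t is not part of the build.
	optional_policy(`
		gen_require(`
			type gconf_etc_t;
		')

		allow user_dbusd_t gconf_etc_t:dir { search getattr };
	')
')
```

If the types named in a block are not available, that optional block is dropped from the build instead of failing the compile, which is why the failing rule only compiles once it is moved inside.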
* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
2009-05-11 18:58 ` Christopher J. PeBenito
@ 2009-05-11 19:26 ` Justin P. Mattock
-1 siblings, 0 replies; 10+ messages in thread
From: Justin P. Mattock @ 2009-05-11 19:26 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE-Linux, tresys
On Mon, 2009-05-11 at 14:58 -0400, Christopher J. PeBenito wrote:
> On Mon, 2009-05-11 at 07:51 -0700, Justin Mattock wrote:
> > On Mon, May 11, 2009 at 5:48 AM, Christopher J. PeBenito
> > <cpebenito@tresys.com> wrote:
> > > On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
> > >> with the latest policy:
> > >> I'm wondering what would be the best way to
> > >> allow gconf,evolution,nautilus,etc..
> > >>
> > >> If I start any of these during boot I'll
> > >> get system_dbus_t(which gets allowed)
> > >> but if I start evolution, nautilus, etc..
> > >> normally once Ive booted up I get an error
> > >> with checkpolicy.(due to arole_dbus_t instead of
> > >> system_dbus_t)
> > >>
> > >> Should I try and compile these programs
> > >> without orbit support(if possible), gconf support
> > >> and dbus support?
> > >>
> > >> is there a boolean that I'm missing?
> > >
> > > Can you provide the exact error messages?
> > >
> > If I start the system, and gather avc's
> > for(example) gnom-volume-control
> > (some of them below, then write them into the policy)
> >
> > allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> > allow user_dbusd_t gconf_etc_t:dir { search getattr };
> > allow user_dbusd_t gconf_home_t:dir { write search read remove_name
> > open getattr add_name };
> > allow user_dbusd_t gconf_home_t:file { rename setattr read create
> > write getattr unlink open append };
> > allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
> > allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
> > allow user_dbusd_t self:process getsched;
> >
> > the error is this:
> >
> > m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D
> > mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -D
> > self_contained_policy policy/support/file_patterns.spt
> > policy/support/ipc_patterns.spt policy/support/loadable_module.spt
> > policy/support/misc_macros.spt policy/support/misc_patterns.spt
> > policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
> > tmp/generated_definitions.conf policy/global_booleans
> > policy/global_tunables > tmp/global_bools.conf
> > Creating mcs policy.conf
> > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
> > policy.conf
> > Compiling mcs policy.22
> > /usr/bin/checkpolicy -M -c 22 -U deny policy.conf -o policy.22
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > policy/modules/services/xserver.te":1042:ERROR 'type user_dbusd_t is
> > not within scope' at token ';' on line 2597865:
> >
> > allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> > checkpolicy: error(s) encountered while parsing configuration
> > make: *** [policy.22] Error 1
>
> user_dbusd_t is optionally declared, and the invocation is in
> policy/modules/roles/unprivuser.te line 37 (in current refpolicy trunk).
> You would have to put rules in that optional, otherwise the rule is out
> of scope.
>
Cool, I'll have a look.
(sorry for bringing this up again,
I've been going crazy with this for a while)
As for the policy, been running it for a while
(without any gnome support) but then decided to
add some sugar and spice to the system.
Justin P. Mattock