* how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
From: Justin P. Mattock @ 2009-05-08 17:49 UTC
To: SE-Linux, tresys

with the latest policy:
I'm wondering what would be the best way to
allow gconf,evolution,nautilus,etc..

If I start any of these during boot I'll
get system_dbus_t(which gets allowed)
but if I start evolution, nautilus, etc..
normally once I've booted up I get an error
with checkpolicy.(due to arole_dbus_t instead of
system_dbus_t)

Should I try and compile these programs
without orbit support(if possible), gconf support
and dbus support?

is there a boolean that I'm missing?

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
From: Christopher J. PeBenito @ 2009-05-11 12:48 UTC
To: Justin P. Mattock; +Cc: SE-Linux, tresys

On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
> with the latest policy:
> I'm wondering what would be the best way to
> allow gconf,evolution,nautilus,etc..
>
> If I start any of these during boot I'll
> get system_dbus_t(which gets allowed)
> but if I start evolution, nautilus, etc..
> normally once I've booted up I get an error
> with checkpolicy.(due to arole_dbus_t instead of
> system_dbus_t)
>
> Should I try and compile these programs
> without orbit support(if possible), gconf support
> and dbus support?
>
> is there a boolean that I'm missing?

Can you provide the exact error messages?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
From: Justin Mattock @ 2009-05-11 14:51 UTC
To: Christopher J. PeBenito; +Cc: SE-Linux, tresys

On Mon, May 11, 2009 at 5:48 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
>> with the latest policy:
>> I'm wondering what would be the best way to
>> allow gconf,evolution,nautilus,etc..
>>
>> If I start any of these during boot I'll
>> get system_dbus_t(which gets allowed)
>> but if I start evolution, nautilus, etc..
>> normally once I've booted up I get an error
>> with checkpolicy.(due to arole_dbus_t instead of
>> system_dbus_t)
>>
>> Should I try and compile these programs
>> without orbit support(if possible), gconf support
>> and dbus support?
>>
>> is there a boolean that I'm missing?
>
> Can you provide the exact error messages?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

If I start the system, and gather avc's
for (example) gnome-volume-control
(some of them below, then write them into the policy)

allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
allow user_dbusd_t gconf_etc_t:dir { search getattr };
allow user_dbusd_t gconf_home_t:dir { write search read remove_name open getattr add_name };
allow user_dbusd_t gconf_home_t:file { rename setattr read create write getattr unlink open append };
allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
allow user_dbusd_t self:process getsched;

the error is this:

m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D
mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -D
self_contained_policy policy/support/file_patterns.spt
policy/support/ipc_patterns.spt policy/support/loadable_module.spt
policy/support/misc_macros.spt policy/support/misc_patterns.spt
policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
tmp/generated_definitions.conf policy/global_booleans
policy/global_tunables > tmp/global_bools.conf
Creating mcs policy.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
policy.conf
Compiling mcs policy.22
/usr/bin/checkpolicy -M -c 22 -U deny policy.conf -o policy.22
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/services/xserver.te":1042:ERROR 'type user_dbusd_t is
not within scope' at token ';' on line 2597865:

allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.22] Error 1

It's the whole dbus sends and receives info from
the home directory then creates a directory in /tmp (orbit) transaction
that is happening. I can try and start these programs during init,
(since system_dbusd_t seems to only be allowed)
but running evolution as root just seems a bit too much, as well as
any other app that just needs to be run normally.

--
Justin P. Mattock

* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
From: Christopher J. PeBenito @ 2009-05-11 18:58 UTC
To: Justin Mattock; +Cc: SE-Linux, tresys

On Mon, 2009-05-11 at 07:51 -0700, Justin Mattock wrote:
> On Mon, May 11, 2009 at 5:48 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> > On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
> >> with the latest policy:
> >> I'm wondering what would be the best way to
> >> allow gconf,evolution,nautilus,etc..
> >>
> >> If I start any of these during boot I'll
> >> get system_dbus_t(which gets allowed)
> >> but if I start evolution, nautilus, etc..
> >> normally once I've booted up I get an error
> >> with checkpolicy.(due to arole_dbus_t instead of
> >> system_dbus_t)
> >>
> >> Should I try and compile these programs
> >> without orbit support(if possible), gconf support
> >> and dbus support?
> >>
> >> is there a boolean that I'm missing?
> >
> > Can you provide the exact error messages?
> >
> If I start the system, and gather avc's
> for (example) gnome-volume-control
> (some of them below, then write them into the policy)
>
> allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> allow user_dbusd_t gconf_etc_t:dir { search getattr };
> allow user_dbusd_t gconf_home_t:dir { write search read remove_name
> open getattr add_name };
> allow user_dbusd_t gconf_home_t:file { rename setattr read create
> write getattr unlink open append };
> allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
> allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
> allow user_dbusd_t self:process getsched;
>
> the error is this:
>
> m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D
> mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -D
> self_contained_policy policy/support/file_patterns.spt
> policy/support/ipc_patterns.spt policy/support/loadable_module.spt
> policy/support/misc_macros.spt policy/support/misc_patterns.spt
> policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
> tmp/generated_definitions.conf policy/global_booleans
> policy/global_tunables > tmp/global_bools.conf
> Creating mcs policy.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
> policy.conf
> Compiling mcs policy.22
> /usr/bin/checkpolicy -M -c 22 -U deny policy.conf -o policy.22
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/services/xserver.te":1042:ERROR 'type user_dbusd_t is
> not within scope' at token ';' on line 2597865:
>
> allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.22] Error 1

user_dbusd_t is optionally declared, and the invocation is in
policy/modules/roles/unprivuser.te line 37 (in current refpolicy
trunk). You would have to put rules in that optional, otherwise the
rule is out of scope.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

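The fix described in the reply above, as an added example that is not code from the thread or from refpolicy itself: some of the posted rules moved inside the optional block that declares `user_dbusd_t`. It assumes that block is the one calling `dbus_role_template(user, user_r, user_t)`, and that the gconf types come from a gnome module that may be absent from the build, hence the nested `optional_policy` with its own `gen_require`.

```m4
# policy/modules/roles/unprivuser.te (excerpt, added example)
#
# ASSUMPTION: the optional block referred to in the reply is the one that
# calls dbus_role_template(); that template is what declares user_dbusd_t.
# Confirm against the file in your own tree before editing.
#
# Fails: the same rule written at the top level of a .te file, outside any
# optional. user_dbusd_t only exists when the optional below is enabled, so
# checkpolicy stops with "type user_dbusd_t is not within scope".
#
#   allow user_dbusd_t gconf_etc_t:dir { search getattr };

optional_policy(`
	# Declares user_dbusd_t; everything in this block can name it.
	dbus_role_template(user, user_r, user_t)

	# Rule that names only user_dbusd_t: needs nothing else in scope.
	allow user_dbusd_t self:process getsched;

	# ASSUMPTION: the gconf types belong to the gnome module. Requiring
	# them in a nested optional means a build without that module drops
	# only these rules and keeps the dbus role template above.
	optional_policy(`
		gen_require(`
			type gconf_etc_t, gconf_home_t, gconfd_exec_t;
		')

		allow user_dbusd_t gconf_etc_t:dir { search getattr };
		allow user_dbusd_t gconf_home_t:dir { write search read remove_name open getattr add_name };
		allow user_dbusd_t gconf_home_t:file { rename setattr read create write getattr unlink open append };
		allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
	')

	# Left out on purpose:
	#   allow user_dbusd_t default_t:chr_file { ... };
	# default_t is the fallback label for paths with no specific
	# file-context entry, so that denial points at an unlabeled device
	# node. Relabel the node rather than granting access to default_t.
')
```
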
* Re: [refpolicy] how to enable gconf(arole_dbus_t errors) and all of the gnome goodies
From: Justin P. Mattock @ 2009-05-11 19:26 UTC
To: Christopher J. PeBenito; +Cc: SE-Linux, tresys

On Mon, 2009-05-11 at 14:58 -0400, Christopher J. PeBenito wrote:
> On Mon, 2009-05-11 at 07:51 -0700, Justin Mattock wrote:
> > On Mon, May 11, 2009 at 5:48 AM, Christopher J. PeBenito
> > <cpebenito@tresys.com> wrote:
> > > On Fri, 2009-05-08 at 10:49 -0700, Justin P. Mattock wrote:
> > >> with the latest policy:
> > >> I'm wondering what would be the best way to
> > >> allow gconf,evolution,nautilus,etc..
> > >>
> > >> If I start any of these during boot I'll
> > >> get system_dbus_t(which gets allowed)
> > >> but if I start evolution, nautilus, etc..
> > >> normally once I've booted up I get an error
> > >> with checkpolicy.(due to arole_dbus_t instead of
> > >> system_dbus_t)
> > >>
> > >> Should I try and compile these programs
> > >> without orbit support(if possible), gconf support
> > >> and dbus support?
> > >>
> > >> is there a boolean that I'm missing?
> > >
> > > Can you provide the exact error messages?
> > >
> > If I start the system, and gather avc's
> > for (example) gnome-volume-control
> > (some of them below, then write them into the policy)
> >
> > allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> > allow user_dbusd_t gconf_etc_t:dir { search getattr };
> > allow user_dbusd_t gconf_home_t:dir { write search read remove_name
> > open getattr add_name };
> > allow user_dbusd_t gconf_home_t:file { rename setattr read create
> > write getattr unlink open append };
> > allow user_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
> > allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
> > allow user_dbusd_t self:process getsched;
> >
> > the error is this:
> >
> > m4 -D enable_mcs -D distro_redhat -D mls_num_sens=16 -D
> > mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -D
> > self_contained_policy policy/support/file_patterns.spt
> > policy/support/ipc_patterns.spt policy/support/loadable_module.spt
> > policy/support/misc_macros.spt policy/support/misc_patterns.spt
> > policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
> > tmp/generated_definitions.conf policy/global_booleans
> > policy/global_tunables > tmp/global_bools.conf
> > Creating mcs policy.conf
> > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
> > policy.conf
> > Compiling mcs policy.22
> > /usr/bin/checkpolicy -M -c 22 -U deny policy.conf -o policy.22
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > policy/modules/services/xserver.te":1042:ERROR 'type user_dbusd_t is
> > not within scope' at token ';' on line 2597865:
> >
> > allow user_dbusd_t default_t:chr_file { read write getattr open ioctl };
> > checkpolicy: error(s) encountered while parsing configuration
> > make: *** [policy.22] Error 1
>
> user_dbusd_t is optionally declared, and the invocation is in
> policy/modules/roles/unprivuser.te line 37 (in current refpolicy
> trunk).
> You would have to put rules in that optional, otherwise the rule is out
> of scope.
>

Cool, I'll have a look.
(sorry for bringing this up again,
I've been going crazy with this for a while)

As for the policy, been running it for a while
(without any gnome support) but then
decided to add some sugar and spice
to the system.

Justin P. Mattock
