From: justinmattock@gmail.com (Justin P. Mattock)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] latest policy succesfull works on open suse 11.2
Date: Tue, 09 Mar 2010 15:34:27 -0800	[thread overview]
Message-ID: <1268177667.3603.15.camel@linux-qbdl.site> (raw)
In-Reply-To: <4B96B7E5.9040709@redhat.com>

On Tue, 2010-03-09 at 16:04 -0500, Daniel J Walsh wrote:
> On 03/09/2010 02:45 PM, Justin P. Mattock wrote:
> > This post is to let you guys know that the latest refpolicy from
> > git successfully works on openSUSE 11.2
> > (full enforcement).
> >
> > Right now I'm able to log in (am seeing an ICE denial,
> > but probably just need to find and allow it)
> > with gdm etc.
> > Able to stream music with banshee,
> > evolution works well,
> > pidgin works well,
> > firefox works, as well as streaming movies.
> > totem streams video/DVDs.
> >
> >
> > Overall I owe you guys a great big thanks
> > for this (now I don't have to build my own
> > operating system to follow the policy).
> >
> > good job SELinux peoples!!
> >
> > Justin P. Mattock
> >
> If the ICE denial is caused by the initrc_tmp_t label on /tmp/.ICE-unix,
> 
> I am seeing the same, although I have not been able to figure out what
> is creating the directory.


O.K. I ended up using semodule -DB
to acquire the remaining AVCs (even though some people
disagree with this).

One thing I'm noticing is the system won't reboot
when clicking on the reboot GUI menu
(still not sure if it does at the moment; will try later).

So after opening the policy with make enableaudit,
instead of rebooting I just logged out of the session, then
logged back in, which generated these allow rules:


module Zelevmod 1.0;

require {
	type staff_t;
	type staff_dbusd_t;
	type home_root_t;
	type user_home_dir_t;
	type file_t;
	type getty_t;
	type etc_runtime_t;
	type fusefs_t;
	type chkpwd_t;
	type xdm_t;
	type irqbalance_t;
	type tmp_t;
	type cupsd_t;
	type root_t;
	type xdm_tmp_t;
	type tmpfs_t;
	type etc_t;
	type usb_device_t;
	class unix_stream_socket connectto;
	class chr_file { read open };
	class capability { chown setgid };
	class file { rename unlink append setattr };
	class filesystem unmount;
	class sock_file { write getattr unlink };
	class dir { remove_name search getattr mounton };
}

#============= chkpwd_t ==============
allow chkpwd_t home_root_t:dir search;
allow chkpwd_t self:capability setgid;
allow chkpwd_t tmpfs_t:dir search;
allow chkpwd_t tmpfs_t:sock_file write;
allow chkpwd_t user_home_dir_t:dir search;
allow chkpwd_t xdm_t:unix_stream_socket connectto;
allow chkpwd_t xdm_tmp_t:dir search;
allow chkpwd_t xdm_tmp_t:sock_file { write getattr };

#============= getty_t ==============
allow getty_t cupsd_t:dir getattr;
allow getty_t irqbalance_t:dir getattr;

#============= staff_dbusd_t ==============
allow staff_dbusd_t etc_runtime_t:file unlink;
allow staff_dbusd_t etc_t:file { rename setattr append };
allow staff_dbusd_t file_t:dir remove_name;
allow staff_dbusd_t file_t:sock_file unlink;
allow staff_dbusd_t fusefs_t:filesystem unmount;
allow staff_dbusd_t root_t:dir mounton;
allow staff_dbusd_t self:capability chown;
allow staff_dbusd_t tmp_t:dir mounton;

#============= staff_t ==============
allow staff_t file_t:file unlink;
allow staff_t usb_device_t:chr_file { read open };
allow staff_t xdm_tmp_t:sock_file unlink;


I'm thinking either bonobo-activation-server, the screen lock thing,
or something with clk (I can unload these modules, and gather the AVCs
if need be).

But I'm not seeing the ICE message now.

Justin P. Mattock
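The module above is what you get when denials collected after semodule -DB are fed straight into a rule generator: every denied permission becomes an allow rule, including ones like staff_dbusd_t mounting on root_t or gaining the chown capability that most policy writers would want to look at before loading. The following script is an added example, not code from the thread or from refpolicy. It parses constructed audit.log AVC records (the sample lines are made up for this example; they are not Justin's log), groups them into allow-rule skeletons the same way audit2allow does, including the "self" shorthand when a domain acts on its own type, and then lists the (class, permission) pairs that the example's own REVIEW set marks as worth a manual decision rather than a blanket allow.

```python
"""Group SELinux AVC denials into allow-rule skeletons and flag the ones
that deserve manual review before the module is loaded.

Added example for this thread; the audit lines below are constructed and the
REVIEW set reflects this example's judgement, not refpolicy's.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the original post). It mirrors the
# kinds of denials behind the chkpwd_t and staff_dbusd_t rules in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1268177667.101:201): avc:  denied  { search } for  pid=2101 comm="unix_chkpwd" name="/" dev=tmpfs ino=1 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1268177667.102:202): avc:  denied  { write } for  pid=2101 comm="unix_chkpwd" name="sock" dev=tmpfs ino=2 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=AVC msg=audit(1268177667.103:203): avc:  denied  { getattr } for  pid=2101 comm="unix_chkpwd" path="/tmp/.ICE-unix/2050" dev=sda2 ino=3 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1268177667.104:204): avc:  denied  { write } for  pid=2101 comm="unix_chkpwd" path="/tmp/.ICE-unix/2050" dev=sda2 ino=3 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1268177667.105:205): avc:  denied  { mounton } for  pid=2200 comm="dbus-daemon" name="/" dev=sda2 ino=2 scontext=staff_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1268177667.106:206): avc:  denied  { chown } for  pid=2200 comm="dbus-daemon" capability=0 scontext=staff_u:staff_r:staff_dbusd_t:s0 tcontext=staff_u:staff_r:staff_dbusd_t:s0 tclass=capability
type=SYSCALL msg=audit(1268177667.106:206): arch=c000003e syscall=92 success=no exit=-13 comm="dbus-daemon"
"""

# One AVC record: the permissions in braces, then the source and target
# contexts and the object class. The fields in between (pid, comm, name,
# path, dev, ino, capability) vary per class, so they are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# (class, permission) pairs that widen a domain's reach enough to justify a
# manual look before the rule is loaded. This list is this example's choice.
REVIEW = {
    ("dir", "mounton"),
    ("filesystem", "mount"),
    ("filesystem", "unmount"),
    ("capability", "chown"),
    ("capability", "setuid"),
    ("capability", "setgid"),
    ("capability", "dac_override"),
    ("capability", "sys_admin"),
}


def context_type(context):
    """Return the type field of user:role:type:range (the MLS range itself
    may contain ':' so splitting on ':' and taking index 2 is what we want)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = context_type(m.group("scontext"))
    ttype = context_type(m.group("tcontext"))
    return {
        "stype": stype,
        # audit2allow writes 'self' when a domain acts on its own type
        "ttype": "self" if ttype == stype else ttype,
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def group_denials(audit_text):
    """Merge denials with the same (source, target, class) into one permission set."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return groups


def render_rules(groups):
    """Emit allow rules in the same shape as the module quoted in the thread."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def review_flags(groups):
    """List the grouped permissions that match the REVIEW set."""
    flags = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        for p in sorted(perms):
            if (tclass, p) in REVIEW:
                flags.append(f"{stype} -> {ttype}:{tclass} {p}")
    return flags


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AUDIT)
    print("\n".join(render_rules(groups)))
    for flag in review_flags(groups):
        print("REVIEW:", flag)
```

Run against the constructed excerpt it prints five allow rules and two review lines, for the root_t mounton and the chown capability. On a real system the input would be the AVC lines from /var/log/audit/log collected after the dontaudit rules were disabled; the value of the flag list is that it separates "this denial is cosmetic and can be allowed or dontaudited" from "this denial says a desktop daemon is asking to mount on / or change file ownership", which is the distinction a generated module hides.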
