[refpolicy] [PATCH]: missing file context for system-tools-backends (gnome)

[guido@trentalancia.com (Guido Trentalancia)]

Hello Dominick.

On Sat, 2012-06-23 at 12:19 +0200, Dominick Grift wrote:
> On Sat, 2012-06-23 at 11:52 +0200, Guido Trentalancia wrote:
> 
> > Consider gnome-system-tools is a GUI that is meant to configure network,
> > system users, shared filesystems or folders and system time. That is why
> > we would need a boolean as a lot of people would probably like to
> > disable such administrative functionality in the policy (it is still
> > possible to have the boolean default to true, as in the latest
> > modification sketch that I posted, for a more usable generic system).
> > 
> > Can you sketch a few lines of policy modifications for the domain
> > transition that you are talking about ? I guess you want to define a new
> > domain, therefore create a new module for system-tools-backends ? And
> > then allow a domain transition from dbus.te to such domain. And perhaps
> > finally label the system-tools-backends perl script with its
> > own ?_exec_t type instead of the generic binary which is more risky ?
> 
> I still can't imagine how this works but:
> 
> something like:
> 
> type stb_t;
> type stb_exec_t;
> dbus_system_domain(stb_t, stb_exec_t)
> role system_r types stb_t;
> 
> and then label the stb executable file(s) type stb_exec_t.
> 
> That should tell selinux to perform a domain transition from
> system_busd_t to stb_t on running files with type stb_exec_t.

Yes, more or less what I was imagining.

I would need to test it first and then eventually submit another patch
when possible.

It takes just a little bit more but at least we can get rid of the risky
corecmd_* permissions.

> You can also find me on irc.freenode.org at #selinux or #fedora-selinux

My involvement at the moment is just as a sort of part-time hobbist and
there is a lot more policy and stuff that I'd like to work on, but
unfortunately work constrains do not always allow me to do that.

So, I bet further involvement with other online resources such as irc is
impossible as the list is already considered as heavy load for me at the
moment !

Consider I am also hitting a bug in libsepol when trying to build the
latest policy, so there is a lot of things to sort out and time is very
scarce...

And in reply to what Daniel added, I think Fedora has its own system
configuration tools (for example the system-config-*), so that's
probably the reason why they decided to drop gnome-system-tools and
system-backends-tools if as you say it is not possible to find them
anymore in the latest repository...

Thanks a lot for your comments though !

Regards,

Guido