* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template
From: Dominick Grift @ 2013-09-20 7:49 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b4a691d..8cd6269 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -942,11 +942,11 @@
')
optional_policy(`
- gnome_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
wm_role_template($1, $1_r, $1_t)
+
+ optional_policy(`
+ gnome_role_template($1, $1_r, $1_t)
+ ')
')
')
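Review bot: The commit body carries only the Signed-off-by line, so the reason gnome_role_template must now sit inside the wm_role_template block should be stated in the message; the subject says gnome depends on wm, which depends on dbus, but nothing in the hunk references a dbus interface, so the dbus part of the chain is unexplained here. With this nesting, a build that has the wm module disabled also drops the gnome_role_template call silently, so say whether that is intended and whether a single optional_policy block holding both calls was considered instead.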
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template
From: Dominick Grift @ 2013-09-20 7:58 UTC (permalink / raw)
To: refpolicy
On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
This is kind of nasty but this is basically needed for restricted
xwindows users (Fedora probably only targeted to xguest) in an MLS
environment.
The problem here is that we, and Fedora, currently run gnome-shell in
the window manager domain for restricted xwindows users (xguest).
To be honest, I don't believe this is sufficient anyway. Although it
might just be enough for xguest.
We should probably have thought about this much earlier.
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b4a691d..8cd6269 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -942,11 +942,11 @@
> ')
>
> optional_policy(`
> - gnome_role_template($1, $1_r, $1_t)
> - ')
> -
> - optional_policy(`
> wm_role_template($1, $1_r, $1_t)
> +
> + optional_policy(`
> + gnome_role_template($1, $1_r, $1_t)
> + ')
> ')
> ')
>
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template
From: Christopher J. PeBenito @ 2013-09-23 19:10 UTC (permalink / raw)
To: refpolicy
On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote:
> On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>
> This is kind of nasty but this is basically needed for restricted
> xwindows users (Fedora probably only targeted to xguest) in an MLS
> environment.
>
> The problem here is that we, and Fedora, currently run gnome-shell in
> the window manager domain for restricted xwindows users (xguest).
>
> To be honest, I don't believe this is sufficient anyway. Although it
> might just be enough for xguest.
>
> We should probably have thought about this much earlier.
So if that's the case, shouldn't it instead be changed to the below?
optional_policy(`
gnome_role_template($1, $1_r, $1_t)
wm_role_template($1, $1_r, $1_t)
')
If I understand you correctly, if you have wm and no gnome, it breaks.
>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>> index b4a691d..8cd6269 100644
>> --- a/policy/modules/system/userdomain.if
>> +++ b/policy/modules/system/userdomain.if
>> @@ -942,11 +942,11 @@
>> ')
>>
>> optional_policy(`
>> - gnome_role_template($1, $1_r, $1_t)
>> - ')
>> -
>> - optional_policy(`
>> wm_role_template($1, $1_r, $1_t)
>> +
>> + optional_policy(`
>> + gnome_role_template($1, $1_r, $1_t)
>> + ')
>> ')
>> ')
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template
From: Dominick Grift @ 2013-09-24 12:51 UTC (permalink / raw)
To: refpolicy
On Mon, 2013-09-23 at 15:10 -0400, Christopher J. PeBenito wrote:
> On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote:
> > On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote:
> >> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> >
> > This is kind of nasty but this is basically needed for restricted
> > xwindows users (Fedora probably only targeted to xguest) in an MLS
> > environment.
> >
> > The problem here is that we, and Fedora, currently run gnome-shell in
> > the window manager domain for restricted xwindows users (xguest).
> >
> > To be honest, I don't believe this is sufficient anyway. Although it
> > might just be enough for xguest.
> >
> > We should probably have thought about this much earlier.
>
> So if that's the case, shouldn't it instead be changed to the below?
>
> optional_policy(`
> gnome_role_template($1, $1_r, $1_t)
> wm_role_template($1, $1_r, $1_t)
> ')
>
> If I understand you correctly, if you have wm and no gnome, it breaks.
For some reason that won't work. It's strange, but if I try the above then
the wm role template does not work but the gnome role template does (I
tried in monolithic policy).
e.g. there won't be any xguest_wm_t type but there will be an
xguest_gkeyringd_t type.
wm_role_template really needs to be nested as optional policy under
gnome_role_template as shown below.
You don't have to take my word for it, you can just try it out and see
what happens.
This dependency stuff is really blowing my mind sometimes.
>
> >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> >> index b4a691d..8cd6269 100644
> >> --- a/policy/modules/system/userdomain.if
> >> +++ b/policy/modules/system/userdomain.if
> >> @@ -942,11 +942,11 @@
> >> ')
> >>
> >> optional_policy(`
> >> - gnome_role_template($1, $1_r, $1_t)
> >> - ')
> >> -
> >> - optional_policy(`
> >> wm_role_template($1, $1_r, $1_t)
> >> +
> >> + optional_policy(`
> >> + gnome_role_template($1, $1_r, $1_t)
> >> + ')
> >> ')
> >> ')
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template
From: Dominick Grift @ 2013-09-24 13:14 UTC (permalink / raw)
To: refpolicy
On Tue, 2013-09-24 at 14:51 +0200, Dominick Grift wrote:
> On Mon, 2013-09-23 at 15:10 -0400, Christopher J. PeBenito wrote:
> > On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote:
> > > On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote:
> > >> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > >
> > > This is kind of nasty but this is basically needed for restricted
> > > xwindows users (Fedora probably only targeted to xguest) in an MLS
> > > environment.
> > >
> > > The problem here is that we, and Fedora, currently run gnome-shell in
> > > the window manager domain for restricted xwindows users (xguest).
> > >
> > > To be honest, I don't believe this is sufficient anyway. Although it
> > > might just be enough for xguest.
> > >
> > > We should probably have thought about this much earlier.
> >
> > So if that's the case, shouldn't it instead be changed to the below?
> >
> > optional_policy(`
> > gnome_role_template($1, $1_r, $1_t)
> > wm_role_template($1, $1_r, $1_t)
> > ')
> >
> > If I understand you correctly, if you have wm and no gnome, it breaks.
>
> For some reason that won't work. It's strange, but if I try the above then
> the wm role template does not work but the gnome role template does (I
> tried in monolithic policy).
>
> e.g. there won't be any xguest_wm_t type but there will be an
> xguest_gkeyringd_t type.
>
> wm_role_template really needs to be nested as optional policy under
> gnome_role_template as shown below.
>
> You don't have to take my word for it, you can just try it out and see
> what happens.
>
> This dependency stuff is really blowing my mind sometimes.
>
Scratch the above, I think it does work actually.
I had the rule from contrib that I use to verify whether it works
commented out (pending adoption of this patch) but the xguest_wm_t type
was there, so yes it works, that's the only sensible outcome.
So I will just go ahead and send you a patch with your requested change.
> >
> > >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > >> index b4a691d..8cd6269 100644
> > >> --- a/policy/modules/system/userdomain.if
> > >> +++ b/policy/modules/system/userdomain.if
> > >> @@ -942,11 +942,11 @@
> > >> ')
> > >>
> > >> optional_policy(`
> > >> - gnome_role_template($1, $1_r, $1_t)
> > >> - ')
> > >> -
> > >> - optional_policy(`
> > >> wm_role_template($1, $1_r, $1_t)
> > >> +
> > >> + optional_policy(`
> > >> + gnome_role_template($1, $1_r, $1_t)
> > >> + ')
> > >> ')
> > >> ')
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > www.tresys.com | oss.tresys.com
>
>
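To make the difference between the three layouts discussed in this thread concrete (the pre-patch pair of sibling blocks, the nested form in the hunk, and the single block with both calls that Chris proposed), here is an added example in Python. It is not refpolicy's build logic or anyone's code from the thread. It assumes a constructed template-to-module mapping and a simplified rule for optional_policy: a block is kept only when every template it calls directly comes from a module that is built, and a nested block is only considered inside a parent that survived.

```python
"""
Added example (not refpolicy code): a small model of how nested
optional_policy() blocks decide which role templates get expanded.
Simplifying assumption: a block is kept only when every template it calls
directly belongs to a module that is built; a nested block is only
considered inside a parent that survived.
"""
import re

# Constructed mapping from template to the module that provides it
# (assumption for this example; refpolicy derives this from its build).
TEMPLATE_MODULE = {
    "gnome_role_template": "gnome",
    "wm_role_template": "wm",
}

# The three layouts discussed in the thread, as refpolicy-style m4 text.
ORIGINAL = """
optional_policy(`
    gnome_role_template($1, $1_r, $1_t)
')

optional_policy(`
    wm_role_template($1, $1_r, $1_t)
')
"""

PATCHED = """
optional_policy(`
    wm_role_template($1, $1_r, $1_t)

    optional_policy(`
        gnome_role_template($1, $1_r, $1_t)
    ')
')
"""

SINGLE_BLOCK = """
optional_policy(`
    gnome_role_template($1, $1_r, $1_t)
    wm_role_template($1, $1_r, $1_t)
')
"""

LAYOUTS = {"original": ORIGINAL, "patched": PATCHED, "single_block": SINGLE_BLOCK}

# Tokens we care about: block open, block close, and a template call.
TOKEN = re.compile(r"optional_policy\(`|'\)|([A-Za-z_]+_template)\(")


def parse(snippet):
    """Parse a snippet into a tree: a list whose items are template names
    (str) or nested lists for nested optional_policy blocks."""
    root = []
    stack = [root]
    for match in TOKEN.finditer(snippet):
        text = match.group(0)
        if text == "optional_policy(`":
            block = []
            stack[-1].append(block)
            stack.append(block)
        elif text == "')":
            if len(stack) == 1:
                raise ValueError("unbalanced ') in snippet")
            stack.pop()
        else:
            stack[-1].append(match.group(1))
    if len(stack) != 1:
        raise ValueError("unclosed optional_policy block")
    return root


def expand(tree, built_modules):
    """Return the templates that survive for the given set of built modules.
    A block whose direct template calls need a missing module is dropped
    whole, including any blocks nested inside it."""
    kept = []
    for item in tree:
        if isinstance(item, str):  # a call outside any block is unconditional
            kept.append(item)
            continue
        direct = [t for t in item if isinstance(t, str)]
        if all(TEMPLATE_MODULE.get(t) in built_modules for t in direct):
            kept.extend(expand(item, built_modules))
    return kept


def compare(built_modules):
    """Surviving templates for each layout, e.g. compare({"wm"})."""
    return {name: sorted(expand(parse(text), built_modules))
            for name, text in LAYOUTS.items()}


if __name__ == "__main__":
    for modules in ({"gnome", "wm"}, {"wm"}, {"gnome"}):
        print(sorted(modules), compare(modules))
```

With only wm built, the nested form keeps wm_role_template and drops the gnome call, while the single block drops both, which is the "wm and no gnome" case Chris raised. With only gnome built, the nested form drops both calls, which is the dependency the subject line describes; the original sibling layout keeps whichever module is present.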