From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 23 Sep 2013 15:10:47 -0400 Subject: [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template In-Reply-To: <1379663939.16771.66.camel@d30> References: <1379663393-30626-1-git-send-email-dominick.grift@gmail.com> <1379663939.16771.66.camel@d30> Message-ID: <52409237.7080000@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote: > On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote: >> Signed-off-by: Dominick Grift > > This is kind of nasty but this is basically needed for restricted > xwindows users (Fedora probably only targeted to xguest) in an MLS > environment. > > The problem here is that we, and fedora, currently run gnome-shell in > the window manager domain for restricted xwindows users (xguest). > > To be honest, i don't believe this is sufficient anyways. Although it > might just be enough for xguest > > We should probably have thought about this much earlier So if that's the case, shouldn't it instead be changed to the below? optional_policy(` gnome_role_template($1, $1_r, $1_t) wm_role_template($1, $1_r, $1_t) ') If I understand you correctly, if you have wm and no gnome, it breaks. >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if >> index b4a691d..8cd6269 100644 >> --- a/policy/modules/system/userdomain.if >> +++ b/policy/modules/system/userdomain.if >> @@ -942,11 +942,11 @@ >> ') >> >> optional_policy(` >> - gnome_role_template($1, $1_r, $1_t) >> - ') >> - >> - optional_policy(` >> wm_role_template($1, $1_r, $1_t) >> + >> + optional_policy(` >> + gnome_role_template($1, $1_r, $1_t) >> + ') >> ') >> ') -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
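Review bot: In the userdomain.if hunk at @@ -942,11 +942,11 @@, the inner optional_policy around gnome_role_template has no comment saying why it now sits inside the wm_role_template block. The subject line states the dependency chain (gnome_role_template depends on wm_role_template, which depends on dbus_role_template), but the interface itself does not record it, so a later cleanup could flatten the two blocks again. Suggest a one-line comment above the inner block. Also confirm how dbus_role_template is handled, since the hunk shows no call to it in this scope. The commit message consists only of a Signed-off-by line. The rationale given in the follow-up mail (gnome-shell running in the window manager domain for restricted xwindows users) belongs in the commit message.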