* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template @ 2013-09-20 7:49 Dominick Grift 2013-09-20 7:58 ` Dominick Grift 0 siblings, 1 reply; 5+ messages in thread From: Dominick Grift @ 2013-09-20 7:49 UTC (permalink / raw) To: refpolicy Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index b4a691d..8cd6269 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -942,11 +942,11 @@ ') optional_policy(` - gnome_role_template($1, $1_r, $1_t) - ') - - optional_policy(` wm_role_template($1, $1_r, $1_t) + + optional_policy(` + gnome_role_template($1, $1_r, $1_t) + ') ') ') ^ permalink raw reply related [flat|nested] 5+ messages in thread
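Review bot: The inner optional_policy block around gnome_role_template($1, $1_r, $1_t) now sits inside the block that calls wm_role_template, so a policy built with the gnome module but without the wm module no longer gets gnome_role_template for these users. If that coupling is intended, say so in a comment above the outer optional_policy block and in the commit message, which currently carries only the Signed-off-by line while the rationale lives in the subject. Note that putting both calls in one optional_policy block is not equivalent: it would also drop wm_role_template whenever gnome is absent, so the choice between nesting and a single block should be stated deliberately.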
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template 2013-09-20 7:49 [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template Dominick Grift @ 2013-09-20 7:58 ` Dominick Grift 2013-09-23 19:10 ` Christopher J. PeBenito 0 siblings, 1 reply; 5+ messages in thread From: Dominick Grift @ 2013-09-20 7:58 UTC (permalink / raw) To: refpolicy On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote: > Signed-off-by: Dominick Grift <dominick.grift@gmail.com> This is kind of nasty but this is basically needed for restricted xwindows users (Fedora probably only targeted to xguest) in an MLS environment. The problem here is that we, and Fedora, currently run gnome-shell in the window manager domain for restricted xwindows users (xguest). To be honest, I don't believe this is sufficient anyways. Although it might just be enough for xguest. We should probably have thought about this much earlier. > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index b4a691d..8cd6269 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -942,11 +942,11 @@ > ') > > optional_policy(` > - gnome_role_template($1, $1_r, $1_t) > - ') > - > - optional_policy(` > wm_role_template($1, $1_r, $1_t) > + > + optional_policy(` > + gnome_role_template($1, $1_r, $1_t) > + ') > ') > ') > ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template 2013-09-20 7:58 ` Dominick Grift @ 2013-09-23 19:10 ` Christopher J. PeBenito 2013-09-24 12:51 ` Dominick Grift 0 siblings, 1 reply; 5+ messages in thread From: Christopher J. PeBenito @ 2013-09-23 19:10 UTC (permalink / raw) To: refpolicy On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote: > On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote: >> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > > This is kind of nasty but this is basically needed for restricted > xwindows users (Fedora probably only targeted to xguest) in an MLS > environment. > > The problem here is that we, and fedora, currently run gnome-shell in > the window manager domain for restricted xwindows users (xguest). > > To be honest, i don't believe this is sufficient anyways. Although it > might just be enough for xguest > > We should probably have thought about this much earlier So if that's the case, shouldn't it instead be changed to the below? optional_policy(` gnome_role_template($1, $1_r, $1_t) wm_role_template($1, $1_r, $1_t) ') If I understand you correctly, if you have wm and no gnome, it breaks. >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if >> index b4a691d..8cd6269 100644 >> --- a/policy/modules/system/userdomain.if >> +++ b/policy/modules/system/userdomain.if >> @@ -942,11 +942,11 @@ >> ') >> >> optional_policy(` >> - gnome_role_template($1, $1_r, $1_t) >> - ') >> - >> - optional_policy(` >> wm_role_template($1, $1_r, $1_t) >> + >> + optional_policy(` >> + gnome_role_template($1, $1_r, $1_t) >> + ') >> ') >> ') -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template 2013-09-23 19:10 ` Christopher J. PeBenito @ 2013-09-24 12:51 ` Dominick Grift 2013-09-24 13:14 ` Dominick Grift 0 siblings, 1 reply; 5+ messages in thread From: Dominick Grift @ 2013-09-24 12:51 UTC (permalink / raw) To: refpolicy On Mon, 2013-09-23 at 15:10 -0400, Christopher J. PeBenito wrote: > On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote: > > On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote: > >> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > > > > This is kind of nasty but this is basically needed for restricted > > xwindows users (Fedora probably only targeted to xguest) in an MLS > > environment. > > > > The problem here is that we, and fedora, currently run gnome-shell in > > the window manager domain for restricted xwindows users (xguest). > > > > To be honest, i don't believe this is sufficient anyways. Although it > > might just be enough for xguest > > > > We should probably have thought about this much earlier > > So if that's the case, shouldn't it instead be changed to the below? > > optional_policy(` > gnome_role_template($1, $1_r, $1_t) > wm_role_template($1, $1_r, $1_t) > ') > > If I understand you correctly, if you have wm and no gnome, it breaks. For some reason that won't work, it's strange but if I try the above then the wm role template does not work but the gnome role template does (I tried in monolithic policy) e.g. there won't be any xguest_wm_t type but there will be a xguest_gkeyringd_t type. wm_role_template really needs to be nested as optional policy under gnome_role_template as shown below. You don't have to take my word for it, you can just try it out and see what happens. This dependency stuff is really blowing my mind sometimes. > > >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > >> index b4a691d..8cd6269 100644 
> >> --- a/policy/modules/system/userdomain.if > >> +++ b/policy/modules/system/userdomain.if > >> @@ -942,11 +942,11 @@ > >> ') > >> > >> optional_policy(` > >> - gnome_role_template($1, $1_r, $1_t) > >> - ') > >> - > >> - optional_policy(` > >> wm_role_template($1, $1_r, $1_t) > >> + > >> + optional_policy(` > >> + gnome_role_template($1, $1_r, $1_t) > >> + ') > >> ') > >> ') > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH] For restricted_xwindows_user, the gnome_role_template depends on the wm_role_template, which depends on the dbus_role_template 2013-09-24 12:51 ` Dominick Grift @ 2013-09-24 13:14 ` Dominick Grift 0 siblings, 0 replies; 5+ messages in thread From: Dominick Grift @ 2013-09-24 13:14 UTC (permalink / raw) To: refpolicy On Tue, 2013-09-24 at 14:51 +0200, Dominick Grift wrote: > On Mon, 2013-09-23 at 15:10 -0400, Christopher J. PeBenito wrote: > > On Fri 20 Sep 2013 03:58:59 AM EDT, Dominick Grift wrote: > > > On Fri, 2013-09-20 at 09:49 +0200, Dominick Grift wrote: 
> > >> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > > > > > > This is kind of nasty but this is basically needed for restricted > > > xwindows users (Fedora probably only targeted to xguest) in an MLS > > > environment. > > > > > > The problem here is that we, and fedora, currently run gnome-shell in > > > the window manager domain for restricted xwindows users (xguest). > > > > > > To be honest, i don't believe this is sufficient anyways. Although it > > > might just be enough for xguest > > > > > > We should probably have thought about this much earlier > > > > So if that's the case, shouldn't it instead be changed to the below? > > > > optional_policy(` > > gnome_role_template($1, $1_r, $1_t) > > wm_role_template($1, $1_r, $1_t) > > ') > > > > If I understand you correctly, if you have wm and no gnome, it breaks. > > For some reason that wont work, its strange but if i try the above then > the wm role template does not work but the gnome role template does ( i > tried in monolithic policy ) > > e.g. there wont be any xguest_wm_t type but there will be a > xguest_gkeyringd_t type > > wm_role_template really needs to be nested as optional policy under > gnome_role_template as shown below > > You dont have to take my word for it, you can just try it out and see > what happens > > This dependency stuff is really blowing my mind sometimes > Scratch the above, I think it does work actually. I had the rule from contrib that I use to verify whether it works commented out (pending adoption of this patch) but the xguest_wm_t type was there, so yes it works. That's the only sensible outcome, so I will just go ahead and send you a patch with your requested change. > > > > >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > > >> index b4a691d..8cd6269 100644 > > >> --- a/policy/modules/system/userdomain.if > > >> +++ b/policy/modules/system/userdomain.if 
> > >> @@ -942,11 +942,11 @@ > > >> ') > > >> > > >> optional_policy(` > > >> - gnome_role_template($1, $1_r, $1_t) > > >> - ') > > >> - > > >> - optional_policy(` > > >> wm_role_template($1, $1_r, $1_t) > > >> + > > >> + optional_policy(` > > >> + gnome_role_template($1, $1_r, $1_t) > > >> + ') > > >> ') > > >> ') > > > > -- > > Chris PeBenito > > Tresys Technology, LLC > > www.tresys.com | oss.tresys.com > > ^ permalink raw reply [flat|nested] 5+ messages in thread