@swift: This is somewhat related to the gnome_xdg_ patch discussed over IRC earlier but you wanted a record of it, gconf is part of gnome and used to store settings, it looks like applications can not talk to the server over dbus but the policy does not allow it.

$ gconftool-2 -g /apps
Failed to get value for `/apps': Configuration server couldn't be contacted: D-BUS error: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.85" (uid=1000 pid=11876 comm="gconftool-2 -g /apps ") interface="org.gnome.GConf.Server" member="GetDefaultDatabase" error name="(unset)" requested_reply="0" destination="org.gnome.GConf" (uid=1000 pid=10906 comm="/usr/libexec/gconfd-2 ")

$ ls -laZ /usr/bin/gconftool-2
-rwxr-xr-x. 1 root root staff_u:object_r:bin_t 67504 May 6 09:51 /usr/bin/gconftool-2*

$ ls -laZ /usr/libexec/gconfd-2
-rwxr-xr-x. 1 root root staff_u:object_r:gconfd_exec_t 51176 May 6 09:51 /usr/libexec/gconfd-2*

$ id -Z
staff_u:staff_r:staff_t

$ ps -efZ | grep gconf
staff_u:staff_r:gconfd_t jason 10906 1 0 May16 ? 00:00:00 /usr/libexec/gconfd-2

--
Jason

Reproducible: Always
I managed to track down the denials.

May 20 18:02:46 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_call interface=org.gnome.GConf.Server member=GetDefaultDatabase dest=org.gnome.GConf spid=3717 tpid=2454 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:gconfd_t tclass=dbus

May 20 18:04:57 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_return dest=:1.67 spid=2454 tpid=3760 scontext=staff_u:staff_r:gconfd_t tcontext=staff_u:staff_r:staff_t tclass=dbus

I am attaching a patch to the gnome policy which adds "gnome_dbus_chat_gconfd" and "gnome_dbus_chat_all_gconfd" which fixes the problem.
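The two denials in the comment above are the two halves of one D-Bus conversation: the method_call from staff_t to gconfd_t and the method_return going back. As an added example (not part of the original report or of the attached patch), this Python code parses dbus AVC lines of that form and lists the raw send_msg rule needed in each direction; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two denial lines quoted in the comment above.
SAMPLE_LOG = """\
May 20 18:02:46 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_call interface=org.gnome.GConf.Server member=GetDefaultDatabase dest=org.gnome.GConf spid=3717 tpid=2454 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:gconfd_t tclass=dbus
May 20 18:04:57 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_return dest=:1.67 spid=2454 tpid=3760 scontext=staff_u:staff_r:gconfd_t tcontext=staff_u:staff_r:staff_t tclass=dbus
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_dbus_denials(text):
    """Yield (source_type, target_type, msgtype) for each dbus send_msg denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or "send_msg" not in m.group("perms").split():
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        if fields.get("tclass") != "dbus":
            continue
        # A context is user:role:type[:mls-range]; the type is the third field.
        yield (fields["scontext"].split(":")[2],
               fields["tcontext"].split(":")[2],
               fields.get("msgtype", "?"))


def chat_rules(text):
    """Map each domain pair to [(allow_rule, seen_in_log)] for both directions."""
    denied = defaultdict(set)
    for src, tgt, _ in parse_dbus_denials(text):
        denied[tuple(sorted((src, tgt)))].add((src, tgt))
    # A D-Bus "chat" needs send_msg both ways, so the reverse rule is listed
    # even when the log only shows one direction being denied.
    return {
        (a, b): [(f"allow {s} {t}:dbus send_msg;", (s, t) in seen)
                 for s, t in ((a, b), (b, a))]
        for (a, b), seen in denied.items()
    }


if __name__ == "__main__":
    for pair, rules in chat_rules(SAMPLE_LOG).items():
        for rule, seen in rules:
            print(rule, "" if seen else " # reverse direction, not yet in log")
```

In enforcing mode a denied method_call never reaches the service, so the method_return denial only shows up once the first direction is allowed; that is why the reverse rule is reported even when it has not been logged yet.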
Created attachment 377290
gconf dbus policy addition

adds two interfaces to the gnome policy
I would use the gnome_dbus_chat_gconfd interface, but with the content you provided for the gnome_dbus_chat_all_gconfd interface.

My reasoning for it is that
- the *_gconfd_t types are aliases for gconfd_t
- an "all_gconfd" would imply (to me) that *_gconfd_t domains have a common attribute (like "gconfd_domain") that would be used instead
(In reply to Sven Vermeulen from comment #3)
> I would use the gnome_dbus_chat_gconfd interface, but with the content you
> provided for the gnome_dbus_chat_all_gconfd interface.

That's fine with me, having two interfaces seemed a bit superfluous anyway.

> My reasoning for it is that
> - the *_gconfd_t types are aliases for gconfd_t
> - an "all_gconfd" would imply (to me) that *_gconfd_t domains have a common
> attribute (like "gconfd_domain") that would be used instead

It's called gconfd_t. The relevant part of the policy is:

type gconfd_t, gnomedomain;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
Is in the live repo, will be part of rev 3
r3 is in tree, ~arch
r3 is stabilized