| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux rules for dbus and gconf | | |
| Product: | Gentoo Linux | Reporter: | Jason Zaman <perfinion> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r3 | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | gconf dbus policy addition | | |
Description
Jason Zaman
2014-05-17 16:43:21 UTC
I managed to track down the denials.

```
May 20 18:02:46 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_call interface=org.gnome.GConf.Server member=GetDefaultDatabase dest=org.gnome.GConf spid=3717 tpid=2454 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:gconfd_t tclass=dbus
May 20 18:04:57 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_return dest=:1.67 spid=2454 tpid=3760 scontext=staff_u:staff_r:gconfd_t tcontext=staff_u:staff_r:staff_t tclass=dbus
```

I am attaching a patch to the gnome policy which adds "gnome_dbus_chat_gconfd" and "gnome_dbus_chat_all_gconfd", which fixes the problem.

Created attachment 377290
gconf dbus policy addition

adds two interfaces to the gnome policy
Sven Vermeulen
I would use the gnome_dbus_chat_gconfd interface, but with the content you provided for the gnome_dbus_chat_all_gconfd interface. My reasoning for it is that
- the *_gconfd_t types are aliases for gconfd_t
- an "all_gconfd" would imply (to me) that *_gconfd_t domains have a common attribute (like "gconfd_domain") that would be used instead

Jason Zaman
(In reply to Sven Vermeulen from comment #3)
> I would use the gnome_dbus_chat_gconfd interface, but with the content you
> provided for the gnome_dbus_chat_all_gconfd interface.

That's fine with me, having two interfaces seemed a bit superfluous anyway.

> My reasoning for it is that
> - the *_gconfd_t types are aliases for gconfd_t
> - an "all_gconfd" would imply (to me) that *_gconfd_t domains have a common
> attribute (like "gconfd_domain") that would be used instead

It's called gconfd_t. The relevant part of the policy is:

```
type gconfd_t, gnomedomain;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
```

Is in the live repo, will be part of rev 3

r3 is in tree, ~arch

r3 is stabilized
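As an added example (not part of the bug report or the attached patch), the script below parses the two dbus AVC denials quoted above and derives the pair of `send_msg` rules that a bidirectional "chat" interface such as gnome_dbus_chat_gconfd has to grant. The AVC lines are re-embedded here as constructed input, and the `allow` rule rendering assumes plain TE syntax rather than the exact contents of the attachment.

```python
import re

# Constructed input: the two dbus userspace AVC denials quoted in the bug.
AVC_LINES = [
    "May 20 18:02:46 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_call "
    "interface=org.gnome.GConf.Server member=GetDefaultDatabase dest=org.gnome.GConf "
    "spid=3717 tpid=2454 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:gconfd_t tclass=dbus",
    "May 20 18:04:57 pippin dbus[2244]: avc: denied { send_msg } for msgtype=method_return "
    "dest=:1.67 spid=2454 tpid=3760 scontext=staff_u:staff_r:gconfd_t "
    "tcontext=staff_u:staff_r:staff_t tclass=dbus",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (perms, fields) for an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return perms, fields


def domain_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def dbus_send_pairs(lines):
    """Collect (source_type, target_type) pairs that were denied dbus send_msg."""
    pairs = set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        if f.get("tclass") != "dbus" or "send_msg" not in perms:
            continue
        pairs.add((domain_of(f["scontext"]), domain_of(f["tcontext"])))
    return pairs


def is_bidirectional(pairs, a, b):
    """True when both the call (a->b) and the return (b->a) were denied: a 'chat' case."""
    return (a, b) in pairs and (b, a) in pairs


def chat_rules(pairs):
    """Render one allow rule per denied direction (assumed plain TE syntax)."""
    return [f"allow {src} {tgt}:dbus send_msg;" for src, tgt in sorted(pairs)]
```

Because the method_call and the method_return are denied in opposite directions, a one-way rule would leave the reply blocked, which is why the interface grants both directions.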