From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1379917650.6e23089d1f62f91276576f9038553bba5dd232bd.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/gnome.if policy/modules/contrib/wm.if policy/modules/contrib/wm.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 6e23089d1f62f91276576f9038553bba5dd232bd
X-VCS-Branch: merge
Date: Mon, 23 Sep 2013 06:29:26 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f7961d67-8291-477e-a76f-af5608ba4f71
X-Archives-Hash: 5ad3cfe26fcfbfdb15b07461a99f5031
Message-ID: <20130923062926.0D0aopSYs14HZF7JGSamUaExSi4xug6m2B0Q5xrm2x8@z>

commit:     6e23089d1f62f91276576f9038553bba5dd232bd
Author:     Dominick Grift gmail com>
AuthorDate: Thu Sep 19 17:59:43 2013 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Mon Sep 23 06:27:30 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6e23089d

Hit by a nasty optional policy nesting issue

Basically gnome keyring daemon depends on a window manager, and window managers depend on dbus. Thus for restricted xwindows users, the gnome_per_role_template optional policy needs to be nested in the wm_per_role_template optional policy, which needs to be nested in the dbus_per_role_template optional policy. I tried to get dbus out of the equation but was not able to.

Signed-off-by: Dominick Grift gmail.com>
---
 policy/modules/contrib/gnome.if |  4 +++-
 policy/modules/contrib/wm.if    | 12 +++++++-----
 policy/modules/contrib/wm.te    |  4 ----
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if index d03fd43..ab09d61 100644 --- a/policy/modules/contrib/gnome.if +++ b/policy/modules/contrib/gnome.if @@ -111,7 +111,9 @@ template(`gnome_role_template',` optional_policy(` dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) - gnome_dbus_chat_gkeyringd($1, $3) + optional_policy(` + gnome_dbus_chat_gkeyringd($1, $3) + ') ') ') diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if index 25b702d..fbd84ba 100644 --- a/policy/modules/contrib/wm.if +++ b/policy/modules/contrib/wm.if @@ -68,6 +68,9 @@ template(`wm_role_template',` auth_use_nsswitch($1_wm_t) + xserver_role($2, $1_wm_t) + xserver_manage_core_devices($1_wm_t) + optional_policy(` dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -77,13 +80,12 @@ template(`wm_role_template',` ') ') - optional_policy(` - pulseaudio_run($1_wm_t, $2) - ') + # optional_policy(` + # gnome_stream_connect_gkeyringd($1, $1_wm_t) + # ') optional_policy(` - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) + pulseaudio_run($1_wm_t, $2) ') ') diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te index 0f5148e..ffe166f 100644 --- a/policy/modules/contrib/wm.te +++ b/policy/modules/contrib/wm.te @@ -57,10 +57,6 @@ optional_policy(` ') optional_policy(` - gnome_stream_connect_gkeyringd(wm_domain) -') - -optional_policy(` networkmanager_dbus_chat(wm_domain) ')
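Review bot: in the gnome.if hunk, the new inner optional_policy inside gnome_role_template wraps a single call, gnome_dbus_chat_gkeyringd($1, $3), which is an interface of this same module, so nothing in the hunk says which optional module the extra block is guarding; only the commit message's wm/dbus chain explains it. Put a one-line comment above the inner block naming that dependency, otherwise the next person to touch this template will see two directly nested optional_policy blocks with nothing between them and flatten them as redundant.

Review bot: in the first wm.if hunk, xserver_role($2, $1_wm_t) and xserver_manage_core_devices($1_wm_t) are now called unconditionally in wm_role_template, which makes xserver a hard dependency of every role that uses this template (the second hunk deletes the optional_policy that used to wrap the same two calls, so this is a move, not an addition). That is reasonable for a window manager, but the commit message only discusses the dbus and gnome nesting; mention the xserver change there, since a policy built without the xserver module will now fail to build the wm role instead of silently skipping the block.

Review bot: in the second wm.if hunk, the commented-out gnome_stream_connect_gkeyringd($1, $1_wm_t) block should either be dropped or carry a comment saying why it is disabled; dead code in a template is too easy to re-enable by accident. Its arity also differs from the call removed in wm.te, gnome_stream_connect_gkeyringd(wm_domain), so one of the two forms does not match the interface's signature; settle that before anyone uncomments it. Moving pulseaudio_run($1_wm_t, $2) below it is fine.

Review bot: in the wm.te hunk, deleting the optional_policy around gnome_stream_connect_gkeyringd(wm_domain), while the wm.if hunk only adds the per-role replacement as a comment, means no window manager domain keeps stream-connect access to the keyring daemon after this patch. If that is a deliberate trade to break the cycle the commit message describes (gnome depending on wm, so wm must not depend on gnome), state it in the commit message; if not, the per-role call in wm.if needs to be live. Either way, log in as a restricted X user after applying this and check for new denials from the wm domain against the keyring socket.

As an added illustration of the nesting the commit message describes, not code from the commit or from refpolicy: a hypothetical restricted X user role, xuser, carrying the three per-role templates in dependency order. The diff names the templates gnome_role_template and wm_role_template (the commit message calls them _per_role_template); the argument order (prefix, role, domain), the xuser_r/xuser_t names, and the existence of dbus_role_template and userdom_restricted_xwindows_user_template in this form are assumptions, since the hunks only show that gnome_role_template uses $1 and $3 and wm_role_template uses $1 and $2.

```m4
## Hypothetical role module for a restricted X user (added example, not from
## the commit). Assumed: argument order (prefix, role, domain) for all three
## templates; dbus_role_template and userdom_restricted_xwindows_user_template
## are not shown on this page and are assumed to take the same shape.

role xuser_r;
userdom_restricted_xwindows_user_template(xuser)

# Each template sits in its own optional_policy, nested in dependency order:
# gnome keyring needs the window manager, the window manager needs dbus.
# If dbus is not built, the whole chain is skipped at link time; if wm is not
# built, dbus stays and the inner two are skipped. Three sibling
# optional_policy blocks is the layout the commit message says did not work.
optional_policy(`
	dbus_role_template(xuser, xuser_r, xuser_t)

	optional_policy(`
		wm_role_template(xuser, xuser_r, xuser_t)

		optional_policy(`
			gnome_role_template(xuser, xuser_r, xuser_t)
		')
	')
')
```

Keep the nesting order fixed to the dependency direction: the outermost block must be the template whose types the inner ones reference, otherwise dropping one optional block at link time leaves an inner block with unsatisfiable requires.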