[refpolicy] new svn refpolicy difficuties:
justinmattock at gmail.com
Thu Dec 4 14:50:45 CST 2008
On Wed, Dec 3, 2008 at 1:06 PM, Justin Mattock <justinmattock at gmail.com> wrote:
> On Wed, Dec 3, 2008 at 12:30 PM, Christopher J. PeBenito
> <cpebenito at tresys.com> wrote:
>> On Wed, 2008-12-03 at 08:49 -0800, Justin Mattock wrote:
>>> with the newrole mechanism, If
>>> I log in as sysadm_r, then change roles to
>>> user_r, I see the:
>>> allow newrole user_r process transition
>>> (but can never be put into the policy?)
>>> With the older policies I would
>>> initialialy login as syadm_r, then
>>> login to staff_t for starting the internet,
>>> then user_r for entertainment needs
>>> but with this new mechanism, seems to
>>> be something different!!
>> I fixed a mistake in the role change constraint. svn up and it should
>> work again.
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
> Cool thanks for looking into this,
> unfortunately I can't get this thing to compile
> to get to the point of changing roles.
> unless you're talking about:
> git clone http://oss.tresys.com/git/selinux.git
> then I can go ahead and do a git-pull
> and see If I get that annoying
> newrole *_t process transition thing..
> (In any case my head hurts,
> I need a beer) ;^)
> Justin P. Mattock
two things here:(or three)
A) I really don't know what I'm doing,
but am willing to try.
B) Thank you very much for the help,
C) I finally figured it out,
The policy doesn't like sudo, or su
i.g. starting a terminal with nubuntu,
under .fluxbox/init I see
aterm -e sudo su
reason for the error when compiling.
If I start aterm, (normally)
the policy will compile, if I use
newrole -r user_r -- -c /usr/bin/firefox
in aterm I can change roles and use firefox.
(in full enforced mode)
wpa_supplicant seems a bit interesting
since I need to be root to run...
(probably need to have this run during boot)
seems to create sysadm_dbus_t
which tells me another sudo or su
Is there a command to run an application
as root(i.g. wpa_supplicant, and dhclient)?
Anyways thanks again,
Justin P. Mattock
More information about the refpolicy