[refpolicy] [PATCH 13/34]: patch to allow networkmanager dbus chat

Christopher J. PeBenito cpebenito at tresys.com
Mon Mar 14 07:44:56 CDT 2011 

On 3/10/2011 4:53 PM, Guido Trentalancia wrote:
> On Mon, 07/03/2011 at 14.37 -0500, Christopher J. PeBenito wrote:
>> On 03/07/11 12:09, Guido Trentalancia wrote:
>>> On Mon, 07/03/2011 at 08.56 -0500, Christopher J. PeBenito wrote:
>>>> On 02/23/11 13:50, Guido Trentalancia wrote:
>>>>> Hello Christopher !
>>>>>
>>>>> On Wed, 23/02/2011 at 09.36 -0500, Christopher J. PeBenito wrote:
>>>>>> On 02/16/11 01:13, Guido Trentalancia wrote:
>>>>>>> This patch allows dbus chat between networkmanager and dbus and
>>>>>>> between networkmanager and xdm. It also adds a missing permission
>>>>>>> (sysnet_read_dhcpc_state) to the networkmanager module.
>> [cut]
>>>>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/xserver.te refpolicy-git-15022011-new-modified/policy/modules/services/xserver.te
>>>>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/xserver.te	2011-02-15 23:07:24.845137330 +0100
>>>>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/services/xserver.te	2011-02-15 23:17:05.369699539 +0100
>>>>>>> @@ -548,6 +548,10 @@ optional_policy(`
>>>>>>>   ')
>>>>>>>
>>>>>>>   optional_policy(`
>>>>>>> +	networkmanager_dbus_chat(xdm_t)
>>>>>>> +')
>>>>> More or less I have reported back what was being requested (in the form
>>>>> of a patch).
>>>> It makes me wonder if everything is running in the right domain.
>>> That could be. But I have not been provided with a reference. So, can
>>> you provide a reference ps auxZ which then I will compare as soon as I
>>> can access the test system again ?
>>
>> It would be simpler if you could provide the ps output.  The only process that should be running in xdm_t should be xdm/gdm/kdm. If your nm-applet is running in xdm_t, it is wrong.  It should be running in the user's domain.
>
> Yes, I can now confirm. Everything past the X login runs in xdm_t
> because pam_selinux open is disabled for gdm. Enabling pam_selinux open
> for gdm leads to graphical login failures. I am trying to sort this out
> now. Is it a known issue ?
>
> Do you believe such a case (gdm not using pam_selinux) should be dropped
> and not considered as a possible scenario ?

The login application needs to set the right context for the user 
logging in.  A login app that does not do this is malfunctioning w.r.t. 
SELinux.  It is not a valid scenario in the policy.  I will remove the 
xdm_t dbus access that I added from your consolekit patch, and ignore 
the other patches that have additional xdm_t dbus permissions.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

More information about the refpolicy mailing list