On Wed, Feb 27, 2019 at 03:02:06PM +0100, Petr Lautrbach wrote: > > Nicolas Iooss <nicolas.iooss@xxxxxxx> writes: > > > Hello, > > > > Currently, gui/Makefile installs three .desktop files: > > * /usr/share/system-config-selinux/selinux-polgengui.desktop > > (with > > "Exec=/usr/bin/selinux-polgengui") > > * /usr/share/system-config-selinux/sepolicy.desktop (with > > "Exec=/usr/bin/sepolicy gui") > > * /usr/share/system-config-selinux/system-config-selinux.desktop > > (with > > Exec=/usr/bin/system-config-selinux) > > > > There are several issues about them: > > * The first one does not work because "make install" does not > > create > > /usr/bin/selinux-polgengui. It creates > > /usr/share/system-config-selinux/polgengui.py instead. > > * The first two ones do not work on Arch Linux because the > > commands > > they use need to be run as root in order to load. > > * None of them are seen by GNOME or XFCE, which look for > > .desktop > > files in /usr/share/applications/. This has been reported for > > Arch > > Linux on https://github.com/archlinuxhardened/selinux/issues/20. > > > > Are these files used by other distributions? Would it break > > things if > > these files are moved to /usr/share/applications/ > > This is from Fedora policycoreutils.spec: > > --- > ln -sf /usr/share/system-config-selinux/polgengui.py > %{buildroot}%{_bindir}/selinux-polgengui > > desktop-file-install --dir %{buildroot}%{_datadir}/applications > --add-category Settings \ > %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop > > desktop-file-install --dir %{buildroot}%{_datadir}/applications > --add-category Settings \ > %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop > > desktop-file-install --dir %{buildroot}%{_datadir}/applications \ > %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop > > rm -f > %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop > rm -f > %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop > rm -f > %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop > --- > > It's been like that for more than 6 years already. > > Given that it addresses almost all the described problems I can > say that > your proposed changes won't break anything in Fedora. I haven't even packaged the gui on Gentoo, so its definitely not a regression here :) > > > and if pkexec is > > introduced in order to run commands as root (ie. > > selinux-polgengui.desktop is changed to "Exec=/usr/bin/pkexec > > /usr/share/system-config-selinux/polgengui.py" and > > sepolicy.desktop to > > "Exec=/usr/bin/pkexec /usr/bin/sepolicy gui")? > > > > /usr/share/system-config-selinux/polgengui.py works without root > on > Fedora. > > sepolicy gui asks for privileges on "Action: > org.selinux.customized" which is decorated by > @slip.dbus.polkit.require_auth so I'm not sure if pkexec is really > needed. If it works without thats obviously the best. But also I seem to recall pkexec had issues on my machine. It might need policy updates? Not that I'd be opposed if you added pkexec since its not used here at all right now so if I added the gui I'd just fix pkexec first. -- Jason > > > Nicolas >
