Received: by 2002:a17:90b:8d0:0:0:0:0 with SMTP id ds16csp391371pjb; Wed, 22 Jul 2020 02:34:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwV8mcoFwX5mQizAZl1SmyLqxFlhw1K4OB41d/sMDSQq/kN05WGyLfuqqY5fc60RLsQn1p8 X-Received: by 2002:aa7:db57:: with SMTP id n23mr29454131edt.235.1595410486627; Wed, 22 Jul 2020 02:34:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595410486; cv=none; d=google.com; s=arc-20160816; b=adirOLzPEyjbadhO85iA0ZHOqz8QCCbWj8BB/Q14K0Ee3WdhwnRaCrJhWlSuJVH7WA Qm9R1RwKojHUHbWNxxjcV1F9NixP5MEcY81emBFLKrbE9dd62+zP4iYUcZyAo/D+IIVs 7OuWsLOfmkFWhm7MLEktaLg0VK0QlNwjyDlqx1lILYwcthWEMdOp2f0UFG8T1bgUn8bv 8ZC72aOBMqdXEUu3S8PMw/uBDjv1ugCuY+YoN3KEWsc4/h+xbhnOhETshI4cNCiNUYD/ 5MkswhL74XiN7Ig7NxTKq/oTKDjn60HWkLjkjcOGfIsNLJYmu6/oZhM5YiljOCp7FVkS xymw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:from:references:to:subject; bh=Fj22erHStQuhuhzBRCesE0aMWhMCQLSrL/pJQdirmhE=; b=VEZE4C1CO3ejfa8DJs/6Gt2rh8cX6w380fDIUStA0yAEqhVZPX4dpMO/G1gVpnFwwZ O1pFt626WY52PKlH6yaKUAyUuigyG7cBWnXxOf0ABbHdaDZsBhAtMIaUkWSEfaewJqvz sbDgPQrHYxjRkYB0cYpIzsFH8vWUBIvVXfcGS82F+Qp+ReGL8ve09Y865q6rfZOgjV+c L//wFbHt1PJTi6MmcpTXA+bUrw3h9rZL1t1Lfb1ljzgGt0wAbOXK8X4at8nX+mhBevnb f3hR19z6QZ2KNfLZzUFN9dQhSAXhim4qD51b7uO+vsfgILxeHdNCzooIqzjSxwmY565O oP6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id pj28si12223649ejb.330.2020.07.22.02.34.40; Wed, 22 Jul 2020 02:34:46 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731326AbgGVJdj convert rfc822-to-8bit (ORCPT + 15 others); Wed, 22 Jul 2020 05:33:39 -0400 Received: from ithil.bigon.be ([163.172.57.153]:52464 "EHLO ithil.bigon.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727819AbgGVJdj (ORCPT ); Wed, 22 Jul 2020 05:33:39 -0400 X-Greylist: delayed 504 seconds by postgrey-1.27 at vger.kernel.org; Wed, 22 Jul 2020 05:33:37 EDT Received: from localhost (localhost [IPv6:::1]) by ithil.bigon.be (Postfix) with ESMTP id B53641FDE4; Wed, 22 Jul 2020 11:25:10 +0200 (CEST) Received: from ithil.bigon.be ([IPv6:::1]) by localhost (ithil.bigon.be [IPv6:::1]) (amavisd-new, port 10026) with ESMTP id DHbN-vgZYXyF; Wed, 22 Jul 2020 11:25:10 +0200 (CEST) Received: from [IPv6:2a02:a03f:65b8:4300:746b:cff:67dc:4fbd] (unknown [IPv6:2a02:a03f:65b8:4300:746b:cff:67dc:4fbd]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: bigon@bigon.be) by ithil.bigon.be (Postfix) with ESMTPSA; Wed, 22 Jul 2020 11:25:10 +0200 (CEST) Subject: Re: [PATCH] Also label polkit-agent-helper-1 when installed directly in /usr/libexec To: bauen1 , selinux-refpolicy@vger.kernel.org References: <20200722085908.57820-1-bigon@debian.org> From: Laurent Bigonville Autocrypt: addr=bigon@debian.org; keydata= mQINBEt3P9IBEAC883icAuxmVt4deGPxDeiEV2cT4pw4uXibIeZ1XNSrwrWcAgsK/o61nZWT hxIpTFe2c3/B+ijBdEHXqV9lZMsIgiAyExfkwM4DCamEtXoC3Cec9BlGuIJ/Eti8bb/wsvOt SQiQC7X/j51ExB7ag+f/9LINLcNgn1PP4kqAAo+d1zgEXyQLJmqqxaYwuwyJausPUu3UuSUH k6Gujhs3eB5lf5SNPR347JGLyv/L03EbwBgUxte4w0IkXfxxFSj93aOv69+mJNmPUgjNDn+A oYTLT5ddsls4iNzwd4zdqDJtCrNnlG7xXf1mkB+v4j96n00JTMYX2v+vN1TK2kAzo1WnMhhc WZv6f50uskCcdqzuNkSzEHBPoVZRX6FPtSfqbBcqRvyYwNn6Dv8V+k0LWLr6SJukl96a/C7u ZLOnIzie+B3/Oj+YQKJf7TLUJUi0tt6Z/LFZ4Qrwu2vJwprlhyKCsos2+rPs7BQHzg/JEROj j3wXkkILZSuBB+bFIIKJljVwIYM4Feqk0WDhiYbazRY7MWro7ZY8Pp4STjLgaWvJwaUnCrhh T4taVNl7ZxnohbFZhxgtgoK7XHijWbGJnG9Mkg5T4AnI0bQTkZfFR9gReKl2RPHLooHHILBg anj16MvZdebRP7S7JeAy/tpBTJ6chSu6dTevk7jGnxVT51YHHwARAQABtCVMYXVyZW50IEJp Z29udmlsbGUgPGJpZ29uQGRlYmlhbi5vcmc+iQJUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYC AwEAAh4BAheAFiEEfg7T0rNKA7FfnzEhx/f5Zg2CpoIFAl40LNcFCRw4BoUACgkQx/f5Zg2C poK/Ew/+JafweV7zVES4WqRKlhNp8rzEtGzZX1RL1fAEP8/SZFBUMvKgXjCvufdw3ODIdkOk +/PI/x3ikysYvnCxMHtsSqwT5nbKjPIDBxVFWtDJL0Jzl34XFgF7rrdIxKT7HCQqcyiUWVHA PxAFKVmDIf9j2FNC/dMjo4/5XGBHtIyfOC6HN1gwaxhyjFzREOnRIH6xsCd3yInpk0+MYOUz /abcpHIQlNfWi3ApqdTa86qEBMK5yuQfpFh9xdAqx1Nv1FlvM8Gfn4/8+o/z60eGJgY0jxHB eG4YHtbvtGje71mazLWhSCLN4LuSk8Ee2yoQM/VTPYQG9AmIn6UumvBecvNBbxB0SO+BkQ4D ++sBsn4Js6vacgk1DvSDWfTRIdKhfjbkRUe3ljFgav8iLQ/zLW+efQgv8sbR42UQ2e0p2y3M IODSThTUteN5j1gpTEw7HHxiLxKg4MlhUfYjhecK4MfbxWt7lt7AVenfldz1lp4o9Wc0WBes aRC2Nh5eQr5huOrpwysusOlQtwZVR6DXmXiknZb1xtRiKqjRnnLlxDtfQAyium5KSsvzo/At ZbKFUKixmqeFQ8Gd4jeF73R0Uu3nycE4nJD38AZLi5d8q5clXt+RylYJHh2X0eJyuTlTc9pE tg00ntB9jCDo1o1VUk9ReslfiokWqAAj5fH54QAAasC5AQ0ES3dALgEIAKlaXty71KRlZ6No UQd6GhmRM3jjLlxI4Kem0G04DTy2XiZSxY7uP8eapOCx5gCPqnU07uUrmWVwlKFvTlJbJxWU Mj96RUvMTikjAnlHkmDFToWttP1Re5XxUCYpcYK1/1IHLFFAip2vInl86zOsr4Gr/UkN282H oXQTHVL2+MY0i5kZAoRybxC8mX0S4aTzuRZSVb1ut/t4pqj1Zwk8/5xPYYITQEULM4ZqcHOL iQ5JcBM7jHUZQGgLT/2fLVmoUl/0lpt0kNcnLoXNn3KJQ14wu2p3AJV9eRV8vcEviHYaBx4A T5XULl15icDTlSKXQhX9A7zMmYiGBi4qNFPTwlcAEQEAAYkDWwQYAQgAJgIbAhYhBH4O09Kz SgOxX58xIcf3+WYNgqaCBQJeNC08BQkU7TqOASnAXSAEGQEIAAYFAkt3QC4ACgkQH8WJHrqw Q9XsBwf9HCBRg93F61pjS07ATWFUhgTr6GIldD2vZIQ3LYmiBOKJFa53MWgNudCrmDXZIaAX LYA2WvbpfX/OuCM2QfGr5vdY7uX7wbFi1Kf2fIN+pJC7YAQ+UsGsRG3hmqTbIx+ixGcho77S tfK2ewAlLP1J8wGMdP5bs8bSnldNloSh0DmO+mPU4HiOOrWTdK8tzYxUlMXCLdyBhAF8s5PW G62XLJ/+DVT9Nlu99VMppEAqZS7lVuvBVdbN76B+b0lS7pwb/jcPhfCLrhyUtuIuzSOUSOD3 U2JK0Y6wF1TuBEfHZ/uXZ0mFNkJPmV5w7Gjf3YvVgBmj0UXbnS5neeIfv30t9QkQx/f5Zg2C poKSqA//c1HlIrKLbR3nbFVpf2mPL+FepqkZC0OBbXMWgsF8qAL7Dxa7a6wZnzNHAqBaT79c gdFOW3UXbKzP3K04m/yCrV5UKC2l4gR/CApv/jvQqph5ez2s/8JAOM1S7IXkUIFPyuWB+Izm 96SHpKGU3L7cA69KM7HqbdV2xBN6WSThL83Aao7Wu1rcadV/W8tdokxV9pdnVpP8QDBMYKdr vGX3Ujw+nN7+qQ2ZYG0eMeSN9+V6V+4CBKCHw38wh+RVX9QSix8bi9F56Oo2XMLEaQXHhb2e pabgyMNyWfLIC88x5a+cgZMPuP8gZb+JSRim6kxFWlh2Pp0W4rcIkdlo8yTrVUc3eKGXFiMQ N9uGQlBnR9w3nXGrgkHoIxRwAoCllDDY2cMGJ0l01GMmZBl3E+wr61COcfa9uG0IXfHmk/Nn 2uJKdF42EQSiBS5m3mfCCv7btyxzoKNYrHNYdnb4R9ClO3+/pSZUKUcvFA0PAUlxh/Z++oNg ++X41g6kyEyQvAQWcwS05eoMB3X4DWuAKmiYrMyMBKWJrQVupBpN0xfKJZlvAU6CydWptbve JQxKJg8W9QL1XAWlDU/aVzJRH/e3XBlK74yIBfzkbApdbksXObJeoaRtQsakL4R+7pdAzLyl Chyj2AzxdZYU2nYNdBq7KOyPA7bZa0f//R+3nsc43JS5AQ0ES3dAPQEIAMM1PD83UDjyw7/8 myyYmki3IesmdZ0Ym8OHlSrlWqiVLf0Hxo11COMK0jAotflp8xi8JHl5SMSAQaV/AxwfMA+0 ulmVcyiINoKb8KlLF6FROV/LFar0W/zh01vPV5wstGwqh2ZtePUPlkF7EhBTaW15XaWMJ3Lw ZZDROCHUtaNWaYrip1hj39I5QWWudM74IbSElibwf0ZlJbFZ8j9ImNQElUUzn5TvR3mt8qXC +24UBbWtVYUQdjnVexXw11QTkZpUswE/WC9J/8Xfks/DbKXI4PrIHLmob3MWildHcvV1JqnN j0RSV93q8uKwXmgGIpyc771XNFwlUGY1ntGnjU0AEQEAAYkCPAQYAQgAJgIbDBYhBH4O09Kz SgOxX58xIcf3+WYNgqaCBQJeNC1JBQkU7TqMAAoJEMf3+WYNgqaCizQP/1QEMLURSYP3r+DG I2uhQgu0bduHAT2LAEGqr6RO/UzWseBNQLd5REYcgMZIBE2shJ28+0QFAbHo2m/fIObF9qTH KWqYhG4UBzYQw5f32J7R11A08jytfmL1womAiwXPlY4WzPGvllA/ahkRqWVBHq8Twky1EPIP yT02NGsZqGYJEgLvtPoslCMK7vWrCV+M0eUAlFav/JhIW0JP1j4+cfb0FPccL4R0nvcygYWj NrbfQsF3NU95/nT8UbuXkK/8GQQqdJiYTXSZCskf1miz6xuQEqNS2nc3wdKrRXnXGPV644LN Rxhw0Tp//HXgOhY1f/Gk8A1oKyE7GNgMiOq8gNc52A+FS0nUFzuqg3uApyYPkN8E+TuHnnvj XdeUI9jRJ2ksEdSQvg9YhRvmnzZVu8WOlBxx4smceU9EutauSc7QOLrTkzpMmgYR8p66RjY+ SnfyfhRG00GLR+60b7qbf51SQvSR4Kc/LUFH9CwiIOUNeBIyG0cCLvAoYmW5FyCDA4WIy4gb zKRcA6kz1T7y+noEHOTVQLv5l/Lva59IZNoW2mzE1Z6GlSP0OIPKlrWHYnAn6vvX/v6SNzwx Ooj6MSrnrWRajNI8T9o2e2JHwnksXPAvDJ/ceUOhTTsLFsmuoTikdblGJ0A60G+6ws04bD+9 LFU6hIZ9xxNM3jr8h0Ql Message-ID: Date: Wed, 22 Jul 2020 11:25:09 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8BIT Content-Language: en-US Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Le 22/07/20 à 11:15, bauen1 a écrit : > Thanks, > > See https://salsa.debian.org/utopia-team/polkit/-/commit/f6f99d85b2eb91bd03ca56d30837d7291711a0f8 for the change in the debian package. > > On 7/22/20 10:59 AM, Laurent Bigonville wrote: >> From: Laurent Bigonville >> >> Debian now installs that executable directly in /usr/libexec for the >> version 0.105 >> >> Signed-off-by: Laurent Bigonville >> --- >> policy/modules/services/policykit.fc | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc >> index e2782838..85814b95 100644 >> --- a/policy/modules/services/policykit.fc >> +++ b/policy/modules/services/policykit.fc >> @@ -11,6 +11,7 @@ >> # Systemd unit file >> /usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0) >> >> +/usr/libexec/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) > Since it is a debian only change, this should probably be wrapped in an ifdef distro_debian. In the past this was done like that, but at some point I've been told to not use distro conditionals anymore. I can add it if you really want, but in the last year(s) it was not done for the other file contexts that were added. > >> /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) >> /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) >> /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) >>