This patch adds some permissions needed to shutdown the system
using the graphical interface.
diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
--- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
+++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
@@ -118,6 +118,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_getattr_exec_files(consolekit_t)
+')
+
+optional_policy(`
udev_domtrans(consolekit_t)
udev_read_db(consolekit_t)
udev_signal(consolekit_t)
On 02/16/11 01:11, Guido Trentalancia wrote:
> This patch adds some permissions needed to shutdown the system
> using the graphical interface.
>
> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
> @@ -118,6 +118,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + shutdown_getattr_exec_files(consolekit_t)
> +')
> +
> +optional_policy(`
> udev_domtrans(consolekit_t)
> udev_read_db(consolekit_t)
> udev_signal(consolekit_t)
How does this allow shutdown of the system? It only allows a getattr on
the shutdown command.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:11, Guido Trentalancia wrote:
> > This patch adds some permissions needed to shutdown the system
> > using the graphical interface.
> >
> > diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> > --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
> > +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
> > @@ -118,6 +118,10 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + shutdown_getattr_exec_files(consolekit_t)
> > +')
> > +
> > +optional_policy(`
> > udev_domtrans(consolekit_t)
> > udev_read_db(consolekit_t)
> > udev_signal(consolekit_t)
>
> How does this allow shutdown of the system? It only allows a getattr on
> the shutdown command.
Yes, in fact the system shutdown functionality (from Gnome) apparently
is not working fine. It's not completing the job.
But there are no other AVC denials apart from that. So perhaps something
is broken in Gnome or Consolekit, I didn't manage to investigate further
so far (until I get further AVCs it's difficult to say that it's related
to the policy).
Regards,
Guido
On Wed, 23/02/2011 at 19.57 +0100, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> > On 02/16/11 01:11, Guido Trentalancia wrote:
> > > This patch adds some permissions needed to shutdown the system
> > > using the graphical interface.
> > >
> > > diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> > > --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
> > > +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
> > > @@ -118,6 +118,10 @@ optional_policy(`
> > > ')
> > >
> > > optional_policy(`
> > > + shutdown_getattr_exec_files(consolekit_t)
> > > +')
> > > +
> > > +optional_policy(`
> > > udev_domtrans(consolekit_t)
> > > udev_read_db(consolekit_t)
> > > udev_signal(consolekit_t)
> >
> > How does this allow shutdown of the system? It only allows a getattr on
> > the shutdown command.
>
> Yes, in fact the system shutdown functionality (from Gnome) apparently
> is not working fine. It's not completing the job.
>
> But there are no other AVC denials apart from that. So perhaps something
> is broken in Gnome or Consolekit, I didn't manage to investigate further
> so far (until I get further AVCs it's difficult to say that it's related
> to the policy).
Some more insight on this. It's trying to shutdown through a script
called ck-system-restart (it belongs to ConsoleKit). Such script is
labeled bin_t (located at /usr/lib/ConsoleKit/scripts) and it is just
calling /sbin/shutdown. All of this could be initiated for example by
gnome-panel (the other possibility would be from gdm when nobody is
logged in or the session is locked).
Shall I prepend an strace to shutdown in that script ?
Regards,
Guido
On 02/23/11 13:57, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:11, Guido Trentalancia wrote:
>>> This patch adds some permissions needed to shutdown the system
>>> using the graphical interface.
>>>
>>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
>>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
>>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
>>> @@ -118,6 +118,10 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + shutdown_getattr_exec_files(consolekit_t)
>>> +')
>>> +
>>> +optional_policy(`
>>> udev_domtrans(consolekit_t)
>>> udev_read_db(consolekit_t)
>>> udev_signal(consolekit_t)
>>
>> How does this allow shutdown of the system? It only allows a getattr on
>> the shutdown command.
>
> Yes, in fact the system shutdown functionality (from Gnome) apparently
> is not working fine. It's not completing the job.
>
> But there are no other AVC denials apart from that. So perhaps something
> is broken in Gnome or Consolekit, I didn't manage to investigate further
> so far (until I get further AVCs it's difficult to say that it's related
> to the policy).
There may be things that are dontaudited that need to be allowed.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Tue, 01/03/2011 at 14.18 -0500, Christopher J. PeBenito wrote:
> On 02/23/11 13:57, Guido Trentalancia wrote:
> > On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:11, Guido Trentalancia wrote:
> >>> This patch adds some permissions needed to shutdown the system
> >>> using the graphical interface.
> >>>
> >>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> >>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
> >>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
> >>> @@ -118,6 +118,10 @@ optional_policy(`
> >>> ')
> >>>
> >>> optional_policy(`
> >>> + shutdown_getattr_exec_files(consolekit_t)
> >>> +')
> >>> +
> >>> +optional_policy(`
> >>> udev_domtrans(consolekit_t)
> >>> udev_read_db(consolekit_t)
> >>> udev_signal(consolekit_t)
> >>
> >> How does this allow shutdown of the system? It only allows a getattr on
> >> the shutdown command.
> >
> > Yes, in fact the system shutdown functionality (from Gnome) apparently
> > is not working fine. It's not completing the job.
> >
> > But there are no other AVC denials apart from that. So perhaps something
> > is broken in Gnome or Consolekit, I didn't manage to investigate further
> > so far (until I get further AVCs it's difficult to say that it's related
> > to the policy).
>
> There may be things that are dontaudited that need to be allowed.
I bet so. But is there any way to disable the effect of dontaudit ?
Something such as a boolean that will treat dontaudit as allow or
otherwise just ignore it so that the AVCs show up ?
Regards,
Guido
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/01/2011 02:40 PM, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.18 -0500, Christopher J. PeBenito wrote:
>> On 02/23/11 13:57, Guido Trentalancia wrote:
>>> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:11, Guido Trentalancia wrote:
>>>>> This patch adds some permissions needed to shutdown the system
>>>>> using the graphical interface.
>>>>>
>>>>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
>>>>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
>>>>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
>>>>> @@ -118,6 +118,10 @@ optional_policy(`
>>>>> ')
>>>>>
>>>>> optional_policy(`
>>>>> + shutdown_getattr_exec_files(consolekit_t)
>>>>> +')
>>>>> +
>>>>> +optional_policy(`
>>>>> udev_domtrans(consolekit_t)
>>>>> udev_read_db(consolekit_t)
>>>>> udev_signal(consolekit_t)
>>>>
>>>> How does this allow shutdown of the system? It only allows a getattr on
>>>> the shutdown command.
>>>
>>> Yes, in fact the system shutdown functionality (from Gnome) apparently
>>> is not working fine. It's not completing the job.
>>>
>>> But there are no other AVC denials apart from that. So perhaps something
>>> is broken in Gnome or Consolekit, I didn't manage to investigate further
>>> so far (until I get further AVCs it's difficult to say that it's related
>>> to the policy).
>>
>> There may be things that are dontaudited that need to be allowed.
>
> I bet so. But is there any way to disable the effect of dontaudit ?
> Something such as a boolean that will treat dontaudit as allow or
> otherwise just ignore it so that the AVCs show up ?
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
semodule -DB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1tTyoACgkQrlYvE4MpobPNeQCgqqNH3F46s3Scz66nVxS26Htp
0+kAnRXL9hHVTuGAJKvhAuDPv2TPDAws
=iJfy
-----END PGP SIGNATURE-----
On Tue, 01/03/2011 at 14.55 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/01/2011 02:40 PM, Guido Trentalancia wrote:
> > On Tue, 01/03/2011 at 14.18 -0500, Christopher J. PeBenito wrote:
> >> On 02/23/11 13:57, Guido Trentalancia wrote:
> >>> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> >>>> On 02/16/11 01:11, Guido Trentalancia wrote:
> >>>>> This patch adds some permissions needed to shutdown the system
> >>>>> using the graphical interface.
> >>>>>
> >>>>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> >>>>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
> >>>>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
> >>>>> @@ -118,6 +118,10 @@ optional_policy(`
> >>>>> ')
> >>>>>
> >>>>> optional_policy(`
> >>>>> + shutdown_getattr_exec_files(consolekit_t)
> >>>>> +')
> >>>>> +
> >>>>> +optional_policy(`
> >>>>> udev_domtrans(consolekit_t)
> >>>>> udev_read_db(consolekit_t)
> >>>>> udev_signal(consolekit_t)
> >>>>
> >>>> How does this allow shutdown of the system? It only allows a getattr on
> >>>> the shutdown command.
> >>>
> >>> Yes, in fact the system shutdown functionality (from Gnome) apparently
> >>> is not working fine. It's not completing the job.
> >>>
> >>> But there are no other AVC denials apart from that. So perhaps something
> >>> is broken in Gnome or Consolekit, I didn't manage to investigate further
> >>> so far (until I get further AVCs it's difficult to say that it's related
> >>> to the policy).
> >>
> >> There may be things that are dontaudited that need to be allowed.
> >
> > I bet so. But is there any way to disable the effect of dontaudit ?
> > Something such as a boolean that will treat dontaudit as allow or
> > otherwise just ignore it so that the AVCs show up ?
> >
> > Regards,
> >
> > Guido
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> semodule -DB
Excellent Dan, thanks for the tip !
Regards,
Guido