2011-02-16 06:08:41

by Guido Trentalancia

Subject: [refpolicy] [PATCH 10/34]: patch to list/read consolekit pid files

This patch adds a new interface to the consolekit module so that
pid files can be listed. It then uses this interface so that
consolekit pid files can be listed and read by both dbus and policykit.

diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if
--- refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if 2011-02-07 01:37:43.085350703 +0100
@@ -79,6 +79,24 @@ interface(`consolekit_manage_log',`

########################################
## <summary>
+## List consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+## <summary>
## Read consolekit PID files.
## </summary>
## <param name="domain">
diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te
--- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 01:14:05.487312743 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 01:38:44.965333102 +0100
@@ -141,6 +141,11 @@ optional_policy(`
')

optional_policy(`
+ consolekit_list_pid_files(system_dbusd_t)
+ consolekit_read_pid_files(system_dbusd_t)
+')
+
+optional_policy(`
cpufreqselector_dbus_chat(system_dbusd_t)
')

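Review bot: The new optional_policy block for system_dbusd_t has no stated justification: the description says what is granted but not which operation or AVC denial shows that dbus needs to list and read consolekit PID files. Please include the denial or the code path that triggers it, so the grant can be checked against least privilege before it goes in.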
diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te
--- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-02-07 01:01:15.075210887 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 01:40:21.323469411 +0100
@@ -70,6 +70,11 @@ miscfiles_read_localization(policykit_t)
userdom_read_all_users_state(policykit_t)

optional_policy(`
+ consolekit_list_pid_files(policykit_t)
+ consolekit_read_pid_files(policykit_t)
+')
+
+optional_policy(`
gnome_read_config(policykit_t)
')

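Review bot: In the policykit_t block, consolekit_list_pid_files(policykit_t) may be broader than required. Opening a PID file at a known path needs only search on the containing directory, while list also allows reading the directory contents. Confirm that policykit actually enumerates the consolekit run directory; if it does not, the read call alone may be sufficient and the list call can be dropped.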


2011-02-23 14:25:22

by cpebenito

Subject: [refpolicy] [PATCH 10/34]: patch to list/read consolekit pid files

On 02/16/11 01:08, Guido Trentalancia wrote:
> This patch adds a new interface to the consolekit module so that
> pid files can be listed. It then uses this interface so that
> consolekit pid files can be listed and read by both dbus and policykit.
>
> diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if
> --- refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if 2011-02-07 01:37:43.085350703 +0100
> @@ -79,6 +79,24 @@ interface(`consolekit_manage_log',`
>
> ########################################
> ## <summary>
> +## List consolekit PID files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_list_pid_files',`
> + gen_require(`
> + type consolekit_var_run_t;
> + ')
> +
> + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read consolekit PID files.
> ## </summary>
> ## <param name="domain">
> diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te
> --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 01:14:05.487312743 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 01:38:44.965333102 +0100
> @@ -141,6 +141,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_list_pid_files(system_dbusd_t)
> + consolekit_read_pid_files(system_dbusd_t)
> +')
> +
> +optional_policy(`
> cpufreqselector_dbus_chat(system_dbusd_t)
> ')
>
> diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te
> --- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-02-07 01:01:15.075210887 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 01:40:21.323469411 +0100
> @@ -70,6 +70,11 @@ miscfiles_read_localization(policykit_t)
> userdom_read_all_users_state(policykit_t)
>
> optional_policy(`
> + consolekit_list_pid_files(policykit_t)
> + consolekit_read_pid_files(policykit_t)
> +')
> +
> +optional_policy(`
> gnome_read_config(policykit_t)
> ')

I think it would be fine just to add the list permission to the
read_pid_files interface.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-02-23 19:23:45

by Guido Trentalancia

Subject: [refpolicy] [PATCH 10/34]: patch to list/read consolekit pid files

On Wed, 23/02/2011 at 09.25 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:08, Guido Trentalancia wrote:
> > This patch adds a new interface to the consolekit module so that
> > pid files can be listed. It then uses this interface so that
> > consolekit pid files can be listed and read by both dbus and policykit.
> >
> > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if
> > --- refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100
> > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if 2011-02-07 01:37:43.085350703 +0100
> > @@ -79,6 +79,24 @@ interface(`consolekit_manage_log',`
> >
> > ########################################
> > ## <summary>
> > +## List consolekit PID files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`consolekit_list_pid_files',`
> > + gen_require(`
> > + type consolekit_var_run_t;
> > + ')
> > +
> > + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Read consolekit PID files.
> > ## </summary>
> > ## <param name="domain">
> > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te
> > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 01:14:05.487312743 +0100
> > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 01:38:44.965333102 +0100
> > @@ -141,6 +141,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + consolekit_list_pid_files(system_dbusd_t)
> > + consolekit_read_pid_files(system_dbusd_t)
> > +')
> > +
> > +optional_policy(`
> > cpufreqselector_dbus_chat(system_dbusd_t)
> > ')
> >
> > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te
> > --- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-02-07 01:01:15.075210887 +0100
> > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 01:40:21.323469411 +0100
> > @@ -70,6 +70,11 @@ miscfiles_read_localization(policykit_t)
> > userdom_read_all_users_state(policykit_t)
> >
> > optional_policy(`
> > + consolekit_list_pid_files(policykit_t)
> > + consolekit_read_pid_files(policykit_t)
> > +')
> > +
> > +optional_policy(`
> > gnome_read_config(policykit_t)
> > ')
>
> I think it would be fine just to add the list permission to the
> read_pid_files interface.

Do you mean list_dir_perms in the read interface and remove the list interface?
That's fine with me. It would improve the style.

Regards,

Guido