2009-10-22 09:14:29

by domg472

Subject: [refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift <[email protected]>

---
:100644 100644 ac70bc0... 7d2f797... M policy/modules/apps/screen.if
policy/modules/apps/screen.if | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index ac70bc0..7d2f797 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -45,6 +45,7 @@ template(`screen_role_template',`

allow $1_screen_t self:capability { setuid setgid fsetid };
allow $1_screen_t self:process signal_perms;
+ allow $1_screen_t self:fifo_file rw_fifo_file_perms;
allow $1_screen_t self:tcp_socket create_stream_socket_perms;
allow $1_screen_t self:udp_socket create_socket_perms;
# Internal screen networking
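Review bot: the new `allow $1_screen_t self:fifo_file rw_fifo_file_perms;` line has no comment saying why a screen domain now needs read/write on its own pipes, and nothing in this hunk ties it to the locking feature named only in the subject. Add a one-line comment above it, for example `# screen locking: pipe to the password-check helper`, so a later reader does not take it for an unrelated grant.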
@@ -117,6 +118,7 @@ template(`screen_role_template',`
fs_search_auto_mountpoints($1_screen_t)
fs_getattr_xattr_fs($1_screen_t)

+ auth_domtrans_chk_passwd($1_screen_t)
auth_use_nsswitch($1_screen_t)
auth_dontaudit_read_shadow($1_screen_t)
auth_dontaudit_exec_utempter($1_screen_t)
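Review bot: `auth_domtrans_chk_passwd($1_screen_t)` lets every role's screen domain transition into the password-checking helper, which is the right way to verify a password at unlock rather than reading shadow directly; the template keeps `auth_dontaudit_read_shadow($1_screen_t)` two lines below, so the direct path stays denied. The hunk carries no comment; state that the transition is for screen's lock command, otherwise it is easy to mistake later for an over-grant.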
@@ -146,4 +148,8 @@ template(`screen_role_template',`
fs_list_nfs($1_screen_t)
fs_read_nfs_symlinks($1_screen_t)
')
+
+ optional_policy(`
+ dbus_system_bus_client($1_screen_t)
+ ')
')
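Review bot: the `dbus_system_bus_client($1_screen_t)` block is the one rule in this patch with no obvious connection to screen locking, and the hunk does not explain it; the replies below establish that the system-bus access was wanted by the password-check helper, not by screen, so once the domain transition from the previous hunk is in place this hunk should be dropped rather than merged. If it is kept for some other reason, it needs a comment naming that reason.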
--
1.6.5.rc2



2009-10-22 13:53:01

by cpebenito

Subject: [refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift <[email protected]>

On Thu, 2009-10-22 at 11:14 +0200, Dominick Grift wrote:
> @@ -146,4 +148,8 @@ template(`screen_role_template',`
> fs_list_nfs($1_screen_t)
> fs_read_nfs_symlinks($1_screen_t)
> ')
> +
> + optional_policy(`
> + dbus_system_bus_client($1_screen_t)
> + ')

Is this an unrelated change?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-10-22 13:56:36

by domg472

Subject: [refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift <[email protected]>

On Thu, Oct 22, 2009 at 09:53:01AM -0400, Christopher J. PeBenito wrote:
> On Thu, 2009-10-22 at 11:14 +0200, Dominick Grift wrote:
> > @@ -146,4 +148,8 @@ template(`screen_role_template',`
> > fs_list_nfs($1_screen_t)
> > fs_read_nfs_symlinks($1_screen_t)
> > ')
> > +
> > + optional_policy(`
> > + dbus_system_bus_client($1_screen_t)
> > + ')
>
> Is this an unrelated change?

No, it is related:

allow dgrift_screen_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow dgrift_screen_t self:capability { audit_write dac_override };
allow dgrift_screen_t self:fifo_file { write read ioctl };
allow dgrift_screen_t self:netlink_audit_socket { nlmsg_relay write create read };
allow dgrift_screen_t system_dbusd_t:unix_stream_socket connectto;
allow dgrift_screen_t system_dbusd_var_run_t:sock_file write;

This is all related to screen-locking.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>

2009-10-22 14:05:13

by cpebenito

Subject: [refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift <[email protected]>

On Thu, 2009-10-22 at 15:56 +0200, Dominick Grift wrote:
> On Thu, Oct 22, 2009 at 09:53:01AM -0400, Christopher J. PeBenito wrote:
> > On Thu, 2009-10-22 at 11:14 +0200, Dominick Grift wrote:
> > > @@ -146,4 +148,8 @@ template(`screen_role_template',`
> > > fs_list_nfs($1_screen_t)
> > > fs_read_nfs_symlinks($1_screen_t)
> > > ')
> > > +
> > > + optional_policy(`
> > > + dbus_system_bus_client($1_screen_t)
> > > + ')
> >
> > Is this an unrelated change?
>
> No, it is related:
>
> allow dgrift_screen_t chkpwd_exec_t:file { read execute open execute_no_trans };
> allow dgrift_screen_t self:capability { audit_write dac_override };
> allow dgrift_screen_t self:fifo_file { write read ioctl };
> allow dgrift_screen_t self:netlink_audit_socket { nlmsg_relay write create read };
> allow dgrift_screen_t system_dbusd_t:unix_stream_socket connectto;
> allow dgrift_screen_t system_dbusd_var_run_t:sock_file write;
>
> This is all related to screen-locking.

If dbus is required for screen locking, then the other rules should go
in the dbus optional, along with a comment about screen locking.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-10-22 14:13:59

by domg472

Subject: [refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift <[email protected]>

On Thu, Oct 22, 2009 at 10:05:13AM -0400, Christopher J. PeBenito wrote:
> On Thu, 2009-10-22 at 15:56 +0200, Dominick Grift wrote:
> > On Thu, Oct 22, 2009 at 09:53:01AM -0400, Christopher J. PeBenito wrote:
> > > On Thu, 2009-10-22 at 11:14 +0200, Dominick Grift wrote:
> > > > @@ -146,4 +148,8 @@ template(`screen_role_template',`
> > > > fs_list_nfs($1_screen_t)
> > > > fs_read_nfs_symlinks($1_screen_t)
> > > > ')
> > > > +
> > > > + optional_policy(`
> > > > + dbus_system_bus_client($1_screen_t)
> > > > + ')
> > >
> > > Is this an unrelated change?
> >
> > No, it is related:
> >
> > allow dgrift_screen_t chkpwd_exec_t:file { read execute open execute_no_trans };
> > allow dgrift_screen_t self:capability { audit_write dac_override };
> > allow dgrift_screen_t self:fifo_file { write read ioctl };
> > allow dgrift_screen_t self:netlink_audit_socket { nlmsg_relay write create read };
> > allow dgrift_screen_t system_dbusd_t:unix_stream_socket connectto;
> > allow dgrift_screen_t system_dbusd_var_run_t:sock_file write;
> >
> > This is all related to screen-locking.
>
> If dbus is required for screen locking, then the other rules should go
> in the dbus optional, along with a comment about screen locking.

My mistake, it's actually chkpasswd that wants the dbus. So if you merge the other two hunks it will work.

I double checked it.

It only needs:

allow $1_screen_t self:fifo_file rw_fifo_file_perms;
auth_domtrans_chk_passwd($1_screen_t)

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
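The raw rules quoted earlier in the thread reduce, as the last reply concludes, to one fifo rule plus the domain transition. The following is an added example, not part of the thread or of refpolicy, that parses audit2allow-style rules like those and separates the two lines the screen domain keeps from the rules that only showed up because the helper executed without a transition; `lift_to_template`, its mapping and the role name `dgrift` are assumptions made here.

```python
import re

# Constructed input: the audit2allow-style rules quoted in the thread.
RAW_RULES = """\
allow dgrift_screen_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow dgrift_screen_t self:capability { audit_write dac_override };
allow dgrift_screen_t self:fifo_file { write read ioctl };
allow dgrift_screen_t self:netlink_audit_socket { nlmsg_relay write create read };
allow dgrift_screen_t system_dbusd_t:unix_stream_socket connectto;
allow dgrift_screen_t system_dbusd_var_run_t:sock_file write;
"""

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;$")


def parse_rules(text):
    """Parse 'allow src tgt:class perms;' lines into (src, tgt, cls, perms)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, multi, single = m.groups()
            perms = frozenset(multi.split()) if multi else frozenset([single])
            rules.append((src, tgt, cls, perms))
    return rules


def lift_to_template(rules, helper_exec="chkpwd_exec_t", role="dgrift"):
    """Hypothetical mapping: keep what the caller needs, defer the rest.

    'execute_no_trans' on the helper's entrypoint means the helper ran inside
    the caller's domain, so its own denials (audit, dbus, dac_override) were
    logged against the caller; with a domain transition they belong to the
    helper's domain and must not be copied into the screen template."""
    template, deferred, no_trans = [], [], False
    for src, tgt, cls, perms in rules:
        dom = src.replace(role + "_", "$1_", 1)  # concrete role -> template arg
        if tgt == helper_exec and cls == "file" and "execute" in perms:
            no_trans = "execute_no_trans" in perms
            template.append(f"auth_domtrans_chk_passwd({dom})")
        elif tgt == "self" and cls == "fifo_file" and {"read", "write"} <= perms:
            # rw_fifo_file_perms covers read/write/ioctl on the domain's pipes
            template.append(f"allow {dom} self:fifo_file rw_fifo_file_perms;")
        else:
            deferred.append((src, tgt, cls, perms))
    return {"template": template, "deferred": deferred,
            "helper_ran_in_caller_domain": no_trans}


if __name__ == "__main__":
    result = lift_to_template(parse_rules(RAW_RULES))
    print("\n".join(result["template"]))
    for rule in result["deferred"]:
        print("deferred to helper domain:", rule)
```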