From: martin@martinorr.name (Martin Orr) Date: Tue, 16 Dec 2008 17:42:45 +0000 Subject: [refpolicy] ConsoleKit rules Message-ID: <4947E895.7040402@martinorr.name> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I need quite a few rules to make ConsoleKit work. Best wishes, Martin
Index: policy/modules/services/consolekit.te
===================================================================
--- policy/modules/services/consolekit.te.orig
+++ policy/modules/services/consolekit.te
@@ -10,6 +10,9 @@
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)
+type consolekit_var_log_t;
+logging_log_file(consolekit_var_log_t)
+
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
@@ -24,12 +27,17 @@
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
 allow consolekit_t self:unix_dgram_socket create_socket_perms;
+manage_files_pattern(consolekit_t, consolekit_var_log_t, consolekit_var_log_t)
+logging_log_filetrans(consolekit_t, consolekit_var_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
 kernel_read_system_state(consolekit_t)
 corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
 dev_read_urand(consolekit_t)
 dev_read_sysfs(consolekit_t)
@@ -43,8 +51,11 @@
 fs_list_inotifyfs(consolekit_t)
+logging_send_syslog_msg(consolekit_t)
+
 term_use_all_terms(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
 auth_use_nsswitch(consolekit_t)
 miscfiles_read_localization(consolekit_t)
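Review bot: `corecmd_exec_shell(consolekit_t)`, added next to the existing `corecmd_exec_bin(consolekit_t)`, lets the daemon run a shell and any bin_t program without a domain transition, so whatever it launches keeps every permission of consolekit_t, including the `term_use_all_terms` and pam console access visible in the following hunk. The corecommands.fc hunk in this patch also widens the bin_t label to everything under `/usr/lib(64)?/ConsoleKit`, which enlarges the set of files that can run that way. If the shell is only needed for the session scripts (presumably the `scripts` and `run-session.d` directories named in the removed lines), I would record that above the line, e.g. `# session scripts shipped by ConsoleKit are shell scripts run by the daemon`, and consider a dedicated script type with its own domain as a follow-up. The policy block this hunk edits starts and ends outside the hunk.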
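Review bot: `auth_manage_pam_console_data(consolekit_t)` grants full management of the pam console data rather than read access, and nothing in the patch or its description says which ConsoleKit operation needs that. The same applies to `xserver_rw_xdm_tmp_files(consolekit_t)` in the `optional_policy` hunk further down. A one-line comment above each, such as `# <component> creates and removes per-user console files` (component name to be filled in by the author), or the denial that motivated the rule quoted in the commit message, would let a later reviewer judge whether a narrower interface is enough.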
@@ -62,5 +73,6 @@
 optional_policy(`
 xserver_read_user_xauth(consolekit_t)
+ xserver_rw_xdm_tmp_files(consolekit_t)
 xserver_stream_connect(consolekit_t)
 ')
Index: policy/modules/services/consolekit.fc
===================================================================
--- policy/modules/services/consolekit.fc.orig
+++ policy/modules/services/consolekit.fc
@@ -1,3 +1,6 @@
 /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_log_t,s0)
+
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
 /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
Index: policy/modules/kernel/corecommands.fc
===================================================================
--- policy/modules/kernel/corecommands.fc.orig
+++ policy/modules/kernel/corecommands.fc
@@ -148,8 +148,7 @@
 /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
-- Martin Orr
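Review bot: The new `/var/log/ConsoleKit(/.*)?` entry labels the directory itself as `consolekit_var_log_t`, but consolekit.te in this patch only adds `manage_files_pattern` and a `file`-class `logging_log_filetrans` for that type, whereas the `/var/run/ConsoleKit` side gets `manage_dirs_pattern` and `{ file dir }`. If the daemon ever creates the log directory itself, the rules shown here do not cover it. If the directory always comes from the package, files created inside it would normally inherit its type, so `logging_log_filetrans(consolekit_t, consolekit_var_log_t, file)` mainly permits creating such files directly in the top-level log directory and may be more than is needed. Which case applies is not visible from the patch and is worth stating in the description.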