From: martin@martinorr.name (Martin Orr) Date: Mon, 17 Aug 2009 20:24:53 +0100 Subject: [refpolicy] policykit Debian paths and rules Message-ID: <4A89AE85.80905@martinorr.name> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The policykit binaries on Debian live in /usr/lib/policykit so add file contexts for that. Also a couple of policykit rules.
Index: policy/modules/services/policykit.fc
===================================================================
--- policy/modules/services/policykit.fc.orig
+++ policy/modules/services/policykit.fc
@@ -3,6 +3,11 @@
 /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 /usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
 /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
 /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
Index: policy/modules/services/policykit.te
===================================================================
--- policy/modules/services/policykit.te.orig
+++ policy/modules/services/policykit.te
@@ -92,6 +92,8 @@
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+kernel_read_system_state(policykit_auth_t)
+
 files_read_etc_files(policykit_auth_t)
 files_read_usr_files(policykit_auth_t)
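Review bot: The four new /usr/lib/policykit entries in policykit.fc carry no marker that they are Debian install locations, so a later reader sees what looks like a second copy of the /usr/libexec entries (only two of which are visible in this hunk) with nothing saying why both exist. A one-line comment above them, `# Debian installs the PolicyKit helpers under /usr/lib/policykit`, would record that; if the project prefers to scope distribution-specific paths, wrapping the block in a distro_debian ifdef is the alternative. The *_exec_t types are presumably the entry points for the confined helper domains, so it is also worth confirming on a Debian install that the `polkit-grant-helper.*` and `polkit-resolve-exe-helper.*` patterns match only the intended binaries in that directory.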
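Review bot: `kernel_read_system_state(policykit_auth_t)` in the first policykit.te hunk and `dbus_system_bus_client(policykit_auth_t)` in the second both widen what the policykit_auth_t domain may do, but the message gives no denial or failing operation for either, only "a couple of policykit rules". Please add the AVC denials to the description and a why-comment at each rule, for example `# <operation that needs /proc state, taken from the AVC denial>`. If the helper still works without the /proc read, `kernel_dontaudit_read_system_state(policykit_auth_t)` would quiet the log without granting the access. The dbus rule sits inside an optional_policy block whose closing lies outside the hunk.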
@@ -105,6 +107,7 @@
 optional_policy(`
 dbus_session_bus_client(policykit_auth_t)
+ dbus_system_bus_client(policykit_auth_t)
 optional_policy(`
 consolekit_dbus_chat(policykit_auth_t)
-- Martin Orr