From: domg472@gmail.com (Dominick Grift)
Date: Thu, 22 Oct 2009 16:13:59 +0200
Subject: [refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift
In-Reply-To: <1256220316.28212.6.camel@gorn.columbia.tresys.com>
References: <20091022091425.GA2632@notebook3.grift.internal> <1256219581.28212.5.camel@gorn.columbia.tresys.com> <20091022135635.GA3562@notebook3.grift.internal> <1256220316.28212.6.camel@gorn.columbia.tresys.com>
Message-ID: <20091022141359.GA3965@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Oct 22, 2009 at 10:05:13AM -0400, Christopher J. PeBenito wrote:
> On Thu, 2009-10-22 at 15:56 +0200, Dominick Grift wrote:
> > On Thu, Oct 22, 2009 at 09:53:01AM -0400, Christopher J. PeBenito wrote:
> > > On Thu, 2009-10-22 at 11:14 +0200, Dominick Grift wrote:
> > > > @@ -146,4 +148,8 @@ template(`screen_role_template',`
> > > > fs_list_nfs($1_screen_t)
> > > > fs_read_nfs_symlinks($1_screen_t)
> > > > ')
> > > > +
> > > > + optional_policy(`
> > > > + dbus_system_bus_client($1_screen_t)
> > > > + ')
> > >
> > > Is this an unrelated change?
> >
> > No it is related:
> >
> > allow dgrift_screen_t chkpwd_exec_t:file { read execute open execute_no_trans };
> > allow dgrift_screen_t self:capability { audit_write dac_override };
> > allow dgrift_screen_t self:fifo_file { write read ioctl };
> > allow dgrift_screen_t self:netlink_audit_socket { nlmsg_relay write create read };
> > allow dgrift_screen_t system_dbusd_t:unix_stream_socket connectto;
> > allow dgrift_screen_t system_dbusd_var_run_t:sock_file write;
> >
> > This is all related to screen-locking
>
> If dbus is required for screen locking, then the other rules should go
> in the dbus optional, along with a comment about screen locking.

My mistake, it's actually chkpasswd that wants the dbus. So if you merge the other two hunks it will work. I double checked it; it only needs:

allow $1_screen_t self:fifo_file rw_fifo_file_perms;
auth_domtrans_chk_passwd($1_screen_t)

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
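
Review bot: the optional_policy block added at the end of screen_role_template grants dbus_system_bus_client($1_screen_t) with no comment saying what in screen needs the system bus, so the access reads as unrelated to the rest of the template. The follow-up in this thread reports that it is chkpasswd rather than screen that wants dbus and that only the fifo_file rule and auth_domtrans_chk_passwd($1_screen_t) are needed, so this block should be dropped from the screen domain; if it is kept for any reason, it needs a comment naming the screen-locking dependency.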