From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 23 Feb 2011 09:25:22 -0500 Subject: [refpolicy] [PATCH 10/34]: patch to list/read consolekit pid files In-Reply-To: <1297836521.3205.46.camel@tesla.lan> References: <1297836521.3205.46.camel@tesla.lan> Message-ID: <4D6518D2.5050804@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/16/11 01:08, Guido Trentalancia wrote: > This patch adds a new interface to the consolekit module so that > pid files can be listed. It then uses such interface so that > consolekit pid files can be listed and read by both dbus and policykit. > > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if > --- refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100 > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if 2011-02-07 01:37:43.085350703 +0100 > @@ -79,6 +79,24 @@ interface(`consolekit_manage_log',` > > ######################################## > ## > +## List consolekit PID files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`consolekit_list_pid_files',` > + gen_require(` > + type consolekit_var_run_t; > + ') > + > + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) > +') > + > +######################################## > +## > ## Read consolekit PID files. > ## > ## > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 01:14:05.487312743 +0100 > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 01:38:44.965333102 +0100 
> @@ -141,6 +141,11 @@ optional_policy(` > ') > > optional_policy(` > + consolekit_list_pid_files(system_dbusd_t) > + consolekit_read_pid_files(system_dbusd_t) > +') > + > +optional_policy(` > cpufreqselector_dbus_chat(system_dbusd_t) > ') > > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te > --- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-02-07 01:01:15.075210887 +0100 > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 01:40:21.323469411 +0100 > @@ -70,6 +70,11 @@ miscfiles_read_localization(policykit_t) > userdom_read_all_users_state(policykit_t) > > optional_policy(` > + consolekit_list_pid_files(policykit_t) > + consolekit_read_pid_files(policykit_t) > +') > + > +optional_policy(` > gnome_read_config(policykit_t) > ') I think it would be fine just to add the list permission to the read_pid_files interface. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
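Review bot: In the consolekit.if hunk, consolekit_list_pid_files() contains only list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) and no files_search_pids($1), so the interface depends on the caller already having search access to the parent pid directory. Add files_search_pids($1) ahead of the pattern so the interface is self-contained. Alternatively, since both callers in this patch invoke the list and read interfaces as a pair, drop the new interface and put the list rule into consolekit_read_pid_files, which also avoids adding an interface that nothing uses on its own.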
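Review bot: In the dbus.te hunk (and the matching block in the policykit.te hunk), the new optional_policy block grants system_dbusd_t both consolekit_list_pid_files and consolekit_read_pid_files, but the description does not say which access was denied or what the daemon does with these files. Quote the AVC denials for system_dbusd_t and policykit_t in the commit message so each grant can be checked against observed behaviour and list and read are only given where a denial shows they are needed.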