From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Feb 2011 09:27:29 -0500
Subject: [refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown
 the	system
In-Reply-To: <1297836707.3205.53.camel@tesla.lan>
References: <1297836707.3205.53.camel@tesla.lan>
Message-ID: <4D651951.1030100@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/11 01:11, Guido Trentalancia wrote:
> This patch adds some permissions needed to shutdown the system
> using the graphical interface.
> 
> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> --- refpolicy-git-02022011/policy/modules/services/consolekit.te	2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te	2011-01-26 01:40:05.845983864 +0100
> @@ -118,6 +118,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	shutdown_getattr_exec_files(consolekit_t)
> +')
> +
> +optional_policy(`
>  	udev_domtrans(consolekit_t)
>  	udev_read_db(consolekit_t)
>  	udev_signal(consolekit_t)

How does this allow shutdown of the system?  It only allows a getattr on
the shutdown command.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com