From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 23 Feb 2011 19:57:06 +0100
Subject: [refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown the system
In-Reply-To: <4D651951.1030100@tresys.com>
References: <1297836707.3205.53.camel@tesla.lan> <4D651951.1030100@tresys.com>
Message-ID: <1298487426.29671.26.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:11, Guido Trentalancia wrote:
> > This patch adds some permissions needed to shutdown the system
> > using the graphical interface.
> >
> > diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te > > --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100 > > +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100 > > @@ -118,6 +118,10 @@ optional_policy(` > > ') > > > > optional_policy(` > > + shutdown_getattr_exec_files(consolekit_t) > > +') > > + > > +optional_policy(` > > udev_domtrans(consolekit_t) > > udev_read_db(consolekit_t) > > udev_signal(consolekit_t)
>
> How does this allow shutdown of the system? It only allows a getattr on
> the shutdown command.

Yes, in fact the system shutdown functionality (from Gnome) apparently is not working fine. It's not completing the job. But there are no other AVC denials apart from that. So perhaps something is broken in Gnome or Consolekit, I didn't manage to investigate further so far (until I get further AVCs it's difficult to say that it's related to the policy).

Regards,

Guido
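Review bot: The new optional_policy block in consolekit.te grants consolekit_t nothing beyond shutdown_getattr_exec_files(consolekit_t), which, as the interface name indicates and the review reply notes, covers only a getattr on the shutdown command, so the patch description ("permissions needed to shutdown the system") claims more than the hunk delivers. If silencing the getattr denial is the actual goal, say so in the description and add a short comment above the block explaining why ConsoleKit needs to stat the shutdown binary. If the goal really is to let ConsoleKit carry out the shutdown, the hunk is missing the access that would permit executing the command, and that access should be identified from the denials it produces before anything broader is added.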