From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 23 Feb 2011 20:23:45 +0100 Subject: [refpolicy] [PATCH 10/34]: patch to list/read consolekit pid files In-Reply-To: <4D6518D2.5050804@tresys.com> References: <1297836521.3205.46.camel@tesla.lan> <4D6518D2.5050804@tresys.com> Message-ID: <1298489025.22930.10.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 23/02/2011 at 09.25 -0500, Christopher J. PeBenito wrote: > On 02/16/11 01:08, Guido Trentalancia wrote: > > This patch adds a new interface to the consolekit module so that > > pid files can be listed. It then uses such interface so that > > consolekit pid files can be listed and read by both dbus and policykit. > > > > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if > > --- refpolicy-git-02022011-test-apply/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100 > > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/consolekit.if 2011-02-07 01:37:43.085350703 +0100 
> > @@ -79,6 +79,24 @@ interface(`consolekit_manage_log',` > > > > ######################################## > > ## > > +## List consolekit PID files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`consolekit_list_pid_files',` > > + gen_require(` > > + type consolekit_var_run_t; > > + ') > > + > > + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) > > +') > > + > > +######################################## > > +## > > ## Read consolekit PID files. > > ## > > ## > > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te > > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 01:14:05.487312743 +0100 > > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 01:38:44.965333102 +0100 > > @@ -141,6 +141,11 @@ optional_policy(` > > ') > > > > optional_policy(` > > + consolekit_list_pid_files(system_dbusd_t) > > + consolekit_read_pid_files(system_dbusd_t) > > +') > > + > > +optional_policy(` > > cpufreqselector_dbus_chat(system_dbusd_t) > > ') > > > > diff -pruN refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te > > --- refpolicy-git-02022011-test-apply/policy/modules/services/policykit.te 2011-02-07 01:01:15.075210887 +0100 > > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 01:40:21.323469411 +0100 
> > @@ -70,6 +70,11 @@ miscfiles_read_localization(policykit_t) > > userdom_read_all_users_state(policykit_t) > > > > optional_policy(` > > + consolekit_list_pid_files(policykit_t) > > + consolekit_read_pid_files(policykit_t) > > +') > > + > > +optional_policy(` > > gnome_read_config(policykit_t) > > ') > > I think it would be fine just to add the list permission to the > read_pid_files interface. Do you mean list_dir_perms in read interface and remove list interface ? That's fine to me. It would improve the style. Regards, Guido
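Review bot: in the consolekit.if hunk, the body of consolekit_list_pid_files contains only the list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) line, so as shown the interface grants access to consolekit_var_run_t directories but nothing on the parent PID directory the caller has to traverse to reach them. If the interface is kept, consider adding files_search_pids($1) before the list_dirs_pattern line so that it is self-contained and does not rely on each caller already holding that permission. If the list permission is folded into consolekit_read_pid_files instead, as proposed in the reply, this hunk can be dropped entirely.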
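Review bot: in the dbus.te hunk, the new optional_policy block calls consolekit_list_pid_files(system_dbusd_t) and consolekit_read_pid_files(system_dbusd_t) back to back, and the policykit.te hunk repeats the same pair, so no caller in this patch uses the list interface on its own. That supports granting the list permission inside consolekit_read_pid_files and reducing this block to the single consolekit_read_pid_files(system_dbusd_t) call, which also avoids exporting an interface that only widens the module's API.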
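Review bot: in the policykit.te hunk, the added consolekit_list_pid_files(policykit_t) and consolekit_read_pid_files(policykit_t) lines give policykit_t new access to consolekit_var_run_t, but the patch description only says the files "can be listed and read by both dbus and policykit" without stating what fails without it. Please include the AVC denial or the operation that triggers the access in the description, so the grant can be checked against least privilege for policykit_t and system_dbusd_t separately rather than accepted for both on the same sentence.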