From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 28 Feb 2011 10:28:29 -0500
Subject: [refpolicy] [PATCH 18/34]: patch for the policykit module
 (labeling, start from dbus, read xdm files)
In-Reply-To: <4D6BA982.6070101@tresys.com>
References: <1297837325.3205.75.camel@tesla.lan> <4D6BA982.6070101@tresys.com>
Message-ID: <4D6BBF1D.8000208@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2011 08:56 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:22, Guido Trentalancia wrote:
>> This patch adds a file context for the /var/lib/polkit-1 directory.
>> It then allows policykit to be started from dbus. It also adds
>> some other permissions needed to run policykit and a new interface
>> which is used to read xdm files.
>>
>> diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.fc refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.fc
>> --- refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.fc	2011-01-08 19:07:21.280747356 +0100
>> +++ refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.fc	2011-02-07 03:31:53.547856778 +0100
>> @@ -11,5 +11,6 @@
>>  /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
>>  /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
>>  /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
>> +/var/lib/polkit-1(/.*)?				gen_context(system_u:object_r:policykit_var_lib_t,s0)
>>  /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
>>  
>> diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.te
>> --- refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te	2011-02-07 03:31:24.763790944 +0100
>> +++ refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.te	2011-02-07 03:31:53.550857306 +0100
>> @@ -35,8 +35,8 @@ files_pid_file(policykit_var_run_t)
>>  # policykit local policy
>>  #
>>  
>> -allow policykit_t self:capability { setgid setuid };
>> -allow policykit_t self:process getattr;
>> +allow policykit_t self:capability { setgid setuid sys_ptrace };
> 
> This sys_ptrace is highly questionable.
> 

We have this in Fedora.  I believe policykit is examining the /proc
entry of applications and this causes the sys_ptrace.  Maybe reading
/proc/PID/cmdline.


- --- snip ----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1rvxwACgkQrlYvE4MpobONWQCfd5tKz7QZhJQuQvmRYtJ9peyS
yLYAoNcMMc8z3oWAcPnMR33Fw6xwlwhR
=Q84e
-----END PGP SIGNATURE-----