From: guido@trentalancia.com (Guido Trentalancia) Date: Mon, 28 Feb 2011 20:07:50 +0100 Subject: [refpolicy] [PATCH 18/34]: patch for the policykit module (labeling, start from dbus, read xdm files) In-Reply-To: <4D6BA982.6070101@tresys.com> References: <1297837325.3205.75.camel@tesla.lan> <4D6BA982.6070101@tresys.com> Message-ID: <1298920070.3123.9.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 28/02/2011 at 08.56 -0500, Christopher J. PeBenito wrote: > On 02/16/11 01:22, Guido Trentalancia wrote: > > This patch adds a file context for the /var/lib/polkit-1 directory. > > It then allows policykit to be started from dbus. It also adds > > some other permissions needed to run policykit and a new interface > > which is used to read xdm files. > > > > diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.fc refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.fc > > --- refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.fc 2011-01-08 19:07:21.280747356 +0100 > > +++ refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.fc 2011-02-07 03:31:53.547856778 +0100 
> > @@ -11,5 +11,6 @@ > > /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) > > /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) > > /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) > > +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) > > /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) > > > > diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.te > > --- refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 03:31:24.763790944 +0100 > > +++ refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.te 2011-02-07 03:31:53.550857306 +0100 > > @@ -35,8 +35,8 @@ files_pid_file(policykit_var_run_t) > > # policykit local policy > > # > > > > -allow policykit_t self:capability { setgid setuid }; > > -allow policykit_t self:process getattr; > > +allow policykit_t self:capability { setgid setuid sys_ptrace }; > > This sys_ptrace is highly questionable. Could that be due to calls to the following functions: sigemptyset() sigaddset() sigprocmask() There are no calls to ptrace() and this is not due to reading /proc/PID/cmdline. In truth I can only check if this is critical for policykit. > > +allow policykit_t self:process { getattr getsched signal }; > > allow policykit_t self:fifo_file rw_file_perms; > > allow policykit_t self:unix_dgram_socket create_socket_perms; > > allow policykit_t self:unix_stream_socket create_stream_socket_perms; > > @@ -57,6 +57,7 @@ manage_files_pattern(policykit_t, policy > > files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) > > > > kernel_read_kernel_sysctls(policykit_t) > > +kernel_read_system_state(policykit_t) > > > > files_read_etc_files(policykit_t) > > files_read_usr_files(policykit_t) 
> > @@ -78,6 +79,14 @@ optional_policy(` > > gnome_read_config(policykit_t) > > ') > > > > +optional_policy(` > > + dbus_system_domain(policykit_t, policykit_exec_t) > > +') > > + > > +optional_policy(` > > + xserver_read_xdm_files(policykit_t) > > +') > > + > > ######################################## > > # > > # polkit_auth local policy > > diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/xserver.if refpolicy-git-02022011-test-apply3/policy/modules/services/xserver.if > > --- refpolicy-git-02022011-test-apply2/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100 > > +++ refpolicy-git-02022011-test-apply3/policy/modules/services/xserver.if 2011-02-07 03:31:53.552857658 +0100 > > @@ -638,6 +638,25 @@ interface(`xserver_rw_console',` > > > > ######################################## > > ## > > +## Read xdm files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`xserver_read_xdm_files',` > > + gen_require(` > > + type xdm_t; > > + ') > > + > > + allow $1 xdm_t:dir list_dir_perms; > > + read_files_pattern($1, xdm_t, xdm_t) > > +') > > + > > +######################################## > > +## > > ## Use file descriptors for xdm. > > ## > > ## >
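Review bot: in the policykit.te hunk at @@ -35,8 +35,8 @@, the sys_ptrace added in `allow policykit_t self:capability { setgid setuid sys_ptrace };` has no justification in the patch description, which only mentions "some other permissions needed to run policykit", and the reply in this thread reports no ptrace() calls. Suggest keeping `allow policykit_t self:capability { setgid setuid };` in this patch and sending sys_ptrace separately together with the AVC denial that triggers it, so the choice between an allow rule and a dontaudit rule can be made on evidence. The same hunk widens self:process with getsched and signal; one line in the description saying which operation needs each would make those reviewable too.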
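Review bot: in the xserver.if hunk at @@ -638,6 +638,25 @@, the new xserver_read_xdm_files interface grants access on xdm_t itself (`allow $1 xdm_t:dir list_dir_perms;` and `read_files_pattern($1, xdm_t, xdm_t)`), and xdm_t is the xdm domain type, so the objects covered are those labeled with the process type, typically the xdm process's /proc entries, not xdm's files on disk. If process state is what policykit needs, the interface name and the "Read xdm files." summary should say so; if on-disk xdm files are intended, the rules should require and name the relevant file type instead of xdm_t.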