From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 01 Mar 2011 14:18:01 -0500
Subject: [refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown the system
In-Reply-To: <1298487426.29671.26.camel@tesla.lan>
References: <1297836707.3205.53.camel@tesla.lan> <4D651951.1030100@tresys.com> <1298487426.29671.26.camel@tesla.lan>
Message-ID: <4D6D4669.50306@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/23/11 13:57, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:11, Guido Trentalancia wrote:
>>> This patch adds some permissions needed to shutdown the system
>>> using the graphical interface.
>>>
>>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
>>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
>>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
>>> @@ -118,6 +118,10 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + shutdown_getattr_exec_files(consolekit_t)
>>> +')
>>> +
>>> +optional_policy(`
>>> udev_domtrans(consolekit_t)
>>> udev_read_db(consolekit_t)
>>> udev_signal(consolekit_t)
>>
>> How does this allow shutdown of the system? It only allows a getattr on
>> the shutdown command.
>
> Yes, in fact the system shutdown functionality (from Gnome) apparently
> is not working fine. It's not completing the job.
>
> But there are no other AVC denials apart from that. So perhaps something
> is broken in Gnome or Consolekit, I didn't manage to investigate further
> so far (until I get further AVCs it's difficult to say that it's related
> to the policy).

There may be things that are dontaudited that need to be allowed.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
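Review bot: the new optional_policy block in consolekit.te grants only `shutdown_getattr_exec_files(consolekit_t)`, which lets consolekit_t stat the shutdown binary but not execute it or transition into its domain, so the hunk does not deliver what the subject line promises. Either retitle the patch to describe what it actually does (silencing a getattr denial), or hold it until the access needed to run shutdown has been identified. Since the only AVC seen was the getattr, the remaining denials are probably hidden by dontaudit rules; reproducing the failure with dontaudit rules disabled (for example after `semodule -DB`) should show which further permissions belong in this block. Keeping the grant to the minimum that the resulting denials justify avoids giving consolekit_t broader access to the shutdown path than the graphical shutdown case needs.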