From: dwalsh@redhat.com (Daniel J Walsh) Date: Tue, 01 Mar 2011 14:55:22 -0500 Subject: [refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown the system In-Reply-To: <1299008453.14035.2.camel@tesla.lan> References: <1297836707.3205.53.camel@tesla.lan> <4D651951.1030100@tresys.com> <1298487426.29671.26.camel@tesla.lan> <4D6D4669.50306@tresys.com> <1299008453.14035.2.camel@tesla.lan> Message-ID: <4D6D4F2A.607@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/01/2011 02:40 PM, Guido Trentalancia wrote: > On Tue, 01/03/2011 at 14.18 -0500, Christopher J. PeBenito wrote: >> On 02/23/11 13:57, Guido Trentalancia wrote: >>> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote: >>>> On 02/16/11 01:11, Guido Trentalancia wrote: >>>>> This patch adds some permissions needed to shutdown the system >>>>> using the graphical interface. >>>>> >>>>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te >>>>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100 >>>>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100 
>>>>> @@ -118,6 +118,10 @@ optional_policy(` >>>>> ') >>>>> >>>>> optional_policy(` >>>>> + shutdown_getattr_exec_files(consolekit_t) >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> udev_domtrans(consolekit_t) >>>>> udev_read_db(consolekit_t) >>>>> udev_signal(consolekit_t) >>>> >>>> How does this allow shutdown of the system? It only allows a getattr on >>>> the shutdown command. >>> >>> Yes, in fact the system shutdown functionality (from Gnome) apparently >>> is not working fine. It's not completing the job. >>> >>> But there are no other AVC denials apart from that. So perhaps something >>> is broken in Gnome or Consolekit, I didn't manage to investigate further >>> so far (until I get further AVCs it's difficult to say that it's related >>> to the policy). >> >> There may be things that are dontaudited that need to be allowed. > > I bet so. But is there any way to disable the effect of dontaudit ? > Something such as a boolean that will treat dontaudit as allow or > otherwise just ignore it so that the AVCs show up ? > > Regards, > > Guido > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy semodule -DB -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1tTyoACgkQrlYvE4MpobPNeQCgqqNH3F46s3Scz66nVxS26Htp 0+kAnRXL9hHVTuGAJKvhAuDPv2TPDAws =iJfy -----END PGP SIGNATURE-----
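Review bot: the only line added in this hunk, shutdown_getattr_exec_files(consolekit_t) in the new optional_policy block, covers getattr on the shutdown executable and nothing more, so the description "permissions needed to shutdown the system" overstates what the change grants. Either reword the description to say it permits getattr on the shutdown executable, or hold the patch until the remaining accesses have been identified and can go into the same change; the thread itself reports that shutdown from the desktop still does not complete with this applied.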
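The reply above answers with `semodule -DB`, which rebuilds the policy with dontaudit rules disabled so that previously hidden denials are logged. As an added example (not from the thread or from refpolicy), the shell function below narrows the resulting audit log to one source domain; the function names and the AVC records are constructed for illustration and were not observed on the poster's system.

```shell
#!/bin/sh
# Added example. On an SELinux host the live steps (as root) would be:
#   semodule -DB                          # rebuild policy, dontaudit rules disabled
#   (reproduce the failing desktop shutdown)
#   ausearch -m avc -ts recent > avc.log  # collect the denials now being logged
#   semodule -B                           # rebuild again, dontaudit rules restored
# With dontaudit off every domain gets noisy, so filter by source domain.

# Constructed sample records (hypothetical, not taken from the thread).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1299009000.101:201): avc:  denied  { getattr } for  pid=1501 comm="console-kit-dae" path="/sbin/shutdown" dev=sda1 ino=4242 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file
type=AVC msg=audit(1299009000.105:202): avc:  denied  { execute } for  pid=1501 comm="console-kit-dae" name="shutdown" dev=sda1 ino=4242 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file
type=AVC msg=audit(1299009001.310:203): avc:  denied  { noatsecure rlimitinh siginh } for  pid=1620 comm="bash" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1299009002.007:204): avc:  denied  { getattr } for  pid=1501 comm="console-kit-dae" path="/sbin/shutdown" dev=sda1 ino=4242 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file
EOF
}

# summarize_avc DOMAIN: read audit records on stdin and print, for each
# target type and class, the set of permissions denied to DOMAIN.
summarize_avc() {
    awk -v dom="$1" '
    /avc: +denied/ {
        perms = $0
        sub(/^[^{]*[{] */, "", perms)   # drop everything up to the opening brace
        sub(/ *[}].*$/, "", perms)      # drop the closing brace and the rest
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom) next            # ignore noise from other domains
        key = tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)        # union of permissions, no repeats
            if (!seen[key, p[j]]++)
                list[key] = list[key] (list[key] == "" ? "" : " ") p[j]
    }
    END { for (k in list) printf "%s -> %s { %s }\n", dom, k, list[k] }
    ' | sort
}

sample_avc_log | summarize_avc consolekit_t
```

Each output line is a candidate for review against the policy, not a rule to load as-is.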