From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 01 Mar 2011 21:00:12 +0100
Subject: [refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown the system
In-Reply-To: <4D6D4F2A.607@redhat.com>
References: <1297836707.3205.53.camel@tesla.lan> <4D651951.1030100@tresys.com> <1298487426.29671.26.camel@tesla.lan> <4D6D4669.50306@tresys.com> <1299008453.14035.2.camel@tesla.lan> <4D6D4F2A.607@redhat.com>
Message-ID: <1299009612.14035.8.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 01/03/2011 at 14.55 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/01/2011 02:40 PM, Guido Trentalancia wrote:
> > On Tue, 01/03/2011 at 14.18 -0500, Christopher J. PeBenito wrote:
> >> On 02/23/11 13:57, Guido Trentalancia wrote:
> >>> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> >>>> On 02/16/11 01:11, Guido Trentalancia wrote:
> >>>>> This patch adds some permissions needed to shutdown the system
> >>>>> using the graphical interface.
> >>>>>
> >>>>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> >>>>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te 2011-01-08 19:07:21.232739776 +0100
> >>>>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te 2011-01-26 01:40:05.845983864 +0100
> >>>>> @@ -118,6 +118,10 @@ optional_policy(`
> >>>>> ')
> >>>>>
> >>>>> optional_policy(`
> >>>>> + shutdown_getattr_exec_files(consolekit_t)
> >>>>> +')
> >>>>> +
> >>>>> +optional_policy(`
> >>>>> udev_domtrans(consolekit_t)
> >>>>> udev_read_db(consolekit_t)
> >>>>> udev_signal(consolekit_t)
> >>>>
> >>>> How does this allow shutdown of the system? It only allows a getattr on
> >>>> the shutdown command.
> >>>
> >>> Yes, in fact the system shutdown functionality (from Gnome) apparently
> >>> is not working fine. It's not completing the job.
> >>>
> >>> But there are no other AVC denials apart from that. So perhaps something
> >>> is broken in Gnome or Consolekit, I didn't manage to investigate further
> >>> so far (until I get further AVCs it's difficult to say that it's related
> >>> to the policy).
> >>
> >> There may be things that are dontaudited that need to be allowed.
> >
> > I bet so. But is there any way to disable the effect of dontaudit?
> > Something such as a boolean that will treat dontaudit as allow or
> > otherwise just ignore it so that the AVCs show up?
> >
> > Regards,
> >
> > Guido
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> semodule -DB

Excellent Dan, thanks for the tip!

Regards,

Guido
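Review bot: the only rule this hunk adds, shutdown_getattr_exec_files(consolekit_t), grants getattr on the shutdown executable and nothing else, so on its own it cannot let consolekit_t shut the system down; the missing permissions are most likely hidden by dontaudit rules, as the thread concludes, so rebuild the policy with `semodule -DB` to make those denials visible, and only then replace this block with the interface that actually permits consolekit_t to execute shutdown (a domain transition into the shutdown domain, if that is what the surfaced denials call for). Ordering is fine as it stands: the new shutdown block sits before the udev block, matching the alphabetical order refpolicy keeps for optional_policy sections.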