From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 21 Jun 2012 03:09:31 +0200
Subject: [refpolicy] [PATCH v2]: fix packagekit file context (standard location for the daemon)
In-Reply-To: <1340207771.3570.11.camel@vortex>
References: <1340207771.3570.11.camel@vortex>
Message-ID: <1340240971.2940.2.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello again.

I also noticed that the working directories that it needs to access as a minimum condition also seem broken, according to the latest version available:

--- refpolicy-04062012/policy/modules/contrib/rpm.fc 2012-06-21 01:58:45.505739558 +0200
+++ refpolicy-04062012-packagekit-fc-standard/policy/modules/contrib/rpm.fc 2012-06-21 02:06:21.475277343 +0200
@@ -7,13 +7,13 @@ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -27,9 +27,11 @@ ifdef(`distro_redhat', ` /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) ') +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)

Besides that, it might need permissions related to the network, but I suppose that can be managed on a per-site or per-distribution basis (or otherwise by using booleans).

On Wed, 2012-06-20 at 17:56 +0200, Guido Trentalancia wrote:
> It seems that the current refpolicy file contexts are using a wrong (or
> at least rather obsolete) location for the PackageKit daemon executable.
>
> Its standard location is in /usr/libexec and not /usr/sbin (FC17 also
> apparently uses the latter).
>
> Finally, consider that PackageKit should now ship also with
> distributions other than Redhat.
>
> So, either of these two patches would probably be a good move:
>
> --- refpolicy-04062012/policy/modules/contrib/rpm.fc 2011-09-09 18:29:23.592611047 +0200
> +++ refpolicy-04062012-packagekit-fc/policy/modules/contrib/rpm.fc 2012-06-19 19:12:07.420661407 +0200
> @@ -13,7 +13,13 @@ > > /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) > /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) > + > +ifndef(`distro_redhat', ` > +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) > +') > +ifdef(`distro_redhat', ` > /usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) > +') > > /usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) > /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) > > Or: > > --- refpolicy-04062012/policy/modules/contrib/rpm.fc 2012-06-20 17:47:29.249999920 +0200 > +++ refpolicy-04062012-packagekit-fc-standard/policy/modules/contrib/rpm.fc 2012-06-20 17:46:05.436179710 +0200 > @@ -13,7 +13,8 @@ > > /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) > /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) > -/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) > + > +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) > > /usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) > /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
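Review bot: in the @@ -7,13 +7,13 @@ hunk of the v2 patch, replacing /usr/sbin/packagekitd with /usr/libexec/packagekitd drops the old path entirely, although the quoted mail says FC17 still ships the daemon there and the first alternative patch in that mail deliberately keeps the /usr/sbin entry for distro_redhat builds. On a system that still installs /usr/sbin/packagekitd the binary would no longer be labeled rpm_exec_t, so the daemon would stay in the domain of whichever process started it instead of transitioning into the rpm domain, and the loss of confinement would be silent. Both entries carry the same context, so listing both causes no conflict; suggest keeping the line /usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) alongside the new /usr/libexec one rather than removing it.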
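Review bot: the new /var/cache/PackageKit(/.*)? and /var/lib/PackageKit(/.*)? entries in the @@ -27,9 +27,11 @@ hunk only take effect for files created or relabeled after the updated policy is installed; directories already on disk keep whatever label they have now, and the daemon will be denied on them until they are relabeled. The patch description should say that a restorecon -R over both paths is needed on existing systems. The entries themselves are consistent with their neighbours (same (/.*)? pattern, same rpm_var_cache_t and rpm_var_lib_t types, kept in path order).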
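Review bot: the ifndef(`distro_redhat', ...) / ifdef(`distro_redhat', ...) split in the first quoted @@ -13,7 +13,13 @@ hunk makes each build variant label only one of the two paths, which is the wrong trade-off given the mail's own observation that the daemon's location differs between distributions and releases: a Red Hat build gets no context for /usr/libexec/packagekitd and every other build gets none for /usr/sbin/packagekitd, and a daemon started from the unlabeled path would not enter the rpm domain. Both lines use the identical gen_context(system_u:object_r:rpm_exec_t,s0), so there is no conflict in listing both unconditionally, which also avoids the m4 conditionals. The conditional syntax itself matches the existing ifdef(`distro_redhat', ` block around line 27 of the file, so that part is fine.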
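Review bot: the second quoted alternative (@@ -13,7 +13,8 @@) inserts an empty line and /usr/libexec/packagekitd after /usr/sbin/yum-updatesd, which breaks the file's path ordering (the /usr/libexec entries sit before /usr/sbin) and leaves a stray blank line inside the block; the v2 patch earlier in this mail puts it next to /usr/libexec/yumDBUSBackend.py, which is the better placement. It also shares the v2 concern that removing /usr/sbin/packagekitd outright leaves systems still using that path with an unlabeled daemon.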