From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 18 Dec 2012 09:31:53 +0100
Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
In-Reply-To: <1355776703.2269.13.camel@localhost>
References: <1355774297-13606-1-git-send-email-bigon@debian.org>
 <1355774297-13606-8-git-send-email-bigon@debian.org>
 <1355776703.2269.13.camel@localhost>
Message-ID: <20121218093153.68fa5d72@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 17 Dec 2012 21:38:23 +0100,
grift wrote:

> On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> > From: Laurent Bigonville
> >
> > ---
> >  dbus.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/dbus.te b/dbus.te
> > index 2ed2d6e..c418ebb 100644
> > --- a/dbus.te
> > +++ b/dbus.te
> > @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> >  #
> >
> >  allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
> > +allow system_dbusd_t self:capability2 block_suspend;
> >  dontaudit system_dbusd_t self:capability sys_tty_config;
> >  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
> >  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I am not confident about this.
> Do you still have the avc denial of this event?

time->Mon Dec 17 10:38:26 2012
type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737106.427:178): avc: denied { block_suspend } for pid=3990 comm="host" capability=36 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2

This is indeed maybe not correct.

Laurent
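Review bot: the `+allow system_dbusd_t self:capability2 block_suspend;` line grants the capability to the whole system_dbusd_t domain, but the denial that motivated it was raised by comm="host" exe="/usr/bin/host" running in that domain, not by dbus-daemon itself, and the SYSCALL record shows success=yes, so the call (syscall 233 on arch=c000003e is epoll_ctl) went through even with the capability denied. Before widening the domain's capability set, check whether /usr/bin/host should be transitioning to its own domain when spawned from dbus, and whether dbus-daemon ever needs block_suspend at all; if the request is harmless noise from a helper, a `dontaudit system_dbusd_t self:capability2 block_suspend;` next to the existing `dontaudit system_dbusd_t self:capability sys_tty_config;` line is the more conservative change.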
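The question grift raises, whether the posted AVC really justifies the rule, is easier to answer when the AVC record is read together with the SYSCALL record that shares its audit serial. The script below is an added example for this thread, not refpolicy or audit2allow code: it pairs the two record types by serial, derives the same `allow` rule audit2allow would print (source type equal to target type becomes `self`, as in the patch), and attaches which executable raised the denial and whether the syscall still succeeded. The first two sample records are the pair from the mail; the third record is constructed so that a non-`self` rule is also shown. The x86_64 syscall table is an assumption limited to the one entry the sample needs.

```python
"""Mini audit2allow with context: pair AVC records with their SYSCALL record
and show which executable actually raised the denial.

Added example for this thread, not refpolicy code.  Field names follow the
Linux audit record format; the x86_64 syscall number table is limited to the
single entry the sample needs."""
import re
from collections import defaultdict

# Constructed sample.  The first two records are the pair from the mail; the
# third is a made-up file denial so that a non-"self" rule is shown as well.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737106.427:178): avc:  denied  { block_suspend } for  pid=3990 comm="host" capability=36 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2
type=AVC msg=audit(1355737200.100:179): avc:  denied  { read } for  pid=4001 comm="dbus-daemon" name="machine-id" dev=sda1 ino=1234 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# x86_64 (arch=c000003e) syscall numbers; only what the sample needs (assumption).
X86_64_SYSCALLS = {233: "epoll_ctl"}


def parse_fields(line):
    """Return the key=value fields of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_audit_log(text):
    """Group records by audit serial: {serial: {"SYSCALL": {...}, "AVC": [...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "AVC": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL":
            events[serial]["SYSCALL"] = fields
        elif fields.get("type") == "AVC":
            pm = PERMS_RE.search(line)
            if pm:
                fields["result"] = pm.group(1)
                fields["perms"] = pm.group(2).split()
                events[serial]["AVC"].append(fields)
    return dict(events)


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def avc_to_rule(avc):
    """Build the allow rule audit2allow would print for one AVC record.
    Source type equal to target type is written as 'self', as in the patch."""
    stype = context_type(avc["scontext"])
    ttype = context_type(avc["tcontext"])
    target = "self" if stype == ttype else ttype
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{avc['tclass']} {perm_str};"


def triage(text):
    """One summary per denial: the candidate rule plus who raised it and how."""
    out = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        sc = ev["SYSCALL"] or {}
        nr = int(sc["syscall"]) if "syscall" in sc else None
        name = X86_64_SYSCALLS.get(nr) if sc.get("arch") == "c000003e" else None
        for avc in ev["AVC"]:
            out.append({
                "serial": serial,
                "rule": avc_to_rule(avc),
                "comm": avc.get("comm"),
                "exe": sc.get("exe"),          # only the SYSCALL record carries exe
                "syscall": name or nr,
                "succeeded": sc.get("success") == "yes",
            })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT_LOG):
        print(row)
```

For serial 178 the derived rule is exactly the one in the patch, which is what audit2allow alone would hand you; the paired SYSCALL record is what adds the two facts a reviewer needs, that the caller was /usr/bin/host rather than dbus-daemon and that the epoll_ctl call succeeded anyway.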