From: dominick.grift@gmail.com (grift)
Date: Tue, 18 Dec 2012 09:44:37 +0100
Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
In-Reply-To: <20121218093153.68fa5d72@soldur.bigon.be>
References: <1355774297-13606-1-git-send-email-bigon@debian.org>
	<1355774297-13606-8-git-send-email-bigon@debian.org>
	<1355776703.2269.13.camel@localhost>
	<20121218093153.68fa5d72@soldur.bigon.be>
Message-ID: <1355820277.1849.1.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2012-12-18 at 09:31 +0100, Laurent Bigonville wrote:
> On Mon, 17 Dec 2012 21:38:23 +0100,
> grift wrote:
>
> > On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> > > From: Laurent Bigonville
> > >
> > > ---
> > > dbus.te | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/dbus.te b/dbus.te
> > > index 2ed2d6e..c418ebb 100644
> > > --- a/dbus.te
> > > +++ b/dbus.te
> > > @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> > > #
> > >
> > > allow system_dbusd_t self:capability { sys_resource dac_override
> > > setgid setpcap setuid }; +allow system_dbusd_t self:capability2
> > > block_suspend; dontaudit system_dbusd_t self:capability
> > > sys_tty_config; allow system_dbusd_t self:process { getattr
> > > getsched signal_perms setpgid getcap setcap setrlimit }; allow
> > > system_dbusd_t self:fifo_file rw_fifo_file_perms;
> > >
> > I am not confident about this.
> > Do you still have the avc denial of this event?
>
> time->Mon Dec 17 10:38:26 2012
> type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1355737106.427:178): avc: denied { block_suspend } for pid=3990 comm="host" capability=36 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2
>
> This is indeed maybe not correct
>
> Laurent

What is "host"? Can you do a ps auxZ | grep system_dbusd_t
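Review bot: the `+allow system_dbusd_t self:capability2 block_suspend;` line in the dbus.te hunk is not supported by the denial quoted in this thread. The SYSCALL record shows success=yes, so the epoll_ctl call (syscall=233 on arch=c000003e) completed without the capability and the denial cost nothing; a1=2 is EPOLL_CTL_DEL, which carries no event flags, so this looks like a spurious kernel-side check rather than dbus actually needing CAP_BLOCK_SUSPEND (capability=36). The denial also comes from comm="host" exe="/usr/bin/host" running in system_dbusd_t, not from dbus-daemon itself, so the allow would hand the capability to whatever runs in that domain without a transition. Suggest replacing the allow with `dontaudit system_dbusd_t self:capability2 block_suspend;` next to the existing `dontaudit system_dbusd_t self:capability sys_tty_config;`, and separately working out why /usr/bin/host executes in system_dbusd_t at all.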
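The triage grift is doing by hand above (pair the AVC with its SYSCALL record, check success=, check which binary is really in the domain) can be scripted. The following is an added example, not refpolicy code and not written by either poster: it parses the two audit records quoted in the thread (embedded below as constructed sample input), pairs them by audit event id, decodes capability=36 and syscall=233, and proposes dontaudit instead of allow when the syscall succeeded anyway. The expected-binary map (system_dbusd_t to /usr/bin/dbus-daemon) and the small capability and syscall tables are assumptions made for the example.

```python
"""Triage an SELinux AVC denial before turning it into an allow rule.

Added example (not refpolicy code). Pairs each AVC record with the SYSCALL
record of the same audit event id, decodes capability and syscall numbers,
and decides whether 'allow' or 'dontaudit' is the sensible response.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Linux capability numbers (partial table, enough for the thread; 36 = CAP_BLOCK_SUSPEND).
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner", 4: "fsetid",
    5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap", 9: "linux_immutable",
    10: "net_bind_service", 11: "net_broadcast", 12: "net_admin", 13: "net_raw",
    14: "ipc_lock", 15: "ipc_owner", 16: "sys_module", 17: "sys_rawio", 18: "sys_chroot",
    19: "sys_ptrace", 20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod", 28: "lease",
    29: "audit_write", 30: "audit_control", 31: "setfcap", 32: "mac_override",
    33: "mac_admin", 34: "syslog", 35: "wake_alarm", 36: "block_suspend",
}
# x86_64 (arch=c000003e) syscall numbers; only the epoll family is needed here.
X86_64_SYSCALLS = {213: "epoll_create", 232: "epoll_wait", 233: "epoll_ctl", 291: "epoll_create1"}
EPOLL_CTL_DEL = 2  # op that takes no epoll_event flags, so no EPOLLWAKEUP request

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# Constructed sample input: the records quoted in the thread, as ausearch prints them.
SAMPLE_AUDIT = """\
time->Mon Dec 17 10:38:26 2012
type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737106.427:178): avc: denied { block_suspend } for pid=3990 comm="host" capability=36 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2
"""


@dataclass
class Finding:
    event_id: str
    domain: str
    tclass: str
    perms: List[str]
    capability: Optional[str]
    syscall: Optional[str]
    succeeded: Optional[bool]
    exe: Optional[str]
    notes: List[str]
    suggested_rule: str


def parse_record(line: str) -> Dict[str, object]:
    """Turn one audit record into a dict of key=value fields (quotes stripped)."""
    rec: Dict[str, object] = {m.group(1): m.group(2).strip('"') for m in TOKEN_RE.finditer(line)}
    ev = EVENT_RE.search(line)
    if ev:
        rec["event_id"] = ev.group(1)
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def analyse(audit_text: str, expected_exe: Dict[str, str]) -> List[Finding]:
    """Pair AVC records with their SYSCALL record and judge each denial.
    expected_exe maps a domain to the binary that should be running in it."""
    by_event: Dict[str, Dict[str, Dict[str, object]]] = {}
    for raw in audit_text.splitlines():
        line = raw.strip()
        if not line.startswith("type="):
            continue  # skips the 'time->...' separators ausearch prints
        rec = parse_record(line)
        by_event.setdefault(str(rec.get("event_id", "?")), {})[str(rec["type"])] = rec

    findings: List[Finding] = []
    for eid, recs in by_event.items():
        avc = recs.get("AVC")
        if avc is None or avc.get("decision") != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        scontext, tcontext = str(avc.get("scontext", "::?")), str(avc.get("tcontext", "::?"))
        domain = scontext.split(":")[2]
        target = "self" if scontext == tcontext else tcontext.split(":")[2]
        tclass, perms = str(avc.get("tclass", "?")), list(avc.get("perms", []))
        notes: List[str] = []

        cap = None
        if "capability" in avc:
            n = int(str(avc["capability"]))
            cap = CAP_NAMES.get(n, f"capability_{n}")
            want = "capability2" if n >= 32 else "capability"  # SELinux splits caps at 32
            if tclass != want:
                notes.append(f"capability {n} belongs to class {want}, record says {tclass}")

        syscall = None
        if sc.get("arch") == "c000003e" and "syscall" in sc:
            syscall = X86_64_SYSCALLS.get(int(str(sc["syscall"])), f"syscall_{sc['syscall']}")
        succeeded = None if not sc else sc.get("success") == "yes"
        exe = str(sc["exe"]) if "exe" in sc else None

        if succeeded:
            notes.append("operation completed anyway (success=yes): the denial cost nothing "
                         "visible, so dontaudit rather than allow")
        if syscall == "epoll_ctl" and sc.get("a1") == f"{EPOLL_CTL_DEL:x}":
            notes.append("a1=2 is EPOLL_CTL_DEL, which carries no epoll_event flags; a "
                         "block_suspend (EPOLLWAKEUP) check here looks spurious")
        if domain in expected_exe and exe and exe != expected_exe[domain]:
            notes.append(f"{exe} is running in {domain} instead of {expected_exe[domain]}: "
                         "check for a missing domain transition before widening the domain")

        verb = "dontaudit" if succeeded else "allow"
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        findings.append(Finding(eid, domain, tclass, perms, cap, syscall, succeeded, exe, notes,
                                f"{verb} {domain} {target}:{tclass} {perm_txt};"))
    return findings


if __name__ == "__main__":
    # Assumed path for dbus-daemon; adjust for the distribution being audited.
    for f in analyse(SAMPLE_AUDIT, {"system_dbusd_t": "/usr/bin/dbus-daemon"}):
        print(f.suggested_rule)
        for note in f.notes:
            print("  -", note)
```

On the records from the thread this produces `dontaudit system_dbusd_t self:capability2 block_suspend;` with three notes (syscall succeeded, EPOLL_CTL_DEL, unexpected binary), which is the opposite of what the patch proposes; only a denial with success=no, from the expected binary, comes out as a plain allow.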