From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 1 Jun 2016 13:36:54 -0400 Subject: [refpolicy] [PATCH 1/7] consolekit: allow managing user runtime In-Reply-To: <1464797564-6559-1-git-send-email-jason@perfinion.com> References: <1464797564-6559-1-git-send-email-jason@perfinion.com> Message-ID: <96c304c0-0053-eec7-e3b3-209ff7ff7dd7@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 6/1/2016 12:12 PM, Jason Zaman wrote: > --- > consolekit.te | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) This whole set is merged. > diff --git a/consolekit.te b/consolekit.te > index 050c5c5..1c540c9 100644 > --- a/consolekit.te > +++ b/consolekit.te > @@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit") > # Local policy > # > > -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; > -allow consolekit_t self:process { getsched signal }; > +allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace }; > +allow consolekit_t self:process { getsched signal setfscreate }; > allow consolekit_t self:fifo_file rw_fifo_file_perms; > allow consolekit_t self:unix_stream_socket { accept listen }; > > @@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t) > files_search_all_mountpoints(consolekit_t) > > fs_list_inotifyfs(consolekit_t) > +fs_mount_tmpfs(consolekit_t) > +fs_unmount_tmpfs(consolekit_t) > +fs_relabelfrom_tmpfs(consolekit_t) > > mcs_ptrace_all(consolekit_t) > > +seutil_libselinux_linked(consolekit_t) > +seutil_read_file_contexts(consolekit_t) > + > term_use_all_terms(consolekit_t) > > auth_use_nsswitch(consolekit_t) > @@ -79,6 +85,12 @@ miscfiles_read_localization(consolekit_t) > > userdom_dontaudit_read_user_home_content_files(consolekit_t) > userdom_read_user_tmp_files(consolekit_t) > +userdom_manage_user_runtime_root_dirs(consolekit_t) > +userdom_manage_user_runtime_dirs(consolekit_t) > +userdom_mounton_user_runtime_dirs(consolekit_t) > +userdom_relabelto_user_runtime_dirs(consolekit_t) > +userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user") > +userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir) > > tunable_policy(`use_nfs_home_dirs',` > fs_read_nfs_files(consolekit_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com