From: jason@perfinion.com (Jason Zaman)
Date: Mon, 8 Aug 2016 16:10:11 +0800
Subject: [refpolicy] [PATCH] staff: Allow dbus chat with accountsd_t for LightDM
Message-ID: <1470643811-32586-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

LightDM is split into two parts: the main part and the greeter. The greeter logs in as root, so it switches to staff_t and is not in xdm_t anymore, and needs to get the list of users. It crashes and fails to start without this.

type=USER_AVC msg=audit(1470642176.704:342177): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.Accounts member=ListCachedUsers dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.705:342178): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.706:342179): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.709:342180): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.714:342181): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager spid=8833 tpid=4994 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.838:342182): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=signal interface=org.freedesktop.Accounts.User member=Changed dest=org.freedesktop.DBus spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.849:342183): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.851:342184): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?' --- policy/modules/roles/staff.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 33c6993..448a83c 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff) # optional_policy(` + accountsd_dbus_chat(staff_t) +') + +optional_policy(` apache_role(staff_r, staff_t) ') -- 2.7.3
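Review bot: the audit trace in the description still contains a denial that this hunk does not cover: record 342181, `avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager`, from staff_t to xdm_t. With only `accountsd_dbus_chat(staff_t)` added, the greeter will still be refused that property read on the display manager, so either add the matching xdm dbus rule in the same patch or say in the commit message why that denial is harmless. Also worth stating: `accountsd_dbus_chat` is a two-way dbus grant applied to the whole staff_t domain, not just to the LightDM greeter process the description is about, so every staff_t process gains the ability to call into accountsd_t; if that is the intended scope it should be said explicitly, otherwise the greeter's own domain would be the narrower place for this rule.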
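Triaging a trace like the one above by hand is error-prone: the one denied record is easy to miss among the granted ones. The following Python script is an added example, not part of this patch or of refpolicy, that parses USER_AVC dbus records, groups the interface/member calls by (decision, source type, target type), lists the source/target pairs that were denied, and prints the raw allow rule each denial would need. The sample input is constructed from four of the records quoted in the description with the unused trailing fields dropped; all function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the USER_AVC records quoted in the patch
# description, one per line, with the unused trailing fields dropped.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1470642176.704:342177): pid=4762 uid=101 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.Accounts member=ListCachedUsers dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1470642176.705:342178): pid=4762 uid=101 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1470642176.706:342179): pid=4762 uid=101 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1470642176.714:342181): pid=4762 uid=101 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager spid=8833 tpid=4994 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

# The dbus-daemon AVC message: "avc: <decision> { perms } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_user_avc(line):
    """Parse one USER_AVC line; return None for non-AVC or non-dbus records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if fields.get("tclass") != "dbus":
        return None
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "msgtype": fields.get("msgtype"),
        "interface": fields.get("interface"),   # absent on method_return
        "member": fields.get("member"),
        "dest": fields.get("dest"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
    }


def parse_log(text):
    return [r for r in (parse_user_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Map (decision, source type, target type) -> sorted list of calls seen."""
    out = defaultdict(set)
    for r in records:
        call = f"{r['interface']}.{r['member']}" if r["interface"] else r["msgtype"]
        out[(r["decision"], r["source"], r["target"])].add(call)
    return {k: sorted(v) for k, v in out.items()}


def denied_pairs(records):
    return sorted({(r["source"], r["target"]) for r in records if r["decision"] == "denied"})


def raw_allow_rules(records):
    """Raw allow rule for each denied dbus send_msg (what audit2allow would print).
    refpolicy does not write these directly: the equivalent *_dbus_chat interface of
    the target's module is used, which grants send_msg in both directions so that the
    method_return back to the caller is allowed as well."""
    return [f"allow {src} {tgt}:dbus send_msg;" for src, tgt in denied_pairs(records)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT)
    for key, calls in sorted(summarize(recs).items()):
        print(key, calls)
    for rule in raw_allow_rules(recs):
        print("needs:", rule)
```

Run against the sample, the granted staff_t -> accountsd_t calls are the ones the patch covers, and the one denied pair (staff_t -> xdm_t, `org.freedesktop.DBus.Properties.Get` on org.freedesktop.DisplayManager) is the one the patch leaves open. Feed it real `ausearch -m USER_AVC` output to get the same breakdown for a whole session.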