From: jason@perfinion.com (Jason Zaman)
Date: Thu, 27 Oct 2016 01:19:18 +0800
Subject: [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup
Message-ID: <1477502361-20223-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow dbus chat to policykit.
pcscd needs to lookup the domain that connects to the socket.

type=AVC msg=audit(1477409841.224:12512): avc:  denied  { open } for  pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1477409841.224:12513): avc:  denied  { getattr } for  pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
---
 pcscd.if | 3 +++
 pcscd.te | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/pcscd.if b/pcscd.if
index ac7e60c..b5c522d 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
 
 	files_search_pids($1)
 	stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+	allow pcscd_t $1:dir list_dir_perms;
+	allow pcscd_t $1:file read_file_perms;
 ')
 
 ########################################
diff --git a/pcscd.te b/pcscd.te
index 1828900..bcc863c 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -73,6 +73,10 @@ optional_policy(`
 	optional_policy(`
 		hal_dbus_chat(pcscd_t)
 	')
+
+	optional_policy(`
+		policykit_dbus_chat(pcscd_t)
+	')
 ')
 
 optional_policy(`
-- 
2.7.3