From: jason@perfinion.com (Jason Zaman) Date: Thu, 27 Oct 2016 01:19:18 +0800 Subject: [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup Message-ID: <1477502361-20223-1-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Allow dbus chat to policykit. pcscd needs to lookup the domain that connects to the socket. type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1 --- pcscd.if | 3 +++ pcscd.te | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/pcscd.if b/pcscd.if index ac7e60c..b5c522d 100644 --- a/pcscd.if +++ b/pcscd.if @@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',` files_search_pids($1) stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) + + allow pcscd_t $1:dir list_dir_perms; + allow pcscd_t $1:file read_file_perms; ') ######################################## diff --git a/pcscd.te b/pcscd.te index 1828900..bcc863c 100644 --- a/pcscd.te +++ b/pcscd.te @@ -73,6 +73,10 @@ optional_policy(` optional_policy(` hal_dbus_chat(pcscd_t) ') + + optional_policy(` + policykit_dbus_chat(pcscd_t) + ') ') optional_policy(` -- 2.7.3
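Review bot: In the pcscd.if hunk, the two new rules inside `pcscd_stream_connect` grant access in the reverse direction (from `pcscd_t` to the caller `$1`), and nothing in the hunk tells a caller of the interface that this happens. Every domain that calls this interface now exposes its /proc entries to `pcscd_t`, so please add a comment above `allow pcscd_t $1:dir list_dir_perms;` explaining that pcscd looks up the connecting domain, and mention this in the interface summary. The quoted denials show only `open` and `getattr` on `/proc/10610/stat` with `tclass=file`, and no `dir` denial is shown. If pcscd only opens a known path, `search_dir_perms` on `$1:dir` would be a narrower grant than `list_dir_perms`.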
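Review bot: In the pcscd.te hunk, `policykit_dbus_chat(pcscd_t)` is added without any denial or rationale. The commit message says only "Allow dbus chat to policykit", while the /proc lookup change is backed by two AVC records. Please include the denial that motivated this call, or a sentence on what pcscd asks policykit for, so the grant can be checked against actual need. The D-Bus rule and the /proc lookup are unrelated, so splitting them into separate patches would also make each easier to review or revert.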