From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 30 Oct 2016 14:21:07 -0400 Subject: [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup In-Reply-To: <1477502361-20223-1-git-send-email-jason@perfinion.com> References: <1477502361-20223-1-git-send-email-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/26/16 13:19, Jason Zaman wrote: > Allow dbus chat to policykit. > pcscd needs to lookup the domain that connects to the socket. > > type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1 > type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1 > --- > pcscd.if | 3 +++ > pcscd.te | 4 ++++ > 2 files changed, 7 insertions(+) > > diff --git a/pcscd.if b/pcscd.if > index ac7e60c..b5c522d 100644 > --- a/pcscd.if > +++ b/pcscd.if > @@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',` > > files_search_pids($1) > stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) > + > + allow pcscd_t $1:dir list_dir_perms; > + allow pcscd_t $1:file read_file_perms; > ') > > ######################################## > diff --git a/pcscd.te b/pcscd.te > index 1828900..bcc863c 100644 > --- a/pcscd.te > +++ b/pcscd.te > @@ -73,6 +73,10 @@ optional_policy(` > optional_policy(` > hal_dbus_chat(pcscd_t) > ') > + > + optional_policy(` > + policykit_dbus_chat(pcscd_t) > + ') > ') > > optional_policy(` Merged. -- Chris PeBenito
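Review bot: in the pcscd.if hunk, the two rules added at the end of pcscd_stream_connect grant access in the reverse direction (pcscd_t onto the caller $1), which the interface name does not suggest. Every domain that calls this interface now lets pcscd_t list directories and read files labeled with the caller's own domain type, which per the quoted AVCs means its /proc/<pid> entries. State this in the interface's documentation, or add a comment above `allow pcscd_t $1:dir list_dir_perms;` that ties it to the /proc/<pid>/stat lookup described in the commit message. The quoted denials cover only open and getattr on a file, so the commit message should also say why the dir rule is needed.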
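Review bot: in the pcscd.te hunk, `policykit_dbus_chat(pcscd_t)` has no supporting denial in the commit message; both quoted AVCs are for /proc/10610/stat and neither involves D-Bus. Add the D-Bus denial, or a line saying which pcscd operation talks to policykit, so the rule can be checked against observed behaviour. Wrapping the call in its own optional_policy next to the hal_dbus_chat block is consistent with the surrounding lines.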