From: guido@trentalancia.com (Guido Trentalancia) Date: Fri, 06 Oct 2017 21:00:26 +0200 Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit Message-ID: <1507316426.20230.10.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add permissions required to start a Gnome session using gnome-session and ConsoleKit. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/policykit.if | 19 +++++++++++++++++++ policy/modules/contrib/policykit.te | 9 +++++++-- policy/modules/contrib/wm.if | 5 +++++ 3 files changed, 31 insertions(+), 2 deletions(-) --- a/policy/modules/contrib/policykit.if 2017-09-29 19:01:55.177455647 +0200 +++ b/policy/modules/contrib/policykit.if 2017-10-06 20:26:16.020913014 +0200 @@ -87,6 +87,25 @@ interface(`policykit_run_auth',` roleattribute $2 policykit_auth_roles; ') +####################################### +## +## Send generic signals to +## policykit auth. +## +## +## +## Domain allowed access. +## +## +# +interface(`policykit_signal_auth',` + gen_require(` + type policykit_auth_t; + ') + + allow $1 policykit_auth_t:process signal; +') + ######################################## ## ## Execute a domain transition to run polkit grant. diff -pru a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te --- a/policy/modules/contrib/policykit.te 2017-09-29 19:01:55.177455647 +0200 +++ b/policy/modules/contrib/policykit.te 2017-10-06 20:38:00.347910134 +0200 @@ -152,8 +152,8 @@ optional_policy(` # Auth local policy # -allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice }; -dontaudit policykit_auth_t self:capability sys_tty_config; +allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice }; +dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config }; allow policykit_auth_t self:process { getsched setsched signal }; allow policykit_auth_t self:unix_stream_socket { accept listen }; @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut kernel_read_system_state(policykit_auth_t) kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) +kernel_dontaudit_search_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) +domain_use_interactive_fds(policykit_auth_t) + files_read_etc_runtime_files(policykit_auth_t) files_search_home(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) +auth_read_shadow(policykit_auth_t) auth_rw_var_auth(policykit_auth_t) auth_use_nsswitch(policykit_auth_t) auth_domtrans_chk_passwd(policykit_auth_t) @@ -218,6 +222,7 @@ optional_policy(` optional_policy(` xserver_stream_connect(policykit_auth_t) xserver_read_xdm_pid(policykit_auth_t) + xserver_rw_xsession_log(policykit_auth_t) ') ######################################## diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if --- a/policy/modules/contrib/wm.if 2017-09-29 19:01:55.209455647 +0200 +++ b/policy/modules/contrib/wm.if 2017-10-06 20:18:53.335914824 +0200 @@ -90,6 +90,11 @@ template(`wm_role_template',` ') optional_policy(` + policykit_run_auth($1_wm_t, $2) + policykit_signal_auth($1_wm_t) + ') + + optional_policy(` pulseaudio_run($1_wm_t, $2) ') ')