From: guido@trentalancia.com (Guido Trentalancia) Date: Mon, 09 Oct 2017 20:59:48 +0200 Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit In-Reply-To: References: <1507316426.20230.10.camel@trentalancia.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. On the 9th of October 2017 20:51:39 CEST, Chris PeBenito wrote:
>On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>> Add permissions required to start a Gnome session using gnome-session
>> and ConsoleKit.
>>
>> Signed-off-by: Guido Trentalancia
>> ---
>> policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
>> policy/modules/contrib/policykit.te | 9 +++++++--
>> policy/modules/contrib/wm.if | 5 +++++
>> 3 files changed, 31 insertions(+), 2 deletions(-)
>>
>> --- a/policy/modules/contrib/policykit.if 2017-09-29
>19:01:55.177455647 +0200
>> +++ b/policy/modules/contrib/policykit.if 2017-10-06
>20:26:16.020913014 +0200
>> @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
>> roleattribute $2 policykit_auth_roles;
>> ')
>>
>> +#######################################
>> +##
>> +## Send generic signals to
>> +## policykit auth.
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`policykit_signal_auth',`
>> + gen_require(`
>> + type policykit_auth_t;
>> + ')
>> +
>> + allow $1 policykit_auth_t:process signal;
>> +')
>> +
>> ########################################
>> ##
>> ## Execute a domain transition to run polkit grant.
>> diff -pru a/policy/modules/contrib/policykit.te
>b/policy/modules/contrib/policykit.te
>> --- a/policy/modules/contrib/policykit.te 2017-09-29
>19:01:55.177455647 +0200
>> +++ b/policy/modules/contrib/policykit.te 2017-10-06
>20:38:00.347910134 +0200
>> @@ -152,8 +152,8 @@ optional_policy(`
>> # Auth local policy
>> #
>>
>> -allow policykit_auth_t self:capability { ipc_lock setgid setuid
>sys_nice };
>> -dontaudit policykit_auth_t self:capability sys_tty_config;
>> +allow policykit_auth_t self:capability { dac_override ipc_lock
>setgid setuid sys_nice };
>> +dontaudit policykit_auth_t self:capability { dac_read_search
>sys_tty_config };
>> allow policykit_auth_t self:process { getsched setsched signal };
>> allow policykit_auth_t self:unix_stream_socket { accept listen };
>>
>> @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
>>
>> kernel_read_system_state(policykit_auth_t)
>> kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
>> +kernel_dontaudit_search_sysctl(policykit_auth_t)
>>
>> dev_read_video_dev(policykit_auth_t)
>>
>> +domain_use_interactive_fds(policykit_auth_t)
>> +
>> files_read_etc_runtime_files(policykit_auth_t)
>> files_search_home(policykit_auth_t)
>>
>> fs_getattr_all_fs(policykit_auth_t)
>> fs_search_tmpfs(policykit_auth_t)
>>
>> +auth_read_shadow(policykit_auth_t)
>> auth_rw_var_auth(policykit_auth_t)
>> auth_use_nsswitch(policykit_auth_t)
>> auth_domtrans_chk_passwd(policykit_auth_t)
>
>The above shadow addition shouldn't be necessary because of this
>password check.
I thought the same, but apparently it also needs to read shadow directly...
>> @@ -218,6 +222,7 @@ optional_policy(`
>> optional_policy(`
>> xserver_stream_connect(policykit_auth_t)
>> xserver_read_xdm_pid(policykit_auth_t)
>> + xserver_rw_xsession_log(policykit_auth_t)
>> ')
>>
>> ########################################
>> diff -pru a/policy/modules/contrib/wm.if
>b/policy/modules/contrib/wm.if
>> --- a/policy/modules/contrib/wm.if 2017-09-29 19:01:55.209455647
>+0200
>> +++ b/policy/modules/contrib/wm.if 2017-10-06 20:18:53.335914824
>+0200
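Review bot: In the first policykit.te hunk (`@@ -152,8 +152,8 @@`), the added `dac_override` lets `policykit_auth_t` bypass discretionary read, write and execute checks on any file, and neither the commit message nor the hunk says which access needs it. The same hunk adds `dac_read_search` to the dontaudit rule, so the narrower capability's denials are hidden while the broader one is granted. It would be worth identifying the object from the AVC denial and either fixing its ownership or mode, or allowing only `dac_read_search` if read/search is all the agent needs. If `dac_override` has to stay, a comment above the rule such as `# dac_override: needed for <path the agent must access>` would let later reviewers re-check the grant.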
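Review bot: In the last policykit.te hunk (`@@ -218,6 +222,7 @@`), `xserver_rw_xsession_log(policykit_auth_t)` gives the auth agent both read and write access to the X session log, with no stated reason. This looks like an stdout/stderr descriptor inherited from the session rather than a file the agent opens itself, which the `domain_use_interactive_fds` addition in the previous hunk would also suggest, but that is inferred and should be checked against the denial. If it is an inherited descriptor, write/append access alone should be enough and read access can be dropped. Either way a comment such as `# stderr inherited from the session points at the xsession log` would document why the rule exists.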
>> @@ -90,6 +90,11 @@ template(`wm_role_template',`
>> ')
>>
>> optional_policy(`
>> + policykit_run_auth($1_wm_t, $2)
>> + policykit_signal_auth($1_wm_t)
>> + ')
>> +
>> + optional_policy(`
>> pulseaudio_run($1_wm_t, $2)
>> ')
>> ')
Regards, Guido
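Review bot: `policykit_run_auth($1_wm_t, $2)` is added inside `wm_role_template`, so every role that instantiates the template gains a transition into `policykit_auth_t`, not only the GNOME session the description mentions. The same patch widens that domain's capabilities in policykit.te, so the effective privilege reachable from any window-manager domain grows with it. The new optional block also has no comment saying why the window manager must signal the agent. If the reason is that gnome-session starts the authentication agent and stops it at logout, a line such as `# gnome-session starts the polkit authentication agent and signals it on exit` above `policykit_run_auth` would record that. The template body starts outside the hunk, so existing grants to `$1_wm_t` are not visible here.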