From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 10 Oct 2017 21:21:19 +0200
Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit
In-Reply-To: <D6FC7231-87E3-492E-8836-2EC59143FEA9@trentalancia.com>
References: <1507316426.20230.10.camel@trentalancia.com>
	<b33d0e93-949b-2579-2984-fef294c7224f@ieee.org>
	<D6FC7231-87E3-492E-8836-2EC59143FEA9@trentalancia.com>
Message-ID: <1507663279.4488.4.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Strictly speaking it's not polkit, but a strictly related package
called "polkit-gnome".

For your reference, it's the following getpwnam() call:

https://git.gnome.org/browse/PolicyKit-gnome/tree/src/polkitgnomeauthen
ticationdialog.c#n174

See also:

http://man7.org/linux/man-pages/man3/getpwnam.3p.html

Thus, we need auth_read_shadow(polkit_auth_t) in the Reference
Policy...

On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via
refpolicy wrote:
> Hello. 
> 
> On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <pebenito@ie
> ee.org> wrote:
> > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> > > Add permissions required to start a Gnome session using gnome-
> > > session
> > > and ConsoleKit.
> > > 
> > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > > ---
> > >   policy/modules/contrib/policykit.if |   19 +++++++++++++++++++
> > >   policy/modules/contrib/policykit.te |    9 +++++++--
> > >   policy/modules/contrib/wm.if        |    5 +++++
> > >   3 files changed, 31 insertions(+), 2 deletions(-)
> > > 
> > > --- a/policy/modules/contrib/policykit.if	2017-09-29
> > 
> > 19:01:55.177455647 +0200
> > > +++ b/policy/modules/contrib/policykit.if	2017-10-06
> > 
> > 20:26:16.020913014 +0200
> > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> > >   	roleattribute $2 policykit_auth_roles;
> > >   ')
> > >   
> > > +#######################################
> > > +## <summary>
> > > +##	Send generic signals to
> > > +##	policykit auth.
> > > +## </summary>
> > > +## <param name="domain">
> > > +##	<summary>
> > > +##	Domain allowed access.
> > > +##	</summary>
> > > +## </param>
> > > +#
> > > +interface(`policykit_signal_auth',`
> > > +	gen_require(`
> > > +		type policykit_auth_t;
> > > +	')
> > > +
> > > +	allow $1 policykit_auth_t:process signal;
> > > +')
> > > +
> > >   ########################################
> > >   ## <summary>
> > >   ##	Execute a domain transition to run polkit grant.
> > > diff -pru a/policy/modules/contrib/policykit.te
> > 
> > b/policy/modules/contrib/policykit.te
> > > --- a/policy/modules/contrib/policykit.te	2017-09-29
> > 
> > 19:01:55.177455647 +0200
> > > +++ b/policy/modules/contrib/policykit.te	2017-10-06
> > 
> > 20:38:00.347910134 +0200
> > > @@ -152,8 +152,8 @@ optional_policy(`
> > >   # Auth local policy
> > >   #
> > >   
> > > -allow policykit_auth_t self:capability { ipc_lock setgid setuid
> > 
> > sys_nice };
> > > -dontaudit policykit_auth_t self:capability sys_tty_config;
> > > +allow policykit_auth_t self:capability { dac_override ipc_lock
> > 
> > setgid setuid sys_nice };
> > > +dontaudit policykit_auth_t self:capability { dac_read_search
> > 
> > sys_tty_config };
> > >   allow policykit_auth_t self:process { getsched setsched signal
> > > };
> > >   allow policykit_auth_t self:unix_stream_socket { accept listen
> > > };
> > >   
> > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
> > >   
> > >   kernel_read_system_state(policykit_auth_t)
> > >   kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> > > +kernel_dontaudit_search_sysctl(policykit_auth_t)
> > >   
> > >   dev_read_video_dev(policykit_auth_t)
> > >   
> > > +domain_use_interactive_fds(policykit_auth_t)
> > > +
> > >   files_read_etc_runtime_files(policykit_auth_t)
> > >   files_search_home(policykit_auth_t)
> > >   
> > >   fs_getattr_all_fs(policykit_auth_t)
> > >   fs_search_tmpfs(policykit_auth_t)
> > >   
> > > +auth_read_shadow(policykit_auth_t)
> > >   auth_rw_var_auth(policykit_auth_t)
> > >   auth_use_nsswitch(policykit_auth_t)
> > >   auth_domtrans_chk_passwd(policykit_auth_t)
> > 
> > The above shadow addition shouldn't be necessary because of this 
> > password check.
> 
> I thought the same, but apparently it also needs to read shadow
> directly... 
> 
> > > @@ -218,6 +222,7 @@ optional_policy(`
> > >   optional_policy(`
> > >   	xserver_stream_connect(policykit_auth_t)
> > >   	xserver_read_xdm_pid(policykit_auth_t)
> > > +	xserver_rw_xsession_log(policykit_auth_t)
> > >   ')
> > >   
> > >   ########################################
> > > diff -pru a/policy/modules/contrib/wm.if
> > 
> > b/policy/modules/contrib/wm.if
> > > --- a/policy/modules/contrib/wm.if	2017-09-29
> > > 19:01:55.209455647
> > 
> > +0200
> > > +++ b/policy/modules/contrib/wm.if	2017-10-06
> > > 20:18:53.335914824
> > 
> > +0200
> > > @@ -90,6 +90,11 @@ template(`wm_role_template',`
> > >   	')
> > >   
> > >   	optional_policy(`
> > > +		policykit_run_auth($1_wm_t, $2)
> > > +		policykit_signal_auth($1_wm_t)
> > > +	')
> > > +
> > > +	optional_policy(`
> > >   		pulseaudio_run($1_wm_t, $2)
> > >   	')
> > >   ')

Regards,

Guido