From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 10 Oct 2017 21:21:19 +0200 Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit In-Reply-To: References: <1507316426.20230.10.camel@trentalancia.com> Message-ID: <1507663279.4488.4.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Strictly speaking it's not polkit, but a strictly related package called "polkit-gnome". For your reference, it's the following getpwnam() call: https://git.gnome.org/browse/PolicyKit-gnome/tree/src/polkitgnomeauthen ticationdialog.c#n174 See also: http://man7.org/linux/man-pages/man3/getpwnam.3p.html Thus, we need auth_read_shadow(polkit_auth_t) in the Reference Policy... On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via refpolicy wrote: > Hello. > > On the 9th of October 2017 20:51:39 CEST, Chris PeBenito ee.org> wrote: > > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote: > > > Add permissions required to start a Gnome session using gnome- > > > session > > > and ConsoleKit. > > > > > > Signed-off-by: Guido Trentalancia > > > --- > > > policy/modules/contrib/policykit.if | 19 +++++++++++++++++++ > > > policy/modules/contrib/policykit.te | 9 +++++++-- > > > policy/modules/contrib/wm.if | 5 +++++ > > > 3 files changed, 31 insertions(+), 2 deletions(-) > > > > > > --- a/policy/modules/contrib/policykit.if 2017-09-29 > > > > 19:01:55.177455647 +0200 > > > +++ b/policy/modules/contrib/policykit.if 2017-10-06 > > > > 20:26:16.020913014 +0200 > > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',` > > > roleattribute $2 policykit_auth_roles; > > > ') > > > > > > +####################################### > > > +## > > > +## Send generic signals to > > > +## policykit auth. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`policykit_signal_auth',` > > > + gen_require(` > > > + type policykit_auth_t; > > > + ') > > > + > > > + allow $1 policykit_auth_t:process signal; > > > +') > > > + > > > ######################################## > > > ## > > > ## Execute a domain transition to run polkit grant. > > > diff -pru a/policy/modules/contrib/policykit.te > > > > b/policy/modules/contrib/policykit.te > > > --- a/policy/modules/contrib/policykit.te 2017-09-29 > > > > 19:01:55.177455647 +0200 > > > +++ b/policy/modules/contrib/policykit.te 2017-10-06 > > > > 20:38:00.347910134 +0200 > > > @@ -152,8 +152,8 @@ optional_policy(` > > > # Auth local policy > > > # > > > > > > -allow policykit_auth_t self:capability { ipc_lock setgid setuid > > > > sys_nice }; > > > -dontaudit policykit_auth_t self:capability sys_tty_config; > > > +allow policykit_auth_t self:capability { dac_override ipc_lock > > > > setgid setuid sys_nice }; > > > +dontaudit policykit_auth_t self:capability { dac_read_search > > > > sys_tty_config }; > > > allow policykit_auth_t self:process { getsched setsched signal > > > }; > > > allow policykit_auth_t self:unix_stream_socket { accept listen > > > }; > > > > > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut > > > > > > kernel_read_system_state(policykit_auth_t) > > > kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) > > > +kernel_dontaudit_search_sysctl(policykit_auth_t) > > > > > > dev_read_video_dev(policykit_auth_t) > > > > > > +domain_use_interactive_fds(policykit_auth_t) > > > + > > > files_read_etc_runtime_files(policykit_auth_t) > > > files_search_home(policykit_auth_t) > > > > > > fs_getattr_all_fs(policykit_auth_t) > > > fs_search_tmpfs(policykit_auth_t) > > > > > > +auth_read_shadow(policykit_auth_t) > > > auth_rw_var_auth(policykit_auth_t) > > > auth_use_nsswitch(policykit_auth_t) > > > auth_domtrans_chk_passwd(policykit_auth_t) > > > > The above shadow addition shouldn't be necessary because of this > > password check. > > I thought the same, but apparently it also needs to read shadow > directly... > > > > @@ -218,6 +222,7 @@ optional_policy(` > > > optional_policy(` > > > xserver_stream_connect(policykit_auth_t) > > > xserver_read_xdm_pid(policykit_auth_t) > > > + xserver_rw_xsession_log(policykit_auth_t) > > > ') > > > > > > ######################################## > > > diff -pru a/policy/modules/contrib/wm.if > > > > b/policy/modules/contrib/wm.if > > > --- a/policy/modules/contrib/wm.if 2017-09-29 > > > 19:01:55.209455647 > > > > +0200 > > > +++ b/policy/modules/contrib/wm.if 2017-10-06 > > > 20:18:53.335914824 > > > > +0200 > > > @@ -90,6 +90,11 @@ template(`wm_role_template',` > > > ') > > > > > > optional_policy(` > > > + policykit_run_auth($1_wm_t, $2) > > > + policykit_signal_auth($1_wm_t) > > > + ') > > > + > > > + optional_policy(` > > > pulseaudio_run($1_wm_t, $2) > > > ') > > > ') Regards, Guido