From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 10 Oct 2017 21:42:41 +0200 Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit In-Reply-To: <1507664296.4488.12.camel@trentalancia.com> References: <1507316426.20230.10.camel@trentalancia.com> <1507664296.4488.12.camel@trentalancia.com> Message-ID: <1507664561.4488.15.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 10/10/2017 at 21.38 +0200, Guido Trentalancia via refpolicy wrote: > Hello again Christopher. > > On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via > refpolicy wrote: > > Hello. > > > > On the 9th of October 2017 20:51:39 CEST, Chris PeBenito > ie > > ee.org> wrote: > > > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote: > > > > Add permissions required to start a Gnome session using gnome- > > > > session > > > > and ConsoleKit. > > > > > > > > Signed-off-by: Guido Trentalancia > > > > --- > > > > policy/modules/contrib/policykit.if | 19 > > > > +++++++++++++++++++ > > > > policy/modules/contrib/policykit.te | 9 +++++++-- > > > > policy/modules/contrib/wm.if | 5 +++++ > > > > 3 files changed, 31 insertions(+), 2 deletions(-) > > > > > > > > --- a/policy/modules/contrib/policykit.if 2017-09-29 > > > > > > 19:01:55.177455647 +0200 > > > > +++ b/policy/modules/contrib/policykit.if 2017-10-06 > > > > > > 20:26:16.020913014 +0200 
> > > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',` > > > > roleattribute $2 policykit_auth_roles; > > > > ') > > > > > > > > +####################################### > > > > +## > > > > +## Send generic signals to > > > > +## policykit auth. > > > > +## > > > > +## > > > > +## > > > > +## Domain allowed access. > > > > +## > > > > +## > > > > +# > > > > +interface(`policykit_signal_auth',` > > > > + gen_require(` > > > > + type policykit_auth_t; > > > > + ') > > > > + > > > > + allow $1 policykit_auth_t:process signal; > > > > +') > > > > + > > > > ######################################## > > > > ## > > > > ## Execute a domain transition to run polkit grant. > > > > diff -pru a/policy/modules/contrib/policykit.te > > > > > > b/policy/modules/contrib/policykit.te > > > > --- a/policy/modules/contrib/policykit.te 2017-09-29 > > > > > > 19:01:55.177455647 +0200 > > > > +++ b/policy/modules/contrib/policykit.te 2017-10-06 > > > > > > 20:38:00.347910134 +0200 > > > > @@ -152,8 +152,8 @@ optional_policy(` > > > > # Auth local policy > > > > # > > > > > > > > -allow policykit_auth_t self:capability { ipc_lock setgid > > > > setuid > > > > > > sys_nice }; > > > > -dontaudit policykit_auth_t self:capability sys_tty_config; > > > > +allow policykit_auth_t self:capability { dac_override ipc_lock > > > > > > setgid setuid sys_nice }; > > > > +dontaudit policykit_auth_t self:capability { dac_read_search > > > > > > sys_tty_config }; > > > > allow policykit_auth_t self:process { getsched setsched > > > > signal > > > > }; > > > > allow policykit_auth_t self:unix_stream_socket { accept > > > > listen > > > > }; 
> > > > > > > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut > > > > > > > > kernel_read_system_state(policykit_auth_t) > > > > kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) > > > > +kernel_dontaudit_search_sysctl(policykit_auth_t) > > > > > > > > dev_read_video_dev(policykit_auth_t) > > > > > > > > +domain_use_interactive_fds(policykit_auth_t) > > > > + > > > > files_read_etc_runtime_files(policykit_auth_t) > > > > files_search_home(policykit_auth_t) > > > > > > > > fs_getattr_all_fs(policykit_auth_t) > > > > fs_search_tmpfs(policykit_auth_t) > > > > > > > > +auth_read_shadow(policykit_auth_t) > > By the way, the original polkit package also uses getpwnam() and > getspnam(): > > http://man7.org/linux/man-pages/man3/getpwnam.3.html > > http://man7.org/linux/man-pages/man3/getspnam.3.html > > It can be compiled with PAM support OR *shadow* support: > > --with-authfw= Authentication framework (none/pam/shadow) > > See, for example: > > https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenth > el > per-shadow.c > > Therefore, it seems that both polkit and polkit-gnome need > auth_read_shadow() in the policy (actual policy is incomplete). But, because polkit-gnome *always* requires to read shadow, a boolean seems absolutely useless in this case. > I hope it helps... > > > > > auth_rw_var_auth(policykit_auth_t) > > > > auth_use_nsswitch(policykit_auth_t) > > > > auth_domtrans_chk_passwd(policykit_auth_t) > > > > > > The above shadow addition shouldn't be necessary because of this > > > password check. > > > > I thought the same, but apparently it also needs to read shadow > > directly... 
> > > > > > @@ -218,6 +222,7 @@ optional_policy(` > > > > optional_policy(` > > > > xserver_stream_connect(policykit_auth_t) > > > > xserver_read_xdm_pid(policykit_auth_t) > > > > + xserver_rw_xsession_log(policykit_auth_t) > > > > ') > > > > > > > > ######################################## > > > > diff -pru a/policy/modules/contrib/wm.if > > > > > > b/policy/modules/contrib/wm.if > > > > --- a/policy/modules/contrib/wm.if 2017-09-29 > > > > 19:01:55.209455647 > > > > > > +0200 > > > > +++ b/policy/modules/contrib/wm.if 2017-10-06 > > > > 20:18:53.335914824 > > > > > > +0200 > > > > @@ -90,6 +90,11 @@ template(`wm_role_template',` > > > > ') > > > > > > > > optional_policy(` > > > > + policykit_run_auth($1_wm_t, $2) > > > > + policykit_signal_auth($1_wm_t) > > > > + ') > > > > + > > > > + optional_policy(` > > > > pulseaudio_run($1_wm_t, $2) > > > > ') > > > > ') Regards, Guido
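Review bot: the capability hunk at -152,8 in policykit.te adds dac_override to the allow rule for policykit_auth_t without saying which access needs it; the commit message only states that the permissions are required to start a Gnome session. dac_override lets the domain bypass file permission checks for read, write and execute, so please name the path that triggers the denial and check whether correcting its ownership or mode removes the need. The same hunk moves dac_read_search into the dontaudit rule, which hides the narrower denial while the broader capability is granted; if the access is read-only, allowing dac_read_search alone would be the smaller change.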
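Review bot: in the -175,15 hunk of policykit.te, auth_read_shadow(policykit_auth_t) is added next to the existing auth_domtrans_chk_passwd(policykit_auth_t), so the domain gets direct read access to shadow in addition to the helper transition that normally makes it unnecessary. The thread gives the reason (polkit built with the shadow authentication framework, and polkit-gnome reading shadow directly), but neither the policy nor the commit message records it; please add a comment above the line stating that reason and include the observed AVC denial in the commit message so the grant can be re-evaluated later.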
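Review bot: in the -218,6 hunk of policykit.te, xserver_rw_xsession_log(policykit_auth_t) gives the auth domain both read and write on the X session log, and nothing in the patch explains why it needs to read it. If the denial comes only from an inherited stdout or stderr descriptor pointing at the log, write or append access would be enough, or the access could be dontaudited; please state which operation was denied.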
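Review bot: the wm.if hunk at -90,6 places policykit_run_auth($1_wm_t, $2) inside wm_role_template, so every role that instantiates the template can transition to policykit_auth_t, not only roles running gnome-session as the commit message describes. Since policykit_run_auth also adds $2 to policykit_auth_roles, and the policykit.te hunks in this same patch give policykit_auth_t dac_override and direct shadow read, the reachable privilege for all window manager roles grows with this one line. Please confirm that is intended for all window managers, and say in the commit message which signal $1_wm_t sends that requires policykit_signal_auth($1_wm_t).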