From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 10 Oct 2017 21:42:41 +0200
Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit
In-Reply-To: <1507664296.4488.12.camel@trentalancia.com>
References: <1507316426.20230.10.camel@trentalancia.com>
	<b33d0e93-949b-2579-2984-fef294c7224f@ieee.org>
	<D6FC7231-87E3-492E-8836-2EC59143FEA9@trentalancia.com>
	<1507664296.4488.12.camel@trentalancia.com>
Message-ID: <1507664561.4488.15.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 10/10/2017 at 21.38 +0200, Guido Trentalancia via
refpolicy wrote:
> Hello again Christopher.
> 
> On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via
> refpolicy wrote:
> > Hello. 
> > 
> > On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <pebenito@
> > ie
> > ee.org> wrote:
> > > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> > > > Add permissions required to start a Gnome session using gnome-
> > > > session
> > > > and ConsoleKit.
> > > > 
> > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > > > ---
> > > >   policy/modules/contrib/policykit.if |   19
> > > > +++++++++++++++++++
> > > >   policy/modules/contrib/policykit.te |    9 +++++++--
> > > >   policy/modules/contrib/wm.if        |    5 +++++
> > > >   3 files changed, 31 insertions(+), 2 deletions(-)
> > > > 
> > > > --- a/policy/modules/contrib/policykit.if	2017-09-29
> > > 
> > > 19:01:55.177455647 +0200
> > > > +++ b/policy/modules/contrib/policykit.if	2017-10-06
> > > 
> > > 20:26:16.020913014 +0200
> > > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> > > >   	roleattribute $2 policykit_auth_roles;
> > > >   ')
> > > >   
> > > > +#######################################
> > > > +## <summary>
> > > > +##	Send generic signals to
> > > > +##	policykit auth.
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +##	<summary>
> > > > +##	Domain allowed access.
> > > > +##	</summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`policykit_signal_auth',`
> > > > +	gen_require(`
> > > > +		type policykit_auth_t;
> > > > +	')
> > > > +
> > > > +	allow $1 policykit_auth_t:process signal;
> > > > +')
> > > > +
> > > >   ########################################
> > > >   ## <summary>
> > > >   ##	Execute a domain transition to run polkit grant.
> > > > diff -pru a/policy/modules/contrib/policykit.te
> > > 
> > > b/policy/modules/contrib/policykit.te
> > > > --- a/policy/modules/contrib/policykit.te	2017-09-29
> > > 
> > > 19:01:55.177455647 +0200
> > > > +++ b/policy/modules/contrib/policykit.te	2017-10-06
> > > 
> > > 20:38:00.347910134 +0200
> > > > @@ -152,8 +152,8 @@ optional_policy(`
> > > >   # Auth local policy
> > > >   #
> > > >   
> > > > -allow policykit_auth_t self:capability { ipc_lock setgid
> > > > setuid
> > > 
> > > sys_nice };
> > > > -dontaudit policykit_auth_t self:capability sys_tty_config;
> > > > +allow policykit_auth_t self:capability { dac_override ipc_lock
> > > 
> > > setgid setuid sys_nice };
> > > > +dontaudit policykit_auth_t self:capability { dac_read_search
> > > 
> > > sys_tty_config };
> > > >   allow policykit_auth_t self:process { getsched setsched
> > > > signal
> > > > };
> > > >   allow policykit_auth_t self:unix_stream_socket { accept
> > > > listen
> > > > };
> > > >   
> > > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
> > > >   
> > > >   kernel_read_system_state(policykit_auth_t)
> > > >   kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> > > > +kernel_dontaudit_search_sysctl(policykit_auth_t)
> > > >   
> > > >   dev_read_video_dev(policykit_auth_t)
> > > >   
> > > > +domain_use_interactive_fds(policykit_auth_t)
> > > > +
> > > >   files_read_etc_runtime_files(policykit_auth_t)
> > > >   files_search_home(policykit_auth_t)
> > > >   
> > > >   fs_getattr_all_fs(policykit_auth_t)
> > > >   fs_search_tmpfs(policykit_auth_t)
> > > >   
> > > > +auth_read_shadow(policykit_auth_t)
> 
> By the way, the original polkit package also uses getpwnam() and
> getspnam():
> 
> http://man7.org/linux/man-pages/man3/getpwnam.3.html
> 
> http://man7.org/linux/man-pages/man3/getspnam.3.html
> 
> It can be compiled with PAM support OR *shadow* support:
> 
> --with-authfw=<name>    Authentication framework (none/pam/shadow)
> 
> See, for example:
> 
> https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenth
> el
> per-shadow.c
> 
> Therefore, it seems that both polkit and polkit-gnome need
> auth_read_shadow() in the policy (actual policy is incomplete).

But, because polkit-gnome *always* requires to read shadow, a boolean
seems absolutely useless in this case.

> I hope it helps...
> 
> > > >   auth_rw_var_auth(policykit_auth_t)
> > > >   auth_use_nsswitch(policykit_auth_t)
> > > >   auth_domtrans_chk_passwd(policykit_auth_t)
> > > 
> > > The above shadow addition shouldn't be necessary because of this 
> > > password check.
> > 
> > I thought the same, but apparently it also needs to read shadow
> > directly... 
> > 
> > > > @@ -218,6 +222,7 @@ optional_policy(`
> > > >   optional_policy(`
> > > >   	xserver_stream_connect(policykit_auth_t)
> > > >   	xserver_read_xdm_pid(policykit_auth_t)
> > > > +	xserver_rw_xsession_log(policykit_auth_t)
> > > >   ')
> > > >   
> > > >   ########################################
> > > > diff -pru a/policy/modules/contrib/wm.if
> > > 
> > > b/policy/modules/contrib/wm.if
> > > > --- a/policy/modules/contrib/wm.if	2017-09-29
> > > > 19:01:55.209455647
> > > 
> > > +0200
> > > > +++ b/policy/modules/contrib/wm.if	2017-10-06
> > > > 20:18:53.335914824
> > > 
> > > +0200
> > > > @@ -90,6 +90,11 @@ template(`wm_role_template',`
> > > >   	')
> > > >   
> > > >   	optional_policy(`
> > > > +		policykit_run_auth($1_wm_t, $2)
> > > > +		policykit_signal_auth($1_wm_t)
> > > > +	')
> > > > +
> > > > +	optional_policy(`
> > > >   		pulseaudio_run($1_wm_t, $2)
> > > >   	')
> > > >   ')

Regards,

Guido