2009-08-17 19:24:53

by martin

Subject: [refpolicy] policykit Debian paths and rules

The policykit binaries on Debian live in /usr/lib/policykit, so add file
contexts for that path.
Also add a couple of policykit rules.

Index: policy/modules/services/policykit.fc
===================================================================
--- policy/modules/services/policykit.fc.orig
+++ policy/modules/services/policykit.fc
@@ -3,6 +3,11 @@
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)

+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
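Review bot: The four new /usr/lib/policykit entries are described as Debian paths but are added unconditionally, so on any other distribution a file placed at those paths would also pick up `policykit_exec_t` and the helper exec types, which are presumably the entrypoint types for the PolicyKit domains. Refpolicy normally scopes distro-only file contexts inside a `distro_debian` ifdef block; if the unconditional form is intended, a one-line comment above the block such as `# Debian installs the PolicyKit helpers under /usr/lib/policykit` would record why both locations are labelled. The `.*` suffix on `polkit-grant-helper.*` and `polkit-resolve-exe-helper.*` mirrors the visible /usr/libexec entry, so any file in that directory whose name starts with those prefixes receives the exec type; it is worth confirming against the Debian package file list that this matches only the intended binaries.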
Index: policy/modules/services/policykit.te
===================================================================
--- policy/modules/services/policykit.te.orig
+++ policy/modules/services/policykit.te
@@ -92,6 +92,8 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })

+kernel_read_system_state(policykit_auth_t)
+
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
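Review bot: `kernel_read_system_state(policykit_auth_t)` is added with no record of which access it is meant to cover; the description only says "a couple of policykit rules". The interface grants read access to general system state under /proc, so it should be checked against the actual AVC denial that nothing narrower is sufficient, with the reason noted above the rule, e.g. `# <AVC denial placeholder>: helper reads /proc`. The same applies to `dbus_system_bus_client(policykit_auth_t)` in the next hunk, which adds system-bus access alongside the existing session-bus client. The `optional_policy` block holding that rule continues past the end of its hunk.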

@@ -105,6 +107,7 @@

optional_policy(`
dbus_session_bus_client(policykit_auth_t)
+ dbus_system_bus_client(policykit_auth_t)

optional_policy(`
consolekit_dbus_chat(policykit_auth_t)

--
Martin Orr


2009-08-18 13:50:24

by cpebenito

Subject: [refpolicy] policykit Debian paths and rules

On Mon, 2009-08-17 at 20:24 +0100, Martin Orr wrote:
> The policykit binaries on Debian live in /usr/lib/policykit so add file
> contexts for that.
> Also a couple of policykit rules.

Merged, with a little reorganization.

> Index: policy/modules/services/policykit.fc
> ===================================================================
> --- policy/modules/services/policykit.fc.orig
> +++ policy/modules/services/policykit.fc
> @@ -3,6 +3,11 @@
> /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
> /usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
>
> +/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
> +/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
> +/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
> +/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
> +
> /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
> /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
> /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
> Index: policy/modules/services/policykit.te
> ===================================================================
> --- policy/modules/services/policykit.te.orig
> +++ policy/modules/services/policykit.te
> @@ -92,6 +92,8 @@
> manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
> files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
>
> +kernel_read_system_state(policykit_auth_t)
> +
> files_read_etc_files(policykit_auth_t)
> files_read_usr_files(policykit_auth_t)
>
> @@ -105,6 +107,7 @@
>
> optional_policy(`
> dbus_session_bus_client(policykit_auth_t)
> + dbus_system_bus_client(policykit_auth_t)
>
> optional_policy(`
> consolekit_dbus_chat(policykit_auth_t)
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150