[refpolicy] [ screen patch 1/1] Add screen-locking functionality. Signed-off-by: Dominick Grift <domg472 at gmail.com>

Dominick Grift domg472 at gmail.com
Thu Oct 22 09:13:59 CDT 2009


On Thu, Oct 22, 2009 at 10:05:13AM -0400, Christopher J. PeBenito wrote:
> On Thu, 2009-10-22 at 15:56 +0200, Dominick Grift wrote:
> > On Thu, Oct 22, 2009 at 09:53:01AM -0400, Christopher J. PeBenito wrote:
> > > On Thu, 2009-10-22 at 11:14 +0200, Dominick Grift wrote:
> > > > @@ -146,4 +148,8 @@ template(`screen_role_template',`
> > > >  		fs_list_nfs($1_screen_t)
> > > >  		fs_read_nfs_symlinks($1_screen_t)
> > > >  	')
> > > > +
> > > > +	optional_policy(`
> > > > +		dbus_system_bus_client($1_screen_t)
> > > > +	')
> > > 
> > > Is this an unrelated change?
> > 
> > No it is related:
> > 
> > allow dgrift_screen_t chkpwd_exec_t:file { read execute open execute_no_trans };
> > allow dgrift_screen_t self:capability { audit_write dac_override };
> > allow dgrift_screen_t self:fifo_file { write read ioctl };
> > allow dgrift_screen_t self:netlink_audit_socket { nlmsg_relay write create read };
> > allow dgrift_screen_t system_dbusd_t:unix_stream_socket connectto;
> > allow dgrift_screen_t system_dbusd_var_run_t:sock_file write;
> > 
> > This is all related to screen-locking
> 
> If dbus is required for screen locking, then the other rules should go
> in the dbus optional, along with a comment about screen locking.

My mistake its actually chkpasswd that want the dbus. so if you merge the other two hunks it will work.

i double checked it

it only needs:

	allow $1_screen_t self:fifo_file rw_fifo_file_perms;
	auth_domtrans_chk_passwd($1_screen_t)

> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091022/f4d4f3e0/attachment.bin 


More information about the refpolicy mailing list