[refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown the system

Guido Trentalancia guido at trentalancia.com
Tue Mar 1 13:40:53 CST 2011


On Tue, 01/03/2011 at 14.18 -0500, Christopher J. PeBenito wrote:
> On 02/23/11 13:57, Guido Trentalancia wrote:
> > On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:11, Guido Trentalancia wrote:
> >>> This patch adds some permissions needed to shutdown the system
> >>> using the graphical interface.
> >>>
> >>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> >>> --- refpolicy-git-02022011/policy/modules/services/consolekit.te	2011-01-08 19:07:21.232739776 +0100
> >>> +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te	2011-01-26 01:40:05.845983864 +0100
> >>> @@ -118,6 +118,10 @@ optional_policy(`
> >>>  ')
> >>>  
> >>>  optional_policy(`
> >>> +	shutdown_getattr_exec_files(consolekit_t)
> >>> +')
> >>> +
> >>> +optional_policy(`
> >>>  	udev_domtrans(consolekit_t)
> >>>  	udev_read_db(consolekit_t)
> >>>  	udev_signal(consolekit_t)
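Review bot: The new optional_policy block calls only shutdown_getattr_exec_files(consolekit_t), which by its name grants getattr on the shutdown executable and nothing that would let consolekit_t run it, so the change does not deliver what the description promises ("permissions needed to shutdown the system"). Either reword the description to say the patch permits the single getattr denial that was observed, or quote the AVC that motivated it and hold the patch until the remaining rules are identified. A one-line comment in the block saying why consolekit needs to stat the shutdown binary would also help whoever audits this module later.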
> >>
> >> How does this allow shutdown of the system?  It only allows a getattr on
> >> the shutdown command.
> > 
> > Yes, in fact the system shutdown functionality (from Gnome) apparently
> > is not working fine. It's not completing the job.
> > 
> > But there are no other AVC denials apart from that. So perhaps something
> > is broken in Gnome or Consolekit, I didn't manage to investigate further
> > so far (until I get further AVCs it's difficult to say that it's related
> > to the policy).
> 
> There may be things that are dontaudited that need to be allowed.

I bet so. But is there any way to disable the effect of dontaudit?
Something such as a boolean that will treat dontaudit as allow or
otherwise just ignore it so that the AVCs show up?

Regards,

Guido


