[refpolicy] [PATCH 1/2] wm: run PolicyKit

Guido Trentalancia guido at trentalancia.com
Fri Oct 6 19:00:26 UTC 2017


Add permissions required to start a Gnome session using gnome-session
and ConsoleKit.

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
---
 policy/modules/contrib/policykit.if |   19 +++++++++++++++++++
 policy/modules/contrib/policykit.te |    9 +++++++--
 policy/modules/contrib/wm.if        |    5 +++++
 3 files changed, 31 insertions(+), 2 deletions(-)

--- a/policy/modules/contrib/policykit.if	2017-09-29 19:01:55.177455647 +0200
+++ b/policy/modules/contrib/policykit.if	2017-10-06 20:26:16.020913014 +0200
@@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
 	roleattribute $2 policykit_auth_roles;
 ')
 
+#######################################
+## <summary>
+##	Send generic signals to
+##	policykit auth.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+	gen_require(`
+		type policykit_auth_t;
+	')
+
+	allow $1 policykit_auth_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run polkit grant.
diff -pru a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
--- a/policy/modules/contrib/policykit.te	2017-09-29 19:01:55.177455647 +0200
+++ b/policy/modules/contrib/policykit.te	2017-10-06 20:38:00.347910134 +0200
@@ -152,8 +152,8 @@ optional_policy(`
 # Auth local policy
 #
 
-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
-dontaudit policykit_auth_t self:capability sys_tty_config;
+allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };
+dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config };
 allow policykit_auth_t self:process { getsched setsched signal };
 allow policykit_auth_t self:unix_stream_socket { accept listen };
 
@@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
 
 kernel_read_system_state(policykit_auth_t)
 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+kernel_dontaudit_search_sysctl(policykit_auth_t)
 
 dev_read_video_dev(policykit_auth_t)
 
+domain_use_interactive_fds(policykit_auth_t)
+
 files_read_etc_runtime_files(policykit_auth_t)
 files_search_home(policykit_auth_t)
 
 fs_getattr_all_fs(policykit_auth_t)
 fs_search_tmpfs(policykit_auth_t)
 
+auth_read_shadow(policykit_auth_t)
 auth_rw_var_auth(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 auth_domtrans_chk_passwd(policykit_auth_t)
@@ -218,6 +222,7 @@ optional_policy(`
 optional_policy(`
 	xserver_stream_connect(policykit_auth_t)
 	xserver_read_xdm_pid(policykit_auth_t)
+	xserver_rw_xsession_log(policykit_auth_t)
 ')
 
 ########################################
diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
--- a/policy/modules/contrib/wm.if	2017-09-29 19:01:55.209455647 +0200
+++ b/policy/modules/contrib/wm.if	2017-10-06 20:18:53.335914824 +0200
@@ -90,6 +90,11 @@ template(`wm_role_template',`
 	')
 
 	optional_policy(`
+		policykit_run_auth($1_wm_t, $2)
+		policykit_signal_auth($1_wm_t)
+	')
+
+	optional_policy(`
 		pulseaudio_run($1_wm_t, $2)
 	')
 ')


More information about the refpolicy mailing list