[refpolicy] [PATCH 1/2] wm: run PolicyKit

Chris PeBenito pebenito at ieee.org
Mon Oct 9 18:51:39 UTC 2017


On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> Add permissions required to start a Gnome session using gnome-session
> and ConsoleKit.
> 
> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> ---
>   policy/modules/contrib/policykit.if |   19 +++++++++++++++++++
>   policy/modules/contrib/policykit.te |    9 +++++++--
>   policy/modules/contrib/wm.if        |    5 +++++
>   3 files changed, 31 insertions(+), 2 deletions(-)
> 
> --- a/policy/modules/contrib/policykit.if	2017-09-29 19:01:55.177455647 +0200
> +++ b/policy/modules/contrib/policykit.if	2017-10-06 20:26:16.020913014 +0200
> @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
>   	roleattribute $2 policykit_auth_roles;
>   ')
>   
> +#######################################
> +## <summary>
> +##	Send generic signals to
> +##	policykit auth.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`policykit_signal_auth',`
> +	gen_require(`
> +		type policykit_auth_t;
> +	')
> +
> +	allow $1 policykit_auth_t:process signal;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Execute a domain transition to run polkit grant.
> diff -pru a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
> --- a/policy/modules/contrib/policykit.te	2017-09-29 19:01:55.177455647 +0200
> +++ b/policy/modules/contrib/policykit.te	2017-10-06 20:38:00.347910134 +0200
> @@ -152,8 +152,8 @@ optional_policy(`
>   # Auth local policy
>   #
>   
> -allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
> -dontaudit policykit_auth_t self:capability sys_tty_config;
> +allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };
> +dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config };
>   allow policykit_auth_t self:process { getsched setsched signal };
>   allow policykit_auth_t self:unix_stream_socket { accept listen };
>   
> @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
>   
>   kernel_read_system_state(policykit_auth_t)
>   kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> +kernel_dontaudit_search_sysctl(policykit_auth_t)
>   
>   dev_read_video_dev(policykit_auth_t)
>   
> +domain_use_interactive_fds(policykit_auth_t)
> +
>   files_read_etc_runtime_files(policykit_auth_t)
>   files_search_home(policykit_auth_t)
>   
>   fs_getattr_all_fs(policykit_auth_t)
>   fs_search_tmpfs(policykit_auth_t)
>   
> +auth_read_shadow(policykit_auth_t)
>   auth_rw_var_auth(policykit_auth_t)
>   auth_use_nsswitch(policykit_auth_t)
>   auth_domtrans_chk_passwd(policykit_auth_t)

The above shadow addition shouldn't be necessary because of this 
password check.

> @@ -218,6 +222,7 @@ optional_policy(`
>   optional_policy(`
>   	xserver_stream_connect(policykit_auth_t)
>   	xserver_read_xdm_pid(policykit_auth_t)
> +	xserver_rw_xsession_log(policykit_auth_t)
>   ')
>   
>   ########################################
> diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
> --- a/policy/modules/contrib/wm.if	2017-09-29 19:01:55.209455647 +0200
> +++ b/policy/modules/contrib/wm.if	2017-10-06 20:18:53.335914824 +0200
> @@ -90,6 +90,11 @@ template(`wm_role_template',`
>   	')
>   
>   	optional_policy(`
> +		policykit_run_auth($1_wm_t, $2)
> +		policykit_signal_auth($1_wm_t)
> +	')
> +
> +	optional_policy(`
>   		pulseaudio_run($1_wm_t, $2)
>   	')
>   ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Chris PeBenito


More information about the refpolicy mailing list