[refpolicy] [PATCH 1/2] wm: run PolicyKit

Guido Trentalancia guido at trentalancia.com
Mon Oct 9 18:59:48 UTC 2017


Hello. 

On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <pebenito at ieee.org> wrote:
>On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>> Add permissions required to start a Gnome session using gnome-session
>> and ConsoleKit.
>> 
>> Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
>> ---
>>   policy/modules/contrib/policykit.if |   19 +++++++++++++++++++
>>   policy/modules/contrib/policykit.te |    9 +++++++--
>>   policy/modules/contrib/wm.if        |    5 +++++
>>   3 files changed, 31 insertions(+), 2 deletions(-)
>> 
>> --- a/policy/modules/contrib/policykit.if	2017-09-29
>19:01:55.177455647 +0200
>> +++ b/policy/modules/contrib/policykit.if	2017-10-06
>20:26:16.020913014 +0200
>> @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
>>   	roleattribute $2 policykit_auth_roles;
>>   ')
>>   
>> +#######################################
>> +## <summary>
>> +##	Send generic signals to
>> +##	policykit auth.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`policykit_signal_auth',`
>> +	gen_require(`
>> +		type policykit_auth_t;
>> +	')
>> +
>> +	allow $1 policykit_auth_t:process signal;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##	Execute a domain transition to run polkit grant.
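
Review bot: the summary of policykit_signal_auth ("Send generic signals to policykit auth.") does not say why a caller would need to signal the auth helper, and the commit message does not mention signals at all. Please state which component sends the signal and in what situation, so that the `allow $1 policykit_auth_t:process signal;` rule can be checked against an actual denial.
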
>> diff -pru a/policy/modules/contrib/policykit.te
>b/policy/modules/contrib/policykit.te
>> --- a/policy/modules/contrib/policykit.te	2017-09-29
>19:01:55.177455647 +0200
>> +++ b/policy/modules/contrib/policykit.te	2017-10-06
>20:38:00.347910134 +0200
>> @@ -152,8 +152,8 @@ optional_policy(`
>>   # Auth local policy
>>   #
>>   
>> -allow policykit_auth_t self:capability { ipc_lock setgid setuid
>sys_nice };
>> -dontaudit policykit_auth_t self:capability sys_tty_config;
>> +allow policykit_auth_t self:capability { dac_override ipc_lock
>setgid setuid sys_nice };
>> +dontaudit policykit_auth_t self:capability { dac_read_search
>sys_tty_config };
>>   allow policykit_auth_t self:process { getsched setsched signal };
>>   allow policykit_auth_t self:unix_stream_socket { accept listen };
>>   
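
Review bot: dac_override is added to the allowed capabilities of policykit_auth_t without a reason in the commit message, and in the same hunk dac_read_search is dontaudited. dac_override lets the helper bypass file permission checks, which is a lot to grant to a domain that is also allowed setuid and setgid. Please name the file access that triggers the check; if it comes from wrong ownership or mode on a file, fixing that is preferable to allowing the capability.
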
>> @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
>>   
>>   kernel_read_system_state(policykit_auth_t)
>>   kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
>> +kernel_dontaudit_search_sysctl(policykit_auth_t)
>>   
>>   dev_read_video_dev(policykit_auth_t)
>>   
>> +domain_use_interactive_fds(policykit_auth_t)
>> +
>>   files_read_etc_runtime_files(policykit_auth_t)
>>   files_search_home(policykit_auth_t)
>>   
>>   fs_getattr_all_fs(policykit_auth_t)
>>   fs_search_tmpfs(policykit_auth_t)
>>   
>> +auth_read_shadow(policykit_auth_t)
>>   auth_rw_var_auth(policykit_auth_t)
>>   auth_use_nsswitch(policykit_auth_t)
>>   auth_domtrans_chk_passwd(policykit_auth_t)
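
Review bot: auth_read_shadow(policykit_auth_t) gives the helper direct read access to the shadow file even though auth_domtrans_chk_passwd(policykit_auth_t) is already present in the context lines just below it. If the direct read is really required, the commit message should include the denial that shows it; if authentication still works when it is denied, a dontaudit would be the narrower choice. The added kernel_dontaudit_search_sysctl and domain_use_interactive_fds lines in this hunk are also unexplained.
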
>
>The above shadow addition shouldn't be necessary because of this 
>password check.

I thought the same, but apparently it also needs to read shadow directly... 

>> @@ -218,6 +222,7 @@ optional_policy(`
>>   optional_policy(`
>>   	xserver_stream_connect(policykit_auth_t)
>>   	xserver_read_xdm_pid(policykit_auth_t)
>> +	xserver_rw_xsession_log(policykit_auth_t)
>>   ')
>>   
>>   ########################################
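
Review bot: xserver_rw_xsession_log(policykit_auth_t) grants both read and write on the X session log to the auth helper with no explanation. Please say what the helper does with that file, and whether a narrower permission than read/write would be enough.
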
>> diff -pru a/policy/modules/contrib/wm.if
>b/policy/modules/contrib/wm.if
>> --- a/policy/modules/contrib/wm.if	2017-09-29 19:01:55.209455647
>+0200
>> +++ b/policy/modules/contrib/wm.if	2017-10-06 20:18:53.335914824
>+0200
>> @@ -90,6 +90,11 @@ template(`wm_role_template',`
>>   	')
>>   
>>   	optional_policy(`
>> +		policykit_run_auth($1_wm_t, $2)
>> +		policykit_signal_auth($1_wm_t)
>> +	')
>> +
>> +	optional_policy(`
>>   		pulseaudio_run($1_wm_t, $2)
>>   	')
>>   ')
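
Review bot: the two added calls sit in wm_role_template, so every window manager domain built from the template gets policykit_run_auth and policykit_signal_auth, while the commit message only talks about gnome-session. Please confirm this is meant for all window managers, and mention PolicyKit in the commit message body, which currently names ConsoleKit only.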

Regards, 

Guido 
