From c224d91c7bdc13f0effa9e036fcf31248d3a2208 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mar 19 2007 18:01:15 +0000
Subject: from Dan: This is a new policy for the User Switching capability coming in gnome. consolekit is a daemon that communicates with xdm_t and hal through dbus to change the ownership/access on certain devices when the login session changes from one user to another
---
diff --git a/Changelog b/Changelog
index 5f37eed..b831d81 100644
--- a/Changelog
+++ b/Changelog
@@ -32,6 +32,8 @@
 - Clean up file context regexes in apache and java, from Eamon Walsh.
 - Patches from Dan Walsh: Thu, 25 Jan 2007
+- Added modules:
+ consolekit (Dan Walsh)
 * Tue Dec 12 2006 Chris PeBenito - 20061212
 - Add policy patterns support macros. This changes the behavior of
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
new file mode 100644
index 0000000..e8268f8
--- /dev/null
+++ b/policy/modules/services/consolekit.fc
@@ -0,0 +1 @@
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
new file mode 100644
index 0000000..0c123a3
--- /dev/null
+++ b/policy/modules/services/consolekit.if
@@ -0,0 +1,40 @@
+## Framework for facilitating multiple user sessions on desktops.
+
+########################################
+##
+## Execute a domain transition to run consolekit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`consolekit_domtrans',`
+ gen_require(`
+ type consolekit_t, consolekit_exec_t;
+ ')
+
+ domtrans_pattern($1,consolekit_exec_t,consolekit_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## consolekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
new file mode 100644
index 0000000..61e6f51
--- /dev/null
+++ b/policy/modules/services/consolekit.te
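Review bot: `domtrans_pattern($1,consolekit_exec_t,consolekit_t)` drops the spaces after the commas that the rest of the patch uses (`init_daemon_domain(consolekit_t, consolekit_exec_t)` in consolekit.te); for consistency write `domtrans_pattern($1, consolekit_exec_t, consolekit_t)`. The commit message says consolekit talks to xdm_t over dbus, but the only caller of `consolekit_dbus_chat` in this patch is unconfined_t, so on a build where xdm_t is confined it will presumably be denied send_msg to consolekit_t unless that call is added to the xdm policy separately; the description should say which is intended.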
@@ -0,0 +1,49 @@
+
+policy_module(consolekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+########################################
+#
+# consolekit local policy
+#
+
+allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process getsched;
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_read_urand(consolekit_t)
+dev_read_sysfs(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+
+files_read_etc_files(consolekit_t)
+
+init_use_script_ptys(consolekit_t)
+
+libs_use_ld_so(consolekit_t)
+libs_use_shared_libs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(consolekit_t)
+ term_dontaudit_use_generic_ptys(consolekit_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client_template(consolekit, consolekit_t)
+ dbus_send_system_bus(consolekit_t)
+ dbus_connect_system_bus(consolekit_t)
+
+ hal_dbus_chat(consolekit_t)
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 19df0fb..4e689b4 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.5.1)
+policy_module(unconfined,1.5.2)
 ########################################
 #
@@ -80,6 +80,10 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
+ consolekit_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
 cups_dbus_chat_config(unconfined_t)
 ')
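Review bot: The capability rule `allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };` grants dac_override and sys_ptrace with no comment saying which ConsoleKit operation needs them, and next to `domain_read_all_domains_state(consolekit_t)` this appears to let a session daemon bypass file permission checks and inspect the process state of every domain on the system. A grant this wide in a new module should carry a one-line justification so a later audit can decide whether it can be narrowed, e.g. `# dac_override/sys_ptrace: TODO confirm which ConsoleKit operation requires these (reading /proc of session leaders?)`. If either capability turns out not to be exercised, dropping it, or moving it to a dontaudit rule as the targeted_policy block already does for the tty accesses, is the tighter fix. The commit message also says the daemon changes ownership/access on devices, yet nothing in this file allows that; if hal is expected to do it on consolekit's behalf via `hal_dbus_chat(consolekit_t)`, a comment above the optional_policy block saying so would save the next reader the same question.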