Description: Polkit and related changes
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2012-06-15

Index: refpolicy-2.20110726/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/authlogin.te	2012-06-26 15:47:33.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/system/authlogin.te	2012-06-26 15:55:15.763895631 +1000
@@ -94,6 +94,7 @@
 
 allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
+dev_search_sysfs(chkpwd_t)
 
 kernel_read_crypto_sysctls(chkpwd_t)
 # is_selinux_enabled
Index: refpolicy-2.20110726/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/policykit.te	2011-03-29 02:05:15.000000000 +1100
+++ refpolicy-2.20110726/policy/modules/services/policykit.te	2012-06-26 15:47:33.000000000 +1000
@@ -41,8 +41,21 @@
 allow policykit_t self:unix_dgram_socket create_socket_perms;
 allow policykit_t self:unix_stream_socket create_stream_socket_perms;
 
+kernel_read_system_state(policykit_t)
+fs_getattr_xattr_fs(policykit_t)
 policykit_domtrans_auth(policykit_t)
 
+optional_policy(`
+	dbus_system_domain(policykit_t, policykit_exec_t)
+
+	init_dbus_chat(policykit_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(policykit_t)
+		consolekit_read_pid_files(policykit_t)
+	')
+')
+
 can_exec(policykit_t, policykit_exec_t)
 corecmd_exec_bin(policykit_t)
 
Index: refpolicy-2.20110726/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/consolekit.te	2012-06-26 15:47:33.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/services/consolekit.te	2012-06-26 15:47:33.000000000 +1000
@@ -28,6 +28,7 @@
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
 allow consolekit_t self:unix_dgram_socket create_socket_perms;
+fs_getattr_xattr_fs(consolekit_t)
 
 manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 logging_log_filetrans(consolekit_t, consolekit_log_t, file)
Index: refpolicy-2.20110726/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dbus.te	2011-07-26 22:10:40.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/services/dbus.te	2012-06-26 15:47:33.000000000 +1000
@@ -10,6 +10,7 @@
 #
 
 attribute dbusd_unconfined;
+attribute system_bus_type;
 attribute session_bus_type;
 
 type dbusd_etc_t;
@@ -36,6 +37,7 @@
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
+init_sock_file(system_dbusd_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -52,9 +54,9 @@
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
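Review bot: The new `sys_resource` capability and `setrlimit` permission on `system_dbusd_t` carry no comment saying what needs them, although the two comment lines directly above explain `dac_override`. `sys_resource` is a broad capability, and the session-bus rules added later in this patch only `dontaudit` the same two accesses, so a reader cannot tell why the system daemon must really be allowed them. I would extend the existing comment with a line such as `# sys_resource, setrlimit: <operation or AVC denial that requires them>` and confirm that `setrlimit` alone is not sufficient.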
@@ -74,9 +76,10 @@
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir sock_file })
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
@@ -111,6 +114,8 @@
 corecmd_list_bin(system_dbusd_t)
 corecmd_read_bin_pipes(system_dbusd_t)
 corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
 
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
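Review bot: `corecmd_exec_shell(system_dbusd_t)` lets the system bus daemon run a shell while staying in `system_dbusd_t`, a domain this file also gives `setuid`, `setgid`, `dac_override` and (with this patch) `sys_resource`. The comment ties the rule to system-tools-backends only, yet it is granted on every install. A narrower form would give the backend its own executable type with a domain transition out of `system_dbusd_t`. Failing that, the rule could be wrapped in an `ifdef` on `distro_debian`, which the comment near the capability rule already mentions.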
@@ -121,7 +126,10 @@
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
 init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_search_pid_dirs(system_dbusd_t)
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
@@ -141,6 +149,18 @@
 ')
 
 optional_policy(`
+	consolekit_read_pid_files(system_dbusd_t)
+')
+
+optional_policy(`
+	cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(system_dbusd_t)
 	policykit_domtrans_auth(system_dbusd_t)
 	policykit_search_lib(system_dbusd_t)
@@ -151,12 +171,148 @@
 ')
 
 optional_policy(`
+	systemd_use_fds_logind(system_dbusd_t)
+	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+	fs_search_cgroup_dirs(system_dbusd_t)
+	systemd_login_list_pid_dirs(system_dbusd_t)
+')
+
+optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
 
+
 ########################################
 #
-# Unconfined access to this module
+# system_bus_type rules
+#
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+	abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+	rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+	unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+########################################
+#
+# session_bus_type rules
 #
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process setrlimit;
+allow session_bus_type self:file { getattr read write };
+allow session_bus_type self:fifo_file rw_fifo_file_perms;
+allow session_bus_type self:dbus { send_msg acquire_svc };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
+allow session_bus_type self:netlink_selinux_socket create_socket_perms;
+
+allow session_bus_type dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
+
+kernel_read_system_state(session_bus_type)
+kernel_read_kernel_sysctls(session_bus_type)
+
+corecmd_list_bin(session_bus_type)
+corecmd_read_bin_symlinks(session_bus_type)
+corecmd_read_bin_files(session_bus_type)
+corecmd_read_bin_pipes(session_bus_type)
+corecmd_read_bin_sockets(session_bus_type)
+
+corenet_all_recvfrom_unlabeled(session_bus_type)
+corenet_all_recvfrom_netlabel(session_bus_type)
+corenet_tcp_sendrecv_generic_if(session_bus_type)
+corenet_tcp_sendrecv_generic_node(session_bus_type)
+corenet_tcp_sendrecv_all_ports(session_bus_type)
+corenet_tcp_bind_generic_node(session_bus_type)
+corenet_tcp_bind_reserved_port(session_bus_type)
+
+dev_read_urand(session_bus_type)
+
+domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
+
+files_read_etc_files(session_bus_type)
+files_list_home(session_bus_type)
+files_read_usr_files(session_bus_type)
+files_dontaudit_search_var(session_bus_type)
+
+fs_getattr_romfs(session_bus_type)
+fs_getattr_xattr_fs(session_bus_type)
+fs_list_inotifyfs(session_bus_type)
+fs_dontaudit_list_nfs(session_bus_type)
+
+selinux_get_fs_mount(session_bus_type)
+selinux_validate_context(session_bus_type)
+selinux_compute_access_vector(session_bus_type)
+selinux_compute_create_context(session_bus_type)
+selinux_compute_relabel_context(session_bus_type)
+selinux_compute_user_contexts(session_bus_type)
+
+auth_read_pam_console_data(session_bus_type)
+
+logging_send_audit_msgs(session_bus_type)
+logging_send_syslog_msg(session_bus_type)
+
+miscfiles_read_localization(session_bus_type)
+
+seutil_read_config(session_bus_type)
+seutil_read_default_contexts(session_bus_type)
+
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
+
 
+optional_policy(`
+	hal_dbus_chat(session_bus_type)
+')
+
+
+optional_policy(`
+	xserver_use_xdm_fds(session_bus_type)
+	xserver_rw_xdm_pipes(session_bus_type)
+	xserver_use_xdm_fds(session_bus_type)
+	xserver_rw_xdm_pipes(session_bus_type)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
 allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
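Review bot: The new `session_bus_type` block gives every session bus domain TCP send/receive on all ports plus `corenet_tcp_bind_reserved_port(session_bus_type)`, but the block grants no `net_bind_service` capability, so the reserved-port bind looks both wider than needed and unusable in practice. I would drop that line unless a recorded denial shows it is required. In the same block the last `optional_policy` lists `xserver_use_xdm_fds(session_bus_type)` and `xserver_rw_xdm_pipes(session_bus_type)` twice, and the second pair can be removed. `fs_search_all(system_bus_type)` near the top of the hunk is similarly broad for an attribute that presumably every system bus service domain will carry, and it deserves a comment saying why a narrower search interface was not enough.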
Index: refpolicy-2.20110726/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/xserver.fc	2012-06-26 15:47:33.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/services/xserver.fc	2012-06-26 15:47:33.000000000 +1000
@@ -9,7 +9,6 @@
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
-HOME_DIR/\.xsession-errors --	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
 # /etc
Index: refpolicy-2.20110726/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dbus.if	2012-06-26 15:47:33.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/services/dbus.if	2012-06-26 15:55:15.763895631 +1000
@@ -85,6 +85,13 @@
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
 
 	auth_use_nsswitch($1_dbusd_t)
+	init_search_pid_dirs($1_dbusd_t)
+	optional_policy(`
+		consolekit_read_pid_files($1_dbusd_t)
+	')
+	optional_policy(`
+		systemd_login_list_pid_dirs($1_dbusd_t)
+	')
 ')
 
 #######################################
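Review bot: `init_search_pid_dirs($1_dbusd_t)` and the two `optional_policy` blocks are added per instance inside a template whose start is outside this hunk, while the dbus.te part of this patch places the session-bus rules on the `session_bus_type` attribute. If `$1_dbusd_t` is declared with that attribute (not visible here), stating these rules once in dbus.te, as `init_search_pid_dirs(session_bus_type)` and so on, would keep the two files consistent and avoid one copy per role. A blank line before each `optional_policy` would also match the spacing used elsewhere in the patch.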
Index: refpolicy-2.20110726/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/devicekit.te	2012-06-26 15:47:33.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/services/devicekit.te	2012-06-26 15:47:33.000000000 +1000
@@ -220,6 +220,7 @@
 files_read_usr_files(devicekit_power_t)
 
 fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_xattr_fs(devicekit_power_t)
 
 term_use_all_terms(devicekit_power_t)
 
Index: refpolicy-2.20110726/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/userdomain.if	2012-06-26 15:47:33.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/system/userdomain.if	2012-06-26 15:55:15.763895631 +1000
@@ -589,6 +589,18 @@
 		optional_policy(`
 			networkmanager_dbus_chat($1_t)
 		')
+		optional_policy(`
+			devicekit_dbus_chat_power($1_t)
+		')
+		optional_policy(`
+			devicekit_dbus_chat_disk($1_t)
+		')
+		optional_policy(`
+			kerneloops_dbus_chat($1_t)
+		')
+		optional_policy(`
+			policykit_dbus_chat($1_t)
+		')
 	')
 
 	optional_policy(`
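Review bot: These four `*_dbus_chat` grants are added inside a template body (`$1_t`) whose opening lies outside the hunk, so they apply to every user domain built from that template rather than only to roles that run a desktop session. `policykit_dbus_chat($1_t)` in particular lets each such domain talk to the authorization service. If the template is also used for restricted logins, consider moving the PolicyKit and DeviceKit lines to the template used for desktop users only. A short comment on each block naming the client that triggered the denial would make the grants easier to audit later.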
