diff --git a/Changelog b/Changelog index 5f37eed92..b831d811b 100644 --- a/Changelog +++ b/Changelog @@ -32,6 +32,8 @@ - Clean up file context regexes in apache and java, from Eamon Walsh. - Patches from Dan Walsh: Thu, 25 Jan 2007 +- Added modules: + consolekit (Dan Walsh) * Tue Dec 12 2006 Chris PeBenito - 20061212 - Add policy patterns support macros. This changes the behavior of diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc new file mode 100644 index 000000000..e8268f8a3 --- /dev/null +++ b/policy/modules/services/consolekit.fc @@ -0,0 +1 @@ +/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if new file mode 100644 index 000000000..0c123a356 --- /dev/null +++ b/policy/modules/services/consolekit.if @@ -0,0 +1,40 @@ +## Framework for facilitating multiple user sessions on desktops. + +######################################## +## +## Execute a domain transition to run consolekit. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`consolekit_domtrans',` + gen_require(` + type consolekit_t, consolekit_exec_t; + ') + + domtrans_pattern($1,consolekit_exec_t,consolekit_t) +') + +######################################## +## +## Send and receive messages from +## consolekit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_dbus_chat',` + gen_require(` + type consolekit_t; + class dbus send_msg; + ') + + allow $1 consolekit_t:dbus send_msg; + allow consolekit_t $1:dbus send_msg; +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te new file mode 100644 index 000000000..61e6f51c6 --- /dev/null +++ b/policy/modules/services/consolekit.te 
@@ -0,0 +1,49 @@ + +policy_module(consolekit,1.0.0) + +######################################## +# +# Declarations +# + +type consolekit_t; +type consolekit_exec_t; +init_daemon_domain(consolekit_t, consolekit_exec_t) + +######################################## +# +# consolekit local policy +# + +allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:process getsched; +allow consolekit_t self:fifo_file rw_fifo_file_perms; +allow consolekit_t self:unix_stream_socket create_stream_socket_perms; + +dev_read_urand(consolekit_t) +dev_read_sysfs(consolekit_t) + +domain_read_all_domains_state(consolekit_t) +domain_use_interactive_fds(consolekit_t) + +files_read_etc_files(consolekit_t) + +init_use_script_ptys(consolekit_t) + +libs_use_ld_so(consolekit_t) +libs_use_shared_libs(consolekit_t) + +miscfiles_read_localization(consolekit_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(consolekit_t) + term_dontaudit_use_generic_ptys(consolekit_t) +') + +optional_policy(` + dbus_system_bus_client_template(consolekit, consolekit_t) + dbus_send_system_bus(consolekit_t) + dbus_connect_system_bus(consolekit_t) + + hal_dbus_chat(consolekit_t) +') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 19df0fb9d..4e689b45c 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.5.1) +policy_module(unconfined,1.5.2) ######################################## # @@ -79,6 +79,10 @@ ifdef(`targeted_policy',` bluetooth_dbus_chat(unconfined_t) ') + optional_policy(` + consolekit_dbus_chat(unconfined_t) + ') + optional_policy(` cups_dbus_chat_config(unconfined_t) ')
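Review bot: The first allow rule of the local policy, `allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };`, grants a broad capability set for a session-tracking daemon and has no comment saying what needs each entry. `sys_ptrace` combined with `domain_read_all_domains_state(consolekit_t)` lets the daemon inspect the process state of every domain, and `dac_override` removes DAC as a second barrier on anything type enforcement already permits. If these are only there so the daemon can read `/proc` entries for other users' sessions (an inference, the hunk does not say), it is worth testing `dac_read_search` in place of `dac_override` and adding a comment above the rule that records which denials each capability resolves. Separately, `hal_dbus_chat(consolekit_t)` shares one `optional_policy` block with the three `dbus_*` calls, so a build without the hal module would presumably drop the daemon's system-bus access too; nesting it in its own `optional_policy` inside the dbus block would avoid that.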