apt: allow preventing shutdown by calling a systemd-logind D-Bus method

Since apt 1.8.1 (more precisely since commit
60cc44d160),
apt calls D-Bus method "Inhibit" of interface
"org.freedesktop.login1.Manager" in order to prevent a shutdown from
happening while installing software.

The call from apt to systemd-logind was already allowed through
unconfined_dbus_send(apt_t), but not the reply, which triggered the
following audit log:

    type=USER_AVC msg=audit(1567780304.196:651): pid=287 uid=105
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return
    dest=:1.137 spid=290 tpid=29557
    scontext=system_u:system_r:systemd_logind_t
    tcontext=sysadm_u:sysadm_r:apt_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

This commit is contained in:

Nicolas Iooss

2019-09-06 18:38:59 +02:00

parent 51c4812c23

commit de99bc36dd

No known key found for this signature in database

GPG Key ID: C191415F340DAAA0

1 changed files with 4 additions and 0 deletions

4

policy/modules/admin/apt.te

View File

 		policykit_dbus_chat(apt_t)
 	')
+	optional_policy(`
+		systemd_dbus_chat_logind(apt_t)
+	')
 	optional_policy(`
 		unconfined_dbus_send(apt_t)
 	')

apt: allow preventing shutdown by calling a systemd-logind D-Bus method

4 policy/modules/admin/apt.te Unescape Escape View File

4

policy/modules/admin/apt.te

View File