Written by: Martin Orr

Patches for policykit-1:
- It is a dbus system domain.
- Let it getsched.
- Let it read /proc/filesystems.
- Let it read /var/run/ConsoleKit.

type=SYSCALL msg=audit(1306690544.036:27): arch=c000003e syscall=143 success=no exit=-13 a0=b92 a1=7f871625cdd8 a2=7fff2ebdf610 a3=0 items=0 ppid=2961 pid=2962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/lib/policykit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306690544.036:27): avc: denied { getsched } for pid=2962 comm="polkitd" scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tclass=process
----
type=SYSCALL msg=audit(1306690544.036:26): arch=c000003e syscall=2 success=no exit=-13 a0=7f8713fac906 a1=0 a2=1b6 a3=0 items=0 ppid=2961 pid=2962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/lib/policykit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306690544.036:26): avc: denied { read } for pid=2962 comm="polkitd" name="filesystems" dev=proc ino=4026531994 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=SYSCALL msg=audit(1306698124.612:165): arch=c000003e syscall=4 success=no exit=-13 a0=7fcf2e8b65f5 a1=7ffffd2d2560 a2=7ffffd2d2560 a3=0 items=0 ppid=5781 pid=5782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/lib/policykit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306698124.612:165): avc: denied { search } for pid=5782 comm="polkitd" name="ConsoleKit" dev=tmpfs ino=4814 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=dir
----
type=SYSCALL 
msg=audit(1306576943.296:15069): arch=c000003e syscall=59 success=no exit=-13 a0=d85d00 a1=d85a40 a2=d83010 a3=0 items=0 ppid=2854 pid=2855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/usr/lib/dbus-1.0/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1306576943.296:15069): avc: denied { execute } for pid=2855 comm="dbus-daemon-lau" name="polkitd" dev=dm-0 ino=731232 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:policykit_exec_t:s0 tclass=file
Index: policy/modules/services/policykit.te
===================================================================
--- policy/modules/services/policykit.te.orig
+++ policy/modules/services/policykit.te
@@ -36,7 +36,7 @@
 #
 allow policykit_t self:capability { setgid setuid };
-allow policykit_t self:process getattr;
+allow policykit_t self:process { getattr getsched };
 allow policykit_t self:fifo_file rw_file_perms;
 allow policykit_t self:unix_dgram_socket create_socket_perms;
 allow policykit_t self:unix_stream_socket create_stream_socket_perms;
@@ -57,6 +57,7 @@
 files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
 kernel_read_kernel_sysctls(policykit_t)
+kernel_read_system_state(policykit_t)
 files_read_etc_files(policykit_t)
 files_read_usr_files(policykit_t)
@@ -69,6 +70,14 @@
 userdom_read_all_users_state(policykit_t)
+optional_policy(`
+ consolekit_read_pid_files(policykit_t)
+')
+
+optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+')
+
 ########################################
 #
 # polkit_auth local policy
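Review bot: The added `kernel_read_system_state(policykit_t)` in the second hunk is justified in the description only by the denial on /proc/filesystems (name="filesystems" dev=proc, tcontext proc_t), yet the interface, as defined in refpolicy's kernel.if outside this patch, appears to grant read on proc_t generally rather than on that one file. Since no narrower refpolicy interface covers /proc/filesystems, the grant is reasonable, but the trigger should be recorded next to it so a later audit can tell deliberate breadth from an over-grant: add the line `# polkitd reads /proc/filesystems` immediately above the call. The other two denials in the description (getsched on self, search of /var/run/ConsoleKit) are addressed by the first and third hunks, so this hunk does not need to grow further.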