commit: 4f610d3cc9efa86e4d975e76e7e600d1d97ed927 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Wed Aug 29 18:09:56 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Aug 29 18:09:56 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4f610d3c |
|
Support tagfiles for consolekit |
|
Gentoo currently still uses the pam-foreground compatibility, which causes |
ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console). |
As /var/run is dynamic nowadays, ConsoleKit also creates the directory. |
|
Allow ConsoleKit to create such a directory with the right file transition in |
place. |
|
See also sys-auth/consolekit files/pam-foreground-compat.ck |
|
--- |
policy/modules/contrib/consolekit.te | 3 ++ |
policy/modules/system/authlogin.if | 48 ++++++++++++++++++++++++++++++++++ |
2 files changed, 51 insertions(+), 0 deletions(-) |
|
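diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 516328a..383317e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -58,7 +58,10 @@ mcs_ptrace_all(consolekit_t)
 
 term_use_all_terms(consolekit_t)
 
+# consolekit daemon creates /var/run/console for tagfiles
+auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console")
 auth_use_nsswitch(consolekit_t)
+auth_create_pam_console_data_dirs(consolekit_t)
 auth_manage_pam_console_data(consolekit_t)
 auth_write_login_records(consolekit_t)
 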
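Review bot: The two new auth_* calls are split around `auth_use_nsswitch(consolekit_t)`, which breaks the alphabetical ordering this block otherwise follows and leaves the `/var/run/console` comment covering only the filetrans line, not the `auth_create_pam_console_data_dirs` call it depends on. Placing `auth_create_pam_console_data_dirs(consolekit_t)` first, directly followed by `auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console")`, keeps the order and lets one comment explain both. The comment should also record why the create permission is needed alongside the existing `auth_manage_pam_console_data` call (presumably that interface covers files but not directory creation — confirm against authlogin.if) and that the rules exist for the pam-foreground compat script named in the commit message, so they can be dropped with it: `# pam-foreground-compat.ck makes consolekit create /var/run/console for tagfiles; remove together with that compat script`. Because the transition is named ("console"), only a dir literally called console created by consolekit_t in the pid directory gets pam_var_console_t, which is the desired narrow scope.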
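diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8989233..405a9d1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,6 +1102,36 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
+## Automatically transition when a resource is created in the generic run
+## location (/var/run or /run) to the pam console data label
+## (pam_var_console_t).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class of the resource created
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the resource created (optional).
+## </summary>
+## </param>
+#
+interface(`auth_generic_run_filetrans_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
 ## Relabel pam_console data directories.
 ## </summary>
 ## <param name="domain">
@@ -1140,6 +1170,24 @@ interface(`auth_read_pam_console_data',`
 
 ########################################
 ## <summary>
+## Create pam console data directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete
 ## pam_console data files.
 ## </summary>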
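Review bot: The `filename` parameter of `auth_generic_run_filetrans_pam_console_data` is documented only as optional, without saying what omitting it does: the call `files_pid_filetrans($1, pam_var_console_t, $2, $3)` then emits an unnamed type_transition, so every object of class `$2` the domain creates in the pid directory is labeled pam_var_console_t, and an unnamed rule for the same domain and class presumably conflicts with any other unnamed pid filetrans rule at policy build time. Suggested wording for the filename summary: `Name of the resource created. If omitted, all resources of the given class created by the domain in the pid directory are labeled pam_var_console_t, so callers should normally pass a name.` In the second hunk, `auth_create_pam_console_data_dirs` grants only `allow $1 pam_var_console_t:dir create_dir_perms;` and, unlike what the neighbouring pam_console interfaces appear to do, does not call `files_search_pids($1)`, so a caller relying on this interface alone could not reach the parent directory; adding that call would keep the interface self-contained and consistent with its siblings. Both interface bodies are complete within their hunks.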