Re: [systemd-devel] selinux policy updates for logind

2011-12-28 Thread Daniel J Walsh 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/23/2011 09:16 PM, Matthias Clasen wrote:
 I've spent some time playing with the ConsoleKit-replacement 
 functionality in logind, and noticed that I couldn't test the
 PolicyKit integration for the poweroff/reboot methods in logind,
 since selinux doesn't let my method calls reach their destination.
 
 Matthias
What AVCs are you seeing?
 
 
 diff -up systemd-37/src/org.freedesktop.login1.conf.selinux 
 systemd-37/src/org.freedesktop.login1.conf ---
 systemd-37/src/org.freedesktop.login1.conf.selinux▸‧2011-12-23 
 21:09:32.795513513 -0500 +++
 systemd-37/src/org.freedesktop.login1.conf▸‧2011-12-23 
 21:10:36.456511229 -0500 @@ -69,6 +69,14 @@ 
 send_member=ActivateSession/
 
 allow send_destination=org.freedesktop.login1 +
 send_interface=org.freedesktop.login1.Manager +
 send_member=PowerOff/ + +allow
 send_destination=org.freedesktop.login1 +
 send_interface=org.freedesktop.login1.Manager +
 send_member=Reboot/ + +allow
 send_destination=org.freedesktop.login1 
 send_interface=org.freedesktop.login1.Seat 
 send_member=ActivateSession/ 
 ___ systemd-devel
 mailing list systemd-devel@lists.freedesktop.org 
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk77IBIACgkQrlYvE4MpobNhBQCdFZ0lgAOJQz0M/ApwmqWb0RSA
Dj8An3y/Dja/rT1PmlqDcl8awiCUMuoA
=C5hs
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] selinux policy updates for logind

2011-12-28 Thread Matthias Clasen 
 Matthias
 What AVCs are you seeing?

I'm getting 'access denied' when trying to call e.g.
org.freedesktop.login1.Manager.Reboot from a user process.
Which seems disingenuous, considering that logind has PolicyKit
support to control access to these methods.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] selinux policy updates for logind

2011-12-28 Thread Matthias Clasen 
On Wed, Dec 28, 2011 at 9:25 AM, Daniel J Walsh dwa...@redhat.com wrote:

 Well are you seeing a AVC about local_login_t sending a dbus message
 to systemd?

I don't know, I haven't checked.
But the patch fixes the problem, and is pretty obvious...
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel