Re: [systemd-devel] selinux policy updates for logind
Matthias Clasen (matthias.cla...@gmail.com) said:
> On Wed, Dec 28, 2011 at 9:25 AM, Daniel J Walsh dwa...@redhat.com wrote:
> > Well, are you seeing an AVC about local_login_t sending a dbus message to systemd?
>
> I don't know, I haven't checked. But the patch fixes the problem, and is pretty obvious...

Is this just another case of https://bugzilla.redhat.com/show_bug.cgi?id=759202 ?

Bill
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] selinux policy updates for logind
On 01/03/2012 11:02 AM, Bill Nottingham wrote:
> Matthias Clasen (matthias.cla...@gmail.com) said:
> > On Wed, Dec 28, 2011 at 9:25 AM, Daniel J Walsh dwa...@redhat.com wrote:
> > > Well, are you seeing an AVC about local_login_t sending a dbus message to systemd?
> >
> > I don't know, I haven't checked. But the patch fixes the problem, and is pretty obvious...
>
> Is this just another case of https://bugzilla.redhat.com/show_bug.cgi?id=759202 ?
>
> Bill

Could be, Matthias, are you still seeing this with the latest selinux-policy?
Re: [systemd-devel] selinux policy updates for logind
On 12/23/2011 09:16 PM, Matthias Clasen wrote:
> I've spent some time playing with the ConsoleKit-replacement functionality in logind, and noticed that I couldn't test the PolicyKit integration for the poweroff/reboot methods in logind, since selinux doesn't let my method calls reach their destination.
>
> Matthias

What AVCs are you seeing?

> diff -up systemd-37/src/org.freedesktop.login1.conf.selinux systemd-37/src/org.freedesktop.login1.conf --- systemd-37/src/org.freedesktop.login1.conf.selinux▸‧2011-12-23 21:09:32.795513513 -0500 +++ systemd-37/src/org.freedesktop.login1.conf▸‧2011-12-23 21:10:36.456511229 -0500 @@ -69,6 +69,14 @@ send_member=ActivateSession/ allow send_destination=org.freedesktop.login1 + send_interface=org.freedesktop.login1.Manager + send_member=PowerOff/ + +allow send_destination=org.freedesktop.login1 + send_interface=org.freedesktop.login1.Manager + send_member=Reboot/ + +allow send_destination=org.freedesktop.login1 send_interface=org.freedesktop.login1.Seat send_member=ActivateSession/
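Review bot: The two added rules in the @@ -69,6 +69,14 @@ hunk make send_member=PowerOff and send_member=Reboot on org.freedesktop.login1.Manager sendable by whichever senders the enclosing policy section covers, and that section is not visible in the hunk's context. Once the bus stops filtering these calls, the PolicyKit check inside logind is the only remaining gate, so confirm that both methods perform that check before acting, and state in the patch description which policy section the rules are added to.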
Re: [systemd-devel] selinux policy updates for logind
> > Matthias
>
> What AVCs are you seeing?

I'm getting 'access denied' when trying to call e.g. org.freedesktop.login1.Manager.Reboot from a user process. Which seems disingenuous, considering that logind has PolicyKit support to control access to these methods.
Re: [systemd-devel] selinux policy updates for logind
On Wed, Dec 28, 2011 at 9:25 AM, Daniel J Walsh dwa...@redhat.com wrote:
> Well, are you seeing an AVC about local_login_t sending a dbus message to systemd?

I don't know, I haven't checked. But the patch fixes the problem, and is pretty obvious...
[systemd-devel] selinux policy updates for logind
I've spent some time playing with the ConsoleKit-replacement functionality in logind, and noticed that I couldn't test the PolicyKit integration for the poweroff/reboot methods in logind, since selinux doesn't let my method calls reach their destination.

Matthias

diff -up systemd-37/src/org.freedesktop.login1.conf.selinux systemd-37/src/org.freedesktop.login1.conf --- systemd-37/src/org.freedesktop.login1.conf.selinux▸‧2011-12-23 21:09:32.795513513 -0500 +++ systemd-37/src/org.freedesktop.login1.conf▸‧2011-12-23 21:10:36.456511229 -0500 @@ -69,6 +69,14 @@ send_member=ActivateSession/ allow send_destination=org.freedesktop.login1 + send_interface=org.freedesktop.login1.Manager + send_member=PowerOff/ + +allow send_destination=org.freedesktop.login1 + send_interface=org.freedesktop.login1.Manager + send_member=Reboot/ + +allow send_destination=org.freedesktop.login1 send_interface=org.freedesktop.login1.Seat send_member=ActivateSession/
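Review bot: The subject and description attribute the denial to SELinux, but the only file in this diff is org.freedesktop.login1.conf, whose lines are allow send_destination=... rules, which is the D-Bus bus policy for logind rather than SELinux policy. The .selinux suffix in the diff header only names the pre-patch copy of that file. Suggest rewording the description to say that the bus policy lacked allow rules for PowerOff and Reboot on org.freedesktop.login1.Manager, and including the exact error the caller received so it is clear whether any AVC is involved at all.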