From mboxrd@z Thu Jan 1 00:00:00 1970
From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 23 Feb 2011 20:14:19 +0100
Subject: [refpolicy] [PATCH 11/34]: patch to allow consolekit shutdown the system
In-Reply-To: <1298487426.29671.26.camel@tesla.lan>
References: <1297836707.3205.53.camel@tesla.lan>
	<4D651951.1030100@tresys.com>
	<1298487426.29671.26.camel@tesla.lan>
Message-ID: <1298488459.22930.7.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23/02/2011 at 19.57 +0100, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.27 -0500, Christopher J. PeBenito wrote:
> > On 02/16/11 01:11, Guido Trentalancia wrote:
> > > This patch adds some permissions needed to shutdown the system
> > > using the graphical interface.
> > > 
> > > diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/consolekit.te refpolicy-git-02022011-new/policy/modules/services/consolekit.te
> > > --- refpolicy-git-02022011/policy/modules/services/consolekit.te	2011-01-08 19:07:21.232739776 +0100
> > > +++ refpolicy-git-02022011-new/policy/modules/services/consolekit.te	2011-01-26 01:40:05.845983864 +0100
> > > @@ -118,6 +118,10 @@ optional_policy(`
> > > ')
> > > 
> > > optional_policy(`
> > > + shutdown_getattr_exec_files(consolekit_t)
> > > +')
> > > +
> > > +optional_policy(`
> > > udev_domtrans(consolekit_t)
> > > udev_read_db(consolekit_t)
> > > udev_signal(consolekit_t)
> > 
> > How does this allow shutdown of the system? It only allows a getattr on
> > the shutdown command.
> 
> Yes, in fact the system shutdown functionality (from Gnome) apparently
> is not working fine. It's not completing the job.
> 
> But there are no other AVC denials apart from that. So perhaps something
> is broken in Gnome or Consolekit, I didn't manage to investigate further
> so far (until I get further AVCs it's difficult to say that it's related
> to the policy).

Some more insight on this.

It's trying to shut down through a script called ck-system-restart (it
belongs to ConsoleKit). This script is labeled bin_t (located at
/usr/lib/ConsoleKit/scripts) and it is just calling /sbin/shutdown.

All of this could be initiated for example by gnome-panel (the other
possibility would be from gdm when nobody is logged in or the session is
locked).

Shall I prepend an strace to shutdown in that script?

Regards,

Guido
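Review bot: the hunk at @@ -118,6 +118,10 @@ only grants consolekit_t getattr on the shutdown executable (shutdown_getattr_exec_files(consolekit_t)); nothing in it lets consolekit_t execute /sbin/shutdown or transition into a shutdown domain, so by itself it cannot make the ck-system-restart path complete, which matches the reviewer's question and the reporter's "not completing the job". If the intent is for consolekit_t to run /sbin/shutdown, the rule to add in this same optional_policy block is the shutdown module's domain-transition interface (shutdown_domtrans(consolekit_t), assuming the current shutdown.if) rather than getattr alone; the thread also notes the script itself is bin_t, so consolekit_t must be able to execute bin_t files too, which this hunk does not touch and may or may not already be granted elsewhere in consolekit.te. If only the stat is wanted, the commit message should not describe the patch as allowing the system to be shut down. Either way, "no other AVC denials" is also consistent with the remaining denials being covered by dontaudit rules, so capturing the AVCs with consolekit_t permissive or with dontaudit disabled (semodule -DB) would settle which interface is actually needed before this is merged.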
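The diagnosis above (a bin_t script calling /sbin/shutdown from consolekit_t, with only a getattr denial in the log) is the point at which a policy writer would confirm the labels, query the loaded policy, and check whether further denials are merely dontaudited before choosing the interface to add. The script below is an added example for that procedure and is not code from the thread, from refpolicy or from ConsoleKit. It assumes the refpolicy type names quoted in the thread (consolekit_t, bin_t), assumes /sbin/shutdown carries refpolicy's shutdown_exec_t type, and assumes setools (sesearch), audit (ausearch) and policycoreutils (semodule) are installed for the live checks; the AVC records it feeds to the offline summarizer are constructed, not taken from a real log.

```shell
#!/bin/sh
# Added example for the refpolicy thread above; not code from refpolicy,
# ConsoleKit or the patch author. Assumptions: consolekit_t and bin_t as named in
# the thread, shutdown_exec_t as the type on /sbin/shutdown, and setools, audit
# and policycoreutils present for the live steps. The AVC lines at the bottom are
# constructed for the offline step.

# Step 1 (live): confirm the labels of both executables in the chain.
show_labels() {
    ls -Z /usr/lib/ConsoleKit/scripts/ck-system-restart /sbin/shutdown
}

# Step 2 (live): ask the loaded policy what consolekit_t may do with each type.
# No execute rule on bin_t, no execute rule on shutdown_exec_t, or no
# type_transition out of consolekit_t on shutdown_exec_t means that a
# getattr-only rule cannot finish the job.
query_policy() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed"; return 1; }
    sesearch -A -s consolekit_t -t bin_t -c file
    sesearch -A -s consolekit_t -t shutdown_exec_t -c file
    sesearch -T -s consolekit_t -t shutdown_exec_t
}

# Step 3 (live): "no other AVC denials" may only mean they are dontaudited.
# Rebuild the policy with dontaudit rules disabled, reproduce the shutdown
# attempt from the desktop, collect the AVCs, then restore the dontaudit rules.
collect_denials() {
    semodule -DB
    echo "Reproduce the shutdown from the desktop now, then press Enter" >&2
    read _dummy
    ausearch -m avc -ts recent
    semodule -B
}

# Step 4 (offline): reduce raw AVC records to unique
# "source -> target:class { permissions }" tuples, which is the form in which
# the missing refpolicy interface is picked (the same reduction audit2allow does
# before emitting allow rules). Only the type field of each context is kept.
summarize_avc() {
    awk '/avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s " -> " t ":" c " { " perms " }"
    }' | sort -u
}

# Constructed AVC records (hypothetical, not from a real audit log): the getattr
# the thread reports, plus a duplicated execute denial of the kind that would
# appear if getattr were permitted and the script went on to run /sbin/shutdown.
SAMPLE_AVC='type=AVC msg=audit(1298488459.101:77): avc:  denied  { getattr } for  pid=2101 comm="ck-system-restart" path="/sbin/shutdown" dev=sda1 ino=4711 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file
type=AVC msg=audit(1298488459.102:78): avc:  denied  { execute } for  pid=2101 comm="ck-system-restart" name="shutdown" dev=sda1 ino=4711 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file
type=AVC msg=audit(1298488459.102:78): avc:  denied  { execute } for  pid=2101 comm="ck-system-restart" name="shutdown" dev=sda1 ino=4711 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shutdown_exec_t:s0 tclass=file'

# The offline summary runs by default; pass "live" to run the checks against
# the real system (root required for semodule and ausearch).
if [ "${1:-}" = "live" ]; then
    show_labels
    query_policy
    collect_denials
else
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
fi
```

Run without arguments it prints two tuples, `consolekit_t -> shutdown_exec_t:file { execute }` and `consolekit_t -> shutdown_exec_t:file { getattr }`, from the constructed records; run with `live` as root it performs the three system checks. The step 3 dance with `semodule -DB` is the one that answers the thread's open question: if the shutdown attempt produces execute or transition denials only once dontaudit is disabled, the fix is a policy rule rather than something broken in Gnome or ConsoleKit, and `shutdown_getattr_exec_files` alone was never going to be enough.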