From 9e90ce33dbce89e2f65eef36a03d55ecca02eab8 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Mon, 20 Jul 2009 11:15:09 -0400
Subject: [PATCH] add policykit from dan.

---
 policy/modules/services/policykit.fc |  10 ++
 policy/modules/services/policykit.if | 212 +++++++++++++++++++++++++++
 policy/modules/services/policykit.te | 208 ++++++++++++++++++++++++++
 3 files changed, 430 insertions(+)
 create mode 100644 policy/modules/services/policykit.fc
 create mode 100644 policy/modules/services/policykit.if
 create mode 100644 policy/modules/services/policykit.te

diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
new file mode 100644
index 00000000..d7264537
--- /dev/null
+++ b/policy/modules/services/policykit.fc
@@ -0,0 +1,10 @@
+/usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
+
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
new file mode 100644
index 00000000..8726eb36
--- /dev/null
+++ b/policy/modules/services/policykit.if
@@ -0,0 +1,212 @@
+## <summary>Policy framework for controlling privileges for system-wide services.</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	policykit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_dbus_chat',`
+	gen_require(`
+		type policykit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 policykit_t:dbus send_msg;
+	allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_auth',`
+	gen_require(`
+		type policykit_auth_t, policykit_auth_exec_t;
+	')
+
+	domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+## <summary>
+##	Execute a policy_auth in the policy_auth domain, and
+##	allow the specified role the policy_auth domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the load_policy domain.
+##	</summary>
+## </param>
+#
+interface(`policykit_run_auth',`
+	gen_require(`
+		type policykit_auth_t;
+	')
+
+	policykit_domtrans_auth($1)
+	role $2 types policykit_auth_t;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_grant.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_grant',`
+	gen_require(`
+		type policykit_grant_t, policykit_grant_exec_t;
+	')
+
+	domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+## <summary>
+##	Execute a policy_grant in the policy_grant domain, and
+##	allow the specified role the policy_grant domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the load_policy domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`policykit_run_grant',`
+	gen_require(`
+		type policykit_grant_t;
+	')
+
+	policykit_domtrans_grant($1)
+	role $2 types policykit_grant_t;
+
+	allow $1 policykit_grant_t:process signal;
+
+	ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+## <summary>
+##	read policykit reload files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_read_reload',`
+	gen_require(`
+		type policykit_reload_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+##	rw policykit reload files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_rw_reload',`
+	gen_require(`
+		type policykit_reload_t;
+	')
+
+	files_search_var_lib($1)
+	rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_resolve.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_resolve',`
+	gen_require(`
+		type policykit_resolve_t, policykit_resolve_exec_t;
+	')
+
+	domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+	ps_process_pattern(policykit_resolve_t $1)
+')
+
+########################################
+## <summary>
+##	Search policykit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_search_lib',`
+	gen_require(`
+		type policykit_var_lib_t;
+	')
+
+	allow $1 policykit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	read policykit lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`policykit_read_lib',`
+	gen_require(`
+		type policykit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, policykit_var_lib_t,  policykit_var_lib_t)
+
+	# Broken placement
+	cron_read_system_job_lib_files($1)
+')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
new file mode 100644
index 00000000..9913701d
--- /dev/null
+++ b/policy/modules/services/policykit.te
@@ -0,0 +1,208 @@
+
+policy_module(policykit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type policykit_t alias polkit_t;
+type policykit_exec_t alias polkit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t alias polkit_auth_t;
+type policykit_auth_exec_t alias polkit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+type policykit_grant_t alias polkit_grant_t;
+type policykit_grant_exec_t alias polkit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+type policykit_resolve_t alias polkit_resolve_t;
+type policykit_resolve_exec_t alias polkit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+########################################
+#
+# policykit local policy
+#
+
+allow policykit_t self:capability { setgid setuid };
+allow policykit_t self:process getattr;
+allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_t)
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+policykit_domtrans_resolve(policykit_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(policykit_t)
+
+files_read_etc_files(policykit_t)
+files_read_usr_files(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+miscfiles_read_localization(policykit_t)
+
+userdom_read_all_users_state(policykit_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow policykit_auth_t self:capability setgid;
+allow policykit_auth_t self:process getattr;
+allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_search_bin(policykit_auth_t)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+files_read_etc_files(policykit_auth_t)
+files_read_usr_files(policykit_auth_t)
+
+auth_use_nsswitch(policykit_auth_t)
+
+logging_send_syslog_msg(policykit_auth_t)
+
+miscfiles_read_localization(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+	dbus_session_bus_client(policykit_auth_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(policykit_auth_t)
+	')
+')
+
+optional_policy(`
+	kernel_search_proc(policykit_auth_t)
+	hal_read_state(policykit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:process getattr;
+allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+files_read_etc_files(policykit_grant_t)
+files_read_usr_files(policykit_grant_t)
+
+auth_use_nsswitch(policykit_grant_t)
+auth_domtrans_chk_passwd(policykit_grant_t)
+
+logging_send_syslog_msg(policykit_grant_t)
+
+miscfiles_read_localization(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+	dbus_system_bus_client(policykit_grant_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(policykit_grant_t)
+	')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow policykit_resolve_t self:process getattr;
+allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
+
+files_read_etc_files(policykit_resolve_t)
+files_read_usr_files(policykit_resolve_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+logging_send_syslog_msg(policykit_resolve_t)
+
+miscfiles_read_localization(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+	dbus_system_bus_client(policykit_resolve_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(policykit_resolve_t)
+	')
+')
+
+optional_policy(`
+	kernel_search_proc(policykit_resolve_t)
+	hal_read_state(policykit_resolve_t)
+')
+