* [refpolicy] [PATCH 1/9] Properly label nm-dispatcher.action on Debian
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 networkmanager.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/networkmanager.fc b/networkmanager.fc
index 2a3cca4..a1fb3c3 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -13,6 +13,7 @@
 /etc/wicd/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/wicd/wired-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 
+/usr/lib/NetworkManager/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 /usr/libexec/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
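Review bot: the commit message is empty; say why the extra path is needed (the subject suggests Debian ships nm-dispatcher.action under /usr/lib/NetworkManager/ rather than /usr/libexec/) so the second entry is not mistaken for a stray duplicate. The label matches the existing /usr/libexec line, so this hunk needs no accompanying .te change.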
-- 
1.7.10.4

* [refpolicy] [PATCH 2/9] Allow system_dbusd_t to transition to networkmanager_initrc_t
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

The nm-dispatcher.action executable is labeled as
NetworkManager_initrc_exec_t and will be executed by the system dbus.
---
 dbus.te |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dbus.te b/dbus.te
index ad29d6f..2ed2d6e 100644
--- a/dbus.te
+++ b/dbus.te
@@ -148,6 +148,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
 	policykit_read_lib(system_dbusd_t)
 ')
 
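Review bot: this adds a NetworkManager-specific optional_policy block so the system bus can transition into the dispatcher's init script domain; a generic interface from the init module that transitions on every init script file type would cover this case and any other activation helper labeled *_initrc_exec_t without a new block per module. Either way, the message should spell out that the transition happens because the system bus executes nm-dispatcher.action, which the one-line description only implies.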
-- 
1.7.10.4

* [refpolicy] [PATCH 3/9] policykit.fc: Properly label polkit-agent-helper-1 on Debian
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 policykit.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/policykit.fc b/policykit.fc
index 4d43b85..1d76c72 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -5,6 +5,7 @@
 /usr/lib/policykit/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 /usr/lib/policykit/polkit-resolve-exe-helper.*	--	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 /usr/lib/policykit/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 /usr/lib/policykit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
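Review bot: the commit message is empty; record what polkit-agent-helper-1 does so the choice of policykit_auth_exec_t (the label of /usr/libexec/polkit-read-auth-helper below, rather than policykit_exec_t like the neighbouring polkitd entry) can be checked against the program's behaviour. Note also that the new entry uses the /usr/lib/policykit-1/ prefix while the lines above use /usr/lib/policykit/, so both prefixes now need to be kept in sync when helpers are added.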
-- 
1.7.10.4

* [refpolicy] [PATCH 4/9] cups.fc: Properly label cups-pk-helper-mechanism on Debian
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 cups.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/cups.fc b/cups.fc
index 6f7a1cd..14db0e1 100644
--- a/cups.fc
+++ b/cups.fc
@@ -31,6 +31,7 @@
 /usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Printer/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
+/usr/lib/cups-pk-helper/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/lib/cups/daemon/cups-lpd	--	gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
 /usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
 /usr/lib/cups/backend/hp.*	--	gen_context(system_u:object_r:hplip_exec_t,s0)
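Review bot: cups-pk-helper-mechanism lives outside the cups tree (/usr/lib/cups-pk-helper/) yet is given cupsd_config_exec_t, so it will run with the rights of the cups configuration domain; the empty commit message should justify that choice over a dedicated domain. Minor: the `--` qualifier on the new line is correct for a single executable and is not a mismatch with the Brother/Printer directory patterns above, which intentionally omit it.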
-- 
1.7.10.4

* [refpolicy] [PATCH 5/9] Allow pcscd the fsetid capability
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 pcscd.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pcscd.te b/pcscd.te
index b7b82ab..5e44a7b 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -21,7 +21,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
 # Local policy
 #
 
-allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:capability { dac_override dac_read_search fsetid };
 allow pcscd_t self:process signal;
 allow pcscd_t self:fifo_file rw_fifo_file_perms;
 allow pcscd_t self:unix_stream_socket { accept listen };
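Review bot: fsetid is added with no denial or explanation in the commit message; this capability lets a process keep setuid/setgid bits on a file it modifies but does not own, so the message should name the file and operation that triggered the denial. If it is only a chmod on a socket or pid file where preserving those bits is not needed, a dontaudit is the more common refpolicy treatment than an allow.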
-- 
1.7.10.4

* [refpolicy] [PATCH 6/9] Allow networkmanager_t to read crypto_sysctl_t
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

nm-openvpn-service is started in the networkmanager_t context; if it is
compiled with gnutls instead of openssl, the library will read
/proc/sys/crypto/fips_enabled.
---
 networkmanager.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/networkmanager.te b/networkmanager.te
index ebaea1d..e96e750 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -83,6 +83,7 @@ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_
 
 can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
 
+kernel_read_crypto_sysctls(NetworkManager_t)
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
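Review bot: the rule fits the surrounding kernel_read_* block and the message explains the gnutls read of fips_enabled; the one nit is the subject, which names the type crypto_sysctl_t while 7/9 in the same series calls it sysctl_crypto_t. Naming the interface actually used in the hunk, kernel_read_crypto_sysctls(), in the subject avoids the mismatch.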
-- 
1.7.10.4

* [refpolicy] [PATCH 7/9] Allow virsh_t context to read sysctl_crypto_t
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 virt.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/virt.te b/virt.te
index 18b1cc6..333e53b 100644
--- a/virt.te
+++ b/virt.te
@@ -768,6 +768,7 @@ virt_manage_images(virsh_t)
 virt_manage_config(virsh_t)
 virt_stream_connect(virsh_t)
 
+kernel_read_crypto_sysctls(virsh_t)
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
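Review bot: unlike 6/9, this hunk comes with no explanation; say which library under virsh_t reads /proc/sys/crypto/fips_enabled (presumably the same gnutls case as in 6/9) so the next person to see the rule knows whether it is still needed.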
-- 
1.7.10.4

* [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 dbus.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/dbus.te b/dbus.te
index 2ed2d6e..c418ebb 100644
--- a/dbus.te
+++ b/dbus.te
@@ -57,6 +57,7 @@ ifdef(`enable_mls',`
 #
 
 allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability2 block_suspend;
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
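Review bot: the capability2 block_suspend grant to system_dbusd_t comes without a denial or a reason. block_suspend is needed by code that holds a wakeup source (for example epoll with EPOLLWAKEUP), which dbus-daemon has no obvious need for, so before allowing it confirm from the AVC record which exe in system_dbusd_t triggered it; a helper that the bus started without a domain transition would show up under system_dbusd_t, and the fix would then be a label or transition rule rather than this allow.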
-- 
1.7.10.4

* [refpolicy] [PATCH 9/9] Allow cupsd_t to read cupsd_log_t
From: Laurent Bigonville @ 2012-12-17 19:58 UTC
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 cups.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/cups.te b/cups.te
index 501f6e3..cf3046f 100644
--- a/cups.te
+++ b/cups.te
@@ -135,6 +135,7 @@ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
 manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
 
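Review bot: the existing rules give cupsd_t append/create/setattr but deliberately not read on cupsd_log_t, the usual posture for a daemon that only writes its logs; adding read with an empty commit message loses the reason for broadening it. State which log file cupsd needs to read back and for which feature, so the change can be reviewed against that need.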
-- 
1.7.10.4

* [refpolicy] [PATCH 2/9] Allow system_dbusd_t to transition to networkmanager_initrc_t
From: grift @ 2012-12-17 20:18 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> The nm-dispatcher.action executable is labeled as
> NetworkManager_initrc_exec_t and will be executed by the system dbus.
> ---
>  dbus.te |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/dbus.te b/dbus.te
> index ad29d6f..2ed2d6e 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -148,6 +148,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	networkmanager_initrc_domtrans(system_dbusd_t)
> +')
> +
> +optional_policy(`
>  	policykit_read_lib(system_dbusd_t)
>  ')
>  

This is a better solution (which I am about to commit instead):

> From 3629eb16814fa4ea3542892508250dd1b5e00c9d Mon, 17 Dec 2012 21:16:33 +0100
> From: Dominick Grift <dominick.grift@gmail.com>
> Date: Mon, 17 Dec 2012 21:16:23 +0100
> Subject: [PATCH] Changes to the dbus policy module
> 
> 
> System bus needs to be able to transition to init script domain on any
> init script file type instead of only the generic init script file type
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/dbus.te b/dbus.te
> index ad29d6f..4f75f33 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -1,4 +1,4 @@
> -policy_module(dbus, 1.18.6)
> +policy_module(dbus, 1.18.7)
>  
>  gen_require(`
>  	class dbus all_dbus_perms;
> @@ -125,7 +125,7 @@
>  
>  init_use_fds(system_dbusd_t)
>  init_use_script_ptys(system_dbusd_t)
> -init_domtrans_script(system_dbusd_t)
> +init_all_labeled_script_domtrans(system_dbusd_t)
>  
>  init_use_fds(system_dbusd_t)
>  init_use_script_ptys(system_dbusd_t)
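Review bot: replacing init_domtrans_script with init_all_labeled_script_domtrans lets the system bus transition through every init script file type, not just the generic one; that is broader than the single-module interface proposed in 2/9, so the message should state that the system bus is trusted to start any labeled init script. Also, the context lines show init_use_fds(system_dbusd_t) and init_use_script_ptys(system_dbusd_t) appearing twice, before and after the changed line; since this block is being touched anyway, dropping the duplicate pair is worth a follow-up.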

* [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
From: grift @ 2012-12-17 20:38 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> ---
>  dbus.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/dbus.te b/dbus.te
> index 2ed2d6e..c418ebb 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
>  #
>  
>  allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability2 block_suspend;
>  dontaudit system_dbusd_t self:capability sys_tty_config;
>  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
>  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;

I am not confident about this.
Do you still have the avc denial of this event?

* [refpolicy] [PATCH 1/9] Properly label nm-dispatcher.action on Debian
From: grift @ 2012-12-17 20:39 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks

> ---
>  networkmanager.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/networkmanager.fc b/networkmanager.fc
> index 2a3cca4..a1fb3c3 100644
> --- a/networkmanager.fc
> +++ b/networkmanager.fc
> @@ -13,6 +13,7 @@
>  /etc/wicd/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
>  /etc/wicd/wired-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
>  
> +/usr/lib/NetworkManager/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
>  /usr/libexec/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
>  
>  /sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)

* [refpolicy] [PATCH 3/9] policykit.fc: Properly label polkit-agent-helper-1 on Debian
From: grift @ 2012-12-17 20:39 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks

> ---
>  policykit.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policykit.fc b/policykit.fc
> index 4d43b85..1d76c72 100644
> --- a/policykit.fc
> +++ b/policykit.fc
> @@ -5,6 +5,7 @@
>  /usr/lib/policykit/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
>  /usr/lib/policykit/polkit-resolve-exe-helper.*	--	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
>  /usr/lib/policykit/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
> +/usr/lib/policykit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
>  /usr/lib/policykit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
>  
>  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)

* [refpolicy] [PATCH 4/9] cups.fc: Properly label cups-pk-helper-mechanism on Debian
From: grift @ 2012-12-17 20:40 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks
> ---
>  cups.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/cups.fc b/cups.fc
> index 6f7a1cd..14db0e1 100644
> --- a/cups.fc
> +++ b/cups.fc
> @@ -31,6 +31,7 @@
>  /usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
>  /usr/Printer/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
>  
> +/usr/lib/cups-pk-helper/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
>  /usr/lib/cups/daemon/cups-lpd	--	gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
>  /usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
>  /usr/lib/cups/backend/hp.*	--	gen_context(system_u:object_r:hplip_exec_t,s0)

* [refpolicy] [PATCH 5/9] Allow pcscd the fsetid capability
From: grift @ 2012-12-17 20:40 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks

> ---
>  pcscd.te |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/pcscd.te b/pcscd.te
> index b7b82ab..5e44a7b 100644
> --- a/pcscd.te
> +++ b/pcscd.te
> @@ -21,7 +21,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
>  # Local policy
>  #
>  
> -allow pcscd_t self:capability { dac_override dac_read_search };
> +allow pcscd_t self:capability { dac_override dac_read_search fsetid };
>  allow pcscd_t self:process signal;
>  allow pcscd_t self:fifo_file rw_fifo_file_perms;
>  allow pcscd_t self:unix_stream_socket { accept listen };

* [refpolicy] [PATCH 6/9] Allow networkmanager_t to read crypto_sysctl_t
From: grift @ 2012-12-17 20:41 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 

This was merged, thanks
> nm-openvpn-service is started in the networkmanager_t context; if it is
> compiled with gnutls instead of openssl, the library will read
> /proc/sys/crypto/fips_enabled.
> ---
>  networkmanager.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/networkmanager.te b/networkmanager.te
> index ebaea1d..e96e750 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -83,6 +83,7 @@ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_
>  
>  can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>  
> +kernel_read_crypto_sysctls(NetworkManager_t)
>  kernel_read_system_state(NetworkManager_t)
>  kernel_read_network_state(NetworkManager_t)
>  kernel_read_kernel_sysctls(NetworkManager_t)

* [refpolicy] [PATCH 7/9] Allow virsh_t context to read sysctl_crypto_t
From: grift @ 2012-12-17 20:42 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks

> ---
>  virt.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/virt.te b/virt.te
> index 18b1cc6..333e53b 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -768,6 +768,7 @@ virt_manage_images(virsh_t)
>  virt_manage_config(virsh_t)
>  virt_stream_connect(virsh_t)
>  
> +kernel_read_crypto_sysctls(virsh_t)
>  kernel_read_system_state(virsh_t)
>  kernel_read_network_state(virsh_t)
>  kernel_read_kernel_sysctls(virsh_t)

* [refpolicy] [PATCH 9/9] Allow cupsd_t to read cupsd_log_t
From: grift @ 2012-12-17 20:43 UTC
  To: refpolicy

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>

This was merged, thanks
> ---
>  cups.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/cups.te b/cups.te
> index 501f6e3..cf3046f 100644
> --- a/cups.te
> +++ b/cups.te
> @@ -135,6 +135,7 @@ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
>  manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
>  append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
>  create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
> +read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
>  setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
>  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
>  

* [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
From: Laurent Bigonville @ 2012-12-18  8:31 UTC
  To: refpolicy

On Mon, 17 Dec 2012 21:38:23 +0100,
grift <dominick.grift@gmail.com> wrote:

> On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon@bigon.be>
> > 
> > ---
> >  dbus.te |    1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/dbus.te b/dbus.te
> > index 2ed2d6e..c418ebb 100644
> > --- a/dbus.te
> > +++ b/dbus.te
> > @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> >  #
> >  
> >  allow system_dbusd_t self:capability { sys_resource dac_override
> > setgid setpcap setuid }; +allow system_dbusd_t self:capability2
> > block_suspend; dontaudit system_dbusd_t self:capability
> > sys_tty_config; allow system_dbusd_t self:process { getattr
> > getsched signal_perms setpgid getcap setcap setrlimit }; allow
> > system_dbusd_t self:fifo_file rw_fifo_file_perms;
> 
> I am not confident about this.
> Do you still have the avc denial of this event?

time->Mon Dec 17 10:38:26 2012
type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737106.427:178): avc:  denied  { block_suspend } for  pid=3990 comm="host" capability=36  scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2

This is indeed maybe not correct

Laurent

* [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
From: grift @ 2012-12-18  8:44 UTC
  To: refpolicy

On Tue, 2012-12-18 at 09:31 +0100, Laurent Bigonville wrote:
> On Mon, 17 Dec 2012 21:38:23 +0100,
> grift <dominick.grift@gmail.com> wrote:
> 
> > On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> > > From: Laurent Bigonville <bigon@bigon.be>
> > > 
> > > ---
> > >  dbus.te |    1 +
> > >  1 file changed, 1 insertion(+)
> > > 
> > > diff --git a/dbus.te b/dbus.te
> > > index 2ed2d6e..c418ebb 100644
> > > --- a/dbus.te
> > > +++ b/dbus.te
> > > @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> > >  #
> > >  
> > >  allow system_dbusd_t self:capability { sys_resource dac_override
> > > setgid setpcap setuid }; +allow system_dbusd_t self:capability2
> > > block_suspend; dontaudit system_dbusd_t self:capability
> > > sys_tty_config; allow system_dbusd_t self:process { getattr
> > > getsched signal_perms setpgid getcap setcap setrlimit }; allow
> > > system_dbusd_t self:fifo_file rw_fifo_file_perms;
> > 
> > I am not confident about this.
> > Do you still have the avc denial of this event?
> 
> time->Mon Dec 17 10:38:26 2012
> type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1355737106.427:178): avc:  denied  { block_suspend } for  pid=3990 comm="host" capability=36  scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2
> 
> This is indeed maybe not correct
> 
> Laurent

What is "host"?

Can you do a ps auxZ | grep system_dbusd_t?

* [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
From: Laurent Bigonville @ 2012-12-18  9:18 UTC
  To: refpolicy

On Tue, 18 Dec 2012 09:44:37 +0100,
grift <dominick.grift@gmail.com> wrote:

> What is "host"?

$ whatis host
host (1)             - DNS lookup utility

> Can you do a ps auxZ | grep system_dbusd_t?

$ ps auxZ | grep system_dbusd_t
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 message+ 3066 0.0  0.0 41632 2560 ? Ssl 09:06   0:01 /usr/bin/dbus-daemon --system

I'll try to figure out which component is calling this.

Laurent

* [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t
From: grift @ 2012-12-18 16:20 UTC
  To: refpolicy

On Tue, 2012-12-18 at 10:18 +0100, Laurent Bigonville wrote:
> On Tue, 18 Dec 2012 09:44:37 +0100,
> grift <dominick.grift@gmail.com> wrote:
> 
> > What is "host"?
> 
> $ whatis host
> host (1)             - DNS lookup utility
> 
> > Can you do a ps auxZ | grep system_dbusd_t?
> 
> $ ps auxZ | grep system_dbusd_t
> system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 message+ 3066 0.0  0.0 41632 2560 ? Ssl 09:06   0:01 /usr/bin/dbus-daemon --system
> 
> I'll try to figure out which component is calling this.
> 
> Laurent

Ok, turns out that this was actually due to the mislabeled
nm-dispatcher.action program.

Now that it is correctly labeled NetworkManager_initrc_exec_t and now
that system_dbusd_t can domain transition to initrc_t via any "init
script file type", this no longer happens for system_dbusd_t.

Instead we need to allow initrc_t the block suspend capability2.

We also tried to label the action program NetworkManager_exec_t but that
caused many other denials and since the same program in a different
location was already also NetworkManager_initrc_exec_t we decided to
stick to that for the sake of uniformity and because we trust that the
decision to label it NetworkManager_initrc_exec_t was well thought out.

By the way, this also made me realize that dbus session domains probably
also should not need block suspend capability.

I ported that rule from Fedora earlier but I have commented it out
(push is pending) because I would like to reproduce and see the avc
denial.
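The triage that settled patch 8/9, as an added example that is not code from the thread or from refpolicy: group the SYSCALL and AVC records by audit serial, pull out the source domain, object class, permission and executable, and flag a denial whose exe is not one the domain is expected to run, which is what pointed at the mislabeled nm-dispatcher.action helper rather than at dbus-daemon. The expected-executable map is an assumption taken from the ps auxZ output above, and the second record pair (serial 179) is constructed for contrast.

```python
import re

# Constructed sample input: the SYSCALL/AVC pair Laurent posted (serial 178)
# plus a made-up pair (serial 179) in which the denied process is dbus-daemon
# itself, so the two triage outcomes can be compared side by side.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737106.427:178): avc:  denied  { block_suspend } for  pid=3990 comm="host" capability=36  scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1355737200.100:179): arch=c000003e syscall=2 success=no exit=-13 items=0 pid=3066 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737200.100:179): avc:  denied  { read } for  pid=3066 comm="dbus-daemon" name="example.conf" dev="sda1" ino=12345 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Assumption: which executables each domain is expected to run, taken here
# from the `ps auxZ` output in the thread. A real deployment would derive it
# from the policy's file contexts (the *_exec_t entrypoints of each domain).
EXPECTED_EXE = {"system_dbusd_t": {"/usr/bin/dbus-daemon"}}

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn `key=value key="quoted value"` into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """An SELinux context is user:role:type[:range]; the type is the third field."""
    return context.split(":")[2]


def parse_audit(log):
    """Group SYSCALL and AVC records that share an audit serial into one event."""
    events = {}
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"serial": int(m["serial"]), "ts": float(m["ts"]),
                                             "exe": None, "syscall": None, "avcs": []})
        if m["type"] == "SYSCALL":
            f = parse_fields(m["rest"])
            ev["exe"] = f.get("exe")
            ev["syscall"] = int(f["syscall"]) if "syscall" in f else None
        elif m["type"] == "AVC":
            a = AVC_RE.match(m["rest"])
            if a is None:
                continue
            f = parse_fields(a["fields"])
            ev["avcs"].append({
                "verdict": a["verdict"],
                "perms": a["perms"].split(),
                "comm": f.get("comm"),
                "tclass": f.get("tclass"),
                "capability": int(f["capability"]) if "capability" in f else None,
                "source_type": type_of(f["scontext"]),
                "target_type": type_of(f["tcontext"]),
            })
    return sorted(events.values(), key=lambda e: e["serial"])


def triage(events, expected_exe):
    """Classify each denial as a genuine policy gap or as a program running in a
    domain it does not belong to (mislabeled entrypoint / missing transition)."""
    findings = []
    for ev in events:
        for avc in ev["avcs"]:
            if avc["verdict"] != "denied":
                continue
            dom, exe = avc["source_type"], ev["exe"]
            known = expected_exe.get(dom, set())
            if exe is not None and known and exe not in known:
                kind = "possible_mislabel"
                note = (f"{exe} runs in {dom}, whose expected executables are "
                        f"{sorted(known)}; check the file context of the program "
                        f"{dom} executed before writing an allow rule")
            else:
                kind = "policy_gap"
                note = (f"{dom} lacks {avc['tclass']} {{ {' '.join(avc['perms'])} }} "
                        f"on {avc['target_type']}")
            findings.append({"serial": ev["serial"], "kind": kind, "domain": dom,
                             "exe": exe, "tclass": avc["tclass"],
                             "perms": avc["perms"], "note": note})
    return findings


if __name__ == "__main__":
    for f in triage(parse_audit(AUDIT_LOG), EXPECTED_EXE):
        print(f"audit {f['serial']}: {f['kind']}: {f['note']}")
```

On the thread's record the block_suspend denial is reported as a possible mislabel because /usr/bin/host is not dbus-daemon, matching grift's conclusion; syscall 233 in that SYSCALL record is epoll_ctl on x86_64, consistent with a wakeup-source request rather than anything the bus itself does.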
