From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1BA89138010 for ; Wed, 29 Aug 2012 18:48:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8357EE050C; Wed, 29 Aug 2012 18:48:05 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 48398E050C for ; Wed, 29 Aug 2012 18:48:05 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6EF5F33E46B for ; Wed, 29 Aug 2012 18:48:04 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 0D657E5447 for ; Wed, 29 Aug 2012 18:48:02 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1346263796.4f610d3cc9efa86e4d975e76e7e600d1d97ed927.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/consolekit.te policy/modules/system/authlogin.if
X-VCS-Directories: policy/modules/contrib/ policy/modules/system/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 4f610d3cc9efa86e4d975e76e7e600d1d97ed927
X-VCS-Branch: master
Date: Wed, 29 Aug 2012 18:48:02 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 5164c08f-cd81-4c75-b019-cf4009bec48a
X-Archives-Hash: 931ad27d79d1f5308c87db668795073b

commit:     4f610d3cc9efa86e4d975e76e7e600d1d97ed927
Author:     Sven Vermeulen siphos be>
AuthorDate: Wed Aug 29 18:09:56 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Wed Aug 29 18:09:56 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4f610d3c

Support tagfiles for consolekit

Gentoo currently still uses the pam-foreground compatibility, which causes
ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
As /var/run is dynamic nowadays, ConsoleKit also creates the directory.

Allow ConsoleKit to create such directory with the right file transition in
place.

See also sys-auth/consolekit files/pam-foreground-compat.ck

---
 policy/modules/contrib/consolekit.te |  3 ++
 policy/modules/system/authlogin.if   | 48 ++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 516328a..383317e 100644
--- a/policy/modules/contrib/consolekit.te +++ b/policy/modules/contrib/consolekit.te @@ -58,7 +58,10 @@ mcs_ptrace_all(consolekit_t) term_use_all_terms(consolekit_t) +# consolekit daemon creates /var/run/console for tagfiles +auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console") auth_use_nsswitch(consolekit_t) +auth_create_pam_console_data_dirs(consolekit_t) auth_manage_pam_console_data(consolekit_t) auth_write_login_records(consolekit_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 8989233..405a9d1 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -1102,6 +1102,36 @@ interface(`auth_list_pam_console_data',` ######################################## ## +## Automatically transition when a resource is created in the generic run +## location (/var/run or /run) to the pam console data label +## (pam_var_console_t). +## +## +## +## Domain allowed access +## +## +## +## +## Class of the resource created +## +## +## +## +## Name of the resource created (optional). +## +## +# +interface(`auth_generic_run_filetrans_pam_console_data',` + gen_require(` + type pam_var_console_t; + ') + + files_pid_filetrans($1, pam_var_console_t, $2, $3) +') + +######################################## +## ## Relabel pam_console data directories. ## ## @@ -1140,6 +1170,24 @@ interface(`auth_read_pam_console_data',` ######################################## ## +## Create pam console data directories +## +## +## +## Domain allowed access +## +## +# +interface(`auth_create_pam_console_data_dirs',` + gen_require(` + type pam_var_console_t; + ') + + allow $1 pam_var_console_t:dir create_dir_perms; +') + +######################################## +## ## Create, read, write, and delete ## pam_console data files. ##
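Review bot: in the consolekit.te hunk the two new calls are split on either side of auth_use_nsswitch(consolekit_t): auth_generic_run_filetrans_pam_console_data() is inserted above it and auth_create_pam_console_data_dirs() below it, even though both exist only to let the daemon create /var/run/console. Keep them adjacent to auth_manage_pam_console_data(consolekit_t) so the pam_console handling reads as one unit (create dirs, filetrans, manage), with the "creates /var/run/console for tagfiles" comment above that group. Also confirm that auth_manage_pam_console_data() does not already grant directory creation on pam_var_console_t; if it does, the new create_dirs call is redundant.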
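Review bot: the auth_generic_run_filetrans_pam_console_data interface in the first authlogin.if hunk only installs the type transition via files_pid_filetrans($1, pam_var_console_t, $2, $3); it grants no create permission on pam_var_console_t itself, so a caller that uses it without the separate auth_create_pam_console_data_dirs() (or an equivalent manage interface) still cannot create the directory. State that pairing requirement in the summary, since nothing in the interface name hints at it. Separately, the doc block as shown here has bare "##" lines where refpolicy's XML tags (summary, param name="domain", param name="class", param name="name" optional="true") should sit; confirm the committed file carries them, because the interface documentation tooling relies on those tags.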
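Review bot: auth_create_pam_console_data_dirs in the second authlogin.if hunk grants only "allow $1 pam_var_console_t:dir create_dir_perms;" with no permission on any parent directory, so on its own the interface cannot create anything: the write/add_name on the /var/run parent arrives only when the caller also uses the companion filetrans interface. If this is meant as a general create interface, use create_dirs_pattern($1, pam_var_console_t, pam_var_console_t) together with files_search_pids($1) so a domain can also create subdirectories inside existing pam_console data; if it is meant purely as the counterpart to the filetrans, say so in the summary. The "##" lines in this block likewise appear without the summary/param XML tags; check they are present in the committed file.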