On Thu, Jan 31, 2019 at 8:42 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>
> From: Dan Walsh <dwalsh@xxxxxxxxxx>
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
Hi,
As I am unfamiliar with D-Bus code, I try to understand what is the
nature of this change (is-it a bugfix, an improvement, something
else?). Here are the facts:
- Currently, dbus/selinux_server.py uses «
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode") »
for function « change_default_mode ».
- "org.selinux.change_default_mode" does not exist, and I do not know
whether that means that some kind of default policykit policy gets
applied.
- "org.selinux.change_policy_type" is defined in
dbus/org.selinux.policy, without any user.
- The commit that introduced dbus/selinux_server.py (commit
e6a1298e5421 ("These are massive changes involved in building new
GUI.")) added a function named « change_default_mode », without any
specific policykit access checking.
- Commit e8718ef51463 ("Make sure we do the polkit check on all dbus
interfaces.") added «
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode") » in
policycoreutils/sepolicy/selinux_server.py.
If I understand correctly, this last commit is buggy and should have
added "org.selinux.change_default_mode" to
policycoreutils/sepolicy/org.selinux.policy. Therefore this new patch
fixes a bug and removes an unused policykit action. Is this right? If
yes, I suggest adding this to the commit description:
Add missing action org.selinux.change_default_mode for
change_default_mode() and remove unused action
org.selinux.change_policy_type.
Fixes: e8718ef51463 ("Make sure we do the polkit check on all dbus
interfaces.")
Would this be acceptable?
Thanks,
Nicolas
> ---
> dbus/org.selinux.policy | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/dbus/org.selinux.policy b/dbus/org.selinux.policy
> index 01266102..9772127b 100644
> --- a/dbus/org.selinux.policy
> +++ b/dbus/org.selinux.policy
> @@ -70,9 +70,9 @@
> <allow_active>auth_admin_keep</allow_active>
> </defaults>
> </action>
> - <action id="org.selinux.change_policy_type">
> - <description>SELinux write access</description>
> - <message>System policy prevents change_policy_type access to SELinux</message>
> + <action id="org.selinux.change_default_mode">
> + <description>Change SELinux default enforcing mode</description>
> + <message>System policy prevents change_default_policy access to SELinux</message>
> <defaults>
> <allow_any>no</allow_any>
> <allow_inactive>no</allow_inactive>
> --
> 2.20.1
>
