[selinux-policy: 614/3172] finish remaining dbus bits

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:57:44 UTC 2010 

commit 631ee4d3cff3e669af896de430647c8a8d850c48
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 1 13:34:45 2005 +0000

    finish remaining dbus bits

 refpolicy/policy/modules/admin/updfstab.te    |    5 +--
 refpolicy/policy/modules/services/dbus.if     |   47 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/userdomain.if |    6 ---
 3 files changed, 48 insertions(+), 10 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 7998aa2..4c15864 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -95,6 +95,7 @@ optional_policy(`authlogin.te',`
 
 optional_policy(`dbus.te',`
 	dbus_system_bus_client_template(updfstab,updfstab_t)
+	dbus_send_system_bus_msg(updfstab_t)
 ')
 
 optional_policy(`modutils.te',`
@@ -114,7 +115,3 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te',`
 	udev_read_db(updfstab_t)
 ')
-
-ifdef(`TODO',`
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index efe31f0..4003f02 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -35,6 +35,8 @@ template(`dbus_per_userdomain_template',`
 	domain_type($1_dbusd_t)
 	role $3 types $1_dbusd_t;
 
+	type $1_dbusd_$1_t;
+
 	type $1_dbusd_tmp_t;
 	files_tmp_file($1_dbusd_tmp_t)
 
@@ -47,9 +49,19 @@ template(`dbus_per_userdomain_template',`
 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
 	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
 	# Receive notifications of policy reloads and enforcing status changes.
 	allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
 
+	# For connecting to the bus
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+
+	# SE-DBus specific permissions
+	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+
 	allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
 	allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
 	allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
@@ -69,6 +81,14 @@ template(`dbus_per_userdomain_template',`
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctl($1_dbusd_t)
 
+	corenet_tcp_sendrecv_all_if($1_dbusd_t)
+	corenet_raw_sendrecv_all_if($1_dbusd_t)
+	corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
+	corenet_raw_sendrecv_all_nodes($1_dbusd_t)
+	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+	corenet_tcp_bind_all_nodes($1_dbusd_t)
+	corenet_tcp_bind_reserved_port($1_dbusd_t)
+
 	dev_read_urand($1_dbusd_t)
 
 	selinux_get_fs_mount($1_dbusd_t)
@@ -104,6 +124,8 @@ template(`dbus_per_userdomain_template',`
 	seutil_read_config($1_dbusd_t)
 	seutil_read_default_contexts($1_dbusd_t)
 
+	sysnet_read_config($1_dbusd_t)
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_dbusd_t)
 		files_read_default_files($1_dbusd_t)
@@ -135,6 +157,14 @@ template(`dbus_per_userdomain_template',`
 ## </param>
 #
 template(`dbus_system_bus_client_template',`
+	gen_require(`
+		type system_dbusd_t, system_dbusd_t;
+		type system_dbusd_var_run_t;
+		class dir search;
+		class sock_file write;
+		class unix_stream_socket connectto;
+		class dbus send_msg;
+	')
 
 	type $1_dbusd_system_t;
 	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
@@ -148,3 +178,20 @@ template(`dbus_system_bus_client_template',`
 	allow $2 system_dbusd_var_run_t:sock_file write;
 	allow $2 system_dbusd_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Send a message on the system DBUS.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dbus_send_system_bus_msg',`
+	gen_require(`
+		type system_dbusd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 system_dbusd_t:dbus send_msg;
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9015581..bd1a467 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -349,12 +349,6 @@ template(`base_user_template',`
 
 	# Grant permissions to access the system DBus
 	ifdef(`dbusd.te', `
-		can_network_server_tcp($1_dbusd_t)
-		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-	
-		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-		dbusd_client($1, $1)
-		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
 		ifdef(`hald.te', `
 			allow $1_t hald_t:dbus send_msg;
 			allow hald_t $1_t:dbus send_msg;

More information about the scm-commits mailing list