[selinux-policy: 2171/3172] dbus patch from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:12:53 UTC 2010 

commit e04438840b32d7e7b73b5c7a07592f3d264e5b27
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jul 27 09:46:35 2009 -0400

    dbus patch from dan

 policy/modules/services/dbus.fc |    3 +
 policy/modules/services/dbus.if |   97 ++++++++++++++++++++++++++++++++++++++-
 policy/modules/services/dbus.te |   42 +++++++++++++++--
 3 files changed, 136 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
index e67e4e6..a88652f 100644
--- a/policy/modules/services/dbus.fc
+++ b/policy/modules/services/dbus.fc
@@ -4,6 +4,9 @@
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
 /bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
 /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 0f435c5..87ba7d1 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -117,6 +117,7 @@ template(`dbus_role_template',`
 	dev_read_urand($1_dbusd_t)
 
  	domain_use_interactive_fds($1_dbusd_t)
+	domain_read_all_domains_state($1_dbusd_t)
 
 	files_read_etc_files($1_dbusd_t)
 	files_list_home($1_dbusd_t)
@@ -255,7 +256,27 @@ interface(`dbus_read_config',`
 
 ########################################
 ## <summary>
-##	Connect to the the system DBUS
+##	Connect to the the session DBUS
+##	for service (acquire_svc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_connect_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+		class dbus acquire_svc;
+	')
+
+	allow $1 session_bus_type:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+##	Connect to the system DBUS
 ##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
@@ -310,3 +331,77 @@ interface(`dbus_system_bus_unconfined',`
 
 	allow $1 system_dbusd_t:dbus *;
 ')
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by the system dbus
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+	gen_require(`
+		type system_dbusd_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(system_dbusd_t, $2, $1)
+
+	dbus_system_bus_client($1)
+	dbus_connect_system_bus($1)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+	')
+')
+
+########################################
+## <summary>
+##	Dontaudit Read, and write system dbus TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:tcp_socket { read write };
+	allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+	gen_require(`
+		attribute dbusd_unconfined;
+	')
+
+	typeattribute $1 dbusd_unconfined;
+')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index bdd0967..d67a6e1 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
 
-policy_module(dbus, 1.10.3)
+policy_module(dbus, 1.10.4)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -10,13 +10,15 @@ gen_require(`
 # Delcarations
 #
 
+attribute dbusd_unconfined;
 attribute session_bus_type;
 
 type dbusd_etc_t;
-files_type(dbusd_etc_t)
+files_config_file(dbusd_etc_t)
 
 type dbusd_exec_t;
 corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
 
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
@@ -31,11 +33,19 @@ type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)
 
 type system_dbusd_var_lib_t;
-files_pid_file(system_dbusd_var_lib_t)
+files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
+')
+
 ##############################
 #
 # System bus local policy
@@ -45,7 +55,7 @@ files_pid_file(system_dbusd_var_run_t)
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -53,6 +63,8 @@ allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
+can_exec(system_dbusd_t, dbusd_exec_t)
+
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -75,6 +87,14 @@ dev_read_sysfs(system_dbusd_t)
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
+
+mls_fd_use_all_levels(system_dbusd_t)
+mls_rangetrans_target(system_dbusd_t)
+mls_file_read_all_levels(system_dbusd_t)
+mls_socket_write_all_levels(system_dbusd_t)
+mls_socket_read_to_clearance(system_dbusd_t)
+mls_dbus_recv_all_levels(system_dbusd_t)
 
 selinux_get_fs_mount(system_dbusd_t)
 selinux_validate_context(system_dbusd_t)
@@ -91,9 +111,9 @@ auth_read_pam_console_data(system_dbusd_t)
 corecmd_list_bin(system_dbusd_t)
 corecmd_read_bin_pipes(system_dbusd_t)
 corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_bin(system_dbusd_t)
 
 domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
 
 files_read_etc_files(system_dbusd_t)
 files_list_home(system_dbusd_t)
@@ -120,9 +140,21 @@ optional_policy(`
 ')
 
 optional_policy(`
+	policykit_domtrans_auth(system_dbusd_t)
+	policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
 	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;

More information about the scm-commits mailing list