commit: 57ed0a43a214867626046638fd5826626e0b6814 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Sep 24 13:39:11 2013 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Sep 27 13:22:54 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=57ed0a43 |
|
Unconfined domains have unconfined access to all of dbus rather than only system bus |
|
unconfined: unconfined_t is real-time scheduled by rtkit |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/system/unconfined.if | 3 +-- |
policy/modules/system/unconfined.te | 49 ++++++------------------------------- |
2 files changed, 9 insertions(+), 43 deletions(-) |
|
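--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -67,8 +67,7 @@ interface(`unconfined_domain_noaudit',`
 ')
 
 optional_policy(`
-	# Communicate via dbusd.
-	dbus_system_bus_unconfined($1)
+	dbus_unconfined($1)
 ')
 
 optional_policy(`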
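Review bot: The replaced call inside the `optional_policy` block widens what `unconfined_domain_noaudit` grants from the system bus alone to every dbus bus, and the dropped `# Communicate via dbusd.` comment is not replaced, so nothing in the interface body records that scope any more. Since this interface is applied to unconfined_execmem_t in unconfined.te (and presumably to unconfined_t as well), a one-line comment above the call would make the change explicit for the next reader: `# Unconfined access to all dbus buses (system and session), not only the system bus.` The interface's XML summary sits above this hunk and may still describe the narrower system-bus access; worth checking that it agrees. The `unconfined_domain_noaudit` interface begins before and ends after this hunk.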
34 |
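--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -80,40 +80,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	init_dbus_chat_script(unconfined_t)
-
-	dbus_stub(unconfined_t)
-
-	optional_policy(`
-		avahi_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		bluetooth_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		consolekit_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		cups_dbus_chat_config(unconfined_t)
-	')
-
-	optional_policy(`
-		hal_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		networkmanager_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		oddjob_dbus_chat(unconfined_t)
-	')
-')
-
-optional_policy(`
 	firstboot_run(unconfined_t, unconfined_r)
 ')
 
@@ -183,6 +149,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rtkit_scheduled(unconfined_t)
+')
+
+optional_policy(`
 	rpm_run(unconfined_t, unconfined_r)
 ')
 
@@ -209,6 +179,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
 	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
 ')
 
@@ -237,12 +211,5 @@ allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
 
 optional_policy(`
-	dbus_stub(unconfined_execmem_t)
-
-	init_dbus_chat_script(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
-
-	optional_policy(`
-		hal_dbus_chat(unconfined_execmem_t)
-	')
 ')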
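Review bot: The first hunk (@@ -80,40) drops the per-service dbus rules for unconfined_t (`init_dbus_chat_script`, `dbus_stub`, and the avahi, bluetooth, consolekit, cups, hal, networkmanager and oddjob `*_dbus_chat` calls) on the premise that `dbus_unconfined()`, now reached through `unconfined_domain_noaudit()`, subsumes them, yet the @@ -209 and @@ -237 hunks keep explicit `unconfined_dbus_chat()` calls for unconfined_t and unconfined_execmem_t. Either `dbus_unconfined()` already grants all dbus `send_msg` and those two calls are redundant, or it does not and the removed per-service rules are a functional regression; which holds depends on dbus.if, which is outside this commit, so the description should say which. A short comment at the first remaining dbus-related block in this file would keep the per-service rules from being re-added piecemeal, e.g. `# dbus access on all buses comes from unconfined_domain_noaudit() via dbus_unconfined(); do not add per-service *_dbus_chat() rules here.` The `rtkit_scheduled(unconfined_t)` addition in the @@ -183 hunk matches the description and needs no change.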