commit: b43e53edeed2e3caa3f40bb8d38e7a3cdf36d76d |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Thu Sep 27 13:26:50 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Sep 27 18:02:53 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b43e53ed |
|
Changes to the dbus policy module and its dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/dbus.fc | 25 +-- |
policy/modules/contrib/dbus.if | 270 +++++++++++++++------------------ |
policy/modules/contrib/dbus.te | 144 +++++++++++++++--- |
policy/modules/contrib/evolution.te | 6 +- |
policy/modules/contrib/gpg.te | 4 +- |
policy/modules/contrib/mozilla.te | 8 +- |
policy/modules/contrib/policykit.te | 4 +- |
policy/modules/contrib/pulseaudio.te | 6 +- |
policy/modules/contrib/telepathy.if | 6 + |
policy/modules/contrib/telepathy.te | 2 +- |
policy/modules/contrib/thunderbird.te | 4 +- |
policy/modules/contrib/wm.if | 2 +- |
policy/modules/contrib/wm.te | 2 +- |
13 files changed, 277 insertions(+), 206 deletions(-) |
|
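--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -1,25 +1,18 @@
-/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
 
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-ifdef(`distro_redhat',`
-/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-')
+/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-ifdef(`distro_debian',`
-/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-')
+/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-ifdef(`distro_gentoo',`
-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-')
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
-ifdef(`distro_redhat',`
 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-')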
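Review bot: The `.*` in `/etc/dbus-.*(/.*)?` and in the two `dbus-.*/dbus-daemon-launch-helper` entries matches more than the versioned directory it replaces, because `.` in a file-context regex also matches `/`. The first entry therefore labels every path that merely begins with `/etc/dbus-` as dbusd_etc_t, and the helper entries assign dbusd_exec_t at any depth below a `dbus-*` directory; dbus.if in this same commit declares dbusd_exec_t as the entry file of the session bus domains, so its labelling reach matters. Limiting the version part to one path component keeps the distro-neutral form without that reach, for example `/etc/dbus-[^/]+(/.*)?` and `/usr/lib/dbus-[^/]+/dbus-daemon-launch-helper --`.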
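--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -1,4 +1,4 @@
-## <summary>Desktop messaging bus</summary>
+## <summary>Desktop messaging bus.</summary>
 
 ########################################
 ## <summary>
@@ -19,7 +19,7 @@ interface(`dbus_stub',`
 
 ########################################
 ## <summary>
-## Role access for dbus
+## Role access for dbus.
 ## </summary>
 ## <param name="role_prefix">
 ## <summary>
@@ -41,20 +41,20 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 gen_require(`
 class dbus { send_msg acquire_svc };
-
 attribute session_bus_type;
- type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type system_dbusd_t, dbusd_exec_t;
 ')
 
 ##############################
 #
- # Delcarations
+ # Declarations
 #
 
 type $1_dbusd_t, session_bus_type;
 domain_type($1_dbusd_t)
 domain_entry_file($1_dbusd_t, dbusd_exec_t)
 ubac_constrained($1_dbusd_t)
+
 role $2 types $1_dbusd_t;
 
 ##############################
@@ -62,118 +62,36 @@ template(`dbus_role_template',`
 # Local policy
 #
 
- allow $1_dbusd_t self:process { getattr sigkill signal };
- dontaudit $1_dbusd_t self:process ptrace;
- allow $1_dbusd_t self:file { getattr read write };
- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
- # For connecting to the bus
 allow $3 $1_dbusd_t:unix_stream_socket connectto;
-
- # SE-DBus specific permissions
 allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-
- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { signull sigkill signal };
 
- # cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
- allow $1_dbusd_t $3:process sigkill;
- allow $3 $1_dbusd_t:fd use;
- allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_dbusd_t:process sigchld;
-
- kernel_read_system_state($1_dbusd_t)
- kernel_read_kernel_sysctls($1_dbusd_t)
-
- corecmd_list_bin($1_dbusd_t)
- corecmd_read_bin_symlinks($1_dbusd_t)
- corecmd_read_bin_files($1_dbusd_t)
- corecmd_read_bin_pipes($1_dbusd_t)
- corecmd_read_bin_sockets($1_dbusd_t)
-
- corenet_all_recvfrom_unlabeled($1_dbusd_t)
- corenet_all_recvfrom_netlabel($1_dbusd_t)
- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
- corenet_tcp_sendrecv_generic_node($1_dbusd_t)
- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
- corenet_tcp_bind_generic_node($1_dbusd_t)
- corenet_tcp_bind_reserved_port($1_dbusd_t)
-
- dev_read_urand($1_dbusd_t)
-
- domain_use_interactive_fds($1_dbusd_t)
- domain_read_all_domains_state($1_dbusd_t)
-
- files_read_etc_files($1_dbusd_t)
- files_list_home($1_dbusd_t)
- files_read_usr_files($1_dbusd_t)
- files_dontaudit_search_var($1_dbusd_t)
-
- fs_getattr_romfs($1_dbusd_t)
- fs_getattr_xattr_fs($1_dbusd_t)
- fs_list_inotifyfs($1_dbusd_t)
- fs_dontaudit_list_nfs($1_dbusd_t)
-
- selinux_get_fs_mount($1_dbusd_t)
- selinux_validate_context($1_dbusd_t)
- selinux_compute_access_vector($1_dbusd_t)
- selinux_compute_create_context($1_dbusd_t)
- selinux_compute_relabel_context($1_dbusd_t)
- selinux_compute_user_contexts($1_dbusd_t)
-
- auth_read_pam_console_data($1_dbusd_t)
- auth_use_nsswitch($1_dbusd_t)
-
- logging_send_audit_msgs($1_dbusd_t)
- logging_send_syslog_msg($1_dbusd_t)
-
- miscfiles_read_localization($1_dbusd_t)
-
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
+ ps_process_pattern($3, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
 
- term_use_all_terms($1_dbusd_t)
+ allow $1_dbusd_t $3:process sigkill;
 
- userdom_read_user_home_content_files($1_dbusd_t)
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_shell_domtrans($1_dbusd_t, $3)
 
+ auth_use_nsswitch($1_dbusd_t)
 
- ifdef(`hide_broken_symptoms', `
+ ifdef(`hide_broken_symptoms',`
 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 ')
 
 optional_policy(`
- hal_dbus_chat($1_dbusd_t)
- ')
-
- optional_policy(`
 xdg_read_generic_data_home_files($1_dbusd_t)
 ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
- ')
 ')
 
 #######################################
 ## <summary>
 ## Template for creating connections to
-## the system DBUS.
+## the system bus.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -183,19 +101,16 @@ template(`dbus_role_template',`
 #
 interface(`dbus_system_bus_client',`
 gen_require(`
- type system_dbusd_t, system_dbusd_t;
- type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
 class dbus send_msg;
 ')
 
- # SE-DBus specific permissions
 allow $1 { system_dbusd_t self }:dbus send_msg;
 allow system_dbusd_t $1:dbus send_msg;
 
 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 files_search_var_lib($1)
 
- # For connecting to the bus
 files_search_pids($1)
 stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 dbus_read_config($1)
@@ -203,9 +118,61 @@ interface(`dbus_system_bus_client',`
 
 #######################################
 ## <summary>
-## Template for creating connections to
-## a user DBUS.
+## Acquire service on specified
+## DBUS session bus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_session_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $2 $1_dbusd_t:dbus acquire_svc;
+')
+
+#######################################
+## <summary>
+## Acquire service on all DBUS
+## session busses.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+#######################################
+## <summary>
+## Creating connections to specified
+## DBUS session bus.
 ## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
@@ -214,23 +181,48 @@ interface(`dbus_system_bus_client',`
 #
 interface(`dbus_session_bus_client',`
 gen_require(`
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ allow $2 $1_dbusd_t:fd use;
+')
+
+#######################################
+## <summary>
+## Creating connections to all
+## DBUS session busses.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_all_session_bus_client',`
+ gen_require(`
 attribute session_bus_type;
 class dbus send_msg;
 ')
 
- # SE-DBus specific permissions
 allow $1 { session_bus_type self }:dbus send_msg;
-
- # For connecting to the bus
 allow $1 session_bus_type:unix_stream_socket connectto;
-
- dontaudit $1 session_bus_type:fd use;
+ allow $1 session_bus_type:fd use;
 ')
 
-########################################
+#######################################
 ## <summary>
-## Send a message the session DBUS.
+## Send messages to specified
+## DBUS session bus.
 ## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
@@ -239,16 +231,16 @@ interface(`dbus_session_bus_client',`
 #
 interface(`dbus_send_session_bus',`
 gen_require(`
- attribute session_bus_type;
+ type $1_dbusd_t;
 class dbus send_msg;
 ')
 
- allow $1 session_bus_type:dbus send_msg;
+ allow $2 $1_dbusd_t:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-## Read dbus configuration.
+## Read dbus configuration content.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -307,29 +299,15 @@ interface(`dbus_manage_lib_files',`
 
 ########################################
 ## <summary>
-## Connect to the system DBUS
-## for service (acquire_svc).
+## Allow a application domain to be
+## started by the specified session bus.
 ## </summary>
-## <param name="domain">
+## <param name="role_prefix">
 ## <summary>
-## Domain allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## </summary>
 ## </param>
-#
-interface(`dbus_connect_session_bus',`
- gen_require(`
- attribute session_bus_type;
- class dbus acquire_svc;
- ')
-
- allow $1 session_bus_type:dbus acquire_svc;
-')
-
-########################################
-## <summary>
-## Allow a application domain to be started
-## by the session dbus.
-## </summary>
 ## <param name="domain">
 ## <summary>
 ## Type to be used as a domain.
@@ -344,19 +322,18 @@ interface(`dbus_connect_session_bus',`
 #
 interface(`dbus_session_domain',`
 gen_require(`
- attribute session_bus_type;
+ type $1_dbusd_t;
 ')
 
- domtrans_pattern(session_bus_type, $2, $1)
+ domtrans_pattern($1_dbusd_t, $2, $3)
 
- dbus_session_bus_client($1)
- dbus_connect_session_bus($1)
+ dbus_session_bus_client($1, $2)
+ dbus_connect_session_bus($1, $2)
 ')
 
 ########################################
 ## <summary>
-## Connect to the system DBUS
-## for service (acquire_svc).
+## Acquire service on the DBUS system bus.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -375,7 +352,7 @@ interface(`dbus_connect_system_bus',`
 
 ########################################
 ## <summary>
-## Send a message on the system DBUS.
+## Send messages to the DBUS system bus.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -438,7 +415,7 @@ interface(`dbus_create_system_dbusd_var_run_dirs',`
 
 ########################################
 ## <summary>
-## Allow unconfined access to the system DBUS.
+## Unconfined access to DBUS system bus.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -457,8 +434,8 @@ interface(`dbus_system_bus_unconfined',`
 
 ########################################
 ## <summary>
-## Create a domain for processes
-## which can be started by the system dbus
+## Create a domain for processes which
+## can be started by the DBUS system bus.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -498,7 +475,8 @@ interface(`dbus_system_domain',`
 
 ########################################
 ## <summary>
-## Use and inherit system DBUS file descriptors.
+## Use and inherit DBUS system bus
+## file descriptors.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -516,7 +494,8 @@ interface(`dbus_use_system_bus_fds',`
 
 ########################################
 ## <summary>
-## Dontaudit Read, and write system dbus TCP sockets.
+## Do not audit attempts to read and
+## write DBUS system bus TCP sockets.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -529,13 +508,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
 type system_dbusd_t;
 ')
 
- allow $1 system_dbusd_t:tcp_socket { read write };
- allow $1 system_dbusd_t:fd use;
+ dontaudit $1 system_dbusd_t:tcp_socket { read write };
 ')
 
 ########################################
 ## <summary>
-## Unconfined access to DBUS.
+## Unconfined access to DBUS.
 ## </summary>
 ## <param name="domain">
 ## <summary>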
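Review bot: In `dbus_session_domain` the new `domtrans_pattern($1_dbusd_t, $2, $3)` appears to pass its last two arguments in the wrong order. The removed line was `domtrans_pattern(session_bus_type, $2, $1)` with the domain last, and now that role_prefix is `$1` the documented domain is `$2`, which the two following calls also pass as the domain; as written the domain type lands in the entry-file slot, so I would expect `domtrans_pattern($1_dbusd_t, $3, $2)`. The documentation of the third parameter lies outside the hunk, so please confirm against the full interface. Separately, in `dbus_role_template` the user domain `$3` now receives `ptrace` on the session bus (`allow $3 $1_dbusd_t:process { ptrace signal_perms };`) where it previously held three signals only; unless tracing the bus daemon is required, `allow $3 $1_dbusd_t:process signal_perms;` is the narrower grant.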
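--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.17.0)
+policy_module(dbus, 1.18.0)
 
 gen_require(`
 class dbus all_dbus_perms;
@@ -6,7 +6,7 @@ gen_require(`
 
 ##############################
 #
-# Delcarations
+# Declarations
 #
 
 attribute dbusd_unconfined;
@@ -45,45 +45,53 @@ ifdef(`enable_mls',`
 init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
 ')
 
-##############################
+######################################
 #
-# System bus local policy
+# Local policy
 #
 
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
-# Receive notifications of policy reloads and enforcing status changes.
+allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
-can_exec(system_dbusd_t, dbusd_exec_t)
-
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
+
+can_exec(system_dbusd_t, dbusd_exec_t)
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
 
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+corecmd_exec_shell(system_dbusd_t)
+
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+files_read_usr_files(system_dbusd_t)
+
 fs_getattr_all_fs(system_dbusd_t)
 fs_list_inotifyfs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
@@ -108,16 +116,9 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
-
-files_read_etc_files(system_dbusd_t)
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+init_use_fds(system_dbusd_t)
+init_use_script_ptys(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
@@ -141,6 +142,14 @@ optional_policy(`
 ')
 
 optional_policy(`
+ bluetooth_stream_connect(system_dbusd_t)
+')
+
+optional_policy(`
+ cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
 policykit_dbus_chat(system_dbusd_t)
 policykit_domtrans_auth(system_dbusd_t)
 policykit_search_lib(system_dbusd_t)
@@ -156,7 +165,92 @@ optional_policy(`
 
 ########################################
 #
+# Common session bus local policy
+#
+
+allow session_bus_type self:capability2 block_suspend;
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process { ptrace setrlimit };
+allow session_bus_type self:file { getattr read write };
+allow session_bus_type self:fifo_file rw_fifo_file_perms;
+allow session_bus_type self:dbus { send_msg acquire_svc };
+allow session_bus_type self:unix_stream_socket { accept listen };
+allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:netlink_selinux_socket create_socket_perms;
+
+allow session_bus_type dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+
+kernel_read_system_state(session_bus_type)
+kernel_read_kernel_sysctls(session_bus_type)
+
+corecmd_list_bin(session_bus_type)
+corecmd_read_bin_symlinks(session_bus_type)
+corecmd_read_bin_files(session_bus_type)
+corecmd_read_bin_pipes(session_bus_type)
+corecmd_read_bin_sockets(session_bus_type)
+
+corenet_all_recvfrom_unlabeled(session_bus_type)
+corenet_all_recvfrom_netlabel(session_bus_type)
+corenet_tcp_sendrecv_generic_if(session_bus_type)
+corenet_tcp_sendrecv_generic_node(session_bus_type)
+corenet_tcp_sendrecv_all_ports(session_bus_type)
+corenet_tcp_bind_generic_node(session_bus_type)
+
+corenet_sendrecv_all_server_packets(session_bus_type)
+corenet_tcp_bind_reserved_port(session_bus_type)
+
+dev_read_urand(session_bus_type)
+
+domain_read_all_domains_state(session_bus_type)
+domain_use_interactive_fds(session_bus_type)
+
+files_list_home(session_bus_type)
+files_read_usr_files(session_bus_type)
+files_dontaudit_search_var(session_bus_type)
+
+fs_getattr_romfs(session_bus_type)
+fs_getattr_xattr_fs(session_bus_type)
+fs_list_inotifyfs(session_bus_type)
+fs_dontaudit_list_nfs(session_bus_type)
+
+selinux_get_fs_mount(session_bus_type)
+selinux_validate_context(session_bus_type)
+selinux_compute_access_vector(session_bus_type)
+selinux_compute_create_context(session_bus_type)
+selinux_compute_relabel_context(session_bus_type)
+selinux_compute_user_contexts(session_bus_type)
+
+auth_read_pam_console_data(session_bus_type)
+
+logging_send_audit_msgs(session_bus_type)
+logging_send_syslog_msg(session_bus_type)
+
+miscfiles_read_localization(session_bus_type)
+
+seutil_read_config(session_bus_type)
+seutil_read_default_contexts(session_bus_type)
+
+term_use_all_terms(session_bus_type)
+
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+')
+
+########################################
+#
 # Unconfined access to this module
 #
 
-allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;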
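Review bot: The system-bus local policy hunk (`@@ -45,45 +45,53 @@`) widens system_dbusd_t without recording why: `sys_resource` joins its capability set and `corecmd_exec_shell(system_dbusd_t)` is new, while the only explanatory comments on the old side (the dac_override note and the netlink_selinux_socket note) are deleted. I would keep a why-comment above each new grant, for example `# sys_resource: <reason the system bus needs it>` on the capability line, or drop the grant if no observed denial justifies it. In the `@@ -108,16 +116,9 @@` hunk the added `init_use_fds` and `init_use_script_ptys` lines are immediately followed by unchanged context lines making the same calls, so the added copies are redundant and can go; whether `init_domtrans_script` is also already present lies outside the hunk.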
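--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.3.0)
+policy_module(evolution, 2.3.1)
 
 ########################################
 #
@@ -283,7 +283,7 @@ optional_policy(`
 
 optional_policy(`
 dbus_system_bus_client(evolution_t)
- dbus_session_bus_client(evolution_t)
+ dbus_all_session_bus_client(evolution_t)
 ')
 
 optional_policy(`
@@ -383,7 +383,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
- dbus_session_bus_client(evolution_alarm_t)
+ dbus_all_session_bus_client(evolution_alarm_t)
 ')
 
 optional_policy(`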
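--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.6.2)
+policy_module(gpg, 2.6.3)
 
 ########################################
 #
@@ -341,7 +341,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
- dbus_session_bus_client(gpg_pinentry_t)
+ dbus_all_session_bus_client(gpg_pinentry_t)
 dbus_system_bus_client(gpg_pinentry_t)
 ')
 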
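--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.6.0)
+policy_module(mozilla, 2.6.1)
 
 ########################################
 #
@@ -287,8 +287,8 @@ optional_policy(`
 ')
 
 optional_policy(`
- dbus_session_bus_client(mozilla_t)
 dbus_system_bus_client(mozilla_t)
+ dbus_all_session_bus_client(mozilla_t)
 
 optional_policy(`
 networkmanager_dbus_chat(mozilla_t)
@@ -493,9 +493,9 @@ optional_policy(`
 ')
 
 optional_policy(`
- dbus_read_lib_files(mozilla_plugin_t)
- dbus_session_bus_client(mozilla_plugin_t)
 dbus_system_bus_client(mozilla_plugin_t)
+ dbus_all_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
 ')
 
 optional_policy(`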
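--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.2.1)
+policy_module(policykit, 1.2.2)
 
 ########################################
 #
@@ -106,7 +106,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 
 optional_policy(`
 dbus_system_bus_client(policykit_auth_t)
- dbus_session_bus_client(policykit_auth_t)
+ dbus_all_session_bus_client(policykit_auth_t)
 
 optional_policy(`
 consolekit_dbus_chat(policykit_auth_t)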
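--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.5.0)
+policy_module(pulseaudio, 1.5.1)
 
 ########################################
 #
@@ -104,8 +104,8 @@ optional_policy(`
 optional_policy(`
 dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
 dbus_system_bus_client(pulseaudio_t)
- dbus_session_bus_client(pulseaudio_t)
- dbus_connect_session_bus(pulseaudio_t)
+ dbus_all_session_bus_client(pulseaudio_t)
+ dbus_connect_all_session_bus(pulseaudio_t)
 
 optional_policy(`
 consolekit_dbus_chat(pulseaudio_t)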
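--- a/policy/modules/contrib/telepathy.if
+++ b/policy/modules/contrib/telepathy.if
@@ -44,6 +44,12 @@ template(`telepathy_domain_template',`
 ## The type of the user domain.
 ## </summary>
 ## </param>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
 #
 template(`telepathy_role', `
 gen_require(`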
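--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.3.2)
+policy_module(telepathy, 1.3.3)
 
 ########################################
 #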
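--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.3.0)
+policy_module(thunderbird, 2.3.1)
 
 ########################################
 #
@@ -179,7 +179,7 @@ tunable_policy(`mail_read_content',`
 
 optional_policy(`
 dbus_system_bus_client(thunderbird_t)
- dbus_session_bus_client(thunderbird_t)
+ dbus_all_session_bus_client(thunderbird_t)
 ')
 
 optional_policy(`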
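--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -79,7 +79,7 @@ template(`wm_role_template',`
 
 optional_policy(`
 dbus_system_bus_client($1_wm_t)
- dbus_session_bus_client($1_wm_t)
+ dbus_session_bus_client($1, $1_wm_t)
 ')
 
 optional_policy(`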
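--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.2.0)
+policy_module(wm, 1.2.1)
 
 ########################################
 #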