Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 27 Sep 2012 18:08:09
Message-Id: 1348768973.b43e53edeed2e3caa3f40bb8d38e7a3cdf36d76d.SwifT@gentoo
1 commit: b43e53edeed2e3caa3f40bb8d38e7a3cdf36d76d
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Thu Sep 27 13:26:50 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Sep 27 18:02:53 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b43e53ed
7
8 Changes to the dbus policy module and its dependencies
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
14
15 ---
16 policy/modules/contrib/dbus.fc | 25 +--
17 policy/modules/contrib/dbus.if | 270 +++++++++++++++------------------
18 policy/modules/contrib/dbus.te | 144 +++++++++++++++---
19 policy/modules/contrib/evolution.te | 6 +-
20 policy/modules/contrib/gpg.te | 4 +-
21 policy/modules/contrib/mozilla.te | 8 +-
22 policy/modules/contrib/policykit.te | 4 +-
23 policy/modules/contrib/pulseaudio.te | 6 +-
24 policy/modules/contrib/telepathy.if | 6 +
25 policy/modules/contrib/telepathy.te | 2 +-
26 policy/modules/contrib/thunderbird.te | 4 +-
27 policy/modules/contrib/wm.if | 2 +-
28 policy/modules/contrib/wm.te | 2 +-
29 13 files changed, 277 insertions(+), 206 deletions(-)
30
31 diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
32 index e6345ce..897f816 100644
33 --- a/policy/modules/contrib/dbus.fc
34 +++ b/policy/modules/contrib/dbus.fc
35 @@ -1,25 +1,18 @@
36 -/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
37 +/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
38
39 -/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
40 +/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
41
42 -ifdef(`distro_redhat',`
43 -/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
44 -')
45 +/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
46
47 -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
48 +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
49
50 -ifdef(`distro_debian',`
51 -/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
52 -')
53 +/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
54
55 -ifdef(`distro_gentoo',`
56 -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
57 -')
58 +/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
59
60 -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
61 +/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
62
63 -/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
64 +/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
65 +/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
66
67 -ifdef(`distro_redhat',`
68 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
69 -')
70
71 diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
72 index 222d21f..b548647 100644
73 --- a/policy/modules/contrib/dbus.if
74 +++ b/policy/modules/contrib/dbus.if
75 @@ -1,4 +1,4 @@
76 -## <summary>Desktop messaging bus</summary>
77 +## <summary>Desktop messaging bus.</summary>
78
79 ########################################
80 ## <summary>
81 @@ -19,7 +19,7 @@ interface(`dbus_stub',`
82
83 ########################################
84 ## <summary>
85 -## Role access for dbus
86 +## Role access for dbus.
87 ## </summary>
88 ## <param name="role_prefix">
89 ## <summary>
90 @@ -41,20 +41,20 @@ interface(`dbus_stub',`
91 template(`dbus_role_template',`
92 gen_require(`
93 class dbus { send_msg acquire_svc };
94 -
95 attribute session_bus_type;
96 - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
97 + type system_dbusd_t, dbusd_exec_t;
98 ')
99
100 ##############################
101 #
102 - # Delcarations
103 + # Declarations
104 #
105
106 type $1_dbusd_t, session_bus_type;
107 domain_type($1_dbusd_t)
108 domain_entry_file($1_dbusd_t, dbusd_exec_t)
109 ubac_constrained($1_dbusd_t)
110 +
111 role $2 types $1_dbusd_t;
112
113 ##############################
114 @@ -62,118 +62,36 @@ template(`dbus_role_template',`
115 # Local policy
116 #
117
118 - allow $1_dbusd_t self:process { getattr sigkill signal };
119 - dontaudit $1_dbusd_t self:process ptrace;
120 - allow $1_dbusd_t self:file { getattr read write };
121 - allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
122 - allow $1_dbusd_t self:dbus { send_msg acquire_svc };
123 - allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
124 - allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
125 - allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
126 - allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
127 -
128 - # For connecting to the bus
129 allow $3 $1_dbusd_t:unix_stream_socket connectto;
130 -
131 - # SE-DBus specific permissions
132 allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
133 - allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
134
135 - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
136 - read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
137 - read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
138 -
139 - manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
140 - manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
141 - files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
142 + allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
143
144 domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
145 - allow $3 $1_dbusd_t:process { signull sigkill signal };
146
147 - # cjp: this seems very broken
148 - corecmd_bin_domtrans($1_dbusd_t, $3)
149 - allow $1_dbusd_t $3:process sigkill;
150 - allow $3 $1_dbusd_t:fd use;
151 - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
152 - allow $3 $1_dbusd_t:process sigchld;
153 -
154 - kernel_read_system_state($1_dbusd_t)
155 - kernel_read_kernel_sysctls($1_dbusd_t)
156 -
157 - corecmd_list_bin($1_dbusd_t)
158 - corecmd_read_bin_symlinks($1_dbusd_t)
159 - corecmd_read_bin_files($1_dbusd_t)
160 - corecmd_read_bin_pipes($1_dbusd_t)
161 - corecmd_read_bin_sockets($1_dbusd_t)
162 -
163 - corenet_all_recvfrom_unlabeled($1_dbusd_t)
164 - corenet_all_recvfrom_netlabel($1_dbusd_t)
165 - corenet_tcp_sendrecv_generic_if($1_dbusd_t)
166 - corenet_tcp_sendrecv_generic_node($1_dbusd_t)
167 - corenet_tcp_sendrecv_all_ports($1_dbusd_t)
168 - corenet_tcp_bind_generic_node($1_dbusd_t)
169 - corenet_tcp_bind_reserved_port($1_dbusd_t)
170 -
171 - dev_read_urand($1_dbusd_t)
172 -
173 - domain_use_interactive_fds($1_dbusd_t)
174 - domain_read_all_domains_state($1_dbusd_t)
175 -
176 - files_read_etc_files($1_dbusd_t)
177 - files_list_home($1_dbusd_t)
178 - files_read_usr_files($1_dbusd_t)
179 - files_dontaudit_search_var($1_dbusd_t)
180 -
181 - fs_getattr_romfs($1_dbusd_t)
182 - fs_getattr_xattr_fs($1_dbusd_t)
183 - fs_list_inotifyfs($1_dbusd_t)
184 - fs_dontaudit_list_nfs($1_dbusd_t)
185 -
186 - selinux_get_fs_mount($1_dbusd_t)
187 - selinux_validate_context($1_dbusd_t)
188 - selinux_compute_access_vector($1_dbusd_t)
189 - selinux_compute_create_context($1_dbusd_t)
190 - selinux_compute_relabel_context($1_dbusd_t)
191 - selinux_compute_user_contexts($1_dbusd_t)
192 -
193 - auth_read_pam_console_data($1_dbusd_t)
194 - auth_use_nsswitch($1_dbusd_t)
195 -
196 - logging_send_audit_msgs($1_dbusd_t)
197 - logging_send_syslog_msg($1_dbusd_t)
198 -
199 - miscfiles_read_localization($1_dbusd_t)
200 -
201 - seutil_read_config($1_dbusd_t)
202 - seutil_read_default_contexts($1_dbusd_t)
203 + ps_process_pattern($3, $1_dbusd_t)
204 + allow $3 $1_dbusd_t:process { ptrace signal_perms };
205
206 - term_use_all_terms($1_dbusd_t)
207 + allow $1_dbusd_t $3:process sigkill;
208
209 - userdom_read_user_home_content_files($1_dbusd_t)
210 + corecmd_bin_domtrans($1_dbusd_t, $3)
211 + corecmd_shell_domtrans($1_dbusd_t, $3)
212
213 + auth_use_nsswitch($1_dbusd_t)
214
215 - ifdef(`hide_broken_symptoms', `
216 + ifdef(`hide_broken_symptoms',`
217 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
218 ')
219
220 optional_policy(`
221 - hal_dbus_chat($1_dbusd_t)
222 - ')
223 -
224 - optional_policy(`
225 xdg_read_generic_data_home_files($1_dbusd_t)
226 ')
227 -
228 - optional_policy(`
229 - xserver_use_xdm_fds($1_dbusd_t)
230 - xserver_rw_xdm_pipes($1_dbusd_t)
231 - ')
232 ')
233
234 #######################################
235 ## <summary>
236 ## Template for creating connections to
237 -## the system DBUS.
238 +## the system bus.
239 ## </summary>
240 ## <param name="domain">
241 ## <summary>
242 @@ -183,19 +101,16 @@ template(`dbus_role_template',`
243 #
244 interface(`dbus_system_bus_client',`
245 gen_require(`
246 - type system_dbusd_t, system_dbusd_t;
247 - type system_dbusd_var_run_t, system_dbusd_var_lib_t;
248 + type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
249 class dbus send_msg;
250 ')
251
252 - # SE-DBus specific permissions
253 allow $1 { system_dbusd_t self }:dbus send_msg;
254 allow system_dbusd_t $1:dbus send_msg;
255
256 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
257 files_search_var_lib($1)
258
259 - # For connecting to the bus
260 files_search_pids($1)
261 stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
262 dbus_read_config($1)
263 @@ -203,9 +118,61 @@ interface(`dbus_system_bus_client',`
264
265 #######################################
266 ## <summary>
267 -## Template for creating connections to
268 -## a user DBUS.
269 +## Acquire service on specified
270 +## DBUS session bus.
271 +## </summary>
272 +## <param name="role_prefix">
273 +## <summary>
274 +## The prefix of the user role (e.g., user
275 +## is the prefix for user_r).
276 +## </summary>
277 +## </param>
278 +## <param name="domain">
279 +## <summary>
280 +## Domain allowed access.
281 +## </summary>
282 +## </param>
283 +#
284 +interface(`dbus_connect_session_bus',`
285 + gen_require(`
286 + type $1_dbusd_t;
287 + class dbus acquire_svc;
288 + ')
289 +
290 + allow $2 $1_dbusd_t:dbus acquire_svc;
291 +')
292 +
293 +#######################################
294 +## <summary>
295 +## Acquire service on all DBUS
296 +## session busses.
297 +## </summary>
298 +## <param name="domain">
299 +## <summary>
300 +## Domain allowed access.
301 +## </summary>
302 +## </param>
303 +#
304 +interface(`dbus_connect_all_session_bus',`
305 + gen_require(`
306 + attribute session_bus_type;
307 + class dbus acquire_svc;
308 + ')
309 +
310 + allow $1 session_bus_type:dbus acquire_svc;
311 +')
312 +
313 +#######################################
314 +## <summary>
315 +## Creating connections to specified
316 +## DBUS session bus.
317 ## </summary>
318 +## <param name="role_prefix">
319 +## <summary>
320 +## The prefix of the user role (e.g., user
321 +## is the prefix for user_r).
322 +## </summary>
323 +## </param>
324 ## <param name="domain">
325 ## <summary>
326 ## Domain allowed access.
327 @@ -214,23 +181,48 @@ interface(`dbus_system_bus_client',`
328 #
329 interface(`dbus_session_bus_client',`
330 gen_require(`
331 + type $1_dbusd_t;
332 + class dbus send_msg;
333 + ')
334 +
335 + allow $2 { $1_dbusd_t self }:dbus send_msg;
336 + allow $2 $1_dbusd_t:unix_stream_socket connectto;
337 + allow $2 $1_dbusd_t:fd use;
338 +')
339 +
340 +#######################################
341 +## <summary>
342 +## Creating connections to all
343 +## DBUS session busses.
344 +## </summary>
345 +## <param name="domain">
346 +## <summary>
347 +## Domain allowed access.
348 +## </summary>
349 +## </param>
350 +#
351 +interface(`dbus_all_session_bus_client',`
352 + gen_require(`
353 attribute session_bus_type;
354 class dbus send_msg;
355 ')
356
357 - # SE-DBus specific permissions
358 allow $1 { session_bus_type self }:dbus send_msg;
359 -
360 - # For connecting to the bus
361 allow $1 session_bus_type:unix_stream_socket connectto;
362 -
363 - dontaudit $1 session_bus_type:fd use;
364 + allow $1 session_bus_type:fd use;
365 ')
366
367 -########################################
368 +#######################################
369 ## <summary>
370 -## Send a message the session DBUS.
371 +## Send messages to specified
372 +## DBUS session bus.
373 ## </summary>
374 +## <param name="role_prefix">
375 +## <summary>
376 +## The prefix of the user role (e.g., user
377 +## is the prefix for user_r).
378 +## </summary>
379 +## </param>
380 ## <param name="domain">
381 ## <summary>
382 ## Domain allowed access.
383 @@ -239,16 +231,16 @@ interface(`dbus_session_bus_client',`
384 #
385 interface(`dbus_send_session_bus',`
386 gen_require(`
387 - attribute session_bus_type;
388 + type $1_dbusd_t;
389 class dbus send_msg;
390 ')
391
392 - allow $1 session_bus_type:dbus send_msg;
393 + allow $2 $1_dbusd_t:dbus send_msg;
394 ')
395
396 ########################################
397 ## <summary>
398 -## Read dbus configuration.
399 +## Read dbus configuration content.
400 ## </summary>
401 ## <param name="domain">
402 ## <summary>
403 @@ -307,29 +299,15 @@ interface(`dbus_manage_lib_files',`
404
405 ########################################
406 ## <summary>
407 -## Connect to the system DBUS
408 -## for service (acquire_svc).
409 +## Allow a application domain to be
410 +## started by the specified session bus.
411 ## </summary>
412 -## <param name="domain">
413 +## <param name="role_prefix">
414 ## <summary>
415 -## Domain allowed access.
416 +## The prefix of the user role (e.g., user
417 +## is the prefix for user_r).
418 ## </summary>
419 ## </param>
420 -#
421 -interface(`dbus_connect_session_bus',`
422 - gen_require(`
423 - attribute session_bus_type;
424 - class dbus acquire_svc;
425 - ')
426 -
427 - allow $1 session_bus_type:dbus acquire_svc;
428 -')
429 -
430 -########################################
431 -## <summary>
432 -## Allow a application domain to be started
433 -## by the session dbus.
434 -## </summary>
435 ## <param name="domain">
436 ## <summary>
437 ## Type to be used as a domain.
438 @@ -344,19 +322,18 @@ interface(`dbus_connect_session_bus',`
439 #
440 interface(`dbus_session_domain',`
441 gen_require(`
442 - attribute session_bus_type;
443 + type $1_dbusd_t;
444 ')
445
446 - domtrans_pattern(session_bus_type, $2, $1)
447 + domtrans_pattern($1_dbusd_t, $2, $3)
448
449 - dbus_session_bus_client($1)
450 - dbus_connect_session_bus($1)
451 + dbus_session_bus_client($1, $2)
452 + dbus_connect_session_bus($1, $2)
453 ')
454
455 ########################################
456 ## <summary>
457 -## Connect to the system DBUS
458 -## for service (acquire_svc).
459 +## Acquire service on the DBUS system bus.
460 ## </summary>
461 ## <param name="domain">
462 ## <summary>
463 @@ -375,7 +352,7 @@ interface(`dbus_connect_system_bus',`
464
465 ########################################
466 ## <summary>
467 -## Send a message on the system DBUS.
468 +## Send messages to the DBUS system bus.
469 ## </summary>
470 ## <param name="domain">
471 ## <summary>
472 @@ -438,7 +415,7 @@ interface(`dbus_create_system_dbusd_var_run_dirs',`
473
474 ########################################
475 ## <summary>
476 -## Allow unconfined access to the system DBUS.
477 +## Unconfined access to DBUS system bus.
478 ## </summary>
479 ## <param name="domain">
480 ## <summary>
481 @@ -457,8 +434,8 @@ interface(`dbus_system_bus_unconfined',`
482
483 ########################################
484 ## <summary>
485 -## Create a domain for processes
486 -## which can be started by the system dbus
487 +## Create a domain for processes which
488 +## can be started by the DBUS system bus.
489 ## </summary>
490 ## <param name="domain">
491 ## <summary>
492 @@ -498,7 +475,8 @@ interface(`dbus_system_domain',`
493
494 ########################################
495 ## <summary>
496 -## Use and inherit system DBUS file descriptors.
497 +## Use and inherit DBUS system bus
498 +## file descriptors.
499 ## </summary>
500 ## <param name="domain">
501 ## <summary>
502 @@ -516,7 +494,8 @@ interface(`dbus_use_system_bus_fds',`
503
504 ########################################
505 ## <summary>
506 -## Dontaudit Read, and write system dbus TCP sockets.
507 +## Do not audit attempts to read and
508 +## write DBUS system bus TCP sockets.
509 ## </summary>
510 ## <param name="domain">
511 ## <summary>
512 @@ -529,13 +508,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
513 type system_dbusd_t;
514 ')
515
516 - allow $1 system_dbusd_t:tcp_socket { read write };
517 - allow $1 system_dbusd_t:fd use;
518 + dontaudit $1 system_dbusd_t:tcp_socket { read write };
519 ')
520
521 ########################################
522 ## <summary>
523 -## Allow unconfined access to the system DBUS.
524 +## Unconfined access to DBUS.
525 ## </summary>
526 ## <param name="domain">
527 ## <summary>
528
529 diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
530 index 192037d..1020bac 100644
531 --- a/policy/modules/contrib/dbus.te
532 +++ b/policy/modules/contrib/dbus.te
533 @@ -1,4 +1,4 @@
534 -policy_module(dbus, 1.17.0)
535 +policy_module(dbus, 1.18.0)
536
537 gen_require(`
538 class dbus all_dbus_perms;
539 @@ -6,7 +6,7 @@ gen_require(`
540
541 ##############################
542 #
543 -# Delcarations
544 +# Declarations
545 #
546
547 attribute dbusd_unconfined;
548 @@ -45,45 +45,53 @@ ifdef(`enable_mls',`
549 init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
550 ')
551
552 -##############################
553 +######################################
554 #
555 -# System bus local policy
556 +# Local policy
557 #
558
559 -# dac_override: /var/run/dbus is owned by messagebus on Debian
560 -# cjp: dac_override should probably go in a distro_debian
561 -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
562 +allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
563 dontaudit system_dbusd_t self:capability sys_tty_config;
564 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
565 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
566 allow system_dbusd_t self:dbus { send_msg acquire_svc };
567 -allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
568 -allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
569 -# Receive notifications of policy reloads and enforcing status changes.
570 +allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
571 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
572
573 -can_exec(system_dbusd_t, dbusd_exec_t)
574 -
575 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
576 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
577 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
578
579 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
580 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
581 -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
582 +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
583
584 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
585
586 +manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
587 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
588 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
589 -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
590 +files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
591 +
592 +can_exec(system_dbusd_t, dbusd_exec_t)
593
594 kernel_read_system_state(system_dbusd_t)
595 kernel_read_kernel_sysctls(system_dbusd_t)
596
597 +corecmd_list_bin(system_dbusd_t)
598 +corecmd_read_bin_pipes(system_dbusd_t)
599 +corecmd_read_bin_sockets(system_dbusd_t)
600 +corecmd_exec_shell(system_dbusd_t)
601 +
602 dev_read_urand(system_dbusd_t)
603 dev_read_sysfs(system_dbusd_t)
604
605 +domain_use_interactive_fds(system_dbusd_t)
606 +domain_read_all_domains_state(system_dbusd_t)
607 +
608 +files_list_home(system_dbusd_t)
609 +files_read_usr_files(system_dbusd_t)
610 +
611 fs_getattr_all_fs(system_dbusd_t)
612 fs_list_inotifyfs(system_dbusd_t)
613 fs_search_auto_mountpoints(system_dbusd_t)
614 @@ -108,16 +116,9 @@ term_dontaudit_use_console(system_dbusd_t)
615 auth_use_nsswitch(system_dbusd_t)
616 auth_read_pam_console_data(system_dbusd_t)
617
618 -corecmd_list_bin(system_dbusd_t)
619 -corecmd_read_bin_pipes(system_dbusd_t)
620 -corecmd_read_bin_sockets(system_dbusd_t)
621 -
622 -domain_use_interactive_fds(system_dbusd_t)
623 -domain_read_all_domains_state(system_dbusd_t)
624 -
625 -files_read_etc_files(system_dbusd_t)
626 -files_list_home(system_dbusd_t)
627 -files_read_usr_files(system_dbusd_t)
628 +init_use_fds(system_dbusd_t)
629 +init_use_script_ptys(system_dbusd_t)
630 +init_domtrans_script(system_dbusd_t)
631
632 init_use_fds(system_dbusd_t)
633 init_use_script_ptys(system_dbusd_t)
634 @@ -141,6 +142,14 @@ optional_policy(`
635 ')
636
637 optional_policy(`
638 + bluetooth_stream_connect(system_dbusd_t)
639 +')
640 +
641 +optional_policy(`
642 + cpufreqselector_dbus_chat(system_dbusd_t)
643 +')
644 +
645 +optional_policy(`
646 policykit_dbus_chat(system_dbusd_t)
647 policykit_domtrans_auth(system_dbusd_t)
648 policykit_search_lib(system_dbusd_t)
649 @@ -156,7 +165,92 @@ optional_policy(`
650
651 ########################################
652 #
653 +# Common session bus local policy
654 +#
655 +
656 +allow session_bus_type self:capability2 block_suspend;
657 +dontaudit session_bus_type self:capability sys_resource;
658 +allow session_bus_type self:process { getattr sigkill signal };
659 +dontaudit session_bus_type self:process { ptrace setrlimit };
660 +allow session_bus_type self:file { getattr read write };
661 +allow session_bus_type self:fifo_file rw_fifo_file_perms;
662 +allow session_bus_type self:dbus { send_msg acquire_svc };
663 +allow session_bus_type self:unix_stream_socket { accept listen };
664 +allow session_bus_type self:tcp_socket { accept listen };
665 +allow session_bus_type self:netlink_selinux_socket create_socket_perms;
666 +
667 +allow session_bus_type dbusd_etc_t:dir list_dir_perms;
668 +read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
669 +read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
670 +
671 +manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
672 +manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
673 +files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
674 +
675 +kernel_read_system_state(session_bus_type)
676 +kernel_read_kernel_sysctls(session_bus_type)
677 +
678 +corecmd_list_bin(session_bus_type)
679 +corecmd_read_bin_symlinks(session_bus_type)
680 +corecmd_read_bin_files(session_bus_type)
681 +corecmd_read_bin_pipes(session_bus_type)
682 +corecmd_read_bin_sockets(session_bus_type)
683 +
684 +corenet_all_recvfrom_unlabeled(session_bus_type)
685 +corenet_all_recvfrom_netlabel(session_bus_type)
686 +corenet_tcp_sendrecv_generic_if(session_bus_type)
687 +corenet_tcp_sendrecv_generic_node(session_bus_type)
688 +corenet_tcp_sendrecv_all_ports(session_bus_type)
689 +corenet_tcp_bind_generic_node(session_bus_type)
690 +
691 +corenet_sendrecv_all_server_packets(session_bus_type)
692 +corenet_tcp_bind_reserved_port(session_bus_type)
693 +
694 +dev_read_urand(session_bus_type)
695 +
696 +domain_read_all_domains_state(session_bus_type)
697 +domain_use_interactive_fds(session_bus_type)
698 +
699 +files_list_home(session_bus_type)
700 +files_read_usr_files(session_bus_type)
701 +files_dontaudit_search_var(session_bus_type)
702 +
703 +fs_getattr_romfs(session_bus_type)
704 +fs_getattr_xattr_fs(session_bus_type)
705 +fs_list_inotifyfs(session_bus_type)
706 +fs_dontaudit_list_nfs(session_bus_type)
707 +
708 +selinux_get_fs_mount(session_bus_type)
709 +selinux_validate_context(session_bus_type)
710 +selinux_compute_access_vector(session_bus_type)
711 +selinux_compute_create_context(session_bus_type)
712 +selinux_compute_relabel_context(session_bus_type)
713 +selinux_compute_user_contexts(session_bus_type)
714 +
715 +auth_read_pam_console_data(session_bus_type)
716 +
717 +logging_send_audit_msgs(session_bus_type)
718 +logging_send_syslog_msg(session_bus_type)
719 +
720 +miscfiles_read_localization(session_bus_type)
721 +
722 +seutil_read_config(session_bus_type)
723 +seutil_read_default_contexts(session_bus_type)
724 +
725 +term_use_all_terms(session_bus_type)
726 +
727 +optional_policy(`
728 + hal_dbus_chat(session_bus_type)
729 +')
730 +
731 +optional_policy(`
732 + xserver_use_xdm_fds(session_bus_type)
733 + xserver_rw_xdm_pipes(session_bus_type)
734 +')
735 +
736 +########################################
737 +#
738 # Unconfined access to this module
739 #
740
741 -allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
742 +allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
743
744 diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
745 index 73cb712..1c536fe 100644
746 --- a/policy/modules/contrib/evolution.te
747 +++ b/policy/modules/contrib/evolution.te
748 @@ -1,4 +1,4 @@
749 -policy_module(evolution, 2.3.0)
750 +policy_module(evolution, 2.3.1)
751
752 ########################################
753 #
754 @@ -283,7 +283,7 @@ optional_policy(`
755
756 optional_policy(`
757 dbus_system_bus_client(evolution_t)
758 - dbus_session_bus_client(evolution_t)
759 + dbus_all_session_bus_client(evolution_t)
760 ')
761
762 optional_policy(`
763 @@ -383,7 +383,7 @@ tunable_policy(`use_samba_home_dirs',`
764 ')
765
766 optional_policy(`
767 - dbus_session_bus_client(evolution_alarm_t)
768 + dbus_all_session_bus_client(evolution_alarm_t)
769 ')
770
771 optional_policy(`
772
773 diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
774 index 3afaba2..c999516 100644
775 --- a/policy/modules/contrib/gpg.te
776 +++ b/policy/modules/contrib/gpg.te
777 @@ -1,4 +1,4 @@
778 -policy_module(gpg, 2.6.2)
779 +policy_module(gpg, 2.6.3)
780
781 ########################################
782 #
783 @@ -341,7 +341,7 @@ tunable_policy(`use_samba_home_dirs',`
784 ')
785
786 optional_policy(`
787 - dbus_session_bus_client(gpg_pinentry_t)
788 + dbus_all_session_bus_client(gpg_pinentry_t)
789 dbus_system_bus_client(gpg_pinentry_t)
790 ')
791
792
793 diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
794 index 012b782..201a4a9 100644
795 --- a/policy/modules/contrib/mozilla.te
796 +++ b/policy/modules/contrib/mozilla.te
797 @@ -1,4 +1,4 @@
798 -policy_module(mozilla, 2.6.0)
799 +policy_module(mozilla, 2.6.1)
800
801 ########################################
802 #
803 @@ -287,8 +287,8 @@ optional_policy(`
804 ')
805
806 optional_policy(`
807 - dbus_session_bus_client(mozilla_t)
808 dbus_system_bus_client(mozilla_t)
809 + dbus_all_session_bus_client(mozilla_t)
810
811 optional_policy(`
812 networkmanager_dbus_chat(mozilla_t)
813 @@ -493,9 +493,9 @@ optional_policy(`
814 ')
815
816 optional_policy(`
817 - dbus_read_lib_files(mozilla_plugin_t)
818 - dbus_session_bus_client(mozilla_plugin_t)
819 dbus_system_bus_client(mozilla_plugin_t)
820 + dbus_all_session_bus_client(mozilla_plugin_t)
821 + dbus_read_lib_files(mozilla_plugin_t)
822 ')
823
824 optional_policy(`
825
826 diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
827 index fd58d32..2c37cce 100644
828 --- a/policy/modules/contrib/policykit.te
829 +++ b/policy/modules/contrib/policykit.te
830 @@ -1,4 +1,4 @@
831 -policy_module(policykit, 1.2.1)
832 +policy_module(policykit, 1.2.2)
833
834 ########################################
835 #
836 @@ -106,7 +106,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
837
838 optional_policy(`
839 dbus_system_bus_client(policykit_auth_t)
840 - dbus_session_bus_client(policykit_auth_t)
841 + dbus_all_session_bus_client(policykit_auth_t)
842
843 optional_policy(`
844 consolekit_dbus_chat(policykit_auth_t)
845
846 diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
847 index 901ac9b..b48444a 100644
848 --- a/policy/modules/contrib/pulseaudio.te
849 +++ b/policy/modules/contrib/pulseaudio.te
850 @@ -1,4 +1,4 @@
851 -policy_module(pulseaudio, 1.5.0)
852 +policy_module(pulseaudio, 1.5.1)
853
854 ########################################
855 #
856 @@ -104,8 +104,8 @@ optional_policy(`
857 optional_policy(`
858 dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
859 dbus_system_bus_client(pulseaudio_t)
860 - dbus_session_bus_client(pulseaudio_t)
861 - dbus_connect_session_bus(pulseaudio_t)
862 + dbus_all_session_bus_client(pulseaudio_t)
863 + dbus_connect_all_session_bus(pulseaudio_t)
864
865 optional_policy(`
866 consolekit_dbus_chat(pulseaudio_t)
867
868 diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
869 index f09171e..a3530f5 100644
870 --- a/policy/modules/contrib/telepathy.if
871 +++ b/policy/modules/contrib/telepathy.if
872 @@ -44,6 +44,12 @@ template(`telepathy_domain_template',`
873 ## The type of the user domain.
874 ## </summary>
875 ## </param>
876 +## <param name="role_prefix">
877 +## <summary>
878 +## The prefix of the user role (e.g., user
879 +## is the prefix for user_r).
880 +## </summary>
881 +## </param>
882 #
883 template(`telepathy_role', `
884 gen_require(`
885
886 diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
887 index 1ff3f20..f01a972 100644
888 --- a/policy/modules/contrib/telepathy.te
889 +++ b/policy/modules/contrib/telepathy.te
890 @@ -1,4 +1,4 @@
891 -policy_module(telepathy, 1.3.2)
892 +policy_module(telepathy, 1.3.3)
893
894 ########################################
895 #
896
897 diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
898 index bf37d98..4a87f58 100644
899 --- a/policy/modules/contrib/thunderbird.te
900 +++ b/policy/modules/contrib/thunderbird.te
901 @@ -1,4 +1,4 @@
902 -policy_module(thunderbird, 2.3.0)
903 +policy_module(thunderbird, 2.3.1)
904
905 ########################################
906 #
907 @@ -179,7 +179,7 @@ tunable_policy(`mail_read_content',`
908
909 optional_policy(`
910 dbus_system_bus_client(thunderbird_t)
911 - dbus_session_bus_client(thunderbird_t)
912 + dbus_all_session_bus_client(thunderbird_t)
913 ')
914
915 optional_policy(`
916
917 diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
918 index b3efef7..e6497fb 100644
919 --- a/policy/modules/contrib/wm.if
920 +++ b/policy/modules/contrib/wm.if
921 @@ -79,7 +79,7 @@ template(`wm_role_template',`
922
923 optional_policy(`
924 dbus_system_bus_client($1_wm_t)
925 - dbus_session_bus_client($1_wm_t)
926 + dbus_session_bus_client($1, $1_wm_t)
927 ')
928
929 optional_policy(`
930
931 diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
932 index 19d447e..8e1a668 100644
933 --- a/policy/modules/contrib/wm.te
934 +++ b/policy/modules/contrib/wm.te
935 @@ -1,4 +1,4 @@
936 -policy_module(wm, 1.2.0)
937 +policy_module(wm, 1.2.1)
938
939 ########################################
940 #