1 |
commit: dba2b6538375d00774b18c841338016c17075ff3 |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Thu Nov 1 20:47:19 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Thu Nov 1 20:47:19 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dba2b653 |
7 |
|
8 |
Reshuffle and merge |
9 |
|
10 |
Apparently some changes in dbus upstream weren't properly merged within our |
11 |
tree. Merge is now done, and the Gentoo-specific bits have been moved into their |
12 |
own distro_gentoo set (allows for easier patching). |
13 |
|
14 |
Also, the Gentoo-specific interfaces have been moved to the end of the file. |
15 |
|
16 |
--- |
17 |
policy/modules/contrib/dbus.if | 107 ++++++++++++++++++++++------------------ |
18 |
policy/modules/contrib/dbus.te | 21 +++++--- |
19 |
2 files changed, 71 insertions(+), 57 deletions(-) |
20 |
|
21 |
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if |
22 |
index 0c247ec..c8b109f 100644 |
23 |
--- a/policy/modules/contrib/dbus.if |
24 |
+++ b/policy/modules/contrib/dbus.if |
25 |
@@ -66,7 +66,7 @@ template(`dbus_role_template',` |
26 |
allow $3 $1_dbusd_t:unix_stream_socket connectto; |
27 |
allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; |
28 |
allow $3 $1_dbusd_t:fd use; |
29 |
- |
30 |
+ |
31 |
allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; |
32 |
|
33 |
allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; |
34 |
@@ -89,8 +89,10 @@ template(`dbus_role_template',` |
35 |
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; |
36 |
') |
37 |
|
38 |
- optional_policy(` |
39 |
- xdg_read_generic_data_home_files($1_dbusd_t) |
40 |
+ ifdef(`distro_gentoo',` |
41 |
+ optional_policy(` |
42 |
+ xdg_read_generic_data_home_files($1_dbusd_t) |
43 |
+ ') |
44 |
') |
45 |
') |
46 |
|
47 |
@@ -224,6 +226,8 @@ interface(`dbus_all_session_bus_client',` |
48 |
typeattribute $1 dbusd_session_bus_client; |
49 |
|
50 |
allow $1 { session_bus_type self }:dbus send_msg; |
51 |
+ allow session_bus_type $1:dbus send_msg; |
52 |
+ |
53 |
allow $1 session_bus_type:unix_stream_socket connectto; |
54 |
allow $1 session_bus_type:fd use; |
55 |
') |
56 |
@@ -255,6 +259,8 @@ interface(`dbus_spec_session_bus_client',` |
57 |
typeattribute $2 dbusd_session_bus_client; |
58 |
|
59 |
allow $2 { $1_dbusd_t self }:dbus send_msg; |
60 |
+ allow $1_dbusd_t $2:dbus send_msg; |
61 |
+ |
62 |
allow $2 $1_dbusd_t:unix_stream_socket connectto; |
63 |
allow $2 $1_dbusd_t:fd use; |
64 |
') |
65 |
@@ -356,7 +362,10 @@ interface(`dbus_read_lib_files',` |
66 |
|
67 |
files_search_var_lib($1) |
68 |
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) |
69 |
- read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) |
70 |
+ |
71 |
+ ifdef(`distro_gentoo',` |
72 |
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) |
73 |
+ ') |
74 |
') |
75 |
|
76 |
######################################## |
77 |
@@ -509,50 +518,6 @@ interface(`dbus_send_system_bus',` |
78 |
|
79 |
######################################## |
80 |
## <summary> |
81 |
-## Create resources in /run or /var/run with the system_dbusd_var_run_t |
82 |
-## label. This method is deprecated in favor of the init_daemon_run_dir |
83 |
-## call. |
84 |
-## </summary> |
85 |
-## <param name="domain"> |
86 |
-## <summary> |
87 |
-## Domain allowed access |
88 |
-## </summary> |
89 |
-## </param> |
90 |
-## <param name="class"> |
91 |
-## <summary> |
92 |
-## Classes supported for the created resources |
93 |
-## </summary> |
94 |
-## </param> |
95 |
-## <param name="filename" optional="true"> |
96 |
-## <summary> |
97 |
-## Optional file name used for the resource |
98 |
-## </summary> |
99 |
-## </param> |
100 |
-# |
101 |
-interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',` |
102 |
- refpolicywarn(`$0($*) has been deprecated.') |
103 |
-') |
104 |
- |
105 |
-######################################## |
106 |
-## <summary> |
107 |
-## Create directories with the system_dbusd_var_run_t label |
108 |
-## </summary> |
109 |
-## <param name="domain"> |
110 |
-## <summary> |
111 |
-## Domain allowed access |
112 |
-## </summary> |
113 |
-## </param> |
114 |
-# |
115 |
-interface(`dbus_create_system_dbusd_var_run_dirs',` |
116 |
- gen_require(` |
117 |
- type system_dbusd_var_run_t; |
118 |
- ') |
119 |
- |
120 |
- create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) |
121 |
-') |
122 |
- |
123 |
-######################################## |
124 |
-## <summary> |
125 |
## Unconfined access to DBUS system bus. |
126 |
## </summary> |
127 |
## <param name="domain"> |
128 |
@@ -666,3 +631,49 @@ interface(`dbus_unconfined',` |
129 |
|
130 |
typeattribute $1 dbusd_unconfined; |
131 |
') |
132 |
+ |
133 |
+######################################## |
134 |
+## <summary> |
135 |
+## Create resources in /run or /var/run with the system_dbusd_var_run_t |
136 |
+## label. This method is deprecated in favor of the init_daemon_run_dir |
137 |
+## call. |
138 |
+## </summary> |
139 |
+## <param name="domain"> |
140 |
+## <summary> |
141 |
+## Domain allowed access |
142 |
+## </summary> |
143 |
+## </param> |
144 |
+## <param name="class"> |
145 |
+## <summary> |
146 |
+## Classes supported for the created resources |
147 |
+## </summary> |
148 |
+## </param> |
149 |
+## <param name="filename" optional="true"> |
150 |
+## <summary> |
151 |
+## Optional file name used for the resource |
152 |
+## </summary> |
153 |
+## </param> |
154 |
+# |
155 |
+interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',` |
156 |
+ refpolicywarn(`$0($*) has been deprecated.') |
157 |
+') |
158 |
+ |
159 |
+######################################## |
160 |
+## <summary> |
161 |
+## Create directories with the system_dbusd_var_run_t label |
162 |
+## </summary> |
163 |
+## <param name="domain"> |
164 |
+## <summary> |
165 |
+## Domain allowed access |
166 |
+## </summary> |
167 |
+## </param> |
168 |
+# |
169 |
+interface(`dbus_create_system_dbusd_var_run_dirs',` |
170 |
+ gen_require(` |
171 |
+ type system_dbusd_var_run_t; |
172 |
+ ') |
173 |
+ |
174 |
+ create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) |
175 |
+') |
176 |
+ |
177 |
+ |
178 |
|
179 |
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te |
180 |
index 7a4c124..4dfae34 100644 |
181 |
--- a/policy/modules/contrib/dbus.te |
182 |
+++ b/policy/modules/contrib/dbus.te |
183 |
@@ -4,7 +4,7 @@ gen_require(` |
184 |
class dbus all_dbus_perms; |
185 |
') |
186 |
|
187 |
-############################## |
188 |
+######################################## |
189 |
# |
190 |
# Declarations |
191 |
# |
192 |
@@ -51,7 +51,7 @@ ifdef(`enable_mls',` |
193 |
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) |
194 |
') |
195 |
|
196 |
-###################################### |
197 |
+######################################## |
198 |
# |
199 |
# Local policy |
200 |
# |
201 |
@@ -142,17 +142,18 @@ seutil_read_default_contexts(system_dbusd_t) |
202 |
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) |
203 |
userdom_dontaudit_search_user_home_dirs(system_dbusd_t) |
204 |
|
205 |
-optional_policy(` |
206 |
- bluetooth_stream_connect(system_dbusd_t) |
207 |
+ifdef(`distro_gentoo',` |
208 |
+ optional_policy(` |
209 |
+ cpufreqselector_dbus_chat(system_dbusd_t) |
210 |
+ ') |
211 |
') |
212 |
|
213 |
optional_policy(` |
214 |
- cpufreqselector_dbus_chat(system_dbusd_t) |
215 |
+ bluetooth_stream_connect(system_dbusd_t) |
216 |
') |
217 |
|
218 |
optional_policy(` |
219 |
- policykit_dbus_chat(system_dbusd_t) |
220 |
- policykit_search_lib(system_dbusd_t) |
221 |
+ policykit_read_lib(system_dbusd_t) |
222 |
') |
223 |
|
224 |
optional_policy(` |
225 |
@@ -243,8 +244,10 @@ seutil_read_default_contexts(session_bus_type) |
226 |
|
227 |
term_use_all_terms(session_bus_type) |
228 |
|
229 |
-optional_policy(` |
230 |
- hal_dbus_chat(session_bus_type) |
231 |
+ifdef(`distro_gentoo',` |
232 |
+ optional_policy(` |
233 |
+ hal_dbus_chat(session_bus_type) |
234 |
+ ') |
235 |
') |
236 |
|
237 |
optional_policy(` |