Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 01 Nov 2012 21:42:22
Message-Id: 1351802839.dba2b6538375d00774b18c841338016c17075ff3.SwifT@gentoo
1 commit: dba2b6538375d00774b18c841338016c17075ff3
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Nov 1 20:47:19 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Nov 1 20:47:19 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dba2b653
7
8 Reshuffle and merge
9
10 Apparently some changes in dbus upstream weren't properly merged within our
11 tree. Merge is now done, and the Gentoo-specific bits have been moved into their
12 own distro_gentoo set (allows for easier patching).
13
14 Also, the Gentoo-specific interfaces have been moved to the end of the file.
15
16 ---
17 policy/modules/contrib/dbus.if | 107 ++++++++++++++++++++++------------------
18 policy/modules/contrib/dbus.te | 21 +++++---
19 2 files changed, 71 insertions(+), 57 deletions(-)
20
21 diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
22 index 0c247ec..c8b109f 100644
23 --- a/policy/modules/contrib/dbus.if
24 +++ b/policy/modules/contrib/dbus.if
25 @@ -66,7 +66,7 @@ template(`dbus_role_template',`
26 allow $3 $1_dbusd_t:unix_stream_socket connectto;
27 allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
28 allow $3 $1_dbusd_t:fd use;
29 -
30 +
31 allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
32
33 allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
34 @@ -89,8 +89,10 @@ template(`dbus_role_template',`
35 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
36 ')
37
38 - optional_policy(`
39 - xdg_read_generic_data_home_files($1_dbusd_t)
40 + ifdef(`distro_gentoo',`
41 + optional_policy(`
42 + xdg_read_generic_data_home_files($1_dbusd_t)
43 + ')
44 ')
45 ')
46
47 @@ -224,6 +226,8 @@ interface(`dbus_all_session_bus_client',`
48 typeattribute $1 dbusd_session_bus_client;
49
50 allow $1 { session_bus_type self }:dbus send_msg;
51 + allow session_bus_type $1:dbus send_msg;
52 +
53 allow $1 session_bus_type:unix_stream_socket connectto;
54 allow $1 session_bus_type:fd use;
55 ')
56 @@ -255,6 +259,8 @@ interface(`dbus_spec_session_bus_client',`
57 typeattribute $2 dbusd_session_bus_client;
58
59 allow $2 { $1_dbusd_t self }:dbus send_msg;
60 + allow $1_dbusd_t $2:dbus send_msg;
61 +
62 allow $2 $1_dbusd_t:unix_stream_socket connectto;
63 allow $2 $1_dbusd_t:fd use;
64 ')
65 @@ -356,7 +362,10 @@ interface(`dbus_read_lib_files',`
66
67 files_search_var_lib($1)
68 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
69 - read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
70 +
71 + ifdef(`distro_gentoo',`
72 + read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
73 + ')
74 ')
75
76 ########################################
77 @@ -509,50 +518,6 @@ interface(`dbus_send_system_bus',`
78
79 ########################################
80 ## <summary>
81 -## Create resources in /run or /var/run with the system_dbusd_var_run_t
82 -## label. This method is deprecated in favor of the init_daemon_run_dir
83 -## call.
84 -## </summary>
85 -## <param name="domain">
86 -## <summary>
87 -## Domain allowed access
88 -## </summary>
89 -## </param>
90 -## <param name="class">
91 -## <summary>
92 -## Classes supported for the created resources
93 -## </summary>
94 -## </param>
95 -## <param name="filename" optional="true">
96 -## <summary>
97 -## Optional file name used for the resource
98 -## </summary>
99 -## </param>
100 -#
101 -interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',`
102 - refpolicywarn(`$0($*) has been deprecated.')
103 -')
104 -
105 -########################################
106 -## <summary>
107 -## Create directories with the system_dbusd_var_run_t label
108 -## </summary>
109 -## <param name="domain">
110 -## <summary>
111 -## Domain allowed access
112 -## </summary>
113 -## </param>
114 -#
115 -interface(`dbus_create_system_dbusd_var_run_dirs',`
116 - gen_require(`
117 - type system_dbusd_var_run_t;
118 - ')
119 -
120 - create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
121 -')
122 -
123 -########################################
124 -## <summary>
125 ## Unconfined access to DBUS system bus.
126 ## </summary>
127 ## <param name="domain">
128 @@ -666,3 +631,49 @@ interface(`dbus_unconfined',`
129
130 typeattribute $1 dbusd_unconfined;
131 ')
132 +
133 +########################################
134 +## <summary>
135 +## Create resources in /run or /var/run with the system_dbusd_var_run_t
136 +## label. This method is deprecated in favor of the init_daemon_run_dir
137 +## call.
138 +## </summary>
139 +## <param name="domain">
140 +## <summary>
141 +## Domain allowed access
142 +## </summary>
143 +## </param>
144 +## <param name="class">
145 +## <summary>
146 +## Classes supported for the created resources
147 +## </summary>
148 +## </param>
149 +## <param name="filename" optional="true">
150 +## <summary>
151 +## Optional file name used for the resource
152 +## </summary>
153 +## </param>
154 +#
155 +interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',`
156 + refpolicywarn(`$0($*) has been deprecated.')
157 +')
158 +
159 +########################################
160 +## <summary>
161 +## Create directories with the system_dbusd_var_run_t label
162 +## </summary>
163 +## <param name="domain">
164 +## <summary>
165 +## Domain allowed access
166 +## </summary>
167 +## </param>
168 +#
169 +interface(`dbus_create_system_dbusd_var_run_dirs',`
170 + gen_require(`
171 + type system_dbusd_var_run_t;
172 + ')
173 +
174 + create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
175 +')
176 +
177 +
178
179 diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
180 index 7a4c124..4dfae34 100644
181 --- a/policy/modules/contrib/dbus.te
182 +++ b/policy/modules/contrib/dbus.te
183 @@ -4,7 +4,7 @@ gen_require(`
184 class dbus all_dbus_perms;
185 ')
186
187 -##############################
188 +########################################
189 #
190 # Declarations
191 #
192 @@ -51,7 +51,7 @@ ifdef(`enable_mls',`
193 init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
194 ')
195
196 -######################################
197 +########################################
198 #
199 # Local policy
200 #
201 @@ -142,17 +142,18 @@ seutil_read_default_contexts(system_dbusd_t)
202 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
203 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
204
205 -optional_policy(`
206 - bluetooth_stream_connect(system_dbusd_t)
207 +ifdef(`distro_gentoo',`
208 + optional_policy(`
209 + cpufreqselector_dbus_chat(system_dbusd_t)
210 + ')
211 ')
212
213 optional_policy(`
214 - cpufreqselector_dbus_chat(system_dbusd_t)
215 + bluetooth_stream_connect(system_dbusd_t)
216 ')
217
218 optional_policy(`
219 - policykit_dbus_chat(system_dbusd_t)
220 - policykit_search_lib(system_dbusd_t)
221 + policykit_read_lib(system_dbusd_t)
222 ')
223
224 optional_policy(`
225 @@ -243,8 +244,10 @@ seutil_read_default_contexts(session_bus_type)
226
227 term_use_all_terms(session_bus_type)
228
229 -optional_policy(`
230 - hal_dbus_chat(session_bus_type)
231 +ifdef(`distro_gentoo',`
232 + optional_policy(`
233 + hal_dbus_chat(session_bus_type)
234 + ')
235 ')
236
237 optional_policy(`
Report Message
Find on MARC Find on Google Groups